Home video surveillance. Scheme of maintaining a video archive without a home registrar

I have been wanting to write an article about a script for working with a camera through the DVRIP protocol for quite some time, but the discussion on the recent news about Xiaomi prompted me to first talk about how I set up video surveillance at my place, and then move on to scripts and more.

We had 2 packs… So wait, that's not the story.
We had 2 TP-LINK routers, Internet access behind a provider NAT, a Partizan surveillance camera, I don’t remember which model (any IP camera that supports RTSP over TCP or DVRIP will do), and a cheap VPS for 4 euros with the following specs: 2-core CPU at 2.4GHz, 4GB RAM, 300 GB HDD, 100 Mbit/s port. And also a reluctance to buy anything for this that would cost more than a patch cord.

Foreword

For obvious reasons, we can't just forward the camera's ports on the router and enjoy life; besides, even if we could, we shouldn't.

I have heard in passing that there are some options with IPv6 tunneling, where supposedly everything can be arranged so that all devices on the network receive an external IPv6 address, and this would simplify things a bit; however, it still leaves the security of that exercise in question, and support for this miracle in the stock TP-LINK firmware is somehow strange. It is quite possible, though, that the previous sentence is complete nonsense, so pay no attention to it at all.

But, fortunately for us, almost any firmware for any router (a rather unfounded statement, in fact) contains a PPTP / L2TP client, or allows installing custom firmware that has one. And from this we can already build some kind of strategy.

Topology

In a fit of fever, my brain gave birth to something like this wiring diagram, and during another bout I drew it up to put it on Habr.

The address 169.178.59.82 is randomly generated and serves as an example only.

Well, or if in words, then:

  • Router TP-LINK 1 (192.168.1.1), into which a cable is inserted that sticks out of the wall. An inquisitive reader will guess that this is the provider's cable through which I get Internet access. A variety of home devices are connected to this router via patch cord or Wi-Fi. This is the 192.168.1.0 network.
  • Router TP-LINK 2 (192.168.0.1, 192.168.1.200), into which a cable is inserted that sticks out of the TP-LINK 1 router. Thanks to this cable, the TP-LINK 2 router, as well as the devices connected to it, also have access to the Internet. This router has a PPTP connection (10.0.5.100) configured to the server 169.178.59.82. The IP camera 192.168.0.200 is also connected to this router, and the following ports are forwarded:
    • 192.168.0.200:80 -> 49151 (webface)
    • 192.168.0.200:34567 -> 49152 (DVRIP)
    • 192.168.0.200:554 -> 49153 (RTSP)
  • Server (169.178.59.82, 10.0.5.1), to which the TP-LINK 2 router connects. pptpd, shadowsocks and 3proxy are running on the server; through them you can reach devices on the 10.0.5.0 network and thus the TP-LINK 2 router.

Thus, all home devices on the 192.168.1.0 network can access the camera via TP-LINK 2 at 192.168.1.200, and all other devices can connect via pptp, shadowsocks or socks5 and access 10.0.5.100.

Setup

The first step is to connect all devices according to the diagram in the figure above.

  • Setting up the TP-LINK 1 router comes down to reserving the address 192.168.1.200 for TP-LINK 2. This is optional, needed only if you want a fixed address for access from the 192.168.1.0 network. And, if desired, you can reserve 10-20 Mbps for it (10 is enough for one 1080p video stream with headroom).
  • On the server, you need to install and configure pptpd. I have Ubuntu 18.04 and the steps were something like the following (I used blog.xenot.ru/bystraya-nastrojka-vpn-servera-pptp-na-ubuntu-server-18-04-lts.fuck as the donor example):
    • Install the required packages:
      sudo apt install pptpd iptables-persistent
    • Bring the following file to this form:

      /etc/pptpd.conf

      option /etc/ppp/pptpd-options
      bcrelay eth0 # The interface through which your server reaches the Internet
      logwtmp
      localip 10.0.5.1
      remoteip 10.0.5.100-200

    • Edit

      /etc/ppp/pptpd-options

      novj
      novjccomp
      nologfd
      
      name pptpd
      refuse-pap
      refuse-chap
      refuse-mschap
      require-mschap-v2
      #require-mppe-128 # Can be uncommented, but my TP-LINK does not get along with it
      
      ms-dns 8.8.8.8
      ms-dns 1.1.1.1
      ms-dns  77.88.8.8
      ms-dns 8.8.4.4
      ms-dns 1.0.0.1
      ms-dns  77.88.8.1
      
      proxyarp
      nodefaultroute
      lock
      nobsdcomp
      
    • Add credentials to

      /etc/ppp/chap-secrets

      # Secrets for authentication using CHAP
      # client	server	secret			IP addresses
      username pptpd password *
    • Add to

      /etc/sysctl.conf

      net.ipv4.ip_forward=1

      and reload sysctl

      sudo sysctl -p
    • Restart pptpd and enable it at boot:
      sudo service pptpd restart
      sudo systemctl enable pptpd
    • Edit

      iptables

      sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      sudo iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      sudo iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
      sudo iptables -I INPUT -s 10.0.5.0/24 -i ppp+ -j ACCEPT
      sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT

      And save

      sudo netfilter-persistent save
      sudo netfilter-persistent reload
      
  • Setting up TP-LINK 2
    • We reserve the address 192.168.0.200 for our camera:

      DHCP -> Address Reservation
      - MAC address: the camera's MAC, which can be seen in DHCP -> DHCP Clients List
      - Reserved IP address: 192.168.0.200

    • Forwarding ports:
      Forwarding -> Virtual Servers
      - Service port: 49151, Internal port: 80, IP address: 192.168.0.200, Protocol: TCP
      - Service port: 49152, Internal port: 34567, IP address: 192.168.0.200, Protocol: TCP
      - Service port: 49153, Internal port: 554, IP address: 192.168.0.200, Protocol: TCP
    • Set up VPN connection:

      Network -> WAN
      - WAN connection type: PPTP
      - Username: username (see /etc/ppp/chap-secrets)
      - Password: password (see /etc/ppp/chap-secrets)
      - Confirm password: password (see /etc/ppp/chap-secrets)
      - Dynamic IP
      - IP address / Server name: 169.178.59.82 (obviously, the external IP of your server)
      - Connection mode: Connect automatically

    • Optionally, allow remote access to the router's web interface:
      Security -> Remote Management
      - Web Management Port: 80
      - Remote Management IP Address: 255.255.255.255
    • Restart the TP-LINK 2 router

Instead of PPTP, you can use L2TP or, if you have custom firmware, then whatever your heart desires. I chose PPTP as this scheme was not based on security considerations, and pptpd is the fastest VPN server in my experience. Moreover, I really didn’t want to install custom firmware, which means I had to choose between PPTP and L2TP.

If I didn’t make a mistake anywhere in the manual, and you did everything right and you were lucky, then after all these manipulations

  • firstly
    ifconfig

    will show the interface ppp0 with inet 10.0.5.1 netmask 255.255.255.255 destination 10.0.5.100,

  • secondly, 10.0.5.100 must respond to ping,
  • and thirdly
    ffprobe -rtsp_transport tcp "rtsp://10.0.5.100:49153/user=admin&password=password&channel=1&stream=0.sdp"

    should detect the stream.
    The RTSP port, login and password can be found in the documentation for your camera.

Conclusion

In principle, this is already not bad: there is access to RTSP, and if the proprietary software works through DVRIP, you can use that too. You can save the stream with ffmpeg, speed the video up 2-3-5 times, split it into hour-long pieces, upload it all to Google Drive or social networks, and much, much more.
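As an added example (not the author's script and not from the original post), the following Python script performs the three checks listed above on the VPS (ppp0 with the expected destination, ping, ffprobe over RTSP/TCP) and, if they pass, starts the hourly archive this paragraph describes by copying the stream into one MP4 file per hour. It assumes the article's addresses (TP-LINK 2 at 10.0.5.100, RTSP forwarded to port 49153) and that ffprobe and ffmpeg are installed on the server; the CAM_USER/CAM_PASS environment variables, the output directory /var/lib/cam-archive and the sample ifconfig text are my own assumptions, not anything from the article:

```python
"""Check the PPTP tunnel to the camera and record an hourly RTSP archive.

Added example for this article, not the author's script. Assumes the
article's addresses (TP-LINK 2 at 10.0.5.100, RTSP forwarded to 49153),
that ffprobe/ffmpeg are installed on the VPS, and that the camera uses the
user=...&password=... RTSP URL form the article shows. CAM_USER/CAM_PASS
are environment variables introduced here so the password is not stored
in the script.
"""
import os
import re
import subprocess
import sys
from typing import List, Optional

CAMERA_HOST = "10.0.5.100"   # TP-LINK 2's address on the PPTP tunnel
RTSP_PORT = 49153            # forwarded by TP-LINK 2 to 192.168.0.200:554
SEGMENT_SECONDS = 3600       # one archive file per hour

# Constructed ifconfig output in the shape the article describes; used for
# the self-test. On the VPS the real output of `ifconfig` is parsed.
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.178.59.82  netmask 255.255.255.0  broadcast 169.178.59.255

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1396
        inet 10.0.5.1  netmask 255.255.255.255  destination 10.0.5.100
        ppp  txqueuelen 3  (Point-to-Point Protocol)
"""


def ppp_peer(ifconfig_text: str, iface: str = "ppp0") -> Optional[str]:
    """Return the 'destination' (peer) address of a point-to-point
    interface from ifconfig output, or None if the interface is absent."""
    # An interface block starts at column 0 and runs until the next
    # line that also starts at column 0 (or the end of the output).
    block = re.search(rf"^{re.escape(iface)}\b.*?(?=^\S|\Z)",
                      ifconfig_text, re.MULTILINE | re.DOTALL)
    if not block:
        return None
    peer = re.search(r"destination\s+(\d{1,3}(?:\.\d{1,3}){3})", block.group(0))
    return peer.group(1) if peer else None


def rtsp_url(user: str, password: str, host: str = CAMERA_HOST,
             port: int = RTSP_PORT, channel: int = 1, stream: int = 0) -> str:
    """Build the camera URL in the form the article passes to ffprobe."""
    return (f"rtsp://{host}:{port}/user={user}&password={password}"
            f"&channel={channel}&stream={stream}.sdp")


def ffprobe_cmd(url: str) -> List[str]:
    """ffprobe over RTSP/TCP; exit status 0 means the stream was detected."""
    return ["ffprobe", "-v", "error", "-rtsp_transport", "tcp",
            "-show_streams", url]


def ffmpeg_archive_cmd(url: str, out_dir: str) -> List[str]:
    """ffmpeg command that copies the stream (no re-encoding) into
    hour-long MP4 files named by their start time."""
    return ["ffmpeg", "-nostdin", "-loglevel", "warning",
            "-rtsp_transport", "tcp", "-i", url,
            "-c", "copy", "-f", "segment",
            "-segment_time", str(SEGMENT_SECONDS),
            "-reset_timestamps", "1", "-strftime", "1",
            os.path.join(out_dir, "cam_%Y-%m-%d_%H-%M-%S.mp4")]


def tunnel_up(peer: Optional[str]) -> bool:
    """The tunnel is usable when ppp0 exists and points at the camera router."""
    return peer == CAMERA_HOST


def main(out_dir: str = "/var/lib/cam-archive") -> int:
    user = os.environ.get("CAM_USER", "admin")
    password = os.environ.get("CAM_PASS")
    if not password:
        print("set CAM_PASS to the camera password", file=sys.stderr)
        return 2
    # 1. ifconfig must show ppp0 with destination 10.0.5.100
    ifc = subprocess.run(["ifconfig"], capture_output=True, text=True).stdout
    peer = ppp_peer(ifc)
    if not tunnel_up(peer):
        print(f"ppp0 peer is {peer!r}, expected {CAMERA_HOST}", file=sys.stderr)
        return 1
    # 2. the router on the far end of the tunnel must answer ping
    if subprocess.run(["ping", "-c", "1", "-W", "2", peer]).returncode != 0:
        print(f"{peer} does not answer ping", file=sys.stderr)
        return 1
    # 3. ffprobe must detect the stream before we start recording
    url = rtsp_url(user, password)
    if subprocess.run(ffprobe_cmd(url)).returncode != 0:
        print("ffprobe could not open the RTSP stream", file=sys.stderr)
        return 1
    # Archive directory readable only by the recording user
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    return subprocess.run(ffmpeg_archive_cmd(url, out_dir)).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `CAM_PASS=... python3 archive.py` from a dedicated unprivileged account: the camera password is part of the RTSP URL, so it is visible in the ffmpeg process arguments to anyone who can list processes on the VPS. `-c copy` keeps the camera's own encoding, which is what makes hour-long segments cheap on a 2-core VPS; speeding the video up 2-3-5 times requires re-encoding (a `setpts` filter), which is better done on the finished hourly files afterwards.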

I didn’t like RTSP over TCP, because for some reason it didn’t work very stably, and over UDP it won’t work at all, because we cannot (or can, but I don’t want to) forward the range of ports over which RTSP will push the video stream; so I wrote a script that pulls the stream over TCP through DVRIP. It seemed to be more stable.

Among the advantages of the approach: in place of the TP-LINK 4 router we can take something that supports a 2G USB modem, power it together with the camera from a UPS (which will undoubtedly need to be much less capacious than when using a recorder); in addition, the recording is transmitted to the server almost instantly, so even if intruders get into your home, they will not be able to take the video away with them. In general, there is room for maneuver, and it all depends on your imagination.

PS: I know that many manufacturers offer ready-made cloud solutions, but they cost almost twice as much as my VPS (of which I already have 3, so I need to put the resources somewhere), provide much less control, and the quality is not very satisfactory either.

Source: habr.com
