Using a Raspberry Pi Setup to create your own Personal Home Security Network with access to the Internet

[Douglas Jones]

My father and I are experimenting with using one or more Raspberry Pi 3 B+ models to create a do-it-yourself Home Security Network which will include multiple IP cameras, a server to store saved videos or still pictures and grant access to members of my family (using secure username/password) over the Internet using the Motion Eye OS on the main Raspberry Pi to view video streams over a Web browser outside of the Home network.  I think this will be possible, but I have concerns about opening this system up to the Internet.

1. If I open up a Port on the Router to allow access to the Raspberry Pi, is there a way to make the system secure from hackers?

2. Do I have to setup a Firewall on the Raspberry Pi (hardware or software) to prevent unauthorized access?

3. I have read about creating RSA Authorization Key Pairs which will be created by each authorized user on the device to be used to access the security system outside the Home network. The public key would be in a certain directory on the Raspberry Pi, the user has the Private key on their device, you may use a passcode to grant access, the server sends info to the user device and the user device responds with an encrypted code, if the server verifies the code is correct, the server then asks the user to enter his username/password, and if those are correct the user is granted access to the Raspberry Pi running the Motion Eye OS to view the videos streams on the user's device when for instance he is in another city when he is away from his home.  Is this possible?

Thanks,

Doug

[dew...@gmail.com]

My system, mentioned earlier, consists of 9 Raspberry Pis, soon to be expanded to 12. I have 8 Pis running USB cameras, and 1 Pi not attached to a camera. The 8 camera Pis store images locally, and backup images to the 9th cameraless Pi (the 2nd path in the file storage option). Those 8 Pis can ONLY be accessed internally via IP address from within the network. The 9th Pi has a 2TB drive attached, which keeps all images until I decide to delete them (over 6 months of still images). The cameraless Pi is also the ONLY Pi AND ONLY thing that can be reached via port forwarding. So to reach any of my actual cameras from outside the network, one MUST successfully log into the cameraless Pi first AND that will not get you anywhere else on my network.

[David Chew]

Look up OPENVPN.    And look at PFSENSE,   works great here,  creates a tunnel into my home network only from users with a CERTIFICATE and user name password.

 

Also lets you run any local apps like Phillips Hue, etc.

 

I have PFSENSE on old laptop with on-board NIC and USB NIC,    and a third NIC could be a DMZ if you wanted.   

 

 

 

 

 

Sent from Mail for Windows 10

 

---

From: moti...@googlegroups.com <moti...@googlegroups.com> on behalf of Douglas Jones <jones...@gmail.com>
Sent: Monday, December 3, 2018 3:46:12 PM
To: motioneye
Subject: Using a Raspberry Pi Setup to create your own Personal Home Security Network with access to the Internet

 

--
You received this message because you are subscribed to the Google Groups "motioneye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to motioneye+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/f32655c3-5f20-4336-bec6-bf3e1f20ac1c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Douglas Jones]

Dew...@gmail.com,

I think that I understand how your system is set up, but I have a hypothetical question for you.  Let us suppose that someone with a brilliant method broke into your cameraless Pi by breaking your username/password to gain access, why would it not be possible for that hacker to also be able to access the rest of your entire Home network?  If this is possible, I might want to do something similar.

Thanks

[Richard Brouwer]

Hi,

What you can do is setup a VPN server on your PI see for an example https://medium.freecodecamp.org/running-your-own-openvpn-server-on-a-raspberry-pi-8b78043ccdea

If you setup properly it is very hard to break into your network via this route. Of course if you use a weka password for your WiFi network they can hack into your system that way, but I assume that your WiFi network password is strong and you change it on a regular basis.

I have setup VPN for several companies and I have never seen that people broke into these networks. Of course if you are sloppy with your certificates hackers can get in your network, but here I also assume nobody else than you or trusted family ;) have access to your computer.

Cheers,

Richard

Op di 4 dec. 2018 om 03:39 schreef Douglas Jones <jones...@gmail.com>:

--

You received this message because you are subscribed to the Google Groups "motioneye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to motioneye+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/71f5e12b-2c53-4a58-ba7a-32cbc75877a3%40googlegroups.com.

[dew...@gmail.com]

If someone does get into my cameraless Pi (I call it "Console"), all they can do is move around inside of my MotionEye system.  However, nothing is impossible so they would have gain access to the console as admin and turn on SSH, then they could get my wireless credentials via SSH (I am purposely being vague so as to not give hacking instructions).  But doing that requires knowing the IP address *and* port for the console, and the port scanning and attempts will be logged on the router.  Even with those wireless credentials, the next steps are; 1) finding out where I am physically located since they must be close enough to access my wifi (router configured to deny remote admin access), and 2) circumventing the router's "Access Control" to even log in with those stolen credentials (again, vagueness on purpose).

[David Chew]

Also see OPENVPN and Pfsense

Sent from my iPhone

To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/CAPURjcHP%2BRhA3P80g3xmBwx8EtnPdP7jmiG3H5Lo-TVOP_siHQ%40mail.gmail.com.

[Douglas Jones]

Thanks for the help guys!  Any suggestions and recommendations is very much appreciated.

Best regards,

Doug

[William]

You are JUST the man I've been looking for....um, so to speak!

I am a veteran computer tech (since 1982), had mad DOS skills, owned Windows 2.0/286, have always been a Mac head. Now, in my 50's, I find myself learning all about Linux and Raspberry Pi's to make a security system for myself and later for my folks. I've looked all over the internet for this problem and cannot seem to find a solution. All of the Pi's have been freshly installed (Christmas Day, in fact!) and are using the 20181209 pre-release motioneye OS.

Scenario:

• I have a Pi 3B w/ Pi camera 2.1 on the SE corner of my porch (Name: SE - IP: 192.168.1.201, wireless)
• I have a Pi 3B w/ Pi camera 1.1 on the SW corner of my porch (Name: SW - IP: 192.168.1,202, wireless)
• I have a camera-less Pi 3B as a server to pull the two cams into one place (Name: Vision - IP: 192.168.1.200, ethernet 100Mb)
• My Netgear 6200 router (IP: 192.168.1.10, ethernet 100/1000)
• MS Windows Server 2016 for DNS (IP: 192.168.1.15, ethernet 100/1000)
• All the motioneye Pi's are using port 8089 for streaming
• Remote access testing is done via my iPhone, with wifi and bluetooth turned off (forcing an external, celluar connect into my router)
• All three Pi's have the following Video Streaming options set the same:
• Streaming port: 8089
• Authentication mode: Disabled
  

Issue:

• I can't see "Vision - IP: 192.168.1.200"

Troubleshooting:

• changed port forwarding parameters (port number, IP forwarded to, range vs single port)
• checked Vision, SE, and SW repeatedly from iPhone
  
• changed wifi to eth0 and back on each Pi
• changed each Pi's Network->Gateway to the actual cable modem's IP (192.168.100.1)
  

Resultant(s):

• I can see SE and SW perfectly fine each and every test I do, using "normal" port forwarding
• "Normal" port fowarding is done by editing the rule, clicking on the new IP address, and apply. I have also manually punched in all of the IP data, just in case there was some kind of data corruption going on
  
• Vision times out on my iPhone ("Safari could not open the page because it could not connect to the server.")

Conclusion(s):

• either I'm missing something obvious or there is possibly a software/OS bug?

Thanks for any light you can shed on this and any questions will be answered ASAP.

========================================================================================

[Kevin Shumaker]

Do you have wifi turned on Vision? You don't want to if Ethernet is on. Try setting gateway to 192.168.1.10. What is the subnet mask on the PIs? If you try to connect to the network, with a PC or the iPhone, can you see the Vision? 

--

You received this message because you are subscribed to the Google Groups "motioneye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to motioneye+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/ce785e0f-eb15-4c15-975d-46f2454fc887%40googlegroups.com.

[William]

The whole system works flawlessly when I access it internally (192.168), ie., I can log into each individual machine and Vision (200) works as advertised. I can remote into 201 and 202 by changing the forwarding port to 201 and 202 respectively. ONLY 200 is giving me a hassle. Gateways were all set to .10, changed to modem upon suggestion in a post. Subnet mask is 255.255.255.0. One thing that is VERY confusing to me is changing parameters on the screen. I have three tabs open in my browser: 200, 201, and 202. I have checked EACH Pi individually and they are set identically (as far as shared data - gateway, DNS, etc.) This is VERY mystifying to me, since it works perfectly internally.

[dew...@gmail.com]

Interest indeed.  The one thing I do see is that you have the gateway set to your modem as mentioned.  My gateway is set to my *router*, 192.168.1.1 (remember, the Pi is talking with the router, not the modem), the "standard" gateway.  The only special configuration in my setup is choosing what port I wanted to use as the input from the outside on my router (I used a very random number).

Dewey

[William]

I was once an MSCE, so I have a pretty good understanding of networking (or so I thought until I ran into this project, lol) and this is a puzzler to me. I had the gateway set to my router (192.168.1.10), changed it to the modem (192.168.100.1), and then back again when the modem didn't work for me. What's even stranger is that I SWEAR that it worked ONE TIME, when I was first setting up the system. I can't remember if I accessed it again immediately or not, but I also avoid using standard ports whenever possible. The first port I tried to forward was external:8888 to 192.168.1.200:8081. Then I diddled around with different ports, then decided on 8089, set all the Pi's to 8089 and it works as advertised...internally.

[William]

For kicks and giggles (and also almost out of ideas), I changed the network on Vision to wireless and rebooted. Same resultant: forward 8089 to 200 and "server not found", change it back to 201 and I can see that camera only (as one would expect, since I'm direct accessing 201 ONLY). Maybe I need to wipe Vision and reinstall Motioneye. I did add/remove the cameras a few times as I was figuring out the software.

BTW, I thank you for your help with this - it's been a bugger, let me tell you! I go to bed, wake up with a thought and at all hours I'll be putzing with this.

On Thursday, December 27, 2018 at 12:14:56 PM UTC-5, dew...@gmail.com wrote:

[dew...@gmail.com]

I don't have the Pis set up for anything special at all.  In short, my cameraless Pi, named "Console" is set up as 192.168.1.200, and all the other Pis are 201, 202, 203, etc, etc.  Each camera Pi is completely standard, other than trigger and mask settings, with no special settings other than uploading media files in "File Storage" via FTP to the Console, where they are stored on the 2TB drive.  (The files are also locally stored on each Pi for 1 day).  While the Console doesn't have any *attached* cameras, each of my camera Pis are added to the Console using the add camera option, choosing Remote MotionEye Camera, and entering http://{each Pi IP address}, user name and password.  My router is set to forward all incoming traffic on the correct port to the Console, where it is met with the regular MotionEye login.  So to reach my cameras internally, I only type 192.168.1.200, but to reach my cameras from outside, I type {my home IP address}:{my forwarded port}.

Dewey

[mmaypo]

A couple things to try: are you certain the router is not blocking external originating incoming connections that are getting forwarded to192.168.1.200:8089?  are you certain the firewall on the Pi is not blocking it? One sure way to know - does your router have span capability? If yes, span the router's incoming traffic to an interface which you can monitor with a packet sniffer like wireshark. Capture traffic while trying to access 192.168.1.200 from outside and you will narrow down where the problem is; if you see packets with 192.168.1.200 as dest., then capture traffic on the segment between the router interface and Pi. If the incoming traffic is there, the trouble is with the Pi. Main point is a packet sniffer is your friend at this point.

- Mark

[David Chew]

Why not setup just one MotionEyeOS to point to multiple cameras?

To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/d48aeb6d-cdc0-463c-aa6b-ebe852781b0f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

David T. Chew

610-996-7165 (C)

[Douglas Jones]

My Setup So Far:

I have just set up the beginning of a Home Security Surveillance System for my Dad.  So far, I have setup the following system below.  Remember, I am in the process of building the system.

System Setup:

1.  One Raspberry Pi 3 B+ (Wireless) with only MotionEyeOS installed with a Webcam attached via USB connection.

2.  One Raspberry Pi 3 B+ (Ethernet) with Raspbian Stretch OS installed, Headless (no monitor, no keyboard, no mouse), and with the MotionEye application running in the background as a daemon with no camera.  This is what I call the Home Network Server in which I have a 256 GB USB thumb drive plugged into this Pi.

3.  I am talking to my Dad about buying a Foscam 2RC Wifi Camera 1080p HD wireless IP camera.

Amazon: https://www.amazon.com/Foscam-Security-Surveillance-Detection-Available/dp/B07DJ5RSTM/ref=sr_1_21_sspa?ie=UTF8&qid=1545774713&sr=8-21-spons&keywords=d-link+ip+camera&psc=1

Setup:  https://www.youtube.com/watch?v=zTXZP86W_HE

How to connect to system over the Internet (Outside the Home Network).

1.  I have setup a Static Internal IP address to the Pi which serves as the Home Network Server.  I have setup an Xfinity Router to Port Forward to this Pi.  Below is the IP address I use in the Firefox browser.

http://<Router IP Address>:Port number

2.  The Home Network Server has the MotionEye daemon running in the background (this Pi has Raspbian Stretch OS).

3.  To access over the Internet, I enter the website address shown in 1, and the browser brings up the MotionEye Login Page.  I enter the Username/Password (I have changed it from the default one), and then the system brings up my one and only camera.

4.  If I were to buy another Pi (wireless) with MotionEyeOS installed with Webcam attached, I think that it would be easy to add that new camera.

5.  I can also buy an IP camera (stand-only camera wireless) which will connect to Home Router, then I would be able to add this wireless camera using the IP Stream address.

Of course, I only have one camera at this time, but I anticipate that what I have outlined here should be easy.  I am able to access my Dad's system from my home, and it really works well.  I have heard about a website called No-IP in which you can create a free account, and then setup a Hostname (Network Server) for one of the Pi computers.  I am not sure how exactly this is supposed to work, but I think that it allows you to always access your computer even if the IP address changes from time to time.  However, what I think that I am doing now is logging into my Dad's Router with Port Forwarding to the Pi (Home Network Server).  I don't know if the Router IP address is Static or Dynamic.  Anyway, so far this newly built system is operating pretty well.  I have attached a PowerPoint presentation showing my Dad's setup.

Best of luck to you,

Doug

[Alan McKay]

Personally I'd avoid Foscam. I bought 2 a few years ago because they
were highly recommended all over the place, but as it turned out it
required a Windows client to configure - no way around it. So they
are still sitting unused - both of them.

I'll dig them out and try again at some time. But I don't have
Windows so if they still need a client I'm in trouble

[Douglas Jones]

Hi,

Thanks for the warning.  Can you recommend any IP camera that will work in a wireless manner, and that will work with my setup?  The first one I bought I believe required me to purchase a subscription for Cloud Storage.  However, this is why my Dad wants to use this new setup because he does not want to pay anything for the streaming/storage.

Doug

[Alan McKay]

I am still in the experimentation phase myself so no I cannot. The
ELP camera I mentioned in another thread I have not tried yet directly
with MotionEye or MotionEyeOS, only with Raspbian and various other
programs, but so far I like what I see especially for the price.

I also bought a circa $50 CND Wyze cam but have not yet flashed it
with the open source firmware so it is only their proprietary cloud
system that I have now. So no access that I can see from a web
browser but their app is pretty nice. Right now my teenager and I
have it set up under the kitchen counter as part of our efforts to
catch a damned roof rat that we've been trying to catch for about a
month or so now. The night vision is extremely good and overall it is
a nice cam so I'm going to get a few more.

[Kevin Shumaker]

I use D-Link dcs-5020's and they work very well for me. They have an app, but it's not necessary to use it. They have PTZ. They have the ability to stream mjpeg and h.264 and jpgs, save to any ftp server both stills and movies, have a good web interface, have built in motion detection with masking, sound detection, email notification, in wifi mode they can be used as rudimentary wifi extenders (think: their own wifi mesh) and support ethernet. Which makes them imminently useful for motionEye. I use motionEye to consolidate all my cameras into a single interface, and have it provide the missing features for my other cameras. Most of the other 'big name' systems require some sort of monthly fee, like Arlo, Nest, Ring, SimpliSafe, etc, but a few have hacks to at least read the stream directly.

--

You received this message because you are subscribed to the Google Groups "motioneye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to motioneye+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/motioneye/c9faba3f-aafc-436f-9aba-0ccbad3fe401%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Thanks

Kevin Shumaker

N38° 19' 56.52"
W85° 45' 8.56"

Semper Gumby
“Don't tell people how to do things. Tell them what to do and let them surprise you with their results.” - G.S. Patton, Gen. USA
Ethics are what we do when no one else is looking.
Quis custodiet ipsos custodes?
You know we're sitting on four million pounds of fuel, one nuclear weapon and a thing that has 270,000 moving parts built by the lowest bidder. Makes you feel good, doesn't it?