Remote access with OpenVPN to Cisco Cameras

Camera support has been dropped as EoL with Site Controller version 3.0


Cisco cameras are configured using the web interface. In some cases it may be necessary to access the cameras remotely, through an OpenVPN connection installed on the IR910. This article describes how to configure the IR910 so that all the necessary ports are forwarded (NAT) to the camera and the camera's web interface can be reached through the VPN.

Step-by-step guide

  1. Log in to the IR910 and get to the Linux shell. This can be done either by logging in as the system user or by getting to the IOS shell and, in privileged mode, using the command rd_debug.
  2. Enter the following commands in the shell. Replace the IP with the IP of the camera to be accessed.

    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 554 -j DNAT  --to-destination 172.16.53.101:554
    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 1024 -j DNAT  --to-destination 172.16.53.101:1024
    iptables -t nat -A PREROUTING -i tun0 -p udp --dport 1024 -j DNAT  --to-destination 172.16.53.101:1024
    iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT  --to-destination 172.16.53.101:80
    iptables -A FORWARD -p tcp -d 172.16.53.101 --dport 554 -j ACCEPT
    iptables -A FORWARD -p tcp -d 172.16.53.101 --dport 1024 -j ACCEPT
    iptables -A FORWARD -p udp -d 172.16.53.101 --dport 1024 -j ACCEPT
    iptables -A FORWARD -p tcp -d 172.16.53.101 --dport 80 -j ACCEPT
    iptables -t nat -A POSTROUTING -j MASQUERADE
  3. Check the NAT table with the following command

    iptables -t nat -L -n -v
    root@Router:~$iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 13 packets, 1809 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:554 to:172.16.53.101:554
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1024 to:172.16.53.101:1024
        0     0 DNAT       udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1024 to:172.16.53.101:1024
        0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.16.53.101:80
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  4. Once that is done, access the camera with the web browser, using the VPN IP of the router.
  5. After the camera configuration is done, it is convenient to delete the NAT routes from the router. To do so, paste the following commands (again, replace the IP with that of the camera).

    iptables -t nat -D PREROUTING -i tun0 -p tcp --dport 554 -j DNAT  --to-destination 172.16.53.101:554
    iptables -t nat -D PREROUTING -i tun0 -p tcp --dport 1024 -j DNAT  --to-destination 172.16.53.101:1024
    iptables -t nat -D PREROUTING -i tun0 -p udp --dport 1024 -j DNAT  --to-destination 172.16.53.101:1024
    iptables -t nat -D PREROUTING -i tun0 -p tcp --dport 80 -j DNAT  --to-destination 172.16.53.101:80
  6. Check again that the NAT table is correct

    root@Router:~$iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 7 packets, 1286 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   120 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
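
The add and remove commands from steps 2 and 5, generated from a single camera IP so the two sets always match, plus a check for the listings in steps 3 and 6. This is an added example, not part of the original article; the function names are hypothetical. Unlike step 5, it also emits deletions for the FORWARD rules added in step 2, and it leaves the MASQUERADE rule as the article leaves it.

```sh
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.
# Protocol:port pairs taken from the article's step 2.
CAMERA_PORTS="tcp:554 tcp:1024 udp:1024 tcp:80"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule commands for ACTION (A = add, D = delete) and a camera IP.
# Nothing is executed: review the output, then run it on the router.
camera_rules() {
    action=$1 cam=$2 vpn_if=${3:-tun0}
    case "$action" in
        A|D) ;;
        *) echo "action must be A or D" >&2; return 2 ;;
    esac
    case "$vpn_if" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; return 2 ;;
    esac
    valid_ipv4 "$cam" || { echo "invalid camera IP: $cam" >&2; return 2; }
    for pair in $CAMERA_PORTS; do
        proto=${pair%%:*} port=${pair##*:}
        echo "iptables -t nat -$action PREROUTING -i $vpn_if -p $proto --dport $port -j DNAT --to-destination $cam:$port"
        echo "iptables -$action FORWARD -p $proto -d $cam --dport $port -j ACCEPT"
    done
}

# Read `iptables -t nat -L -n -v` output on stdin and print how many DNAT
# rules still reference the VPN interface (0 is expected after step 5).
count_vpn_dnat() {
    awk -v ifc="${1:-tun0}" '$3 == "DNAT" && $6 == ifc { n++ } END { print n + 0 }'
}
```

For example, `camera_rules D 172.16.53.101` prints the eight delete commands, and `iptables -t nat -L -n -v | count_vpn_dnat` should print 0 once they have been run.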
    
    

Motion detection CANNOT be used with the method described in this document. Motion detection can only be configured using the ActiveX control of the camera, which does not work behind a NAT.

