Connect my NVR device to noip endpoint

[dev4openid]

Hi all,
Warning! Non-expert here!

BTW I am using 24.7_1

I think I have configured the Noip end correctly.  It reflects my WAN ISP DHCP address so I like to believe it is right. 
Not sure how to test it?
Also, I am experimenting, so I am using a free account.   If this works, I will get a paid for account.

The way I see it, is that the DNS endpoint provided by Noip could be accessed by http//:XXXX.ddns.net. I do not have a cert yet, so it would be HTTP://   [Note: I would be using a proper domain reg. and add to noip, as per the service provided]

To get to the device (NVR) I need to define the mapping from the the the firewall to the device - thus a connection is made between the device and the firewall, and then it should be automatic to connect to the endpoint. 
The result being that I will be able to, via a browser, connect to the device and log in.

Assuming the device is on 192.168.40.1 (and OPNSense is 192.168.1.1) I am looking for advice as to where to provide the routing.   I am going to assume a firewall rule?

In the LAN pool?
Bidirectional I figure, as the device needs to validate itself ti the DDNS and secondly, allow for when I attempt to connect via http//:XXXX.ddns.net

Any guidance appreciated.

I found https://www.youtube.com/watch?v=i546YF91dHk to be somewhat useful but incomplete for 24.7_1

I found this guide (https://www.cctvcameraworld.com/port-forwarding-for-dvr-and-nvr/) and have enabled ports 80, 554, 37777 and 37778 but it still does not come through.
I have asked NVR manufacturer support for port recommendations to confirm these.

[dseven]

There are a few different approaches here:

1) Use port-forwarding to expose your NVR to the internet - probably not recommended, since the NVR security may not be "internet grade"

2) Use a reverse-proxy, such as Caddy - provides somewhat better security, and authentication options

3) Setup a VPN server on OPNsense, probably WireGuard, which you can connect to with your own clients when away from home, and access anything on your LAN

Assuming NVR access is just for your own use, and you're not trying to make it available to the public, I'd lean towards option (3)

[dev4openid]

@dseven Thanks for the input.

Option 3 looks good.  My only concern is that I am not sure that the clients that are to connect will support wireguard.

Do you have any experience in that regard?

[dseven]

I only have experience with my Android phone as a client - it's been working very well for me. I believe all of the major platforms are supported ... https://www.wireguard.com/install/

[dev4openid]

@dseven
Thanks for the reply.
I have been following this guide: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
and I can connect via wireguard to my server BUT through my local network.
When I attempt the connection via the internet side via my mobile -  Nope!     (I scanned the 3-d code to ensure my config is right)

I suspect there is a "bridging requirement" to connect the wireguard from the LAN side to the Internet.
Any advice/pointers - anybody?

[dseven]

If you follow that guide, it will allow VPN clients to access the internet via your OPNsense firewall, but will not allow them to access internal services on your LAN (such as your NVR) unless you add explicit rules to allow it - did you do that?

Quote:

"With these two rules, you will have access to your home’s Internet while connected remotely but no other access to your internal network(s). If you simply want a secure VPN for public WiFi hotspots, you do not need to add more rules.

If you wish to allow further access to devices/apps/services on your internal network(s), you will need to add rules above the second rule just as you would with any other network interface you have configured."

[dev4openid]

@dseven I have followed the guide explicitly.

The VPN tunnel connects from the internet.  I have connected via my iPhone and the VPN states connected.

As stated: Add the Outbound NAT Rule (Required if Not Creating WireGuard Interface) - I have the Wireguard Interface defined, thus ignored this section of doc.

The section you referred to re: With these two rules, you will have access to your home’s Internet while connected remotely but no other access to your internal network(s). If you simply want a secure VPN for public WiFi hotspots, you do not need to add more rules.
I have implemented these exactly as per the doc, BUT my browser does not pick up the internet and times out.

Any ideas here?