How to Configure a VPN-Based Solution for Connecting Remote CCTV Cameras Over SIM-Based Internet to a Central NVR?

[haider.modi]

Hey everyone,

I’m working on a project to connect IP-based CCTV cameras installed at multiple remote locations to a centralized NVR over the internet. The tricky part is that these locations use SIM-based 4G/5G internet, and I need to ensure secure connectivity using a VPN. Here’s a quick rundown of what I’m trying to do:

At each remote site, I have IP cameras connected to a 4G/5G router. These routers need to act as VPN clients to securely connect to a central VPN server. At the central site, I’ve got an NVR that needs to communicate with all the remote cameras over the VPN. The NVR is connected to a high-speed internet line, and I plan to set up the VPN server on the router/firewall here. I want the connection to be reliable and secure, while also keeping bandwidth usage efficient since the remote locations depend on SIM-based internet. I might use a static IP or Dynamic DNS to make the VPN server accessible if needed.

I could use some advice on a few things:

• What’s the best VPN protocol for this setup? I’m considering options like IPSec, OpenVPN, or WireGuard, but I’m not sure which works best with SIM-based internet.
• Any recommendations for solid 4G/5G routers that are reliable and have good VPN client support?
• What’s the best way to configure the central VPN server to securely handle connections from multiple remote locations?
• Are there tips for optimizing bandwidth and ensuring redundancy with SIM-based internet?
• Would it be better to use a cloud-based VPN server instead of an on-premise one for scalability?

If anyone has experience with similar setups or can recommend hardware, step-by-step guidance, or tips to make this work smoothly, I’d really appreciate it. Thanks in advance!

 

[Spritebottle2809]

Hi, have you received any feedback on this? I have a similar application and basically need the same configuration. I currently have one remote site (Client) working to the NVR (Server) using OpenVPN and Grandstream routers. But I now don't know how to link the next remote site to the server.

 

[bigredfish]

I can’t speak to SIM based networks, but WireGuard is a buttload faster and lighter than OpenVPN

 

[bp2008]

Cellular networks have no impact on your choice of VPN. The biggest problem is typically the learning curve. The more networking knowledge and experience and patience you have, the easier it will be. For example, many users would struggle with even just setting up different LAN IP address ranges at every site, and if that describes you, then setting up site-to-site VPNs isn't going to be fun.

Money can also help to solve this. One option that should be considered is using Ubiquiti Unifi routers at all locations so you can use "Site Magic".

https://community.ui.com/questions/Introducing-Site-Magic/4861b026-5374-404b-9b1b-d2b142acae62

It supports more than 2 locations and tries to be super easy, basically plug and play. But I'm not sure about their cellular connection support so you might have to use a second router to handle the SIM card and cellular connection. They might also require you to maintain a paid cloud management subscription now. I'm just not sure about that. But I am fairly sure it would be your easiest option.

If you dont' want to be tied to Ubiquiti or if you already have some VPN-capable routers, there are still lots of options.

OpenVPN is not a great choice to start with anymore due to its relatively low efficiency (lower speed) and complex configuration. But if it is all that is available, it can do the job.

IPSec is faster but I've never used it.

Wireguard is the fastest of all common VPN protocols and was designed to have short and simple configuration. Of course how that translates to real world ease of setup depends on the creator of the router software.

I have set up 2 remote sites streaming cameras to a central NVR at a third site via Wireguard. I used a pfsense router at the NVR location, basically acting as the "server" for all the other wireguard clients to connect to (although Wireguard doesn't really have a concept of server versus client -- everything is just a "peer"). For the clients I used an asus router with ARM cpu running FreshTomato firmware at one client location, and a cheap little gl-inet router at the other client location. Pfsense was by far the hardest interface to figure out because it is so complex and powerful. I always struggle to figure out the proper NAT/firewall/etc configurations to make traffic flow properly. The gl-inet had the simplest setup because it doesn't expose many options (at least not in the default interface).

Using a third-party service like Tailscale can also make setup easier. Tailscale uses Wireguard internally so should have great performance. Subnet routers · Tailscale Docs You should be able to set that up on a raspberry pi or a cheap x86 mini PC for $100-$200 on amazon, and not even need to worry about what VPN protocols your internet router supports.

 

[elvisimprsntr]

+1 TailScale

Will traverse any level of NAT, Including CGNAT. You only need one instance (Windows, macOS, *nix, AppleTV, etc.) of TailScale running on your network and advertise sub-net routes to access any IP based device on your network remotely. Even a Neanderthal like me can set it up.

 

[Serodgers]

WireGuard is fast and easy. At my father law house I have a cheap mesh router setup Deco W6000. It has VPN server option built in forWireGuard.

WireGuard was easy to setup and at my house Blue Iris has three cameras from my father in laws house that record and alert. Setup windows Wireguard app on Blue Iris and it can see the three cameras (Tapo C110).

So I have my local IP cams (Dahua) and the three Cams in another state that all work seamless in Blue Iris.


Sent from my iPhone using Tapatalk