August 2010 Archives
August 27, 2010

How to safely access a remote IP camera

Open Source

Some time ago I bought a Panasonic BL-C230A Wireless Internet Security Camera so I can monitor my home when I'm not at home. I wanted to be able to get notifications via email when motion is detected at home, and be able to remotely connect to the camera to see what's going on.

Despite the average product rating on Amazon' site, I found the camera to be quite good for what it does, and at its price. It works pretty decent with Chrome or Firefox running on MacOS X or Linux, though you won't get any sound because of the lack of the G.726 audio encoder for the browsers.

The camera comes with a built-in motion detector and you can set it up to email you the images that detected the movement, or you can have it upload those images to an FTP site. It would be nicer if it was able to upload or email short movies with the detected motion, but it doesn't do that. The few open source software monitoring options I investigated did not seem to provide an easy way to do this.

The camera itself comes with instructions on how to setup your home router to allow remote access from the outside of your home network. I wouldn't trust Panasonic, or any other vendor for that matter, with the security of their web server implementation running on their device. Instead of exposing the camera's web server directly over the Internet I decided to use SSH tunneling to allow safe remote access to the camera's web server.

I use an Apple AirPort Extreme Base Station as my router and WiFi access point. There are few nice features of this router that I like:

  • it implements 802.11b/g/n
  • you can set it up to provide two different WiFi networks, one for the trusted computers you own, another one for guests. The computers on the guest network cannot access those on the trusted network. This is great if you have people coming by your house that want to connect to the Internet using your WiFi router.
  • the router has 4 Gigabit Ethernet ports which allow you to connect computers using real copper wires, for faster data transfer between them.
  • it has a pretty flexible interface, allowing you to customize your network the way you want. You can tell for example its built-in DHCP server to always provide a given IP address to a network device based on a MAC address.

The only downside is that it doesn't provide a way to automatically update a DynDNS account when its IP address changes. This however can be easily worked around using ddclient, a small open source program that you can run on a computer inside your home network. The program automatically updates your DynDNS account with the public IP address of your router.

Inside the firewall I have a small Asus Eee Box computer running Ubuntu Linux, which acts as a file server, keeping all my music files so I can access them from wherever I am. I setup this computer with the IP address of 192.168.1.2 and forward port 22 on the router to it. On the Linux box, I only allow SSH connections if the client presents a valid SSH key.

The Linux computer is on the same network with my Panasonic IP camera, which uses the 192.168.1.4 IP address. Since the camera is running a web server on port 80, I can open up a browser and point it to its IP address and I can see the camera's user interface.

Using the above I can now access my IP camera from outside my home. On my MacOS X or Linux laptop, I first setup an SSH tunnel, which simply forwards over a secure, encrypted connection my camera's web server port 80:

ssh -L 8080:192.168.1.4:80 -o 'ServerAliveInterval 60' -N -S none linuxcomputer.dyndns.org

To view my camera, I then open up a browser and go to http://localhost:8080. It works like a charm!

Posted by ovidiu at 11:42 PM | Comments (0) |
 
Ccol stuff
  Arduino TinyWebServer: part 3 and part 2
Search


More from me
Picture gallery
Admin
Copyright © 2002-2011 Ovidiu Predescu.