
Using OpenVPN to allow P2P streaming

If you have ever tried to stream from one mobile to another over the mobile data connection, you've probably been frustrated to find that it's mostly not allowed. Whether your IP address is reachable from the public Internet depends on your ISP, and most mobile ISPs operate a NAT that multiplexes several network-internal IP addresses through a single address visible to the public Internet. The externally visible IP address may also change on the fly as you move from cell tower to cell tower. So, unless you are one of the few lucky users with a fixed mobile IP address, you won't be able to reach your CamON Live Streaming IP camera remotely.

Of course, your device can reach the Internet and thus push streaming is always allowed. It is possible to stream to YouTube, other RTMP servers, Google Drive and the supported cloud services.

OK, but what if I really want to use my phone as an IP camera and view it remotely from another phone? The easiest solution is to use a VPN. This way the two phones will be accessible as if they were on the same local network.

 

What is a VPN?

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a requirement of a VPN and this makes the connection safe.

CamON Live Streaming implements an HTTP server to make the embedded web page and other resources accessible. When used as an IP camera, it uses the RTSP protocol to stream audio/video content. Neither HTTP nor RTSP is encrypted, so even if it were possible to connect two phones directly over the mobile connection, it wouldn't be a good idea: anyone on the path would be able to easily spy on the stream content.

A VPN solves both connectivity and security issues.


Nice, but how can I set up a VPN?

Well, you have some options, like joining an existing VPN service or using Amazon Web Services (AWS).

Since we love technology and we like to save money, here we will explore a do-it-yourself solution based on OpenVPN, a free and open source VPN system.


The server

First of all, you need a server, that is, any PC that you can expose to the Internet. It may be a dedicated PC, your laptop or even some other device, like a NAS. In this post, for the sake of simplicity, we will see how to set up a Windows PC for the purpose.

If your server is behind a router, you will need to forward the OpenVPN port (UDP 1194 by default) to the server. To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP.

Your server will need to have a static internet IP or Domain Name to be accessible over the long term. One solution is to sign up for an account with DynDNS and install the DynDNS Updater on your server. When signing up you will determine the static Domain Name of your server, for example myserver.dyndns.org.

Make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194.

 

Download and install OpenVPN server

Download the installer from here and run it on the server computer (current version is 2.5.0).

During the setup, make sure to select the component named EasyRSA 3 Certificate Management Scripts.

 


Create server certificates and keys

The VPN's cryptography needs a set of certificates and keys that allow the clients and the server to identify each other safely and to encrypt the exchanged data. Here's all we need to do to set up everything properly.

  1. Open the command prompt as an Administrator, navigate to the OpenVPN directory, and run EasyRSA-Start to open the EasyRSA 3 shell:
    cd "C:\Program Files\OpenVPN\easy-rsa"
    EasyRSA-Start
  2. Initialize a new PKI environment:
    ./easyrsa init-pki
    
  3. Build a new certificate authority (CA):
    ./easyrsa build-ca nopass
  4. Generate the server certificate and key:
    ./easyrsa build-server-full server nopass
  5. Generate Diffie Hellman parameters (this is necessary to set up the encryption):
    ./easyrsa gen-dh
  6. Exit the EasyRSA 3 shell:
    exit
  7. Generate a shared-secret key (required when using tls-auth):
    "C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey secret "C:\Program Files\OpenVPN\easy-rsa\pki\ta.key"

Set up the server

Now that we have created all the files we need, let's create a working server configuration.

  1. Copy the sample server configuration file to the config folder:
    copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\config\server.ovpn"
  2. Edit server.ovpn:
    notepad "C:\Program Files\OpenVPN\config\server.ovpn"
  3. Find and uncomment the following lines:
    topology subnet
    client-config-dir ccd
    client-to-client
  4. Copy the certificates and the keys to the config folder:
    copy "C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt" "C:\Program Files\OpenVPN\config\ca.crt"
    copy "C:\Program Files\OpenVPN\easy-rsa\pki\ta.key" "C:\Program Files\OpenVPN\config\ta.key"
    copy "C:\Program Files\OpenVPN\easy-rsa\pki\dh.pem" "C:\Program Files\OpenVPN\config\dh2048.pem"
    copy "C:\Program Files\OpenVPN\easy-rsa\pki\issued\server.crt" "C:\Program Files\OpenVPN\config\server.crt"
    copy "C:\Program Files\OpenVPN\easy-rsa\pki\private\server.key" "C:\Program Files\OpenVPN\config\server.key" 
  5. Create the clients configuration directory:
    mkdir "C:\Program Files\OpenVPN\config\ccd"
  6. From Start, execute OpenVPN GUI as an Administrator.
  7. Double-click the OpenVPN GUI icon in the tray and the connection will start.
  8. If everything's fine, the icon will show green and your server will be up and ready.
  9. To control or troubleshoot the connection, just right-click the icon and you'll have access to commands and logs.

Downloading and Installing OpenVPN client for Android

It's time to set up our clients. Let's install the OpenVPN Connect client app on our phones.


Create client certificates and keys

Like the server, the clients need their own certificates and keys.

  1. Open the command prompt as an Administrator, navigate to the OpenVPN directory, and run EasyRSA-Start to open the EasyRSA 3 shell:
    cd "C:\Program Files\OpenVPN\easy-rsa"
    EasyRSA-Start
  2. Generate the client certificate and key for each client, use a different name for each:
    ./easyrsa build-client-full client1 nopass
    ./easyrsa build-client-full client2 nopass
  3. Exit the EasyRSA 3 shell:
    exit

Set up the clients

For each client, we need to create a configuration file.

  1. Starting from the sample client configuration file, create a copy for each client:
    copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\pki\private\client1.ovpn"
    copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\pki\private\client2.ovpn"
  2. Edit the clients' config files:
    notepad "C:\Program Files\OpenVPN\easy-rsa\pki\private\client1.ovpn"
    notepad "C:\Program Files\OpenVPN\easy-rsa\pki\private\client2.ovpn"
  3. Find the following lines:
    cert client.crt
    key client.key
  4. Edit them as follows, in client1.ovpn:
    cert client1.crt
    key client1.key
     and in client2.ovpn:
    cert client2.crt
    key client2.key
  5. Edit the following line, replacing my-server-1 with your server's public Internet IP Address or Domain Name (may be myserver.dyndns.org)
    remote my-server-1 1194
  6. Copy the needed files to each phone (since the keys have to be kept secret, it's best practice to transfer the files over USB and avoid sending them by email or similar means). For the first phone:
    "C:\Program Files\OpenVPN\easy-rsa\pki\private\client1.ovpn"
    "C:\Program Files\OpenVPN\easy-rsa\pki\issued\client1.crt"
    "C:\Program Files\OpenVPN\easy-rsa\pki\private\client1.key"
    "C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt"
    "C:\Program Files\OpenVPN\easy-rsa\pki\ta.key"
     For the second phone:
    "C:\Program Files\OpenVPN\easy-rsa\pki\private\client2.ovpn"
    "C:\Program Files\OpenVPN\easy-rsa\pki\issued\client2.crt"
    "C:\Program Files\OpenVPN\easy-rsa\pki\private\client2.key"
    "C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt"
    "C:\Program Files\OpenVPN\easy-rsa\pki\ta.key"
  7. Start OpenVPN Connect, choose Import Profile from file, then browse to the folder where you've copied the above files and select the config file, i.e. client1.ovpn or client2.ovpn.
  8. Select Connect after import, then ADD to create the profile; if everything's correct, you'll get connected to the server.
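
The steps above leave five separate files to move to each phone, two of them secret. As an added example (not part of the original post and not OpenVPN's own tooling), the Python function below goes one step beyond the procedure: it rewrites the `remote` line and folds the CA certificate, client certificate, client key and tls-auth key into a single profile using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks. The function name, the shortened template and the placeholder file contents are constructed for illustration.

```python
# Directives in the sample client.ovpn that point at separate files
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")

def build_inline_profile(template, remote_host, material, port=1194):
    """Render one self-contained profile; material maps directive -> file text."""
    missing = [n for n in FILE_DIRECTIVES if not material.get(n, "").strip()]
    if missing:
        raise ValueError(f"missing material for: {', '.join(missing)}")
    out = []
    for line in template.splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":
            out.append(line)          # keep blank lines and comments as they are
        elif words[0] in FILE_DIRECTIVES:
            continue                  # replaced by an inline block below
        elif words[0] == "remote":
            out.append(f"remote {remote_host} {port}")
        else:
            out.append(line)
    # An inline tls-auth block cannot carry the trailing "1" direction argument,
    # so the client direction is set with key-direction instead.
    out.append("key-direction 1")
    for name in FILE_DIRECTIVES:
        out += [f"<{name}>", material[name].strip(), f"</{name}>"]
    return "\n".join(out) + "\n"

# Constructed stand-ins for the sample client.ovpn and for the PEM/key files
TEMPLATE = """client
dev tun
proto udp
remote my-server-1 1194
;remote my-server-2 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
"""
MATERIAL = {"ca": "CA-CERT-PLACEHOLDER", "cert": "CLIENT1-CERT-PLACEHOLDER",
            "key": "CLIENT1-KEY-PLACEHOLDER", "tls-auth": "TA-KEY-PLACEHOLDER"}
PROFILE = build_inline_profile(TEMPLATE, "myserver.dyndns.org", MATERIAL)
```

The resulting profile contains the client's private key, so it needs the same handling as client1.key: transfer it over USB and delete the copy once it has been imported.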

Assign each client a fixed IP

It is possible to tell the server which address you'd like to assign to the clients by creating a simple file in the clients configuration directory.

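  1. Create one file per client, named exactly after the client names used for the certificates (client1 and client2), with no extension such as .txt:
    notepad "C:\Program Files\OpenVPN\config\ccd\client1."
    notepad "C:\Program Files\OpenVPN\config\ccd\client2."
  2. Add a line to each file indicating the IP address you want that client to use, for example the first line below in client1 and the second in client2:
    ifconfig-push 10.8.0.10 255.255.255.0
    ifconfig-push 10.8.0.20 255.255.255.0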
  3. Restart the server to use the new settings: right-click the icon and select Reconnect. The server will restart in a few seconds and the clients will reconnect automatically, obtaining the configured IP addresses.

Using fixed IP will make it easier for you to identify the clients over the network.
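
A fixed address only takes effect if server.ovpn and the ccd files agree with each other, and a mistake here usually shows up as a phone that connects but cannot be reached. The following Python check is an added example, not part of the original post: it confirms that the three directives from the server setup are really uncommented and that every `ifconfig-push` address is unique and usable in the VPN subnet. The function names and sample input are constructed, and it assumes server.ovpn contains a `server 10.8.0.0 255.255.255.0` line, consistent with the 10.8.0.1 server address used on this page.

```python
import ipaddress

# Directives the tutorial says to uncomment in server.ovpn
REQUIRED = ("topology subnet", "client-config-dir ccd", "client-to-client")

def active_lines(text):
    """Config lines that are neither blank nor commented out with # or ;"""
    stripped = (" ".join(raw.split()) for raw in text.splitlines())
    return [line for line in stripped if line and line[0] not in "#;"]

def check_vpn_config(server_conf, ccd_files):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    active = active_lines(server_conf)
    for directive in REQUIRED:
        if directive not in active:
            problems.append(f"server.ovpn: '{directive}' missing or commented out")
    # "server <network> <netmask>" defines the VPN subnet; the server takes .1
    server = next((l.split() for l in active if l.startswith("server ")), None)
    if server is None or len(server) < 3:
        return problems + ["server.ovpn: no 'server <network> <netmask>' line"]
    net = ipaddress.ip_network(f"{server[1]}/{server[2]}")
    reserved = {net.network_address, net.broadcast_address, net.network_address + 1}
    seen = {}
    for name, text in ccd_files.items():
        if name.lower().endswith(".txt"):
            problems.append(f"ccd/{name}: must be named exactly like the client")
        push = next((l.split() for l in active_lines(text)
                     if l.startswith("ifconfig-push ")), None)
        if push is None or len(push) != 3:
            problems.append(f"ccd/{name}: no 'ifconfig-push <ip> <netmask>' line")
            continue
        ip = ipaddress.ip_address(push[1])
        if ip not in net or ip in reserved:
            problems.append(f"ccd/{name}: {ip} is not a usable client address in {net}")
        if push[2] != str(net.netmask):
            problems.append(f"ccd/{name}: netmask {push[2]} differs from {net.netmask}")
        if ip in seen:
            problems.append(f"ccd/{name}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, name)
    return problems

# Constructed sample input with three deliberate mistakes
SERVER_CONF = ("server 10.8.0.0 255.255.255.0\ntopology subnet\n"
               "client-config-dir ccd\n;client-to-client\n")
CCD = {"client1": "ifconfig-push 10.8.0.10 255.255.255.0\n",
       "client2.txt": "ifconfig-push 10.8.0.10 255.255.255.0\n"}
```

Calling `check_vpn_config(SERVER_CONF, CCD)` on the constructed input reports the commented-out `client-to-client`, the `.txt` file name and the duplicated address.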


Enjoy your VPN

At this point we should have a server up and running with the IP 10.8.0.1, and two clients connected to it: the first with IP 10.8.0.10 and the second with IP 10.8.0.20.

 

Let's open CamON Live Streaming on the first phone. If the WiFi is off and the mobile data connection is used, the VPN address will show up on the main screen, otherwise it will be shown in the settings' Information page as the tun0 interface. It doesn't really matter whether the VPN was detected as the main interface or not, you can use it anyway.

Be sure to deselect the Local networks only option from Settings > Network or streaming will be disabled when using the mobile data connection.

 

 

Now let's open a browser on the second phone and enter the address http://10.8.0.10:8080

 

Of course the CamON Live Streaming IP camera will also be accessible from the server itself.

 

Well done, enjoy your new network!