Arlo|Smart Home Security|Wireless HD Security Cameras
Discussion stats
  • 59 Replies
  • 19664 Views
  • 14 Likes
  • 15 In Conversation
Mavrrick
Luminary
I am just looking for clarity on what is needed from a network perspective for local storage access across a VPN. This is suggested by the app to use instead of using port forwarding to enable external access for better security. I have an Unraid server with OpenVPN installed. I can connect to multiple internal network objects. Whenever I try to connect to the local storage, though, I tap on the hub select in the library and nothing happens.

Initially I thought it might be related to the IP of my device remotely. I updated my VPN config to have me on the same class C network as the hub and still nothing.
Retired_Member
Not applicable

Mavrrick, vnorred, were either of you successful in getting this working over VPN? I'm experiencing the exact same thing. VPN works just fine for connecting to anything on my local network (including opening connections to the open ports on the Arlo hub), but the local storage access isn't recognized in the Arlo app.

I even did a packet capture of all the traffic coming from my phone when on the local network, and I don't see anything special happening there. A bunch of connections to the Arlo servers and then the connections going to the hub. There's gotta be something in the app that's somehow skipping going to the hub when it's on VPN.

Extremely frustrating that there aren't more details available about this.

vnorred
Guide

Nothing new to report.  I can still access all my LAN devices via VPN but not the local storage on my VMB5000 smart hub.  I am reasonably knowledgeable in setting up VPNs.  I actually have 2 separate OpenVPN servers on my LAN for testing this and clients for each server on my Galaxy phone, but neither works for accessing my local storage.  You identified there is an initial handshake between your remote mobile device and the Arlo server before the connection to the local Arlo hub's local storage.  I am guessing, but the Arlo server must identify these packets as coming from a mobile device outside the LAN so the connection to local storage is not allowed.  Although I do not know enough about the packet structure to see how that could be the case.  Remember the Arlo rules:  Only a mobile device on the LAN is allowed access to local storage.  Desktops are not allowed access to local storage.  I suspect Arlo has never successfully implemented this and will not admit it.  I agree on the frustration level.

Retired_Member
Not applicable

Yeah. I'm fine with mobile device only. I just wish it worked!

My only other idea was to set up a tap VPN instead of tun, so that the VPN client could be on the same L2 subnet as the hub. But Android doesn't support tap-style VPNs, so I'm kind of out of options.

I just want a clear answer on all this, that's all I really want.

vnorred
Guide

Misterdorm - Mobile device is fine with me too. I am using "OpenVPN for Android" and not the official "OpenVPN Connect". But that should not make any difference.

I had thought of trying tap instead of tun but discovered it was not available for Android, as you pointed out. So that was a dead end. Just to make sure local storage was available remotely I did set up port forwarding and it worked flawlessly from multiple remote locations. But that method is just not acceptable to me due to the obvious security hole. Just so you are aware of what I have set up, I am running OpenVPN server on my Netgear R7000 gateway router and another OpenVPN server on a Raspberry Pi 4 (PiVPN). Both servers work fine as advertised except for when I want to remotely connect to my local storage. When I run the Arlo App on my Galaxy phone from a remote location, I can access the regular cloud storage but the "Cloud" "Smart Hub" notation at the top of the library does not appear. That is the same display as you would get with a desktop PC locally. So somehow the Arlo server does not recognize my phone coming through the VPN as a mobile device. Any info I can help you with I will provide but I think we are at a dead end. I doubt if anyone has this working and Arlo is ignoring the issue completely.

Mavrrick
Luminary
I am convinced it is in the mobile app. Try this and you will understand why. Open up the Arlo app and connect to the local storage from your internal wifi. Then simply swipe down and turn off your wifi and turn on the VPN through cellular. You should be able to still get your stuff from the base station.

This tells me there is something being validated when the Arlo app is started. Once you create that initial connection it will continue to work as long as you don't close the app.
Retired_Member
Not applicable

I have the same suspicion. But I've tried this and as soon as WiFi is turned off/VPN connected, the app page refreshes and the popup menu for "Cloud"/"[Local storage]" disappears. Maybe I'm just not doing it fast enough.

I agree, it's something in the app. Nothing network-wise is preventing this from working.

Mavrrick
Luminary
I should have validated again before I spoke. It appears they fixed that. It doesn't seem to work anymore for me either. It did initially when I was first testing this.
vnorred
Guide

I tried what Maverick described with the same results both of you just described. It does not work now.

Here is something for thought. When your mobile device sends packets into the LAN, the source address is not from the mobile device, since it no longer has a local IP address. But the source address is from the local device running the OpenVPN server, which is not a mobile device. I believe your mobile device comes through the tunnel as 10.8.0.2 (or similar) and the VPN server converts it to its own IP for delivery. So the display on the Arlo App changes to that of the non-mobile local device, like your desktop. The "cloud/smart hub" label at the top disappears.

vnorred
Guide

Sorry, I had some mistyping in that last post. Here is what I should have said at the end.

... VPN server converts it to its own local IP for delivery. So the display on the Arlo App changes to that of the non-mobile device, like your desktop. The "cloud/smart hub" label at the top disappears.

Retired_Member
Not applicable

Yeah, I see what you're saying. But the way I have my OpenVPN set up is without NAT, so the IP the phone has from the VPN is the IP that actually connects to the hub.

Retired_Member
Not applicable

Here's what I got back from Arlo support today. Might try a couple other things to trick the port forwarding, but by all accounts this is a dead end.

I understand that you are trying to set up Direct Storage Access. However, you've mentioned that you would rather not enable port forwarding. My apologies as you need to enable it for the Direct Storage Access to work in your end.

There's an advisory message once you have set it up.
Note: Enabling port forwarding can expose your overall network security to attacks and vulnerabilities and should be used with caution.

Here is the link for your reference: https://kb.arlo.com/000062337/What-is-Direct-Storage-Access-and-how-do-I-use-it

If you would like to send a suggestion, you can send it using this link: https://community.arlo.com/t5/Arlo-Idea-Exchange/idb-p/arlo-idea-exchange. This way the app developer will review your idea and might consider adding it to the future updates.

vnorred
Guide

Misterdorm - The link in their reply is rather dumb. They as much as admit that the VPN access will not work when they say "My apologies as you need to enable it (Port Forwarding) for the Direct Storage Access to work in your end." The linked document still says to use the VPN method for better security. Also the link to offer suggestions is really a dead end. What would you say? Would you suggest they make the VPN work as advertised?

Are you saying that your VPN client has a static IP associated with your VPN server? So the tunnel has a static IP at both ends?

Retired_Member
Not applicable

Well, yeah, for sure I would want to have it work. 🙂

It's not really a static IP on the VPN, it's just that the VPN clients use another IP range. Clients on the VPN get an IP in 192.168.99.x, and then they receive a route for 192.168.101.x (LAN) via the VPN.

vnorred
Guide

I see that our VPNs are working the same. Except that the version of OpenVPN server I am using assigns 10.8.0.X as the VPN tunnel, so the clients get assigned sequential network addresses in that range. Since I have only one client (my phone) on this VPN it gets 10.8.0.2 as the first client. My LAN uses 192.168.11.X.

I do not have a utility to check a packet for source address, but I believe that packets from my phone coming through the tunnel are shown as coming from the VPN server device's LAN IP address. If that is true, that will prevent the local storage device from allowing the packet in, as it would be recognized as a non-mobile device. When I get a little time I will install a VPN server on my tablet and see if local storage allows access from my phone. That may be a week or so out.
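
The question left open in the posts above (whether the hub sees the phone's tunnel address, as in the no-NAT setup, or the VPN server's own LAN address) can be settled from a capture taken on the VPN server's LAN interface. The following is an added example, not part of any post in this thread; the hub address, server address, port and capture lines are constructed placeholders, and only the 10.8.0.X and 192.168.11.X ranges come from the post.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing, loosely following the post; replace with your own values.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")           # VPN client pool
VPN_SERVER_LAN_IP = ipaddress.ip_address("192.168.11.5")   # hypothetical
HUB_IP = ipaddress.ip_address("192.168.11.20")             # hypothetical

# Constructed sample of `tcpdump -nn -i eth0 host 192.168.11.20` output,
# taken on the VPN server's LAN interface. Port 8443 is a placeholder.
SAMPLE = """\
12:00:01.100000 IP 192.168.11.5.40112 > 192.168.11.20.8443: Flags [S], seq 1, win 64240, length 0
12:00:01.100400 IP 192.168.11.20.8443 > 192.168.11.5.40112: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:01.101000 IP 192.168.11.5.40112 > 192.168.11.20.8443: Flags [.], ack 10, win 502, length 0
12:00:05.000000 IP 192.168.11.42.53311 > 192.168.11.20.8443: Flags [S], seq 5, win 64240, length 0
12:00:07.000000 ARP, Request who-has 192.168.11.20 tell 192.168.11.1, length 28
"""

# Matches "IP src[.port] > dst[.port]:" (ICMP lines carry no port).
LINE_RE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")

def classify_sources(capture_text, hub=HUB_IP, tunnel=TUNNEL_NET, server=VPN_SERVER_LAN_IP):
    """Count packets sent to the hub, grouped by what their source address implies."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6, or anything else this parser does not handle
        src, dst = (ipaddress.ip_address(g) for g in m.groups())
        if dst != hub:
            continue  # replies from the hub do not show which source it was offered
        if src in tunnel:
            counts["routed"] += 1        # hub sees the phone's tunnel address
        elif src == server:
            counts["masqueraded"] += 1   # hub sees the VPN server (or its own traffic)
        else:
            counts["other_lan"] += 1     # ordinary LAN clients
    return counts

def verdict(counts):
    """Summarise how VPN traffic reaches the hub."""
    routed, nat = counts["routed"], counts["masqueraded"]
    if routed and nat:
        return "mixed"
    return "routed" if routed else "nat" if nat else "no-vpn-traffic"
```

Run the capture while only the VPN client is talking to the hub, since traffic the VPN server itself sends to the hub is counted as masqueraded too.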

DevNull200
Aspirant
Hi All,
I've set up my 4540 with static DHCP reservation 192.168.3.148. Configured my Cisco AnyConnect to give clients IPs from LAN DHCP server so there is no additional subnet involved or NAT. Disabled WiFi on my Galaxy S8 and went via Verizon LTE. Phone got 192.168.3.118 after VPN was established. I confirmed that I can ping 192.168.3.148 from the phone using terminal emulator. Opened Arlo Application and of course I DON'T see local USN storage like everybody is reporting. Arlo Support, what is going on????
vnorred
Guide

DevNull200 - your setup is the same as most report.  I have a DHCP reservation for my VMB5000 hub like you do.  I am using a Galaxy S7 phone for the OpenVPN client.  I reported some time back, maybe in a different thread, that I can ping the hub and traceroute to the hub through my VPN from outside my LAN.  But the ARLO App in the Library display will not show the Cloud/Smart Hub option at the top of the library display.  I still believe that the packets coming through the VPN are not being recognized as coming from a mobile device on the LAN.

DevNull200
Aspirant
6+ months and it's still not fixed?

I would say it's time to return this crap back to Netgear. I got this junk from Costco 2 weeks ago, Costco will take it back no questions asked.
jazzphone
Tutor

Just to post my experience.

I have been using Direct Access Storage with WireGuard VPN for a bit now on both my VMB4540’s.

WireGuard is set up on an Ubuntu Server on ESXi. It is doing NAT and the Ubuntu Server isn’t even on the same subnet as my Arlo SmartHubs.

Both VMB4540’s work just fine with access to the Local storage over the VPN connection on LTE.


Mavrrick
Luminary

Jazzphone,

Is there any chance you can pass along some of the details of how you have yours set up? I haven't been able to get WireGuard to work on my Unraid Server with the Arlo local access.

By chance did you set up port forwarding as well for it? If I have WireGuard turned on and port forwarding turned on it does work, but then the Arlo Hub is still exposed to the internet. Please PM me if you can provide details about your setup. I would like to get this working so I could at least put something out there about how to set this up.


vnorred
Guide

Jazzphone and Maverick, I too am interested in your details. For the mobile device are you using a tablet or phone and what kind? Like Maverick reports, if I have port forwarding set up, even though I am connecting through the VPN, remote access seems to work. But as soon as the port forwarding is turned off it quits working. I am running OpenVPN server and not WireGuard but I cannot see how that should make any difference. I have the OpenVPN server running on Linux (Debian) on a Raspberry Pi 4 and it is very stable for accessing all my home LAN devices remotely except the Arlo Smart Hub. So Jazzphone and I are pretty close or at least have a similar setup, I think. More details for comparison will certainly help. I am glad to know someone actually has this working.

jazzphone
Tutor

I use my iPhone mainly, but I just tested the iPad with an iPhone acting as an LTE Hotspot and it works as well.

Port Forwarding is not enabled, just local storage recording and direct access.


vnorred
Guide

I may switch to WireGuard to see if that makes any difference, although I don't see why it would. I am tied up on a project this week but should have time to work on that this weekend. I will let you know what happens.

vnorred
Guide

Jazzphone and Maverick - Once again I hit a brick wall. I switched my VPN server from OpenVPN to WireGuard to try to match your setup and see if that made any difference. The connection provides the same service, although faster connection and perhaps a little better on throughput. I can ping my LAN devices and connect with them. Also can reach the internet through the VPN as verified through traceroute from my phone to various internet destinations. But when I bring up the Arlo App on my phone, all I get is the cloud library. The "cloud" option still does not show up at the top of the library display. I can ping and traceroute to my VMB5000 through the VPN. And in the Arlo App I can access the VMB5000 setup options with the Devices button. I would definitely like to know what is different about my setup and Jazzphone's successful setup. And I am wondering if Maverick got further toward success.

vnorred
Guide

And to match your setup as closely as possible, I tried one more thing. I borrowed my daughter's Galaxy S-9 and installed WireGuard Client on it and the Arlo app. Tried connecting to my LAN remotely and it worked flawlessly to other devices on my LAN as did my old Galaxy S-7. But using the Arlo App over the VPN the cloud button at the top of the Library display does not show up, so I still cannot connect to my smart hub. So no difference using the much newer Android Galaxy S-9.

rlpjsh
Star

Accessing local storage using OpenVPN with no port forwarding works on my iPad Arlo app but not on my Android Arlo app.

I will report this to Arlo Support.