Skip to content

Top Best Ask Show New Jobs

Ask HN: Self-hosted open source IP security cameras?

80 pointsDietaryNonsense4y ago43 comments

There are many options for IP security cameras and multi-camera setups. Ubiquiti, Foscam, Nest, Ring, and all of the things. But they all involve running untrusted internet connected devices on a local network. I want to improve my physical security with these devices without providing nodes to some future DDoS botnet or whatever else these poorly secured IoT devices will get repurposed for. I also don't want my system to be useless if the internet goes down or if BigCompany decides to change their terms or drop service for their APIs or whatever else.

Wondering if anyone has had success in setting up a self-hosted (maybe open source) camera system for their site? And if so, any advice? recommendations? sources for information that you found useful?

43 comments

40 comments · 20 top-level

dervjd4y ago· 8 in thread

Once you step up from consumer level (Nest/Ring/Wyze) cameras, you'll find that nearly every IP camera supports the standard RTSP/ONVIF format. They don't need any internet access to function. Standard practice is to secure them by using a dedicated VLAN (so they can't talk to anything else on your network) and default deny firewall rules (so they can't get to the Internet or other parts of your network). It's definitely not plug-and-play, but if you have experience setting up networks it's pretty straightforward. If you want remote access to the cameras while off your local network, you'll need to set up a VPN.

I have a bunch of Hikvision cameras (DS-2CD2342WD-I) that were about $120/each that I'm happy with. I don't have any security concerns about them phoning home or doing anything nefarious, because they're completely segregated on their own locked down network.

If you want to record, you'll need to set up an NVR. You can buy one (i.e. https://amzn.to/3HFNEWw) or run software on your own server. I use Milestone XProtect's free license at one site, and Synology's Surveillance Station at another. You could also look for cameras that have an SD card slot built in, and configure recording directly on the camera.

voakbasda4y ago

I have never accepted the “separate VLAN” approach as safe. You must assume those devices are actively hostile, so you must maintain perfect security and constant vigilance.

To borrow an idea I first heard uttered about male birth control: it makes less sense to put on a bulletproof vest than it does to take the bullets out of the gun.

Why allow hostile devices on your network at all? How does this not end up with you eventually shooting yourself in the foot?

bradknowles4y ago

The issue here is that HikVision is a Chinese company, and they have been widely known to supply equipment to the government to aid in the suppression of the Uighur people. Same with Dahua.

The next problem is that both these companies operate under a very wide array of brands, hundreds if not thousands of names, some of which you might recognize and may have thought that they were separate. Lorex is one such brand. Many more can be found at https://securitycamcenter.com/hikvision-oem-list/ and https://securitycamcenter.com/dahua-oem-list/ among others.

Next, you have the other companies like Wyze that take Dahua hardware and put their own firmware on it.

So, if you want to use hardware from a company that is not compromised like HikVision or Dahua, the options get much more limited. At that point, you might want to start looking at building your own on top of the Raspberry Pi plus their camera options.

Personally, I'm still looking for someone who has decided to commercialize cameras based on the Raspberry Pi, so that I can buy a whole stack of them at once and I don't have to build them all myself.

voakbasda4y ago

As an embedded engineer, I wonder if it would be possible for me to become a VAR for one of those Chinese companies, such that I could get enough of their hardware specs to do a full-featured clean room implementation of the firmware that then could be released as open source. I don’t want to make hardware, but I could build out a Yocto-based distribution. Or has someone already done this?

spacexsucks4y ago

Thank you for those links. I tried avoiding Danua and Hikvision. I went with Amcrest, only to find it on the Danua list. :(

Luckily i only spent $150 for 3 cameras

peterhadlaw4y ago

I've been trying for a long time to learn how to setup this "separate VLAN" stuff. Do you have a resource you could recommend? :)

bradknowles4y ago

It's a router/switch/firewall thing. You're building multiple virtual LANs and using them to separate the traffic.

You could implement VLANs in your core switch for the house, maybe using Mikrotik or other managed switches that are VLAN-capable. That might allow you to use a simpler router that doesn't need to understand how

You could implement VLANs in your router or gateway or firewall, depending on your hardware. In that case, you might be able to use simpler and less expensive unmanaged switches.

Exactly how those devices implement VLANs is going to differ somewhat. It might be easy to configure a switch for VLANs, where a given port or group of ports are on one VLAN, and a different port or group of ports might be on a different VLAN. Implemented at the router/gateway/firewall level, you might have to make those assignments based on MAC addresses, and/or internal IP addresses if you can tie that into your DHCP service.

VLANs can be complex to set up, depending on where and how they are configured. And they're not a panacea. But they can be very helpful, if implemented correctly.

A VLAN is a separate broadcast domain in ethernet networks. VLANs prevent communication between different VLANs unless you set it up for inter-vlan routing. Thats why they suggest putting these untrusted devices on a separate VLAN (isolation). Typically you assign a whole new group of ip adresses for each Vlan ID.

For example: camera network - vlan 10 - 10.0.10.0 255.255.255.0

wifi network - vlan 11 - 10.0.11.0 255.255.255.0

wired network - vlan 12 - 10.0.12.0 255.255.255.0

nonamechicken4y ago

pfsense supports VLANs. Lawrence Systems in YouTube covers pfsense a lot. This is one video where they talk about setting up VLAN in pfsense: https://www.youtube.com/watch?v=b2w1Ywt081o

On the wifi side, TPLink EAP245 access point allows you to configure multiple SSIDs, each with separate VLANs so that you can have one set of devices connect to one SSID, another group of devices to another SSID and so on. pfsense firewall rules can be configured to prevent the devices on separate VLANs from seeing each other. You can also block internet to access for one VLAN, and have the wireless IP cameras connect to it.

the-smug-one4y ago· 3 in thread

Axis cameras aren't open source, but they're just Linux running systemd and Axis (or other) software. You can ssh into them, write your own apps, etc. They're not particularly locked down. They support ONVIF and VAPIX, which are API:s that VMS's such as Milestone and Genetec target.

> poorly secured IoT devices will get repurposed for.

Don't let it have access to the outside net then?

dTal4y ago

>Axis cameras aren't open source, but they're just Linux running systemd

How is this not a GPL violation?

7steps2much4y ago

I think (but don't know if i am correct) that the original commenter was referring to the custom software running on top of Linux?

If they just run "stock" Linux then they can point their users towards that? Or maybe they just don't care until they get sued, also an option of course.

bradknowles4y ago

Axis cameras are the old-school corporate gold standard for doing a network video camera. Sadly, they're priced like it.

I can buy a half dozen to a dozen cheaper ONVIF-capable cameras from a well-known brand, for the same price I'd pay to get one Axis camera.

But then you run into the issue noted above, where virtually all Chinese cameras are made by a small number of companies, most of whom are implicated in the suppression of the Uighur people, and who frequently sell their core hardware to other companies to install their own firmware.

Sad, but true.

larsla4y ago· 2 in thread

I use Frigate (https://frigate.video/) on a rPI for recording and doing person detection for 3 Reolink cameras. Connecting that to HomeAssistant for dashboard and notifications. It works great! I boot the rPI (model 4 with 8gb RAM) from a USB-SSD to not worry about SD-cards. I connected a Coral USB device for the person detection since the rPI itself can only manage about 2 frames/s.

larsla4y ago

And here's the video that introduced me to Frigate: https://www.youtube.com/watch?v=pqDCEZSVeRk&t=1834s

I also forgot to mention that the Reolink cameras are not connected to any cloud and work locally.

Thanks for mentioning this. I had no idea it existed.

I have a bunch of hikvision cameras which are not capable of detecting people which is really all I care about. I don't care about birds or cats. :D

sterlinm4y ago· 2 in thread

There's a channel on YouTube called "The Hook Up" that has a lot of good videos about home automation. Here's his playlist of videos he's made on security cameras:

https://www.youtube.com/playlist?list=PL-51DG-VULPom8Ud6vdf5...

Most relevant to your question might be this video: Build The BEST Security Camera NVR: Free Locally Processed AI Computer Vision with Blue Iris.

https://www.youtube.com/watch?v=fwoonl5JKgo

bradknowles4y ago

Blue Iris is a Windows-only program. There are others available on other platforms, and they may or may not have support for running external machine learning systems for this kind of purpose.

On the Mac, check out SecuritySpy. On Linux and Unix, check out Shinobi.

DietaryNonsenseOP4y ago

Thanks!

lormayna4y ago· 2 in thread

I have several cheap chinese cameras (Sricam) in a separated VLAN without internet access in my home LAN. The camera are connected via ONVIF to a Raspberry running [motion](https://motion-project.github.io/).

better off using VPN from the camera to your camera server … within your home LAN, unless you can create the camera firmware.

Many seccam have IRC beaconing of which your gateway should be firewalling off.

My camera server is in a separate VLAN and the traffic from cameras pass through a FW to reach it. The cameras cannot reach internet or any other hosts inside my home network. According to the logs on the FW, my cameras are beaconing in China through DNS.

tedchs4y ago· 1 in thread

Check out the Pine Cube: https://www.pine64.org/cube/

voakbasda4y ago

Looks like they are out of stock, but this seems to have potential. Unfortunately, it uses components listed as end-of-life and support has not been fully mainlined.

mustava4y ago· 1 in thread

AgentDVR in docker is a great alternative to blueIris if you don't want to run Windows. You can plug any onvif camera into it easily enough. Works with home assistant too.

eternityforest4y ago

Agent is not FOSS though. Only iSpy is.

nwmcsween4y ago· 1 in thread

Reolink cameras using Shinobi as an NVR

I have problems with Reolink and RTSP compatibility. It kinda works but has frame skip issues with some software.

My goals were mostly the same, and I realized I needed RTSP/ONVIF cameras with poe links

Started using kerberos.io but got frustrated with their licensing. I had thought using their hooks would be enough for my use case.

In the end I wrote some code that uses opencv to monitor the stream, look for motion, then I isolate the motion and use yolov3 to classify what is in the motion area. The motion isolation ended up being required because I didn't want the car in my driveway to be classified on every video.

Then some simple rules to control how things get saved and if I get alerted. If I am alerted the video gets uploaded to an s3 bucket, and a presigned link gets sent over telegram. Of course, I keep a local copy for some time as well :)

My cameras are all on an isolated network. The server monitoring them has two nics so it's able to route to the cameras and externally. The server consumes a lot of CPU, but I hope to eventually get a minor gpu for it to offload some of the work

It's been a very fun and rewarding project, and I hope to keep iterating.

Not open source, but fairly open standard, I'm in love with Milestone XProtect Essential+[1] because I'm a Windows Server guy.

Free for 8 cameras, has extremely universal support for cameras (you can add in RTSP streams, Onvif, MJPEG/HTTP grab, etc) and some really good SDK support[2] - and a PowerShell module[3] to boot.

And, more importantly, a really good view on ethics[4]:

> We require employees, partners, and customers to comply with applicable laws and to respect human rights. We do not accept discrimination, human rights violations, violations of child labor laws. We have incorporated human rights language into our licensing terms, which were supplemented by the Copenhagen Clause in 2019.

[1] https://www.milestonesys.com/solutions/platform/video-manage... [2] https://www.milestonesys.com/community/developer-tools/mip-a... [3] https://www.milestonepstools.com/ [4] https://www.milestonesys.com/about-us/csr/

eternityforest4y ago

I tried pretty much all of them, now I'm working on my own NVR(https://eternityforest.com/doku/doku.php?id=tech:nvr).

For the cameras themselves, Amcrest is good enough for me, but the PineCube looks like it has potential.

zikduruqe4y ago

I am running Wyze v2 cameras with RTSP firmware on them, using Homebrige and Scrypted. People are also liking camera.ui too.

Homebridge - https://github.com/homebridge/homebridge

scrypted - https://github.com/koush/scrypted/wiki/Installation:-Docker-...

camera.ui - https://github.com/SeydX/camera.ui

maybebill4y ago

For open source and self-hosted, I've been pretty pleased with openmiko (https://github.com/openmiko/openmiko). I put this on a couple $20-ish wyze cams that are used adhoc right now, but will be combined with frigate and home assistant when I can get ahold of a Coral USB device.

mindslight4y ago

I had been planning to make security cameras with RPi, HQ Camera, and a 3d-printed case. But that was back when Pi 4's were $30, rather than unobtainable. I hadn't really figured out the software story, but my previous attempts with Pi Zero and basic camera left me wanting more horsepower.

epakai4y ago

I setup a WYZE/Dafang camera with dafang-hacks firmware. Then run a MQTT server to pass messages on motion activity. A basic script runs ffmpeg and records the RTSP stream on a separate server.

I was just tracking rodents temporarily though. Not that well suited for security applications.

You can used ZoneMinder with various PoE cameras and put the system on it's own network/segment.

squarefoot4y ago

Check the ESP32-CAM. Very cheap, although there's some diy involved.

https://dronebotworkshop.com/esp32-cam-intro/

It seems everyone is resigned to crunchy/gooey 90s style networks for these. I guess an alternative could be some sort of VPN dongle to put in front of each one.

boxingrock4y ago

Shinobi is another option to consider. Besides the typical web gui, it gives you a decent "REST" API, so I ended up building a little flutter app for android which runs on top of a wireguard tunnel back to the site.

The only thing not open source is the cameras and don't hold your breath waiting on something to come out at a decent price. There's only like 5 MFGs that make the actual hardware so most consumer products are rebranded, software locked and sold at a loss to hook you into the subscription. I know Pine64 had some dev kits but nothing you could buy in quantity.

your_username4y ago

Flussonic might be worth checking out.

j / k navigate · click thread line to collapse