I have installed two Dahua IPC-C15 network cameras on the internal network and want to make them reachable over a VPN.
The local network is set up as follows:
- Default gateway: 192.168.1.1
- VPN-connected machine: 192.168.1.31
- IP cameras: 192.168.1.4{0,1}
- Dynamic range (other machines): 192.168.1.50-90
I keep the default gateway and the VPN-connected machine separate and want to avoid mixing them (the default gateway is an ordinary ADSL router, and the VPN client is a bit unstable hardware-wise).
I considered the following plan for exposing the cameras over the VPN:
- Assign unique ports to all services on the cameras
- Forward those specific ports on the VPN-connected machine
- Access the services over the VPN from a computer connected to the VPN
The diagram below should make it clear:
[cam-0]
(1080, 5664) \
              --> [vpn-client] --> (VPN)
[cam-1]       (forwards 1080, 1081)
(1081, 5665) /           ( 5664, 5665)
The cameras work fine on the changed ports, so I tried to make them reachable through port forwarding. I forwarded all the ports cam-0 needs (even somewhat more than necessary):
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1080 -j DNAT --to-destination 192.168.1.40:1080
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1554 -j DNAT --to-destination 192.168.1.40:1554
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 1554 -j DNAT --to-destination 192.168.1.40:1554
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 37777 -j DNAT --to-destination 192.168.1.40:37777
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 37777 -j DNAT --to-destination 192.168.1.40:37777
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 37778 -j DNAT --to-destination 192.168.1.40:37778
iptables -A FORWARD -p udp -d 192.168.1.40 --dport 37778 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.40 --dport 37777 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.40 --dport 1080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.40 --dport 1554 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
The end result is that HTTP access works fine, but RTSP playback does not. I did not dare try ONVIF discovery; it could get messy.
The RTSP error from ffplay is as follows:
$ ffplay -hide_banner 'rtsp://$USER:[email protected]:1554'
[rtsp @ 0x7fa124000b80] UDP timeout, retrying with TCP 0B f=0/0
[rtsp @ 0x7fa124000b80] method PAUSE failed: 455 Method Not Valid in This State
[rtsp @ 0x7fa124000b80] Could not find codec parameters for stream 0 (Video: h264, none): unspecified size
Consider increasing the value for the 'analyzeduration' and 'probesize' options
Input #0, rtsp, from 'rtsp://admin:[email protected]:1554':
Metadata:
title : Media Server
Duration: N/A, bitrate: N/A
Stream #0:0: Video: h264, none, 90k tbr, 90k tbn, 180k tbc
Stream #0:1: Audio: aac, 16000 Hz, mono, fltp
[rtsp @ 0x7fa124000b80] UDP timeout, retrying with TCP 0B f=0/0
[rtsp @ 0x7fa124000b80] method PAUSE failed: 455 Method Not Valid in This State
If I look at the iptables counters on the machine doing the forwarding, packets do seem to flow:
# iptables -L -vn
Chain INPUT (policy ACCEPT 9827 packets, 6479K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 196 packets, 17202 bytes)
pkts bytes target prot opt in out source destination
1620 183K ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.40 tcp dpt:1080 state NEW,RELATED,ESTABLISHED
107 21217 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.40 tcp dpt:1554 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.40 udp dpt:1554 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.40 udp dpt:37778 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.40 tcp dpt:37777 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 857 packets, 96412 bytes)
pkts bytes target prot opt in out source destination
# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 233 packets, 45610 bytes)
pkts bytes target prot opt in out source destination
128 7680 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080 to:192.168.1.40:1080
7 420 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1554 to:192.168.1.40:1554
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1554 to:192.168.1.40:1554
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:37777 to:192.168.1.40:37777
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37777 to:192.168.1.40:37777
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:37778 to:192.168.1.40:37778
Chain INPUT (policy ACCEPT 233 packets, 45610 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 246 packets, 23141 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
455 38579 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
I am out of ideas at the moment, so any suggestions on how to proceed would be much appreciated.
Answer 1
Apparently the forwarding rules work; I just needed to tell ffmpeg to use TCP: ffplay -rtsp_transport tcp.
Also, the Android app I am using (Onvifer) only needs the HTTP and RTSP ports forwarded, so I consider this done.
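To show why switching to TCP transport fixed playback, here is an added illustration (not code from the question or answer above): it parses the Transport header of an RTSP SETUP reply and reports which ports the media will actually travel on. The two replies are constructed samples; the RTSP port 1554 is the one used in the question.

```python
import re

# Constructed sample RTSP SETUP replies (not captured from the camera in the question).
SETUP_UDP = (
    "RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 1234567890;timeout=60\r\n"
    "Transport: RTP/AVP;unicast;client_port=50000-50001;"
    "server_port=8000-8001;ssrc=1A2B3C4D\r\n\r\n"
)
SETUP_TCP = (
    "RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 1234567890;timeout=60\r\n"
    "Transport: RTP/AVP/TCP;unicast;interleaved=0-1;ssrc=1A2B3C4D\r\n\r\n"
)


def parse_transport(reply: str) -> dict:
    """Split the Transport header of an RTSP reply into a parameter -> value dict."""
    m = re.search(r"^Transport:\s*(.+?)\r?$", reply, re.MULTILINE)
    if not m:
        raise ValueError("no Transport header in reply")
    params = {}
    for i, part in enumerate(m.group(1).split(";")):
        part = part.strip()
        if i == 0:
            params["spec"] = part  # transport spec, e.g. RTP/AVP or RTP/AVP/TCP
        elif "=" in part:
            key, value = part.split("=", 1)
            params[key] = value
        else:
            params[part] = True  # bare flags such as 'unicast'
    return params


def media_path(reply: str, rtsp_port: int) -> dict:
    """Describe where RTP/RTCP will flow for the negotiated session.

    Interleaved (RTP/AVP/TCP) sessions carry the media inside the same TCP
    connection as the RTSP control channel, so the single DNAT rule for the
    RTSP port is enough. With the UDP profile the camera sends RTP to the
    client's ephemeral client_port, which after MASQUERADE is the NAT box's
    own address; no DNAT rule for the RTSP port covers that flow.
    """
    t = parse_transport(reply)
    if t["spec"].upper().endswith("/TCP") and "interleaved" in t:
        return {"mode": "tcp-interleaved", "ports": [rtsp_port], "survives_dnat": True}
    if "client_port" not in t:
        raise ValueError("UDP transport without client_port")
    lo, hi = (int(p) for p in t["client_port"].split("-"))
    return {"mode": "udp", "ports": [rtsp_port, lo, hi], "survives_dnat": False}
```

Running media_path over the camera's real SETUP reply (for example captured with tcpdump on the forwarding box) tells you whether a session will work through the DNAT rules alone or needs an RTSP conntrack helper.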