Ask HN: Self-hosted open source IP security cameras?

80 points by DietaryNonsense 4 years ago · 44 comments · 1 min read


There are many options for IP security cameras and multi-camera setups. Ubiquiti, Foscam, Nest, Ring, and all of the things. But they all involve running untrusted internet connected devices on a local network. I want to improve my physical security with these devices without providing nodes to some future DDoS botnet or whatever else these poorly secured IoT devices will get repurposed for. I also don't want my system to be useless if the internet goes down or if BigCompany decides to change their terms or drop service for their APIs or whatever else.

Wondering if anyone has had success in setting up a self-hosted (maybe open source) camera system for their site? And if so, any advice? recommendations? sources for information that you found useful?

dervjd 4 years ago

Once you step up from consumer level (Nest/Ring/Wyze) cameras, you'll find that nearly every IP camera supports the standard RTSP/ONVIF format. They don't need any internet access to function. Standard practice is to secure them by using a dedicated VLAN (so they can't talk to anything else on your network) and default deny firewall rules (so they can't get to the Internet or other parts of your network). It's definitely not plug-and-play, but if you have experience setting up networks it's pretty straightforward. If you want remote access to the cameras while off your local network, you'll need to set up a VPN.

I have a bunch of Hikvision cameras (DS-2CD2342WD-I) that were about $120/each that I'm happy with. I don't have any security concerns about them phoning home or doing anything nefarious, because they're completely segregated on their own locked down network.

If you want to record, you'll need to set up an NVR. You can buy one (i.e. https://amzn.to/3HFNEWw) or run software on your own server. I use Milestone XProtect's free license at one site, and Synology's Surveillance Station at another. You could also look for cameras that have an SD card slot built in, and configure recording directly on the camera.

  • voakbasda 4 years ago

    I have never accepted the “separate VLAN” approach as safe. You must assume those devices are actively hostile, so you must maintain perfect security and constant vigilance.

    To borrow an idea I first heard uttered about male birth control: it makes less sense to put on a bulletproof vest than it does to take the bullets out of the gun.

    Why allow hostile devices on your network at all? How does this not end up with you eventually shooting yourself in the foot?

  • bradknowles 4 years ago

    The issue here is that HikVision is a Chinese company, and they have been widely known to supply equipment to the government to aid in the suppression of the Uighur people. Same with Dahua.

    The next problem is that both these companies operate under a very wide array of brands, hundreds if not thousands of names, some of which you might recognize and may have thought that they were separate. Lorex is one such brand. Many more can be found at https://securitycamcenter.com/hikvision-oem-list/ and https://securitycamcenter.com/dahua-oem-list/ among others.

    Next, you have the other companies like Wyze that take Dahua hardware and put their own firmware on it.

    So, if you want to use hardware from a company that is not compromised like HikVision or Dahua, the options get much more limited. At that point, you might want to start looking at building your own on top of the Raspberry Pi plus their camera options.

    Personally, I'm still looking for someone who has decided to commercialize cameras based on the Raspberry Pi, so that I can buy a whole stack of them at once and I don't have to build them all myself.

    • voakbasda 4 years ago

      As an embedded engineer, I wonder if it would be possible for me to become a VAR for one of those Chinese companies, such that I could get enough of their hardware specs to do a full-featured clean room implementation of the firmware that then could be released as open source. I don’t want to make hardware, but I could build out a Yocto-based distribution. Or has someone already done this?

      • bradknowles 4 years ago

        I think that is basically what Wyze has done, only they haven't released their firmware.

        There are open source versions of firmware for Wyze/Dahua cameras, but I believe they include major components that are just black boxes from the OEM. I don't know how much of that you would be able to reverse engineer in a clean room.

    • spacexsucks 4 years ago

      Thank you for those links. I tried avoiding Dahua and Hikvision. I went with Amcrest, only to find it on the Dahua list. :(

      Luckily I only spent $150 for 3 cameras.

      • bradknowles 4 years ago

        Yeah, when I saw Amcrest on the list, I figured out that something like that might have happened.

        Sorry to be the bearer of bad news!

  • peterhadlaw 4 years ago

    I've been trying for a long time to learn how to set up this "separate VLAN" stuff. Do you have a resource you could recommend? :)

    • bradknowles 4 years ago

      It's a router/switch/firewall thing. You're building multiple virtual LANs and using them to separate the traffic.

      You could implement VLANs in your core switch for the house, maybe using Mikrotik or other managed switches that are VLAN-capable. That might allow you to use a simpler router that doesn't need to understand how

      You could implement VLANs in your router or gateway or firewall, depending on your hardware. In that case, you might be able to use simpler and less expensive unmanaged switches.

      Exactly how those devices implement VLANs is going to differ somewhat. It might be easy to configure a switch for VLANs, where a given port or group of ports are on one VLAN, and a different port or group of ports might be on a different VLAN. Implemented at the router/gateway/firewall level, you might have to make those assignments based on MAC addresses, and/or internal IP addresses if you can tie that into your DHCP service.

      VLANs can be complex to set up, depending on where and how they are configured. And they're not a panacea. But they can be very helpful, if implemented correctly.

    • wesapien 4 years ago

      A VLAN is a separate broadcast domain in Ethernet networks. VLANs prevent communication between different VLANs unless you set it up for inter-VLAN routing. That's why they suggest putting these untrusted devices on a separate VLAN (isolation). Typically you assign a whole new group of IP addresses for each VLAN ID.

      For example: camera network - vlan 10 - 10.0.10.0 255.255.255.0

      wifi network - vlan 11 - 10.0.11.0 255.255.255.0

      wired network - vlan 12 - 10.0.12.0 255.255.255.0

    • nonamechicken 4 years ago

      pfsense supports VLANs. Lawrence Systems in YouTube covers pfsense a lot. This is one video where they talk about setting up VLAN in pfsense: https://www.youtube.com/watch?v=b2w1Ywt081o

      On the wifi side, TPLink EAP245 access point allows you to configure multiple SSIDs, each with separate VLANs so that you can have one set of devices connect to one SSID, another group of devices to another SSID and so on. pfsense firewall rules can be configured to prevent the devices on separate VLANs from seeing each other. You can also block internet access for one VLAN, and have the wireless IP cameras connect to it.

larsla 4 years ago

I use Frigate (https://frigate.video/) on a rPI for recording and doing person detection for 3 Reolink cameras. Connecting that to HomeAssistant for dashboard and notifications. It works great! I boot the rPI (model 4 with 8gb RAM) from a USB-SSD to not worry about SD-cards. I connected a Coral USB device for the person detection since the rPI itself can only manage about 2 frames/s.

  • larsla 4 years ago

    And here's the video that introduced me to Frigate: https://www.youtube.com/watch?v=pqDCEZSVeRk&t=1834s

    I also forgot to mention that the Reolink cameras are not connected to any cloud and work locally.

  • wojciii 4 years ago

    Thanks for mentioning this. I had no idea it existed.

    I have a bunch of Hikvision cameras which are not capable of detecting people, which is really all I care about. I don't care about birds or cats. :D

arwineap 4 years ago

My goals were mostly the same, and I realized I needed RTSP/ONVIF cameras with PoE links.

Started using kerberos.io but got frustrated with their licensing. I had thought using their hooks would be enough for my use case.

In the end I wrote some code that uses opencv to monitor the stream, look for motion, then I isolate the motion and use yolov3 to classify what is in the motion area. The motion isolation ended up being required because I didn't want the car in my driveway to be classified on every video.

Then some simple rules to control how things get saved and if I get alerted. If I am alerted the video gets uploaded to an s3 bucket, and a presigned link gets sent over telegram. Of course, I keep a local copy for some time as well :)

My cameras are all on an isolated network. The server monitoring them has two nics so it's able to route to the cameras and externally. The server consumes a lot of CPU, but I hope to eventually get a minor gpu for it to offload some of the work

It's been a very fun and rewarding project, and I hope to keep iterating.

sterlinm 4 years ago

There's a channel on YouTube called "The Hook Up" that has a lot of good videos about home automation. Here's his playlist of videos he's made on security cameras:

https://www.youtube.com/playlist?list=PL-51DG-VULPom8Ud6vdf5...

Most relevant to your question might be this video: Build The BEST Security Camera NVR: Free Locally Processed AI Computer Vision with Blue Iris.

https://www.youtube.com/watch?v=fwoonl5JKgo

  • bradknowles 4 years ago

    Blue Iris is a Windows-only program. There are others available on other platforms, and they may or may not have support for running external machine learning systems for this kind of purpose.

    On the Mac, check out SecuritySpy. On Linux and Unix, check out Shinobi.

  • DietaryNonsense (OP) 4 years ago

    Thanks!

kotaKat 4 years ago

Not open source, but fairly open standard, I'm in love with Milestone XProtect Essential+[1] because I'm a Windows Server guy.

Free for 8 cameras, has extremely universal support for cameras (you can add in RTSP streams, Onvif, MJPEG/HTTP grab, etc) and some really good SDK support[2] - and a PowerShell module[3] to boot.

And, more importantly, a really good view on ethics[4]:

> We require employees, partners, and customers to comply with applicable laws and to respect human rights. We do not accept discrimination, human rights violations, violations of child labor laws. We have incorporated human rights language into our licensing terms, which were supplemented by the Copenhagen Clause in 2019.

[1] https://www.milestonesys.com/solutions/platform/video-manage...

[2] https://www.milestonesys.com/community/developer-tools/mip-a...

[3] https://www.milestonepstools.com/

[4] https://www.milestonesys.com/about-us/csr/

the-smug-one 4 years ago

Axis cameras aren't open source, but they're just Linux running systemd and Axis (or other) software. You can ssh into them, write your own apps, etc. They're not particularly locked down. They support ONVIF and VAPIX, which are APIs that VMSs such as Milestone and Genetec target.

> poorly secured IoT devices will get repurposed for.

Don't let it have access to the outside net then?

  • dTal 4 years ago

    >Axis cameras aren't open source, but they're just Linux running systemd

    How is this not a GPL violation?

    • 7steps2much 4 years ago

      I think (but don't know if I am correct) that the original commenter was referring to the custom software running on top of Linux?

      If they just run "stock" Linux then they can point their users towards that? Or maybe they just don't care until they get sued, also an option of course.

  • bradknowles 4 years ago

    Axis cameras are the old-school corporate gold standard for doing a network video camera. Sadly, they're priced like it.

    I can buy a half dozen to a dozen cheaper ONVIF-capable cameras from a well-known brand, for the same price I'd pay to get one Axis camera.

    But then you run into the issue noted above, where virtually all Chinese cameras are made by a small number of companies, most of whom are implicated in the suppression of the Uighur people, and who frequently sell their core hardware to other companies to install their own firmware.

    Sad, but true.

lormayna 4 years ago

I have several cheap Chinese cameras (Sricam) in a separate VLAN without internet access in my home LAN. The cameras are connected via ONVIF to a Raspberry running [motion](https://motion-project.github.io/).

  • egberts1 4 years ago

    Better off using a VPN from the camera to your camera server … within your home LAN, unless you can create the camera firmware.

    Many seccams have IRC beaconing, which your gateway should be firewalling off.

    • lormayna 4 years ago

      My camera server is in a separate VLAN and the traffic from cameras passes through a FW to reach it. The cameras cannot reach the internet or any other hosts inside my home network. According to the logs on the FW, my cameras are beaconing in China through DNS.
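An added example (not part of any comment in this thread) of the check described above: reading firewall logs to see what cameras on an isolated VLAN are trying to reach. The log lines are constructed samples in Linux netfilter LOG format; the 10.0.10.0/24 camera subnet follows the addressing example earlier in the thread, while the NVR address 10.0.12.5, the interface names and the log prefixes are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Camera VLAN as in the thread's addressing example (vlan 10 - 10.0.10.0/24).
CAMERA_NET = ipaddress.ip_network("10.0.10.0/24")
HOME_NET = ipaddress.ip_network("10.0.0.0/16")        # assumed: all home VLANs
ALLOWED_DSTS = {ipaddress.ip_address("10.0.12.5")}   # hypothetical NVR address

# Constructed sample lines in netfilter LOG format (not real captures).
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: CAM-DROP IN=vlan10 OUT=wan0 SRC=10.0.10.21 DST=203.0.113.53 LEN=71 PROTO=UDP SPT=40112 DPT=53
Jan 10 03:12:31 fw kernel: CAM-DROP IN=vlan10 OUT=wan0 SRC=10.0.10.21 DST=203.0.113.53 LEN=71 PROTO=UDP SPT=40113 DPT=53
Jan 10 03:13:02 fw kernel: CAM-DROP IN=vlan10 OUT=wan0 SRC=10.0.10.22 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51544 DPT=6667
Jan 10 03:13:05 fw kernel: FWD-OK IN=vlan10 OUT=vlan12 SRC=10.0.10.22 DST=10.0.12.5 LEN=1400 PROTO=TCP SPT=554 DPT=49210
Jan 10 03:13:09 fw kernel: CAM-DROP IN=vlan10 OUT=vlan11 SRC=10.0.10.21 DST=10.0.11.40 LEN=60 PROTO=TCP SPT=51600 DPT=445
Jan 10 03:14:00 fw kernel: LAN-OK IN=vlan12 OUT=wan0 SRC=10.0.12.30 DST=203.0.113.53 LEN=71 PROTO=UDP SPT=5353 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs of a LOG line


def camera_egress_attempts(log_text):
    """Count camera-sourced packets aimed outside the camera VLAN and the NVR."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except (KeyError, ValueError):
            continue  # not a packet log line, or a truncated one
        if src not in CAMERA_NET or dst in CAMERA_NET or dst in ALLOWED_DSTS:
            continue  # not a camera, or traffic the policy expects
        scope = "lan" if dst in HOME_NET else "internet"
        hits[(str(src), str(dst), f.get("PROTO", "?"), port, scope)] += 1
    return hits


def report(hits):
    """One line per distinct attempt, most frequent first."""
    return [f"{n}x {src} -> {dst} {proto}/{port} ({scope})"
            for (src, dst, proto, port, scope), n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(report(camera_egress_attempts(SAMPLE_LOG))))
```

Repeated attempts to the same destination are the beaconing pattern; any "lan" entry means a camera probed another VLAN and the inter-VLAN rules are what stopped it.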

eternityforest 4 years ago

I tried pretty much all of them, now I'm working on my own NVR (https://eternityforest.com/doku/doku.php?id=tech:nvr).

For the cameras themselves, Amcrest is good enough for me, but the PineCube looks like it has potential.

zikduruqe 4 years ago

I am running Wyze v2 cameras with RTSP firmware on them, using Homebridge and Scrypted. People are also liking camera.ui too.

Homebridge - https://github.com/homebridge/homebridge

scrypted - https://github.com/koush/scrypted/wiki/Installation:-Docker-...

camera.ui - https://github.com/SeydX/camera.ui

tedchs 4 years ago

Check out the Pine Cube: https://www.pine64.org/cube/

  • voakbasda 4 years ago

    Looks like they are out of stock, but this seems to have potential. Unfortunately, it uses components listed as end-of-life and support has not been fully mainlined.

maybebill 4 years ago

For open source and self-hosted, I've been pretty pleased with openmiko (https://github.com/openmiko/openmiko). I put this on a couple $20-ish wyze cams that are used ad hoc right now, but will be combined with frigate and home assistant when I can get ahold of a Coral USB device.

mindslight 4 years ago

I had been planning to make security cameras with RPi, HQ Camera, and a 3d-printed case. But that was back when Pi 4's were $30, rather than unobtainable. I hadn't really figured out the software story, but my previous attempts with Pi Zero and basic camera left me wanting more horsepower.

epakai 4 years ago

I set up a WYZE/Dafang camera with dafang-hacks firmware. Then run an MQTT server to pass messages on motion activity. A basic script runs ffmpeg and records the RTSP stream on a separate server.

I was just tracking rodents temporarily though. Not that well suited for security applications.

giantg2 4 years ago

You can use ZoneMinder with various PoE cameras and put the system on its own network/segment.

squarefoot 4 years ago

Check the ESP32-CAM. Very cheap, although there's some DIY involved.

https://dronebotworkshop.com/esp32-cam-intro/

mustava 4 years ago

AgentDVR in docker is a great alternative to Blue Iris if you don't want to run Windows. You can plug any ONVIF camera into it easily enough. Works with Home Assistant too.

fulafel 4 years ago

It seems everyone is resigned to crunchy/gooey 90s style networks for these. I guess an alternative could be some sort of VPN dongle to put in front of each one.

boxingrock 4 years ago

Shinobi is another option to consider. Besides the typical web gui, it gives you a decent "REST" API, so I ended up building a little flutter app for android which runs on top of a wireguard tunnel back to the site.

The only thing not open source is the cameras and don't hold your breath waiting on something to come out at a decent price. There's only like 5 MFGs that make the actual hardware so most consumer products are rebranded, software locked and sold at a loss to hook you into the subscription. I know Pine64 had some dev kits but nothing you could buy in quantity.

nwmcsween 4 years ago

Reolink cameras using Shinobi as an NVR

  • fpdavis 4 years ago

    I have problems with Reolink and RTSP compatibility. It kinda works but has frame skip issues with some software.

your_username 4 years ago

Flussonic might be worth checking out.
