Streaming Security Camera Video with VLC

From Alpine Linux

Goal

Setup a streaming video solution that small locations can use easily for broadcasting small events, security video or other uses. Because those locations may not have a static IP, route video traffic from your main static IP (on your openvpn server) over a tunnel to the remote location.

Overview

The remote location will require internet access. They will be provided with the following equipment:

  • Minibox style x86 computer
  • Monitor/Keyboard/Mouse
  • Axis P1344 camera w/ POE injector OR Axis Q-7401 capture box
  • network (2 blue cables are straight through, red is crossover) + power cables

Setup instructions

Axis camera

  • Power up camera.
  • Connect to web interface of the camera.
  • Set admin password (example root:test123).
  • Setup -> Video Stream -> Audio -> Check Enable Audio checkbox.
  • Setup -> Video Stream -> Image -> Resolution = 640x480.

Axis capture box

  • Power up box.
  • Connect to web interface of the camera.
  • Set admin password (example root:test123).
  • Setup -> Video Stream -> Audio -> Check Enable Audio checkbox.
  • Setup -> Video Stream -> Image -> Resolution = 720x480.
  • Enable anonymous video viewer.

Minibox

  • Setup USB key w/ Alpine Linux 2.4.5.
  • Enable apk cache.
  • Install the following packages:
alpine-base xscreensaver xf86-input-evdev openssh vlc rsync vim openvpn gawk bash vlc-xorg alsa-utils alsaconf alsa-lib vlc-daemon gstreamer gstreamer-tools gst-plugins-ugly gst-plugins-good gst-plugins-base chrony xf86-video-vesa linux-firmware pciutils usbutils iptables dnsmasq beep shorewall dnscache slim udev nmap tcpdump xf86-video-openchrome abiword busybox evince firefox gnumeric lxdm ristretto sudo xf86-input-keyboard xf86-input-mouse xfce4 xorg-server iftop
  • /etc/network/interfaces
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
	address 10.14.197.1
	netmask 255.255.255.224

auto lo
iface lo inet loopback
  • /etc/ssh/sshd_config - disable password auth
  • /root/.ssh/authorized_keys - install all needed keys
  • adduser jbilyk
  • /etc/chrony/chrony.conf
chrony/chrony.conf 
# default config

server time.nrc.ca 
initstepslew 10 time.nrc.ca
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift

cmdallow 127.0.0.1

allow all
  • rc-update add chronyd
  • /etc/conf.d/dnscache
# DNSCACHE configuration variables:

# IPSEND - ip address to use for requests use 0.0.0.0 for default route
IPSEND=0.0.0.0

# CACHESIZE - Num bytes to use for the cache
CACHESIZE=1000000

# IP - IP addr to listen on
IP=127.0.0.1

#------------------------------------------------------------------------
# The following are flags.  Setting them to ANY value
# (even "false" or "off") will turn the feature on.
#------------------------------------------------------------------------

# HIDETTL - always return TTL as 0
#HIDETTL=

# FORWARDONLY - servers/@ are parent caches, not root servers
#FORWARDONLY=

# UPDATEHINTS - refresh zone hints
UPDATEHINTS=1

  • rc-update add dnscache
  • /etc/dnsmasq.conf (replacing MAC and IP on dhcp-host line as required)
domain-needed
bogus-priv
no-resolv
no-poll
server=10.14.197.1
interface=eth1
except-interface=lo
bind-interfaces
expand-hosts
domain=example.com
dhcp-authoritative
cache-size=0 # dnscache does caching
no-negcache
log-dhcp
dhcp-range=10.14.197.10,10.14.197.20,255.255.255.224,12h
dhcp-option=option:ntp-server,10.14.197.1
dhcp-option=6,10.14.197.1,10.14.0.1
dhcp-option=option:domain-search,example.com
dhcp-host=00:40:8c:c4:7e:99,10.14.197.5,24h # Axis Camera
dhcp-option=option:ntp-server,10.14.197.1
dhcp-option=2,-18000
  • rc-update add dnsmasq
  • /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote public.ip.addr.ess 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.pem
cert cert.pem
key key.pem

comp-lzo
verb 3

script-security 2
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
  • Extract your openvpn cert parts into /etc/openvpn/
openssl pkcs12 -in %CERTPFX% -cacerts -nokeys -out ca.pem
openssl pkcs12 -in %CERTPFX% -nocerts -nodes -out key.pem
openssl pkcs12 -in %CERTPFX% -nokeys -clcerts -out cert.pem
  • rc-update add openvpn
  • /etc/resolv.conf.tail
nameserver 127.0.0.1
  • /etc/conf.d/vlc
# Sample vlc params suitable for running as a daemon

## --daemon			detach from prompt
## --file-logging		enable file logging
## --logfile			logfile name/path
## -vvv				verbose logging
## -I dummy			disable X11 interface
## --sout PARAMS		encoding parameters
##				Do NOT quote 'PARAMS' otherwise shell expansions will broke vlc

VLC_OPTS="-I dummy --daemon --file-logging --logfile /var/log/vlc/vlc.log --loop --rtsp-caching=200 rtsp://10.14.197.5:554/axis-media/media.amp?videocodec=h264 --sout #standard{access=http,mux=ts,dst=0.0.0.0:8080}"
  • rc-update add vlc
  • /etc/shorewall/params
A_IF=tun0
B_IF=eth1
E_IF=eth0
  • /etc/shorewall/interfaces
A	$A_IF		detect		dhcp
B	$B_IF		detect		dhcp
E	$E_IF		detect		dhcp
  • /etc/shorewall/policy
A	all	REJECT		info
B	A	ACCEPT
B	E	ACCEPT
all	all	REJECT		info
  • /etc/shorewall/rules
# FW management
ACCEPT		A		fw		tcp	22,80,443

# Manage the camera from the HQ if need be
ACCEPT		A		B		tcp	80

ACCEPT		fw		all		icmp	8
ACCEPT		fw		E		tcp	53,80
ACCEPT		fw		E		udp	53,1194
ACCEPT		fw		B
ACCEPT		B		fw		udp	53
ACCEPT		B		fw		tcp	53
ACCEPT		A		fw		tcp	8080
  • /etc/shorewall/zones
fw	firewall
A	ipv4
B	ipv4
E	ipv4
  • /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
...
IP_FORWARDING=On
  • rc-update add shorewall
  • rc-update add lxdm
  • home/jbilyk/.config/autostart/firefox.desktop
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=firefox
Comment=
Exec=nice -n 5 firefox
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=false
Hidden=false
  • Set FF homepage to 10.14.197.5 (replacing with ip address of Axis)
  • lbu commit
  • Plug in internet connection to eth0.
  • Plug in crossover cable to axis PoE injector and straight through to Axis.
  • Plug in line-out from mixer to axis.
  • Power up blackbox with monitor, keyboard, mouse connected.
  • Once desktop appears, power on axis.

OpenVPN router

  • /etc/shorewall/rules
DNAT		E		G_196:10.14.196.10	tcp	8080	-	public.ip.addr.ess
  • /etc/shorewall/masq
tun0			0.0.0.0/0	10.14.196.1	tcp	8080

End User Instructions

Please verify that all of the following components shipped properly:

  • Router
  • Monitor
  • Camera
  • Camera power injector
  • 2 x 50' blue network cables
  • 1 x 14' red network cable
  • 2 x 6' black power cables
  • 1 x AC power brick
  • 1 x monitor video cable
  • 1 x keyboard
  • 1 x mouse
  • Place router in desired location. It should be placed on a flat, stable surface.
  • Place monitor nearby to the router.
  • Use one 6' power cord, connect to the monitor and power the monitor on.
  • Connect the monitor video cable from the monitor "RGB" port to the corresponding port on the router.
  • Place camera power injector in desired location.
  • Connect red network cable from the "Data In" jack on the power injector to the router port labelled "Camera".
  • Connect Internet connection to the router port labelled "Internet" using a blue network cable.
  • Connect keyboard and mouse to USB ports on the rear of the router.
  • Plug the AC power brick into the router and then an available power outlet. The router will turn itself on automatically.
  • Wait for a 3 toned beep from the router and the desktop environment to appear. (Note: Mozilla Firefox will open with the error message "Well, this is embarassing". This is normal.).
  • Connect blue network cable from the camera to the "Data & Power Out" jack on the power injector.
  • Once the light on the top of the camera turns green, click "Start New Session" in Firefox. A video window should appear after a brief delay.
  • Adjust the focus and zoom of the camera manually using the dials on the front of the camera.
  • To test the stream on the remote location end, open VLC on a computer with Internet connectivity, then run File -> Open Network Stream and connect to http://public.ip.addr.ess:8080.