Monday, October 9, 2023

Self-hosted Wyze Cam v3 camera without internet access - Part 1

This is part 1 of the notes on how to self-host Wyze Cam v3, without internet access, as a RTSP camera. 

Here Part 1 will focus on preparing the network setup. Part 2 (TBC) will be on configuring the Wyze camera.

Background 

For testing purposes, I have a Home Assistant(HA) setup with several Zigbee devices running Zigbee2MQTT and Mosquitto.

To add NVR feature, I have since installed Frigate and added a Google TPU card for accelerating event detection. The IP cameras used are Wyze Cam v3 patched with custom firmware to output two RTSP streams (a lower resolution for preview and event detection, and a higher resolution for recording).

Here are some highlights of the original setup

  • The ISP dual-band router supports 5GHz network
  • The HA machine is setup in a separate room running openSUSE Tumbleweed. It is connected to an Access Point (AP) via LAN cable
  • The AP is an old dual-bank router flashed with DD-WRT custom firmware. It serves two purposes: the 5GHz network is configured as a wireless bridge to provide internet access to the HA machine and allow other devices on the home network to access HA, while the 2.4GHz network (with a different SSID) is configured as access point for IP cameras



The setup runs fine with one issue: the IP cameras have internet access. I don't like the idea that the IP cameras can "phone home" anytime. Ideally, after initial setup, I would like to remove the Internet access from those cameras.

Tried to setup virtual networks, bridges, and firewall rules etc on the AP. But none worked reliably.

So here is the new idea:
  • since I have several USB wifi adapters not in use, I could add one to the HA machine and configure it as an AP with a different SSID and subnet. It will be running in 2.4GHz to minimize interference with the 5GHz home network
  • with the HA being a Linux machine, I will have the flexibility on routing (or not routing) traffic around i.e. effectively blocking internet access for the cameras
  • I don't need to access the IP cameras remotely (i.e. when away from home), don't need to receive any notifications on my phone, and don't mind giving up using the Wyze app. If I really need to access the cameras remotely, I could VPN back to my home network first.



A few things needed to be configured on the HA Linux machine.

EDIT 2024-06-02 A few changes on the device setup:

  • the rtl8812au package from OpenSUSE isn't stable and keeping up to date with kernel updates. So ended up installing the driver from source as dkms
  • using NetworkManager to setup host access point seems to cause conflicts on many things. Ended up to unmanage the wifi adapter with nm (adding "unmanaged-devices=interface-name:wlp0s16f0u1;" in /etc/NetworkManager/conf.d/99-localhost.conf). Then force the ip on the device with ifconfig with a custom systemd service. Finally use hostapd for the access point setup

EDIT 2024-06-10 script for the custom systemd service, assuming the interface is wlan0:
[Unit]
Description=Assign IP address to wifi interface for AP
Requires=sys-subsystem-net-devices-wlan0.device
Before=hostapd.service dnsmasq.service
After=sys-subsystem-net-devices-wlan0.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ifconfig wlan0 up 192.168.20.1 netmask 255.255.255.0

[Install]
WantedBy=multi-user.target


USB wifi adapter

The wifi adapter I will be using has the Realtek 8812 chipset. The driver can be installed via `rtl8812au` package. However, installing it caused the Coral TPU dkms driver stopped working. Eventually, needed to install the newer version and recompile.

Next is to configure the wifi adapter as AP. Since the openSUSE machine is using NetworkManager, I used `nmcli` to configure it. The steps are similar to those mentioned here for Centos.

EDIT 2023-11-18. Some addition useful commands:
- disable WPA: sudo nmcli con modify "connection name" 802-11-wireless-security.proto rsn
- disable WPS: sudo nmcli con modify "connection name" 802-11-wireless-security.wps-method 1

EDIT 2023-11-25. To disable the excessive logging of the driver, change the log level to none

For the examples below, assume the new wifi interface is "wlan0" and has the IP address of 192.168.20.1/255.255.255.0. The two IP cameras will be assigned with address 192.168.20.91 and 192.168.20.92.


DHCP setup

Each IP camera will be assigned the same IP address via DHCP service provided by dnsmasq. Following these steps for a minimal setup.

local-service

conf-file=/etc/dnsmasq.d/trust-anchors.conf
dnssec

# only serve dhcp on the wifi interface
interface=wlan0

# some dynamic ip in case needed to connect for troubleshooting
dhcp-range=192.168.20.80,192.168.20.89,255.255.255.0,6h

# fixed ip for the ip cam
dhcp-host=d0:3f:27:xx:yy:zz,192.168.20.91
dhcp-host=d0:3f:27:aa:bb:cc,192.168.20.92

# announce the HA machine (192.168.20.1 here as an example) as DNS server and ntp server
dhcp-option=6,192.168.20.1
dhcp-option=option:ntp-server,192.168.20.1

conf-dir=/etc/dnsmasq.d/,*.conf


DNS setup

The dnsmasq will also be serving as DNS server for the cameras. To avoid them to keep querying the hard-coded NTP severs, create a conf file under /etc/dnsmasq.d directory to redirect them to local machine.

address=/time-a.inst.gov/192.168.20.1
address=/time-b.inst.gov/192.168.20.1
address=/time-a-g.inst.gov/192.168.20.1
address=/time-b-g.inst.gov/192.168.20.1
address=/clock.fmt.he.net/192.168.20.1
address=/ntp0.cornell.edu/192.168.20.1


NTPD time server

I like to configure the IP camera to overlay timestamp on the video. Unfortunately the Wyze camera firmware contains a binary that only query several hard-coded NTP servers. But the wz_mini_hacks firmware actually comes with a NTP process to update the time. More on how to set it up in part 2.

For now, make sure the HA machine has NTPD setup properly and ready. Run `sudo ntpq -c lpeer` to check


IP Masquerading

During the initial setup, the Wyze camera needs internet access. To allow the traffic routed to internet and back using NetworkManager and firewalld:

# assuming wlan0 is the device id of the wifi adapter configured with nmcli
sudo nmcli con up wlan0
# move the interface to trusted zone to allow all traffic
sudo firewall-cmd --zone=trusted --change-interface=wlan0
sudo firewall-cmd --zone=trusted --add-masquerade
# assuming eth0 is the LAN interface with internet access
sudo firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wlan0 -o eth0 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT


When we are done configuring IP cameras and making sure Frigate can access them, revoke the access and isolate the cameras from internet.

sudo firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wlan0 -o eth0 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo firewall-cmd --zone=trusted --remove-masquerade


For a proper setup, should probably also move the wifi adapter to another zone. But well...

That is it for the Linux machine setup. Next part of the notes will focus on setting up the Wyze camera for self-hosting.


No comments:

Post a Comment