Features List
OpenNVR is built on an offline-first open security architecture designed to eliminate systemic IP camera vulnerabilities. In a landscape where surveillance networks are prime targets for critical infrastructure breaches, traditional NVRs suffer from inherent weaknesses: plaintext RTSP streaming, opaque supply chains, weak default credentials, and enforced vendor-controlled cloud storage.
As detailed in our published architectural research, OpenNVR completely addresses these systemic risks by returning Data and AI Sovereignty back to the customer. We eliminate unnecessary internet exposure through structural safeguards without sacrificing modern, cloud-like functionality.
Beyond security, OpenNVR’s AI sits on a stateless, adapter-based architecture. Each model is wrapped in a lightweight adapter that converts camera frames into a standardized inference format, so any model — local, custom, or cloud — integrates without ever touching the core NVR. Seven adapters ship in v0.1 (YOLOv8, ByteTrack, InsightFace, fast-plate-ocr, BLIP, Whisper, Piper) as reference implementations of the open AI Adapter Contract. Everything runs locally by default; cloud ecosystems like Hugging Face are an explicit, audited opt-in. The result turns standard IP cameras into AI endpoints whose intelligence you can deploy, hot-swap, or scale without hardware changes or system redesign.
Below is a breakdown of the OpenNVR capability matrix and why the architecture makes a resilient surveillance foundation.
1. Zero-Trust Security & Infrastructure
Our foundational security paradigm shifts the NVR from a passive recorder into a hardened, network-isolated security appliance.
- Dual-NIC isolated camera LAN: The NVR host physically isolates your IP cameras on a dedicated secondary Network Interface Card (NIC). Cameras NEVER touch the broader internet, neutralizing inbound botnet campaigns entirely.
- Kernel Routing Control: OpenNVR heavily manipulates iptables and kernel packet routing to drop unauthorized lateral movement attempts, so the NVR acts as a hardened gateway.
- Customer Keys Management (BYOK): Total User-Controlled Encryption. OpenNVR actively encrypts all recording fragments, database metadata, and AI detections at rest using your managed cryptographic keys. A compromised hard drive yields useless data.
- OTA Linux & Automated OS Upgrades: The NVR features rigorous Over-The-Air (OTA) delivery for the underlying Linux OS. It automatically checks against security databases for the latest OS-level CVE patches and applies them seamlessly without requiring command-line intervention.
- Hardware Token MFA & Account Lockouts: Mandate TOTP (Time-Based One-Time Password) multi-factor authentication for all dashboard logins. Includes active account lockout responses (180-second lockout on repeated failed attempts) to dynamically prevent brute-force attacks and credential stuffing.
- Suricata IDS Streams: Directly pipes and charts network intrusion warnings (Suricata fast-logs) within the NVR UI to intercept active port scanning or unauthorized IoT bridging attempts.
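
As an added illustration of the Suricata fast-log bullet above (example code, not OpenNVR's own), this Python snippet parses fast.log alert lines and groups them by source address, which is the shape of data a dashboard would chart, and flags a source that alerts on several distinct destination ports. The sample lines, the local SIDs and the sweep_ports threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Suricata fast.log layout: timestamp, [gid:sid:rev], message, classification,
# priority, {protocol}, then "src:port -> dst:port".
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def split_endpoint(ep):
    # Split on the LAST colon: IPv6 addresses contain colons of their own.
    addr, sep, port = ep.rpartition(":")
    return (addr, int(port)) if sep and port.isdigit() else (ep, None)

def parse_fast_line(line):
    m = FAST_RE.match(line.strip())
    if not m:
        return None  # truncated or non-alert line: skip instead of crashing
    src_ip, _ = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {"ts": m["ts"], "sid": int(m["sid"]), "msg": m["msg"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}

def summarize(lines, sweep_ports=3):
    """Count alerts per source; flag sources hitting >= sweep_ports targets."""
    counts, targets = defaultdict(int), defaultdict(set)
    for line in lines:
        alert = parse_fast_line(line)
        if alert is None:
            continue
        counts[alert["src_ip"]] += 1
        targets[alert["src_ip"]].add((alert["dst_ip"], alert["dst_port"]))
    sweepers = sorted(ip for ip, t in targets.items() if len(t) >= sweep_ports)
    return dict(counts), sweepers

# Constructed sample alerts (local SIDs, RFC 1918 addresses), not real captures.
_C = "[**] [Classification: Attempted Information Leak] [Priority: 2]"
SAMPLE = [
    f"06/14/2024-10:15:32.120001  [**] [1:1000001:1] LOCAL camera LAN probe {_C} {{TCP}} 10.20.0.14:40112 -> 10.20.0.1:22",
    f"06/14/2024-10:15:32.180442  [**] [1:1000001:1] LOCAL camera LAN probe {_C} {{TCP}} 10.20.0.14:40113 -> 10.20.0.1:23",
    f"06/14/2024-10:15:32.240913  [**] [1:1000001:1] LOCAL camera LAN probe {_C} {{TCP}} 10.20.0.14:40114 -> 10.20.0.1:554",
    f"06/14/2024-10:16:02.000100  [**] [1:1000002:1] LOCAL camera to non-NVR host {_C} {{UDP}} 10.20.0.15:5353 -> 10.20.0.99:5353",
    "06/14/2024-10:16:05.5  [**] [1:1000002:1] truncated li",
]
```
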
2. AI Sovereignty & Anti-Vendor Lock-In
Most modern NVRs force you into a closed ecosystem, requiring you to buy their proprietary analytics licenses or their specific hardware. OpenNVR destroys vendor lock-in completely.
- Bring Your Own Model (BYOM): Seamlessly hot-swap inference plugins. Plug in custom PyTorch, TensorFlow, or Darknet models and route video frames to them dynamically.
- Open Adapter Contract: Any model behind a REST or WebSocket endpoint becomes a first-class detector (about thirty lines of Python with the Apache-2.0 SDK). Cloud providers like Hugging Face are supported as an explicit opt-in; under the default local_only sovereignty policy, any adapter declaring network egress is refused registration.
- Audio & LLM Pipelines: Go beyond vision. Deploy specialized adapter pipelines for Audio Transcription (Whisper), Speech Synthesis (Piper), and fully-featured conversational AI (Ollama LLM) natively on the edge.
- Hybrid Cloud & Edge Execution: Keep critical inferencing entirely local on edge GPUs (like kai-c) for privacy, or pipe heavy tensor models selectively to external Cloud APIs.
- Scene Description & VLMs: Built-in support for advanced Visual Language Models capable of reasoning about events and generating rich natural language descriptions of complex scene contexts.
- Facial Recognition Suite: Deep integration for InsightFace architectures, featuring endpoint administration for watchlists, employee registries, and automated door access triggering.
- Smart Dynamic Webhooks: The moment an AI pipeline triggers an incident threshold (e.g. Person Counting > 5, or Unrecognized Face), push robust JSON traces securely over MQTT and HTTP Webhooks to downstream IoT devices.
- Real-Time AI Event Bus: Subscribe to a high-speed WebSocket and Server-Sent Events (SSE) bus for zero-latency UI updates, telemetry overlays, and synchronous inference tracking across your entire camera fleet.
3. Advanced Governance & Compliance
Enterprise management requires rigorous accountability and precision tooling.
- Granular User Management & Access Rights: Highly specialized Role-Based Access Control (RBAC) matrix. Issue precise access rights, restricting support staff to specific live cameras while reserving AI model management solely for core administrators.
- Permanent Audit Logs: A sophisticated internal API strictly logs every configuration modification, camera deletion, and authentication retry to immutable tables. Easily exportable for compliance and security auditing.
- System Analytics & Error Logs: Investigate raw backend FastAPI logs or React stack-traces transparently in real-time right from the dashboard GUI.
- Bare-Metal Network Monitoring: The system probes live eth0/wlan0 networking capabilities, presenting pure throughput and TCP bandwidth directly to the administrator.
4. Intelligent Video Management (NVR Core)
Beneath the security and AI layers sits a stripped-down, highly performant WebRTC and RTSP streaming backend to ensure millisecond latency across global camera fleets.
- Ultra-Low Latency Live View: Sub-second local viewing leveraging WebRTC connections.
- Synchronous Timeline Playback: High-performance historical playback capable of scrubbing through thousands of hours of retention across multiple camera lenses simultaneously.
- Zero-Config ONVIF Discovery: Instantly auto-scan local subnets to discover, configure, and bind standard IP cameras dynamically to the engine.
- MediaMTX Administration Hooks: Deeply integrated API hooks into MediaMTX to dynamically proxy, re-stream, and administrate the core RTSP engine layers without manual YAML configurations.
- Containerized Volume Management: Graphically manage massive multi-terabyte Linux data-stores scaling effortlessly across docker binds.
- PTZ Control Suite: Interface directly with hardware motors from the dashboard GUI to sweep cameras dynamically.