Security Guide

Remote Camera Access via VPN

How to securely view your RTSP cameras from anywhere using WireGuard, Tailscale, or a router VPN — without exposing cameras to the internet.

RTSP is a local network protocol — cameras and viewer must be on the same network. To access cameras remotely (away from home or office), you need a VPN that creates a secure tunnel back to your local network. SmartRTSP then connects as if you were physically on-site.

Once your VPN is active on your iPhone, SmartRTSP works exactly as it does at home — the same RTSP URLs, the same ONVIF discovery, and the same camera list. The VPN handles all the routing transparently in the background.

Why Not Port Forwarding?

It may seem simpler to forward port 554 on your router to your camera's IP address, making the RTSP stream accessible over the internet. This is a serious security risk and should be avoided.

Port Forwarding — Risks
  • Camera IP exposed to entire internet
  • Cameras actively scanned by botnets
  • Vulnerable to brute-force credential attacks
  • RTSP has no built-in encryption
  • Default credentials = immediate compromise
VPN — Benefits
  • Cameras never exposed to public internet
  • All traffic encrypted in the tunnel
  • Strong authentication before any access
  • Works with SmartRTSP transparently
  • Free options available (Tailscale, WireGuard)

Option 1 — Tailscale

Easiest — Recommended for Beginners · Free for personal use

Tailscale creates a secure peer-to-peer mesh network between your devices without requiring any router configuration. You don't need to touch your router's settings or open any firewall ports.

  1. 1
    Install Tailscale on a home device. This can be a Mac, Windows PC, Raspberry Pi, or NAS (Synology/QNAP). This device must stay on and connected to your home network. Download from tailscale.com.
  2. 2
    Sign in to Tailscale on the home device using a Google, Microsoft, or GitHub account. This creates your personal Tailscale network (tailnet).
  3. 3
    Enable subnet routing on the home device so it can route traffic to your local camera network. Run:
    tailscale up --advertise-routes=192.168.1.0/24
    Replace 192.168.1.0/24 with your home network subnet.
  4. 4
    Approve the subnet route in the Tailscale admin console at tailscale.com/admin.
  5. 5
    Install Tailscale on your iPhone from the App Store. Sign in with the same account. When away from home, connect to Tailscale — then open SmartRTSP and your cameras work as normal.

Option 2 — WireGuard on Router

Best Performance · Requires compatible router

WireGuard is a modern, lightweight VPN protocol built into many routers. It offers the best performance for RTSP streaming with minimal overhead and excellent battery life on mobile. Supported by GL.iNet, pfSense, OPNsense, Asus Merlin, and more.

  1. 1
    Enable WireGuard server on your home router. On GL.iNet: VPN → WireGuard Server → Enable. On OPNsense: VPN → WireGuard → Server → Add.
  2. 2
    Create a client profile for your iPhone. The router will generate a WireGuard config file or QR code.
  3. 3
    Import the config into WireGuard for iOS — download the WireGuard app from the App Store, then scan the QR code or import the config file.
  4. 4
    When away from home, activate the WireGuard tunnel, then open SmartRTSP — all cameras are accessible as if you were on your home network.
Compatible Routers

GL.iNet (all models — easiest), Asus with Merlin firmware, pfSense, OPNsense, Synology RT series, Ubiquiti (EdgeOS/UniFi). Standard Asus/Netgear stock firmware typically does not support WireGuard — check your model.

Option 3 — OpenVPN on Router

Wider router support · Slightly higher overhead than WireGuard

OpenVPN is an older, well-established VPN protocol supported by a wider range of consumer routers. The setup process is similar to WireGuard: enable the OpenVPN server on your router, export a client config, and import it into the OpenVPN Connect app on your iPhone.

Routers with OpenVPN Server Support
Asus routers (stock firmware)
Netgear Nighthawk series
Synology NAS (VPN Server package)
GL.iNet routers
pfSense / OPNsense
DD-WRT / Tomato firmware

Router & Hardware Recommendations

GL.iNet Travel Routers — Easiest Option

GL.iNet routers (GL-MT3000, GL-AXT1800, etc.) have WireGuard and OpenVPN built into a simple web UI. No command line required. Under $100. Excellent choice if you want VPN without complexity.

Synology NAS with VPN Server Package

If you already have a Synology NAS, install the free VPN Server package from Package Center. Supports OpenVPN and L2TP/IPsec. Stays on 24/7 and doubles as an NVR with Surveillance Station.

pfSense / OPNsense — Advanced Users

Open-source firewall/router software that supports WireGuard and OpenVPN. Run it on a mini PC or Protectli appliance. Full control, enterprise features, free software. Requires more setup knowledge.

Testing Your Remote Setup

  1. 1
    Disconnect from your home Wi-Fi — switch to cellular data on your iPhone to simulate being away from home.
  2. 2
    Connect your VPN — open Tailscale, WireGuard, or OpenVPN Connect and activate the tunnel.
  3. 3
    Open SmartRTSP — your cameras should appear and stream normally, using the same RTSP URLs as on your local network.

Troubleshooting Remote Access

  • !
    VPN connected but camera not reachable. Check that subnet routing is enabled (Tailscale) or that the VPN's allowed IPs include your camera's subnet (WireGuard). The VPN must route traffic to your home LAN's subnet, not just the VPN gateway.
  • !
    Slow or choppy stream over mobile data. Switch to sub-stream URLs — they use far less bandwidth. For Hikvision: replace /101 with /102. For Reolink: use h264Preview_01_sub.
  • !
    VPN connection drops frequently. WireGuard has better keepalive behavior than OpenVPN and is less likely to drop on mobile networks. Consider switching from OpenVPN to WireGuard if you experience frequent disconnections.

Frequently Asked Questions

Is port forwarding safe for RTSP cameras?
No. Exposing port 554 directly to the internet is a serious security risk. Cameras with open RTSP ports are indexed by search engines like Shodan and actively targeted by botnets. RTSP also has no built-in encryption. Always use a VPN instead.
What's the easiest VPN for non-technical users?
Tailscale is the easiest option by far. It requires no router configuration — install it on any always-on home device and on your iPhone, and it handles the rest automatically. It's free for personal use and works without opening any router ports.
Can I use a commercial VPN like NordVPN to access my cameras?
No. Commercial privacy VPNs (NordVPN, ExpressVPN, Mullvad, etc.) route your traffic through their servers — they cannot provide access to your home network. You need a VPN that tunnels your iPhone's traffic back to your own home router. Use Tailscale, WireGuard, or OpenVPN for that purpose.
Does remote RTSP streaming use a lot of mobile data?
Main streams typically use 2–8 Mbps, which adds up quickly on mobile data. For remote access, always use sub-stream URLs which are typically 500 kbps–2 Mbps. For Hikvision: use /Streaming/Channels/102 instead of /101. For Reolink: use h264Preview_01_sub instead of h264Preview_01_main.