How-to: View your Home Security Cameras or NVR Remotely using a VPN

How to access security camera or NVR remotely from anywhere - VueVille
How do you access your security cameras remotely when you are away from home? In all likelihood, you are accessing each device using the manufacturer’s mobile app because they simply work without having to mess with port forwarding or VPNs. In other words you are relying on the manufacturer’s P2P servers, whether you realise it or not.

I think there are two main issues with this approach:

  1. Inconvenience
    If you have a Hikvision camera, an Amcrest camera and a Reolink camera, you may be using the Hikvision iVMS app to access the Hikvision camera, the Amcrest app to access the Amcrest camera and finally the Reolink app to access the Reolink camera, one by one. Not the most convenient way to access all your cameras is it?
  2. Security
    Although its straightforward and simple to use your camera manufacturer’s native app, you should understand what exactly is happening here. You are allowing the camera to make an outgoing connection from your network to the manufacturer’s servers. So essentially you are trusting the manufacturer’s security practices. If you are using their cloud service for data storage instead of using local storage, you are trusting your private data to a 3rd party.If you think this is without risks, just google the iCloud hack. If it can happen to Apple, it can happen to you.

So, what’s the alternative?

If you are a power user like me, why not do what I do and use a single app like tinyCAM Monitor Pro to view the live streams of all your cameras?

How to access your DIY security cameras remotely using a NAS VPN server - tinyCAM Monitor Pro - VueVille

tinyCAM Monitor Pro

And why not access your DIY NAS NVR and review all your camera’s recorded clips in one place, with simultaneous synchronised playback?

How we built our DIY Home Security System QVRClient-VueVille.com

QNAP NAS – QVRClient

And why not do all of this securely without relying on any 3rd party to protect your data?

As I alluded to earlier, there are 3 ways to access your home network remotely, but not all are secure:

  1. the manufacturer’s own app which uses the manufacturer’s servers, uPnP and P2P protocols to reach your camera,
  2. port forwarding each of your devices to your router,
  3. set up a VPN server on your home network – I recommend this method!

The first and second methods are not secure as you are either relying on the security of your device manufacturers or opening up multiple ports on your network to the Internet (port forwarding). The recommended way of remotely accessing your home network and security cameras is by creating a VPN connection from your remote device straight to your home network.

If you are wondering how your VPN server can be reached from the Internet, you have been paying attention! You cannot eliminate port forwarding totally. Your VPN server needs to listen for incoming connections and so you have to port forward your VPN server’s port to the router. But this is far safer than port forwarding every single camera and exposing these devices which often have poor security to the dangerous digital expanse we call the Internet.

Unless you have a static IP for your home broadband, you also have to deal with the fact that your home IP address will change occasionally and so you may not be able to reach your VPN server when you need to! Fear not, there is a way around it – Dynamic DNS services.

Setting up a VPN server on your NAS in 4 steps

Here’s a 4-step summary of how to set up the VPN method of remotely accessing your home network and your security cameras:

  1. Set up a device in your home network to act as a VPN server, eg. WiFi router, NAS, a PC or a Raspberry Pi
  2. Forward the OpenVPN port from your NAS to your broadband router
  3. Set up the same VPN server or any other device in your home network to periodically report your home IP address to a Dynamic DNS service, so that you can always reach your VPN server using an address like yournetworkname.noip.com
  4. Set up a VPN client on the device you will use to remotely access your home network, eg. your mobile phone, tablet or laptop

Now simply use the VPN client to connect to your VPN server and voila, you are in your home network, as if you never left home. You can then access your security camera or any device on your home network, without relying on third-party P2P services, without port forwarding each IP camera, without a static ip address, and with maximum security.

Let’s take these steps one by one and break them down. I will be using my QNAP TS-253A NAS for this how-to.

Some house-keeping

Make sure you disable all existing port forwarding rules and uPnP in your router settings. Then systematically disable P2P in each of your cameras (and NVR if you use one). This locks down the cameras and other devices so that they are isolated from the Internet and cannot ‘dial home’ without your knowledge.

If you still want to use the camera manufacturer’s app, you should not disable uPnP and P2P. But then don’t be surprised if your cameras and network get hacked!

Step 1 – Set up the QNAP NAS as a VPN server

  1. Login to your QNAP NAS using an admin account and search for vpn. Click on QVPN.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 001 - VueVille
  2. This will take you to the QVPN page in the QNAP App service. Click the Install button.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 002 - VueVilleHow to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 003 - VueVille
  3. Now go to the desktop and you will find a new QVPN Service shortcut. Click on it.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 004 - VueVille
  4. The QVPN app will open. You have three different VPN technologies to choose from at this point – PPTP, OpenVPN and L2TP/IPSec. Since PPTP and L2RP/IPSec are not the most secure protocols, turn on OpenVPN.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 005 - VueVille
  5. Choose OpenVPN from the menu on the left and tick the checkbox of the first three options as shown below. Click Apply.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 006 - VueVille
  6. Now click “Download Certificate” and save the resulting zip file to your hard drive.
  7. Choose Privilege Settings from the menu on the left, and enable OpenVPN for the accounts you would like to use to login to your home network.How to access your DIY security cameras remotely using a NAS VPN server - Step 1 - 007 - VueVille
  8. If you would like to have all VPN connections logged, turn this on in the Connection Logs section.

Step 2 – Port Forwarding from your NAS to your router

Follow your broadband router or gateway’s instructions to forward the 1194 UDP port from the NAS to an external port. 1194 is the default port used by OpenVPN.

If your router supports port forwarding with port translation, one tip I have is to choose an external port that is not 1194. This adds an extra layer of security from hackers who may be scanning for an open 1194 port on your network. So for example, I would map UDP port 1194 of my NAS to the router’s external port 35376, where 35376 is just a random port I chose.

So port 35376 on router -> port 1194 on NAS. The screenshot below shows how this port forwarding rule is set up in my ISP-provided broadband router.

How to access your DIY security cameras remotely using a NAS VPN server - Step 2 - 001 - VueVille

Step 3 – Set up Dynamic DNS on your QNAP NAS

  1. First sign up for a dynamic dns account at noip.com (or any service supported by QNAP), note that the free account forces you to verify your account every 30 days.
  2. Login to your QNAP NAS using an admin account and navigate to Control Panel>Network & File Services>Network Access and click on the DDNS Service.How to access your DIY security cameras remotely using a NAS VPN server - Step 3 - 001 - VueVille
  3. Enable the DDNS Service, and enter the noip username, password and host name you created at noip.com and click ‘Apply All’.

Step 4 – Set up the OpenVPN client on your device

Before you can set up the OpenVPN client on any device, you need to edit the client configuration file (openvpn.ovpn):

  1. Unzip the certificate zip file you downloaded from your NAS earlier, you will now have 3 files ca.crt, openvpn.ovpn and readme.txt
  2. Edit the openvpn.ovpn file and replace the IP address with the noip hostname you created in the steps above.How to access your DIY security cameras remotely using a NAS VPN server - Step 3 - 002 - VueVille
  3. Save the file.

Android devices – Set up the OpenVPN for Android client

  1. Transfer the three files, ca.crt, the edited openvpn.ovpn and readme.txt to your mobile device.
  2. Install the OpenVPN for Android app from the Google Play Store.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 001 - VueVilleWhen you first open the app, it will look like this:How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 002 - VueVille
  3. Tap the + symbol at the top right of the app which will give you the screen below.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 003 - VueVille
  4. At the ‘Add Profile’ screen, select Import.
  5. Now choose the openvpn.ovpn file you copied to your mobile device.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 004 - VueVille
  6. At the Convert Congif File screen, select the certificate file you downloaded.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 005 - VueVille
  7. Now select the tick mark at the top right.
  8. Now you will find a new profile called openvpn in the app Profiles tab, tap this.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 006 - VueVille
  9. In the Allow Connection screen, click OK.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 008 - VueVille
  10. When it asks for the username and password, press Cancel.
  11. Click on the edit icon of the openvpn profile.
  12. Go to the Server List tab and change the Server Port to the port number you forwarded the UDP 1194 port to. If you followed my recommendation of using an external port such as 35376 which is different from 1194, use that. Back out to the main app screen.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 007 - VueVille
  13. Make sure you are on an external network such as 3G or 4G, and tap the openvpn profile to connect.
  14. Enter the username and password of one of your QNAP NAS accounts which you allowed VPN access to the NAS. Click Ok.How to access your DIY security cameras remotely using a NAS VPN server - Step 4 - 011 - VueVille
  15. That’s it you are now connected to your QNAP VPN server!

Conclusion

I hope this how-to has helped you set up your own VPN server at home which lets you securely access your security cameras and the home network remotely.

Even if you are not ready to implement a full blown VPN server, it’s a great idea to disable uPnP on your router and to avoid port forwarding your devices to the Internet.

Daniel Ross

Daniel Ross

I am Daniel and VueVille is where I document my DIY smart home journey. I focus on 100% local-processing and local-storage because that’s the only way to secure my family’s safety and privacy. Oh and I don’t like monthly subscriptions!

24 Comments
  1. Hi Daniel; Thanks for this great info! I will give it a try here with my new Lorex system I just purchased. I already have a dahua PTZ I use to keep an eye on the horses with, cant wait to try this out on the whole system! Thanks for all you great info and insight.

  2. Hi, Daniel! Very informative article. I am retired and trying to beef up my security at a vacation home in a rural area in the foothills of the Sierras in Northern CA. Long story short, after a miserable experience with Hughsnet Satelite ISP and their “new satellite” (whose 200 mini antenna panels are each dedicated to different states or large areas in the US and elseware) whose only mini-antenna that didn’t work was the one serving Northern CA. my only remaining choice for internet service was Verizon Wireless. (Here is where the fun starts!) Cellular carriers being fearful that too many people would set up remotely accesses NVRs/NAS devices via Verizon Wireless internet connectivity, so they customize their system software to use “pseudo-IP addresses” which allow your device(smartphone/tablet) to access public internet sites, but NOT vice versa!(I think they call it “Double-NAT” I started to get excited after reading a portion of your article which started to sound like your system configuration did not require port-forwarding, but then toward the end, you state that part of the system DOES require port forwarding? Unless I am misunderstanding, it appears that my only alternative to remotely monitoring my HIKvision cameras remotely via a web-browser will be to set up motion detection as a trigger to take snapshot series and upload the pisc to a cloud server which will send me an email alert as a cue to login to their server and view my camera snapshots(or maybe video if not TOO expensive.) Do I misunderstand your use of port forwarding or anything else? I have also been told that Netgear makes w wireless router AP that will take a Verizon SIM card from an existing smartphone that somehow will facilitate port forwarding, which apparently IS required to remotely view my NVR? Your thoughts?

    • Hi Stan. Thanks and sorry to hear about all the trouble you are having. I thought it was clear from the beginning of the article that it is possible to remotely view your cameras and this happens through the technology populatly called P2P. The point of this article was to show a more secure albeit more difficult method – setting up a VPN server at home (which is impossible without port forwarding).

      Port forwarding simply means you expose one or more of the ports of a specific device in your LAN (internal network) to the public Internet. You would do this so that you can connect from the Public Internet to your device at home.

      So let me summarize this article – there is a way to remotely access your cameras without anyport forwarding at all – just use the P2P option in the camera manufacturer’s mobile app. This will work in your case too – even with the double NAT approach that Verizon uses. Actually what they are doing is assigning the same IP address to many different customers. So Verizon uses NAT first on a single public IP address to give each customer an internal IP address. Then each customer’s internal IP address is further NATted by their router to create a subnet inside Verizon’s network. ISPs do this when they have limited IPv4 addresses / to save money. If you must have a public IP address that is not shared with other customers, you can ask for a dedicated static IP address. This will usually cost you a few dollars a month.

      I have another article which explains what P2P is, how it is different from port forwarding OR setting up your own VPN: https://www.vueville.com/home-security/cctv/ip-cameras/secure-remote-viewing-of-home-security-cameras-port-forwarding-vs-p2p-vs-vpn/

      And to your last question – if you use any method other than P2P, you will have to use port forwarding at some point.

      Hope this helps – please let me know if you have any more questions.

  3. After you have connected to the VPN on your mobile device, how do you view the camera streams?

    • Exactly how you would when you are at home and using your home Wi-Fi network. For example, I use the tinyCAM Monitor Pro app, so I would simply open that app and the cameras should show up.

  4. Daniel, I recently retired and am taking a shot at setting up home automation & surveillance capabilities in my home with the free time that I suddenly have available. Thanks for the great info – it’s greatly appreciated by a newbie like me. I recently purchased a QNAP NAS (TS-253Be) and am trying to faithfully follow your step-by-step directions. I’m currently working at setting up the DDNS Service on my NAS and have encountered a different menu than in your instructions. The Control Panel>Network & File Services>Network Services menu has Service Binding and Proxy options, but no DDNS Service. When I search the QNAP Help menu, DDNS Service shows up as an option under Network & Virtual Switch>Access Services>DDNS. This takes me to an application called myQNAPCloud, which is described as “the private cloud provided by a QNAP device; it has no privacy or security concerns and provides a safe, reliable area for your files”. Am I way off track here or do you suppose that this is just another means of accomplishing the same goal? Thanks for your help!

    • I assume you are at step 3b. No do not use the QNAP cloud service -> that’s a totally different thing. Regardless of where the DDNS page is on your specific QNAP NAS, you should enter the DDNS details in the NAS setup. This is because we are using the NAS to tell your DDNS service what your home internet connection’s public IP address is. If you don’t do this step, your DDNS service will eventually fail to find your home network and therefore your NAS and the openVPN server it hosts.

      • Hi Daniel, thanks for this clarification. I had the same doubt when I was going through the setup process.

        How is QNAP cloud service different though? Would you recommend disabling it as it seems to be activated by default?

        • It may be similar but I am afraid it may be collecting data/statistics from my network, so I keep it disabled. You can use any DDNS service btw. For example ASUS routers have a free DDNS service built in.

1 2 3

    Leave a reply

    VueVille
    Logo
    situs slot https://disdukcapil.salatiga.go.id/ngacor/ slot gacor totomacau4d situs toto situs toto situs toto slot gacor slot gacor slot gacor slot gacor slot gacor rtp slot toto slot https://journal.dpkp.ciamiskab.go.id/ rtp slot rtp live slot gacor situs toto slot gacor situs toto situs toto togel https://faculdadediplomata.edu.br/-/ https://www.pilgrimagetour.in/-/ slot gacor situs toto slot gacor slot gacor rtp slot https://ejournal.yahukimokab.go.id/ https://mikrotik.itpln.ac.id/wp-content/uploads/ situs toto slot gacor slot gacor situs toto slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor situs toto toto slot bento4d bento4d bento4d bento4d bento4d https://cpnsbatola.id/-/ slot777 situs togel bento4d bento4d slot777 bento4d cerutu4d rimbatoto https://smpitbinailmu.sch.id/ bakautoto bakau toto slot https://inspiracionspa.com.mx/-/ bento4d bento4d https://pafikabupatenrejanglebong.org/ https://dinkes.bogorkab.go.id/-/totoslot/ bento4d bento4d bento4d bento4d bento4d https://pafipcbangkabelitung.org/ https://pafipcindonesia.org/ https://pafipclubuklinggau.org/ https://pafipcpagaralam.org/ https://pafipclahat.org/ slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor slot gacor bento4d