You have IP cameras installed — Hikvision, Dahua, Reolink, Axis, or a mix — and you want to watch them when you are away from the building. Simple enough in theory. But the moment you start researching the options, you encounter a minefield of tradeoffs: port forwarding that exposes your network, VPNs that require installs on every device, vendor cloud apps that raise privacy questions, and cloud relay services you may not have heard of yet.
This guide cuts through the noise. We will walk through every major method, explain exactly how each works, and give you an honest comparison so you can make the right choice for your situation.
Method 1: Port Forwarding
Port forwarding tells your router to pass incoming traffic on a specific port to a specific device on your LAN. For an IP camera serving RTSP on port 554, you would forward external port 554 to the camera's internal IP.
How it works
You log into your router admin panel and add a rule: any traffic arriving on external port 554 (or a custom port like 15544) gets sent to 192.168.1.64:554. Then from outside you connect to rtsp://YOUR_PUBLIC_IP:554/stream1.
Pros
- Fast to set up if you know your router
- No third-party service or ongoing cost
- Direct connection — lowest possible latency
Cons
- Exposes camera firmware directly to the internet
- IP camera firmware is notoriously vulnerable (Mirai, etc.)
- Static public IP usually required, or you lose access on reconnect
- Does not work behind CGNAT
- No browser playback — RTSP clients only
- Each camera needs its own port rule
Port forwarding is the method recommended by most camera manufacturer quickstart guides because it is easy to document in a manual. It is also, from a security standpoint, the worst option. Internet-facing camera firmware is regularly targeted by zero-day exploits, and most consumer cameras receive security patches infrequently.
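To see which existing forwarding rules expose a camera, the audit below flags every rule that targets a camera IP or forwards RTSP, including rules that use a custom external port such as 15544. It is an added example, not part of the original guide; the CSV rule layout, the rule names and the camera inventory are constructed assumptions, since every router exports rules differently.

```python
from ipaddress import ip_address

# Constructed sample of exported forwarding rules; the CSV layout is an assumption.
SAMPLE_RULES = """\
# name, proto, external_port, internal_ip, internal_port
cam-front, tcp, 554, 192.168.1.64, 554
cam-back, tcp, 15544, 192.168.1.65, 554
nas-https, tcp, 8443, 192.168.1.10, 443
cam-web, tcp, 8080, 192.168.1.64, 80
"""
CAMERA_IPS = {"192.168.1.64", "192.168.1.65"}  # constructed camera inventory
RTSP_PORT = 554

def parse_rules(text):
    """Parse 'name, proto, ext_port, ip, int_port' lines into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, proto, ext, ip, internal = (f.strip() for f in line.split(","))
        rules.append({"name": name, "proto": proto, "external_port": int(ext),
                      "internal_ip": str(ip_address(ip)),  # rejects malformed IPs
                      "internal_port": int(internal)})
    return rules

def audit(rules, camera_ips):
    """Return (rule name, reasons) for every rule that exposes a camera."""
    findings = []
    for r in rules:
        reasons = []
        if r["internal_ip"] in camera_ips:
            reasons.append("targets a camera")
        if r["internal_port"] == RTSP_PORT:
            reasons.append("forwards RTSP")
            if r["external_port"] != RTSP_PORT:
                reasons.append("non-default external port still reaches RTSP")
        if reasons:
            findings.append((r["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit(parse_rules(SAMPLE_RULES), CAMERA_IPS):
        print(f"{name}: {'; '.join(reasons)}")
```

Matching on the internal target rather than the external port is what catches the cam-web rule, which forwards the camera's web interface and never mentions port 554.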
Method 2: DDNS + Port Forwarding
Dynamic DNS (DDNS) solves the problem of a changing public IP address by mapping a hostname like mycameras.dyndns.org to your current IP. A small client running on your router or a PC updates the DNS record whenever your IP changes.
How it works
Services like No-IP, DuckDNS, or DynDNS provide free or low-cost hostnames. Your router runs a DDNS update client. You then connect to rtsp://mycameras.dyndns.org:554/stream1 instead of a raw IP.
Pros
- Solves dynamic IP problem cheaply
- Works with existing port forwarding setup
- Human-readable hostname
Cons
- All the same security problems as plain port forwarding
- DNS propagation delay when IP changes (30s–5min gap)
- Still does not work behind CGNAT
- Adds dependency on DDNS provider uptime
DDNS + port forwarding is an incremental improvement on plain port forwarding. It does not address the fundamental security exposure. If your goal is security, skip both of these methods.
Method 3: VPN (Tailscale / WireGuard)
A VPN creates an encrypted tunnel between your viewing device and your home/office network. Once connected, your phone or laptop gets an IP address on your LAN as if it were physically present, and you can access cameras at their private IP addresses.
WireGuard (self-hosted)
WireGuard is a lean, fast VPN protocol. You install a WireGuard server on a machine in your network (or on a VPS with a public IP that your cameras are tunnelled through). Each viewing device gets a WireGuard client config file. Setting this up requires a machine with a reachable public IP, some CLI comfort, and ongoing maintenance.
Tailscale (managed WireGuard)
Tailscale wraps WireGuard in a managed coordination layer. Install the Tailscale app on your NVR or a server on the camera LAN, and on each device you want to view from. Tailscale handles key distribution, NAT traversal (including CGNAT in many cases), and provides a 100.x.x.x IP space for your devices.
Pros
- Strong encryption — traffic never exposed publicly
- Tailscale is free for personal use (up to 100 devices)
- Peer-to-peer where possible — low latency
- Full LAN access for ONVIF, NVR software, PTZ
Cons
- VPN client must be installed on every viewing device
- Does not work on shared/public devices without install
- Cannot share a stream URL with a third party
- Corporate/school networks often block VPN traffic
- RTSP is not browser-playable — needs a separate player
- More complex setup than cloud relay
Method 4: Cloud Relay (TheRelay)
A cloud relay service installs a lightweight agent on your LAN. The agent opens an outbound connection to the cloud infrastructure and creates a persistent tunnel. Your camera streams are then accessible via cloud-hosted endpoints, with no inbound firewall rules required.
How TheRelay works
TheRelay agent runs on a machine on your camera LAN (Linux, Windows, or Docker). It connects outbound to TheRelay's servers. You add cameras via the dashboard — the agent can auto-discover ONVIF cameras or you can enter RTSP URLs manually. Each camera gets a set of cloud endpoints.
Pros
- No port forwarding, no firewall changes
- Works behind CGNAT — agent connects outbound
- Browser playback via WebRTC — no install on viewer device
- Multiple protocols: WebRTC, RTSP, HLS, RTMP, SRT
- Share stream with any device via URL + token
- Works on corporate and school networks (outbound HTTPS)
- API-friendly for integrations and CV pipelines
Cons
- $2/stream/month cost
- Video hops through cloud server (slight latency increase)
- Requires running the agent process on your LAN
Method 5: Vendor Cloud Apps
Most major camera brands offer their own cloud-based remote viewing apps: Hikvision's Hik-Connect, Dahua's DMSS, Reolink's app, Axis Companion, and so on. These apps use the manufacturer's cloud infrastructure — you register the camera, it connects outbound to the vendor's servers, and the app connects through those servers.
Pros
- Easiest setup for supported cameras — QR code pairing
- Works behind CGNAT
- Mobile app included
- Often free for basic use
Cons
- Video routed through vendor's servers — privacy concerns
- Some vendors are headquartered in jurisdictions with data concerns
- Locked to that manufacturer's cameras
- Limited protocol support — no RTSP/HLS cloud endpoints
- No API access for integrations
- Vendor can discontinue the service or change pricing
Hikvision and Dahua are partially state-owned Chinese companies. Their cloud services have faced regulatory scrutiny in the US, UK, and EU. If you are using these cameras for sensitive environments, routing video through their vendor cloud is worth considering carefully.
Full Comparison Table
| Feature | Port Forwarding | DDNS | VPN | Cloud Relay | Vendor App |
|---|---|---|---|---|---|
| Security | Poor | Poor | Excellent | Excellent | Medium |
| Ease of setup | Medium | Medium | Medium | Easy | Easiest |
| Works behind CGNAT | No | No | Sometimes | Yes | Yes |
| No install on viewer device | No (player needed) | No (player needed) | No (VPN client) | Yes (browser) | App required |
| Protocol support | RTSP only | RTSP only | RTSP only | WebRTC, RTSP, HLS, RTMP, SRT | Proprietary |
| Multi-device access | Yes (RTSP) | Yes (RTSP) | Yes (with VPN) | Yes (any device) | Yes (app) |
| Shareable stream URL | No | No | No | Yes | No |
| API / integration support | No | No | RTSP direct | Yes (cloud RTSP/HLS endpoints) | Limited |
| Cost | Free | Free–$5/yr | Free (self-hosted) | $2/stream/month | Free (basic) |
| Privacy | Your network | Your network | Your network | Your stream token | Vendor's servers |
| Works on corporate networks | Maybe | Maybe | Often blocked | Yes (outbound HTTPS) | Yes |
Which Should You Use?
Choose port forwarding / DDNS if...
You are in a pinch, need a quick temporary solution, fully understand the risks, and are using cameras in a non-sensitive environment with regularly updated firmware. Do not use this for business, residential security, or any camera covering private spaces.
Choose VPN (Tailscale) if...
You are comfortable with a CLI, have one or two personal devices you always view from, and want zero monthly cost. VPN is excellent for the technical homeowner or developer who just needs personal access to their own cameras and does not need to share streams or use a browser.
Choose cloud relay (TheRelay) if...
You need to share access with family members, clients, or integrations; you want browser-based viewing without installing anything; you need RTSP, HLS, or WebRTC endpoints for programmatic access; or you are behind CGNAT and VPN is not traversing cleanly. At $2/stream/month the cost is minimal relative to the security and convenience gain.
Choose vendor apps if...
You only need basic mobile viewing of a single-brand camera system and privacy is not a concern. Vendor apps are the path of least resistance for non-technical users who just want to glance at a camera feed on their phone.
Recommendation for most users: Cloud relay (TheRelay) offers the best combination of security, convenience, and multi-device access. It works behind CGNAT, requires no port forwarding or firewall changes, supports browser playback, and the multi-protocol output makes it future-proof for integrations. For pure personal use on trusted personal devices, Tailscale VPN is a close second and free.
Frequently Asked Questions
What is the most secure way to access cameras remotely?
Both a self-hosted VPN (WireGuard or Tailscale) and a cloud relay like TheRelay avoid exposing camera firmware directly to the internet, making them the most secure options. With a cloud relay, the agent connects outbound so there are no open inbound ports on your router. Cameras are never directly reachable from the internet — only the relay cloud endpoint is, and access is controlled by stream tokens.
Is VPN or cloud relay better for cameras?
It depends on your use case. VPN is better for single-viewer personal setups where you control every viewing device and want free self-hosted access. Cloud relay is better when you have multiple viewers, need browser playback, want to share streams with others (family, clients, AI pipelines), or are accessing from networks that block VPN traffic. For professional or developer use cases, cloud relay is the more practical choice.
Can I access IP cameras without a static IP?
Yes. Cloud relay services like TheRelay do not require a static public IP because the agent connects outbound from your LAN to the cloud infrastructure — the cloud has the stable public endpoints, not your home connection. DDNS is an older workaround that maps a hostname to your dynamic IP for port-forwarding setups, but cloud relay removes this dependency entirely, including support for CGNAT connections.
What is the safest remote camera app?
For privacy-sensitive environments, the safest approach is one where your video is not routed through a third party's infrastructure without your explicit control. A self-hosted VPN keeps video entirely on your own network path. A transparent cloud relay where you control the stream credentials (like TheRelay) is the next best option. Vendor apps from Hikvision, Dahua, or similar route your video through the manufacturer's servers, which is less private and introduces data sovereignty concerns depending on where those servers are located.
Does port forwarding work behind CGNAT?
No. CGNAT (Carrier-Grade NAT) is used by many ISPs — particularly mobile/cellular providers and some residential broadband — to share a single public IP address across many customers. If your router does not have a unique public IP address, port forwarding rules on your router have no effect because inbound traffic cannot reach you. Cloud relay and vendor apps both work behind CGNAT because they use outbound connections only.
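The check described above can be scripted: compare the WAN address shown on the router's status page with the address an external service reports for you. This is an added example, not part of the original guide; the function names and sample addresses are constructed, and both addresses are passed in by hand so the script runs offline.

```python
from ipaddress import ip_address, ip_network

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
# Tailscale node addresses also come from this range, so pass in the
# router's WAN address, not the address of a Tailscale interface.
CGNAT_RANGE = ip_network("100.64.0.0/10")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip):
    """Classify the address on the router's WAN interface."""
    addr = ip_address(wan_ip)
    if addr in CGNAT_RANGE:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "double-nat"  # router sits behind another private network
    return "public"

def forwarding_verdict(wan_ip, observed_public_ip):
    """Return (viable, reason): can a port-forward rule on this router work?"""
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        return False, "WAN address is in carrier-grade NAT space"
    if kind == "double-nat":
        return False, "WAN address is private; an upstream device does the NAT"
    if ip_address(wan_ip) != ip_address(observed_public_ip):
        return False, "WAN address differs from the address the internet sees"
    return True, "router holds the public address"

if __name__ == "__main__":
    # Constructed samples: (router WAN address, externally observed address).
    samples = [
        ("100.72.14.9", "198.51.100.20"),
        ("192.168.0.2", "198.51.100.20"),
        ("203.0.113.7", "198.51.100.20"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, seen in samples:
        viable, reason = forwarding_verdict(wan, seen)
        print(f"WAN {wan:<14} seen as {seen:<14} -> {viable}: {reason}")
```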