You have IP cameras on your local network. You want to access their RTSP streams from the internet — from a remote office, a cloud server running OpenCV, or an AI application. But every guide you find tells you to open port 554 on your router and forward it to your camera.
That works — but it's a terrible idea for anything beyond a home lab. Port forwarding exposes your camera directly to the internet, and IP cameras are notoriously poorly secured. There's a better way.
This guide covers 4 methods to access RTSP cameras remotely without opening ports, with honest pros, cons, and real setup instructions for each.
Contents
Why Not Just Port Forward RTSP?
Port forwarding RTSP (port 554) seems like the obvious solution. You log into your router, create a rule mapping external port 554 to your camera's internal IP, and you're done. So why avoid it?
- Security: Your camera is now reachable by anyone on the internet. Hikvision, Dahua, and many other camera brands have had severe CVEs — remote code execution, authentication bypasses, and credential leaks. Shodan regularly indexes thousands of exposed cameras.
- ISP restrictions: Many ISPs block port 554 inbound. Business ISPs often block all non-standard ports. You may not even be able to get this working.
- Dynamic IPs: Your public IP changes, breaking any integration that relies on a fixed endpoint.
- Multiple cameras: Each camera needs a different external port (554, 555, 556...), making management complex and fragile.
- Corporate/apartment networks: You may not have access to the router at all.
In short: port forwarding works for a quick test, but it's not a solution you'd put into production. Here are the real alternatives.
Method 1: Cloud Relay Agent
Cloud Relay Agent (TheRelay)
A lightweight agent runs on your LAN, reads RTSP from your cameras, and tunnels the streams to a cloud server via a single outbound encrypted connection. You access the streams via cloud endpoints — no inbound ports, no router access needed.
✅ Pros
- No port forwarding or router access
- Works behind any firewall or NAT
- Works on corporate or apartment networks
- Camera credentials never leave LAN
- Encrypted transport (SRT + AES)
- Token-based access control
- Stable cloud endpoint (no dynamic IP issues)
- Multi-protocol: WebRTC, RTSP, HLS, RTMP, SRT
- Works with any RTSP camera
- Setup in under 30 seconds
❌ Cons
- Monthly subscription cost ($2/stream/mo)
- Streams route through cloud (small latency add)
- Requires internet on the agent machine
How to Set It Up (TheRelay)
-
Create account Sign up at app.therelay.net — free to start.
-
Install the Agent on your LAN Download the agent for Windows (.exe) or Linux (.sh installer). Run it on any machine that can reach your cameras on the same network.
-
Add your cameras Paste your RTSP URLs in the dashboard. The format is typically:
The agent reads the stream locally — credentials never leave your network.rtsp://username:password@192.168.1.100:554/Streaming/Channels/101 -
Create an access token Generate a token to control who can access the stream. Scope it to a specific camera or your entire account.
-
Access from anywhere Use the cloud endpoint in any player or integration:
# VLC vlc rtsp://therelay.net:554/camera/{id}?token={token} # ffmpeg ffmpeg -i "rtsp://therelay.net:554/camera/{id}?token={token}" ... # OpenCV (Python) cap = cv2.VideoCapture("rtsp://therelay.net:554/camera/{id}?token={token}")
Best for: Developers, integrators, anyone who needs a reliable production-grade solution. Works in 30 seconds, scales to hundreds of cameras, no networking expertise required.
Method 2: VPN Mesh Network
VPN Mesh (WireGuard / Tailscale / ZeroTier)
Create an encrypted mesh network that connects your LAN and your remote machine as if they were on the same network. Your remote device gets a virtual LAN IP and can reach the camera directly.
✅ Pros
- No port forwarding required (outbound only)
- Encrypted point-to-point tunnel
- Low latency (direct path when possible)
- Free self-hosted option (WireGuard)
- Full LAN access for all devices
❌ Cons
- Requires installation on every client device
- Complex to set up and maintain
- Doesn't work for public/API access
- Harder to share with third parties
- Single point of failure (VPN server)
Setup with Tailscale (Easiest VPN Option)
- Install Tailscale on the machine next to your cameras:
curl -fsSL https://tailscale.com/install.sh | sh - Run
tailscale upand log in - Install Tailscale on your remote machine and log in with the same account
- Find the Tailscale IP of the local machine:
tailscale ip - Access RTSP using the Tailscale IP:
rtsp://user:pass@100.x.x.x:554/stream
Best for: Personal use where you control all client devices. Not suitable for sharing streams with external developers or third-party integrations.
Method 3: Reverse Proxy over SSH Tunnel
SSH Reverse Tunnel + nginx RTSP Proxy
A machine on your LAN opens an SSH tunnel to a cloud VPS, forwarding a local port to the VPS. nginx on the VPS proxies RTSP through the tunnel.
✅ Pros
- No port forwarding on local router
- Full control over your infrastructure
- No third-party service cost (beyond VPS)
- Can work for any TCP protocol
❌ Cons
- Complex setup — requires Linux expertise
- SSH tunnel breaks if LAN machine reboots
- Requires a cloud VPS ($5-10/month minimum)
- RTSP proxying requires special nginx build
- No token-based access control out of the box
- Not practical for multiple cameras
Basic Setup
# On your LAN machine — open reverse tunnel to your VPS
# This forwards VPS port 8554 to camera at 192.168.1.100:554
ssh -R 8554:192.168.1.100:554 user@your-vps-ip -N
# Keep it persistent with autossh
autossh -M 0 -R 8554:192.168.1.100:554 user@your-vps-ip -N
# On the VPS — access the stream via the tunnel
ffplay rtsp://localhost:8554/streamBest for: DevOps engineers who want full infrastructure control and are comfortable managing Linux servers. Not recommended for multiple cameras or team access.
Method 4: Dynamic DNS + UPnP
Dynamic DNS (DDNS) + UPnP Auto-Forwarding
Use a DDNS service (like No-IP or DuckDNS) to maintain a stable hostname that tracks your dynamic IP. Use UPnP to automatically open the RTSP port on your router.
✅ Pros
- Free or low-cost
- Stable hostname despite dynamic IP
- No cloud service dependency
- Direct connection (low latency)
❌ Cons
- Still opens a port — same security risks
- UPnP is itself a security risk if misused
- Requires router access and UPnP support
- ISPs may block port 554
- Doesn't work on corporate/apartment networks
Best for: Home labs and personal projects where security is less critical. Not suitable for production or shared access.
Side-by-Side Comparison
| Method | No Router Access Needed | Works on Corporate Networks | Token Access Control | Setup Time | Production Ready |
|---|---|---|---|---|---|
| Cloud Relay (TheRelay) | ✅ Yes | ✅ Yes | ✅ Yes | ~30 sec | ✅ Yes |
| VPN Mesh (Tailscale) | ✅ Yes | ⚠️ Partial | ❌ No | ~20 min | ⚠️ Limited |
| SSH Reverse Tunnel | ✅ Yes | ✅ Yes | ❌ No | ~2 hours | ⚠️ Complex |
| DDNS + UPnP | ❌ No | ❌ No | ❌ No | ~30 min | ❌ No |
| Direct Port Forward | ❌ No | ❌ No | ❌ No | ~10 min | ❌ No |
Try TheRelay Free
Access your first RTSP camera from anywhere in under 30 seconds. No port forwarding, no VPN, no firewall changes.
Get Started Free →Frequently Asked Questions
Can I access an RTSP camera without port forwarding?
Yes. Using a cloud relay agent like TheRelay, your camera's RTSP stream is tunneled from your LAN to the cloud via an outbound-only encrypted connection. No port forwarding, no VPN, no firewall changes are needed. The agent on your LAN initiates an outbound SRT connection to the cloud server — the same way your browser opens HTTPS connections, requiring no inbound firewall rules.
Why can't I access my RTSP camera from outside my network?
RTSP cameras sit on a private LAN behind NAT (Network Address Translation). Your router blocks all inbound connections by default — this is actually a security feature. To reach an RTSP camera from the internet without port forwarding, you need a technique that works from the inside out, like a cloud relay or VPN.
Is it safe to port forward RTSP (port 554)?
It works but it's not recommended for production. Port 554 exposes your camera's authentication interface directly to the internet. Hikvision, Dahua, and many other camera brands have had well-documented CVEs including unauthenticated access, remote code execution, and credential exposure. Using a cloud relay with encrypted transport and token-based access control is significantly safer.
Does RTSP work over the internet without port forwarding?
Standard RTSP cannot traverse NAT without port forwarding or a tunnel — it's a stateful protocol that requires inbound connections. However, cloud relay services like TheRelay accept the RTSP stream from your LAN agent and re-expose it as an internet-accessible endpoint. You still consume RTSP (or WebRTC, HLS, SRT) at the cloud end, without any port forwarding requirement on your LAN side.
What RTSP URL format should I use for Hikvision cameras?
Hikvision cameras use this RTSP URL format:
# Main stream (high quality)
rtsp://username:password@192.168.1.100:554/Streaming/Channels/101
# Sub stream (lower bandwidth)
rtsp://username:password@192.168.1.100:554/Streaming/Channels/102See the full Adding Cameras guide for Dahua, Axis, and generic RTSP URL formats.
Can I use OpenCV with cloud RTSP endpoints?
Yes. Once your camera is published through TheRelay, the cloud RTSP endpoint works with any standard RTSP client:
import cv2
cap = cv2.VideoCapture("rtsp://therelay.net:554/camera/{camera_id}?token={token}")
while True:
ret, frame = cap.read()
if not ret:
break
cv2.imshow("Camera", frame)
if cv2.waitKey(1) & 0xFF == ord('q'):
break
cap.release()