You want to watch your security cameras remotely and you have done enough research to know that port forwarding is a bad idea. Now the question is: VPN or cloud relay?
Both approaches avoid exposing your camera firmware directly to the internet. Both can work behind CGNAT (at least some of the time). But they work in fundamentally different ways, and each is better suited to different use cases. This article breaks down the real differences so you can make an informed decision.
Table of Contents
How VPN Works for Cameras
A VPN for camera access works at the network layer. It creates an encrypted tunnel between your viewing device and your camera network, effectively placing your remote device on the same LAN as the cameras.
The two most popular options in 2026 are:
WireGuard (self-hosted)
WireGuard is a modern, lean VPN protocol built into the Linux kernel. You run a WireGuard server on a machine that has a stable public IP — either on your LAN (if you have a static IP or port-forward the WireGuard UDP port) or on a cheap cloud VPS acting as a relay node. Each client device gets a keypair and config file. Traffic is encrypted with ChaCha20.
Tailscale (managed WireGuard)
Tailscale wraps WireGuard with a managed key distribution service and a sophisticated NAT traversal engine. Install the Tailscale daemon on a machine on your camera LAN (or directly on a Linux NVR), and on each device you want to view from. Tailscale attempts peer-to-peer connections using STUN-like hole-punching; if that fails, it falls back to Tailscale's DERP relay servers. For personal use it is free.
VPN Pros and Cons for IP Cameras
Pros
- Full network access — cameras, NVR, ONVIF, PTZ all reachable
- Peer-to-peer routing means lower latency when NAT traversal succeeds
- Tailscale free tier covers personal use well
- Self-hosted WireGuard is entirely free and open source
- No ongoing cost for small deployments
- Strong end-to-end encryption
Cons
- VPN client must be installed on every device you view from
- Cannot share stream access with guests or third parties
- Corporate, school, and hotel networks often block VPN traffic (UDP 51820)
- No protocol conversion — you get raw RTSP
- Browsers cannot play RTSP natively
- Tailscale DERP relay fallback adds latency comparable to cloud relay
- Managing VPN keys/configs across many users does not scale
How Cloud Relay Works
A cloud relay works at the stream/application layer. A lightweight agent runs on your LAN, connects outbound to the cloud infrastructure over standard HTTPS/WSS, and maintains a persistent tunnel. The cloud servers then expose endpoints that anyone can connect to using standard protocols — without any VPN client installed.
TheRelay's agent ingests RTSP from your cameras on the LAN and makes each stream available at cloud endpoints:
- WebRTC — browser and mobile, sub-second latency
- RTSP — for NVR software, VLC, OpenCV, FFmpeg
- HLS — for web video players and CDN delivery
- RTMP — for OBS and streaming software
- SRT — for broadcast and low-latency ingest pipelines
Cloud Relay Pros and Cons
Pros
- No install required on viewer devices — works in any browser
- Works on corporate, school, and hotel networks (outbound HTTPS only)
- Shareable token URLs — grant stream access without VPN setup
- Protocol conversion built in — WebRTC, RTSP, HLS from one source
- API-friendly cloud RTSP/HLS endpoints for CV pipelines and integrations
- Agent uses outbound connection — no inbound firewall rules
- Works reliably behind CGNAT
Cons
- $2 per stream per month — not free
- Video hops through a cloud server — adds 20–80ms latency vs direct
- Does not give network-layer access to camera's ONVIF/PTZ ports
- Requires the agent process to stay running on your LAN
The Browser Problem with VPN
This is one of the most commonly overlooked practical issues with VPN-based camera access. Even with Tailscale running on both your camera server and your laptop, you still cannot watch the camera in a browser.
Browsers do not support RTSP. The RTSP protocol was never standardised in the browser security model. To play an RTSP stream in a browser you need something to convert it to either WebRTC or HLS first — both of which require additional server-side software (Nginx + nginx-rtmp, mediamtx, FFmpeg piped to HLS segments, etc.).
A cloud relay handles this conversion as part of the service. With TheRelay you get a WebRTC browser endpoint automatically — no transcoding stack to maintain on your end.
If you need your cameras viewable in a browser tab — for a wall dashboard, sharing with family, or embedding in a web app — VPN alone does not solve the problem. You either need a cloud relay, or you need to run your own media server that transcodes RTSP to WebRTC or HLS. The cloud relay option is considerably simpler.
The Sharing Problem with VPN
Imagine you want to let a client, a family member, or a security monitoring service view one of your camera streams. With VPN, you would need to:
- Add them as a Tailscale user in your tailnet (they need a Tailscale account)
- Configure access controls (ACLs) so they can only reach the camera, not your whole network
- Make sure they have Tailscale installed and connected
- Hope their corporate firewall does not block Tailscale
With a cloud relay, you share a stream URL (with a token). They open it in a browser. Done. No accounts, no installs, no firewall issues.
For developer and integrator use cases, cloud relay RTSP/HLS endpoints can be plugged directly into NVR software, OpenCV scripts, ffmpeg pipelines, or monitoring platforms — all without those systems needing VPN access to your camera network.
Code Comparison: OpenCV with Each Method
Accessing a camera via Tailscale VPN
Once Tailscale is installed and connected on both the camera server and the machine running the script, you use the camera's Tailscale IP (100.x.x.x range):
import cv2
# Tailscale gives the camera server a 100.x.x.x IP
# The machine running this script must also have Tailscale connected
RTSP_URL = "rtsp://admin:password@100.64.0.12:554/stream1"
cap = cv2.VideoCapture(RTSP_URL)
while cap.isOpened():
ret, frame = cap.read()
if not ret:
break
cv2.imshow("Camera", frame)
if cv2.waitKey(1) & 0xFF == ord('q'):
break
cap.release()
cv2.destroyAllWindows()This works — but requires Tailscale installed and connected on the machine running the script. If you are running this in a cloud VM, Docker container, or CI pipeline, adding Tailscale to that environment is a non-trivial dependency.
Accessing a camera via TheRelay cloud endpoint
With TheRelay, the cloud RTSP endpoint is a regular internet URL. No VPN client on the consuming machine:
import cv2
import os
# Cloud RTSP endpoint from TheRelay dashboard
# Use environment variable — do not hardcode the token
RTSP_URL = os.environ.get("THERELAY_RTSP_URL")
# e.g. rtsp://stream.therelay.net/your-stream-token
cap = cv2.VideoCapture(RTSP_URL)
while cap.isOpened():
ret, frame = cap.read()
if not ret:
break
cv2.imshow("Camera", frame)
if cv2.waitKey(1) & 0xFF == ord('q'):
break
cap.release()
cv2.destroyAllWindows()This script runs identically on your laptop, a cloud VM, a Docker container, or a Raspberry Pi — anywhere that has internet access, with no VPN install required.
Full Comparison Table
| Feature | VPN (Tailscale) | VPN (WireGuard) | Cloud Relay (TheRelay) |
|---|---|---|---|
| Install on viewer device | Required | Required | Not required |
| Browser playback | No (RTSP only) | No (RTSP only) | Yes (WebRTC) |
| Works on corporate networks | Sometimes blocked | Often blocked | Yes (outbound HTTPS) |
| Shareable stream access | No (requires tailnet) | No (requires config) | Yes (token URL) |
| Protocol support | RTSP (raw) | RTSP (raw) | WebRTC, RTSP, HLS, RTMP, SRT |
| Works behind CGNAT | Often (DERP fallback) | No (needs public IP) | Yes |
| Latency | Lower (P2P) | Lower (P2P) | Slight cloud hop |
| Network-layer LAN access | Yes (PTZ, ONVIF) | Yes (PTZ, ONVIF) | Video relay only |
| API / cloud integration | With VPN on API host | With VPN on API host | Native cloud endpoints |
| Cost | Free (personal) | Free (self-hosted) | $2/stream/month |
| Setup complexity | Medium | High | Low |
Which to Use for Your Use Case
Use VPN (Tailscale) when:
- You are the only viewer and you control all devices you view from
- You need full LAN access for ONVIF management, PTZ control, or NVR software
- Cost is the deciding factor and the free tier covers your needs
- You are comfortable installing and maintaining Tailscale on all viewing devices
- You do not need browser-based playback
Use cloud relay (TheRelay) when:
- You need to share camera access with others — family, clients, staff
- You want browser-based viewing without any client install
- You are building integrations — CV pipelines, NVR platforms, monitoring dashboards
- The viewing devices are in environments that block VPN (corporate, hotel, cellular)
- You need multi-protocol support (WebRTC for browser, RTSP for NVR, HLS for web player)
- You are behind CGNAT and Tailscale's DERP fallback is adding unwanted latency
The honest summary: VPN is a solid free option for personal single-viewer setups. Cloud relay is the better choice as soon as you have multiple viewers, need browser access, or want to integrate camera streams into applications or pipelines. The two are not mutually exclusive — some users run Tailscale for full LAN management access while using TheRelay for stream distribution to viewers and integrations.
View your cameras from anywhere — no VPN needed
TheRelay gives you WebRTC, RTSP, HLS, RTMP, and SRT endpoints for every camera on your LAN. Browser-ready. API-ready. Behind CGNAT.
Start Free TrialFrequently Asked Questions
Is VPN or cloud relay faster for camera streaming?
When Tailscale successfully establishes a peer-to-peer connection (which it does in many but not all network configurations), latency is lower than a cloud relay because video does not travel through an intermediate server. However, when Tailscale falls back to its DERP relay servers due to failed NAT traversal, latency becomes similar to a cloud relay. For live surveillance — which is typically viewed with 1–3 seconds of latency regardless of method — the difference is rarely perceptible.
Can Tailscale stream an RTSP camera to a browser?
Not directly. Tailscale gives you network access to the camera's RTSP port, but browsers cannot play RTSP natively. To play RTSP in a browser you need a transcoding step — either a media server running on your LAN (like MediaMTX, Frigate, or a custom FFmpeg pipeline) that converts RTSP to WebRTC or HLS. Cloud relay handles this transcoding automatically as part of the service.
Do I need a VPN for IP cameras?
No. VPN is one way to achieve secure remote access to IP cameras, but it is not the only way. Cloud relay services like TheRelay provide secure remote camera access via outbound-only agent connections, with no VPN client required on the devices you view from. The choice between VPN and cloud relay depends on your specific needs around sharing, protocol support, and infrastructure complexity.
Is cloud relay more expensive than VPN?
Tailscale is free for personal use (up to 100 devices, 3 users). TheRelay costs $2 per active stream per month. Self-hosted WireGuard on a $5/month VPS adds a small cost. For most professional deployments — where you have more than a few cameras and multiple viewers — the operational simplicity, browser support, and multi-protocol flexibility of a cloud relay comfortably justify the cost versus managing VPN access for every viewer.
Can I use both VPN and cloud relay together?
Yes, and this is a reasonable setup for advanced users. Run Tailscale for full LAN access when you need it (ONVIF camera management, NVR configuration, PTZ control), and use TheRelay cloud endpoints for stream distribution to multiple viewers and integrations. Each tool does what it is best at.