32blog by Studio Mitsu

How to Secure Remote Access to Surveillance Cameras with a VPN

Learn how to safely access surveillance cameras remotely using VPN encryption. Covers NordVPN Meshnet, WireGuard, and zero-port-forwarding solutions.

by omitsu · 10 min read

This article contains affiliate links.

The safest way to access surveillance cameras remotely is through a VPN tunnel — never by forwarding ports on your router. A VPN encrypts all traffic and keeps camera feeds off the public internet, eliminating the attack surface that tools like Shodan exploit to index exposed cameras worldwide.

Setting up remote camera access? The first instinct is usually to forward port 554. But search "RTSP" on Shodan and you'll find tens of thousands of cameras with zero authentication, fully exposed. That's enough to convince anyone: VPN or nothing.

With a service like NordVPN, you can access your cameras through an encrypted tunnel without exposing any ports to the outside world.

This article covers how to set up secure remote access to surveillance cameras, from risk analysis to step-by-step configuration. If you're new to VPNs, start with What Is a VPN? first.

Why Remote Camera Access Is Dangerous

Let's understand specifically why port forwarding is risky.

The Danger of Port Forwarding

[Diagram: You (Remote) + Attacker → Internet (open to all) → Router :554 (port forwarded) → LAN → Camera (RTSP exposed)]

What happens:

  1. Port 554 is discovered by Shodan or mass scanners. Attackers constantly scan the entire internet
  2. Brute-force attacks crack authentication. Many IP cameras ship with admin/admin defaults and have no account lockout
  3. RTSP streams are intercepted. Both video and audio can be eavesdropped
  4. Cameras get recruited into botnets. The Mirai malware specifically targeted IP cameras

Why VPN Solves This

A VPN fundamentally changes the architecture.

[Diagram: You (Remote) → encrypted VPN tunnel (no port forwarding) → VPN server (home / cloud) → LAN → Camera (not exposed)]

Once connected via VPN, you're effectively on the same local network as the cameras. No camera ports are exposed to the internet, and all traffic is encrypted.

VPN Solutions — Architecture and Options

Three main VPN architectures work for remote camera access.

Approach | Difficulty | Cost | Best For
NordVPN Meshnet | Low | NordVPN subscription only | Personal / small-scale (easiest)
Self-hosted WireGuard | Medium | Server cost or free (home) | Technical users who want control
Tailscale | Low | Free tier available | Already using Tailscale

Let's walk through each.

NordVPN Meshnet for Secure Camera Access

NordVPN Meshnet lets you create direct peer-to-peer connections between your devices without setting up your own VPN server. This is the easiest way to access cameras remotely.

After community pushback against a planned deprecation in 2025, NordVPN reversed course and committed to keeping Meshnet alive and open-sourcing it — a strong signal for long-term viability.

How Meshnet Works

[Diagram: Your phone (remote) → encrypted NordLynx P2P, direct with no VPN server relay → Home PC (NordVPN + FFmpeg) → LAN → Camera (LAN access)]

Traffic flows directly between devices without going through NordVPN's servers. NordLynx (WireGuard-based) protocol keeps latency minimal. For a detailed protocol comparison, see VPN Protocols Compared.

Setup Steps

1. Install NordVPN on your home PC

bash
# Linux (Ubuntu/Debian)
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
nordvpn login
nordvpn set meshnet on

2. Check your Meshnet device name

bash
nordvpn meshnet peer list
# Home PC: home-pc.nord

3. Access from your remote device

Enable Meshnet in the NordVPN app on your phone or laptop, then access the camera via your home PC.

bash
# Access home camera from remote PC (via Meshnet)
ffplay -rtsp_transport tcp \
  "rtsp://admin:password@home-pc.nord:554/Streaming/Channels/101"

Or, if you're running a surveillance dashboard on your home PC, just navigate to http://home-pc.nord:8080/hls/cam01/index.m3u8 in your browser.

Meshnet Advantages

  • No server needed: No VPN server to build or maintain
  • No port forwarding: NAT traversal is handled automatically
  • P2P connection: Bypasses NordVPN servers for minimal latency
  • Up to 60 devices: 10 of your own + 50 from other users

Self-Hosted WireGuard VPN

For more control, or to avoid a NordVPN subscription, you can run your own WireGuard VPN server.

Server Configuration (on the same network as cameras)

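bash
# Install WireGuard
sudo apt update && sudo apt install -y wireguard

# Generate the key pair as root; umask 077 makes the key files owner-only from the moment they are created
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'

# Enable IPv4 forwarding so the server can route between wg0 and the LAN (the drop-in file name is an example)
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system

ini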
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

# Forward VPN traffic to the cameras on the LAN and NAT it
# (eth0 is the LAN-facing interface; adjust the name to match your system)
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Phone / remote PC
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Client Configuration (remote phone/PC)

ini
# /etc/wireguard/wg0.conf (client)
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client_private_key>
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
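# The server's UDP port 51820 must be reachable at this address
# (this WireGuard port is the only one opened; camera ports stay closed)
Endpoint = your-home-ip:51820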
AllowedIPs = 192.168.1.0/24, 10.0.0.0/24
PersistentKeepalive = 25

The AllowedIPs entry 192.168.1.0/24 is the camera LAN subnet, so traffic for that subnet is routed through the tunnel. After connecting, you can access 192.168.1.64:554 (the camera's local IP) directly.
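On the server side, AllowedIPs also acts as a source filter: WireGuard only accepts packets from a peer whose source address falls inside that peer's AllowedIPs, which is why the server config above pins the client to 10.0.0.2/32. The script below is an added example (not from the original article) that flags server-side entries wider than one tunnel address; the function names, the `10.0.0.` prefix argument and the sample config are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the [Peer] sections of a server-side wg0.conf.
# Assumption: remote-device setup as in this article (tunnel subnet 10.0.0.0/24),
# so every peer should list exactly one /32 address inside that subnet.

# audit_allowed_ips TUNNEL_PREFIX   (config on stdin; prefix such as "10.0.0.")
# Prints "peer<N> <cidr> <reason>" for every entry broader than needed.
audit_allowed_ips() {
  awk -v prefix="$1" '
    /^[ \t]*\[Peer\]/ { peer++; next }
    peer && /^[ \t]*AllowedIPs[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")            # drop the key and the equals sign
      sub(/[ \t]*(#.*)?$/, "")            # drop trailing whitespace or comment
      n = split($0, cidrs, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cidrs[i]
        if (c !~ /\/32$/)               print "peer" peer, c, "broader-than-one-host"
        else if (index(c, prefix) != 1) print "peer" peer, c, "outside-tunnel-subnet"
      }
    }'
}

# Constructed sample config; keys are placeholders.
sample_conf() {
  cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# phone: one tunnel address, as intended
PublicKey = <phone_public_key>
AllowedIPs = 10.0.0.2/32

[Peer]
# laptop: may send packets with any source address
PublicKey = <laptop_public_key>
AllowedIPs = 10.0.0.3/32, 0.0.0.0/0

[Peer]
# tablet: claims the address of a LAN camera
PublicKey = <tablet_public_key>
AllowedIPs = 192.168.1.64/32
EOF
}

sample_conf | audit_allowed_ips 10.0.0.
```

On a real server, feed it the live file instead: `sudo cat /etc/wireguard/wg0.conf | audit_allowed_ips 10.0.0.`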

For more on WireGuard configuration and SSH hardening, see the SSH Security Hardening Guide.

Zero Port-Forwarding Solutions

Some scenarios don't allow any port forwarding — apartment shared connections or CGNAT environments, for example.

Option 1: NordVPN Meshnet (covered above)

Meshnet handles NAT traversal automatically via P2P. No port forwarding needed.

Option 2: Tailscale

bash
# Install Tailscale on your home server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --advertise-routes=192.168.1.0/24

# Install Tailscale on your remote device too
# → Automatic mesh VPN connection

Tailscale's free Personal plan supports up to 100 devices and 3 users. The --advertise-routes flag advertises the camera subnet, allowing remote access to LAN cameras.

Option 3: Cloudflare Tunnel

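To expose a web dashboard (HTTP) without port forwarding, Cloudflare Tunnel can publish it under a hostname and add HTTPS termination. Unlike the VPN options, that hostname is reachable from the public internet, so the dashboard needs its own authentication.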

bash
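# Install cloudflared (from Cloudflare's package repository, which must be added first)
sudo apt install cloudflared

# Authenticate cloudflared against your Cloudflare account, then create the tunnel
cloudflared tunnel login
cloudflared tunnel create surveillance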
cloudflared tunnel route dns surveillance cameras.example.com

# Configuration
# ~/.cloudflared/config.yml
# tunnel: <tunnel-id>
# credentials-file: /root/.cloudflared/<tunnel-id>.json
# ingress:
#   - hostname: cameras.example.com
#     service: http://localhost:8080
#   - service: http_status:404

Note: Cloudflare's Service-Specific Terms restrict serving video content through their CDN unless you use Cloudflare Stream. Low-resolution thumbnail grids are fine, but full HD streaming is better served by a VPN solution.

Security Best Practices

A VPN alone isn't enough if everything else is weak. Here's a comprehensive security checklist for surveillance camera systems.

Camera Hardware

  • Change default passwords immediately. Millions of cameras worldwide still use admin/admin
  • Keep firmware updated. Camera vendors release vulnerability patches regularly
  • Disable unused services. Turn off UPnP, P2P cloud features, and Telnet if not needed
  • Isolate cameras on a dedicated VLAN. Don't mix them with office PCs on the same network

Network Configuration

  • Disable UPnP on your router. Cameras may auto-open ports without your knowledge
  • Block cameras from accessing the internet. Use firewall rules to prevent outbound traffic from cameras
  • Assign static IPs. Avoid stream interruptions from IP changes via DHCP

VPN Operations

  • Log VPN connections. Track who accessed what and when
  • Remove stale VPN peers. Revoke access for departed employees immediately
  • Enable 2FA. NordVPN supports two-factor authentication. For why SMS-based 2FA isn't enough, see SMS 2FA Risks
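For a self-hosted WireGuard server, the first two items can start from `wg show wg0 dump`, which reports each peer's last handshake time. The script below is an added example (not from the original article) that lists peers that have never connected or have been idle longer than a threshold; the function names, the 30-day threshold and the sample dump are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list WireGuard peers that have gone quiet, from `wg show wg0 dump`.
# Peer lines are tab-separated: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx-bytes, tx-bytes, keepalive.

# stale_peers NOW_EPOCH MAX_AGE_DAYS   (dump on stdin)
# Prints "<public-key> <reason>" for each peer worth reviewing.
stale_peers() {
  awk -F '\t' -v now="$1" -v days="$2" '
    NF != 8 { next }                      # skip the 4-field interface line
    $5 == 0 { print $1, "never-connected"; next }
    {
      age = int((now - $5) / 86400)
      if (age > days) print $1, "idle-" age "d"
    }'
}

# Constructed sample dump; the key names are placeholders, not real keys.
sample_dump() {
  printf 'SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n'
  printf 'PHONE_PUBLIC_KEY\t(none)\t203.0.113.7:40112\t10.0.0.2/32\t1702505600\t52340\t91822\t25\n'
  printf 'LAPTOP_PUBLIC_KEY\t(none)\t198.51.100.9:51820\t10.0.0.3/32\t1690000000\t1200\t3400\toff\n'
  printf 'TABLET_PUBLIC_KEY\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n'
}

# Constructed "now" = 1702592000; on a live server use:
#   sudo wg show wg0 dump | stale_peers "$(date +%s)" 30
sample_dump | stale_peers 1702592000 30
```

Peers it reports are candidates for removal from wg0.conf; running it on a schedule and keeping the output gives a basic access record.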

For risks when accessing cameras from public WiFi, see the Public WiFi Safety Guide. For broader privacy considerations, check the Developer Privacy Guide. And if you're setting up NordVPN for the first time, the NordVPN Setup Guide walks through the full process.

FAQ

Is port forwarding safe if I change the default port from 554?

No. Changing the port number is security through obscurity — scanners like Shodan and Masscan enumerate all 65,535 ports. The underlying protocol (RTSP) is still unencrypted and unauthenticated. Always use a VPN instead.

Can I use a free VPN for camera access?

Free VPNs typically don't support the features needed for camera access (static IPs, Meshnet, split tunneling). They also come with bandwidth caps and privacy concerns. For camera security, a paid solution like NordVPN or a self-hosted WireGuard server is the way to go. See Why Free VPNs Are Dangerous for details.

Does NordVPN Meshnet work without a NordVPN subscription?

Yes — Meshnet is free for all NordVPN account holders, even without an active VPN subscription. You just need a NordVPN account. The P2P mesh functionality doesn't require a paid plan.

How much bandwidth does remote camera streaming use?

A single 1080p H.264 stream at 30fps typically uses 4–8 Mbps. With 4 cameras, that's 16–32 Mbps of upload bandwidth from your home network. H.265 (HEVC) cuts this roughly in half. WireGuard adds minimal overhead (~60 bytes per packet).

Can I access cameras on CGNAT without port forwarding?

Yes. CGNAT (Carrier-Grade NAT) prevents port forwarding entirely, but solutions like NordVPN Meshnet, Tailscale, and Cloudflare Tunnel use NAT traversal or relay servers to establish connections without any port forwarding.

Is WireGuard better than OpenVPN for camera streaming?

For real-time video, yes. WireGuard has significantly lower latency and higher throughput than OpenVPN, with a much smaller codebase (~4,000 lines vs ~100,000). It also reconnects faster when switching networks. See VPN Protocols Compared for benchmarks.

Should I put cameras on a separate VLAN?

Absolutely. Camera VLAN isolation prevents a compromised camera from reaching other devices on your network (PCs, NAS, printers). Configure your router/managed switch to create a dedicated VLAN for cameras with firewall rules blocking inter-VLAN traffic except through the VPN server.

Wrapping Up

Here's how to secure remote access to surveillance cameras:

  • Never forward camera ports. They get indexed by Shodan and targeted by Mirai-style botnets
  • VPN is essential. Encrypted tunnel access keeps camera feeds off the public internet
  • Easiest option: NordVPN Meshnet for serverless P2P connections
  • Most flexible: Self-hosted WireGuard VPN
  • No port forwarding possible: Tailscale or Meshnet

Don't forget camera-level security: change default passwords, update firmware, and isolate cameras on a VLAN.
