I have purchased the blue iris app for ios and have been reading through the help section in blue iris about remote access. I have been searching though google on how to safely setup remote access. Looks like there are two ways one through ngrok and the other through some vpn to my router through port access. Im interested in the router setup route but cannot find any writeups on that walk through how to do the setup. Can anyone point me in the right direction or explain what i may need to safely setup my blue iris app so its functional and only i can view my cams? Thanks
Trying to figure out how to safely remotely view my blue iris system.
- Thread starter Joegreen
- Start date
SpacemanSpiff
Known around here
Start with these:
ipcamtalk.com
ipcamtalk.com
Consider providing details on the make/model router you currently posess.
VPN Primer for Noobs
The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers dont want your video...
How to Secure Your Network (Don't Get Hacked!)
Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...
Consider providing details on the make/model router you currently posess.
psycik
Getting the hang of it
Having done vpns in the past, both pptp and later IPsec. Becuase my unifi gear supported it. I’ve now disabled in favour of tailscale. So much easier.
install on phone. Install on device in network (blue iris machine (windows?) Will do. And off you go.
You can fiddle with dns and subnet routing if needed. But other wise for simplicity, just use the new tailscale name of your blue iris machine
install on phone. Install on device in network (blue iris machine (windows?) Will do. And off you go.
You can fiddle with dns and subnet routing if needed. But other wise for simplicity, just use the new tailscale name of your blue iris machine
whoami ™
Pulling my weight
Buy a domain name from some where like Name Cheap. Using pfSense, set up the dynamic DNS client built in pfSense and hook it up by api to a DNS provider like Cloud Flare. Then create a wild card SSL Cert using LetsEncrypt. Then set up some A records with your DNS provider (Cloud Flare, ect.) including a Wild Card. Then set up pfSense's DNS resolver to resolve the sub domain name of your BI server to its IP address. Then set up HA Proxy in pfSense to listen to WAN address for your BI sub domain and Proxy Your Blue Iris sub domain over port 443. example would be:
That is the correct way to do it. Its also the hardest and maybe 1% here are working with an enterprise grade firewall.
That is the correct way to do it. Its also the hardest and maybe 1% here are working with an enterprise grade firewall.
Last edited:
psycik
Getting the hang of it
The Automation Guy
Known around here
While the "forwarding a port" method works and is easy to set up, it is also the least secure method of allowing remote access. The whole point of a wirewall/router is to prevent outside access to your local network by creating a "wall" that blocks outside access. By "forwarding a port" you are punching a hole in this wall that goes directly to your BI machine without any encryption keys, etc needed. A hacker can easily use this access along with other potential exploits to gain access to the rest of your network without much effort.
The much more secure solution is to use a self-hosted VPN service (or similar option) that allows access to the network. Using a VPN service still requires that you forward a single port, but it gets forwarded to the VPN service that requires a matching encryption key and correct login credentials before allowing any traffic to pass to your network. Obviously the use of an encryption key greatly increases the security of this solution and it's why we suggest this solution over a simple "port forwarding" solution which simply forwards all traffic using that port with zero security measures.
The much more secure solution is to use a self-hosted VPN service (or similar option) that allows access to the network. Using a VPN service still requires that you forward a single port, but it gets forwarded to the VPN service that requires a matching encryption key and correct login credentials before allowing any traffic to pass to your network. Obviously the use of an encryption key greatly increases the security of this solution and it's why we suggest this solution over a simple "port forwarding" solution which simply forwards all traffic using that port with zero security measures.
whoami ™
Pulling my weight
I apologize if what I wrote this morning @ 6:33am came off abrasive. I have to be out the door by 6:40 and I didn't mean for it to be like that. I was just in a rush but reading it back I feel I should clarify.
What I was trying to say is in order to do things like the big boys and have a seamless experience with the app like you would with Ring or what-ever paid service plus have enterprise grade security you pretty much need an enterprise grade firewall like pfSense. The next best thing would be running a VPN server on your network but that gets annoying and trying to get loved ones to understand the reason they couldn't connect with the BlueIris app was because they weren't connected to the VPN, which I call USER ERROR, but my love ones seem to think is the admin's fault, is draining.
What I was trying to say is in order to do things like the big boys and have a seamless experience with the app like you would with Ring or what-ever paid service plus have enterprise grade security you pretty much need an enterprise grade firewall like pfSense. The next best thing would be running a VPN server on your network but that gets annoying and trying to get loved ones to understand the reason they couldn't connect with the BlueIris app was because they weren't connected to the VPN, which I call USER ERROR, but my love ones seem to think is the admin's fault, is draining.
Last edited:
psycik
Getting the hang of it
The will be a magic dns name of each node the name should be accessible
I assume windows is the blue iris? Also in the tailscale iOS app if you click on the windows machine name you can get ip. That should be accessible from your phone if tailscale is running on both (active on iOS and you’ve run tailscale up on windows)
I assume windows is the blue iris? Also in the tailscale iOS app if you click on the windows machine name you can get ip. That should be accessible from your phone if tailscale is running on both (active on iOS and you’ve run tailscale up on windows)