[Update 8 Nov 2022: although the below solution still works, ngrok have put up their prices significantly since this post was written. We now have a new post that describes some alternative solutions, many of them free, so we recommend you refer to this one instead: Remote Access Without Port Forwarding.]
In order to connect to any server over the Internet (such as SecuritySpy’s built-in web server for remote access to your CCTV system), the server must be exposed to the Internet via a public IP address.
Most standard home and commercial Internet connections (Fibre, ADSL, Cable) provide a public Internet address, which makes setting up remote access to SecuritySpy fairly straightforward, as described in the Remote Access section of the SecuritySpy Installation Manual.
However, Mobile/Cellular Internet connections (i.e. those that use a 3G, 4G or 5G modem to connect wirelessly over the cellular network) are becoming increasingly common, as their speed and reliability increase and costs decrease. Unfortunately, most mobile Internet connections do not provide a true public IP address, but rather provide a private address within the Internet provider’s network (this is called Carrier-Grade NAT). Therefore it is not possible to set up remote access in the same way. Typically, this is the case with Satellite-based Internet connections as well.
Some mobile Internet Service Providers (ISPs) can provide a true public IP address for an extra fee, but not all do.
The solution to this problem is to use a service called ngrok, which allows you to set up a secure tunnel to your server in order to provide access to it from the Internet. Here’s how it works:
Setting Up ngrok
- Open an ngrok account via this page: https://dashboard.ngrok.com/user/signup
- This gives you an “auth token”
- Download the ngrok software from this page: https://ngrok.com/download
The download is a zip file called “ngrok-stable-darwin-amd64”, which should go into your Downloads folder – if you double-click on this zip file, it expands to an “ngrok” executable tool. We suggest that you move the ngrok tool to your Applications folder, but you can put it anywhere and it will work in the same way.
Open Terminal (you’ll find it in /Applications/Utilities/) and type the following commands:
cd /Applications
./ngrok authtoken <YOUR_AUTH_TOKEN>
./ngrok http 8000
In Terminal, it will then display a line like this:
Forwarding http://fd6a8bf7.ngrok.io -> localhost:8000
This means that the URL http://fd6a8bf7.ngrok.io now maps to SecuritySpy’s port 8000 on your Mac. You can use this URL in any web browser (or use the hostname fd6a8bf7.ngrok.io in our SecuritySpy iOS app) in order to access SecuritySpy from anywhere over the Internet (note that the exact hostname will be different in your case).
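An added example (not part of the original post): a small shell helper that reads ngrok's terminal output, checks that every tunnel points at SecuritySpy's port, and prints the public URL, preferring the HTTPS one when present. The function names and the sample output are constructed for illustration; the https line is assumed to follow the same format as the line shown above.

```shell
#!/bin/sh
# Constructed sample of ngrok terminal output. The hostname is the one from
# the post; the https line is an assumption using the same line format.
SAMPLE_OUTPUT='Session Status    online
Forwarding        http://fd6a8bf7.ngrok.io -> localhost:8000
Forwarding        https://fd6a8bf7.ngrok.io -> localhost:8000'

# Read ngrok output on stdin and print "PUBLIC_URL TARGET" per Forwarding line.
forwarding_pairs() {
    awk '$1 == "Forwarding" && $3 == "->" { print $2, $4 }'
}

# Usage: public_url PORT < ngrok-output
# Prints the public URL that forwards to localhost:PORT, preferring https.
# Returns 1 if no tunnel is listed, 2 if any tunnel points somewhere else
# (so a mistyped port is noticed before the URL is handed out).
public_url() {
    port=$1
    pairs=$(forwarding_pairs)
    best=""
    while read -r url target; do
        [ -n "$url" ] || continue
        # The target is also accepted when it is printed as a URL.
        case "$target" in
            localhost:"$port"|http://localhost:"$port") ;;
            *) echo "unexpected tunnel: $url -> $target" >&2; return 2 ;;
        esac
        case "$url" in
            https://*) best=$url ;;
            http://*)  [ -n "$best" ] || best=$url ;;
        esac
    done <<EOF
$pairs
EOF
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Stand-alone run: show the URL to use for the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | public_url 8000
```
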
Running ngrok Automatically Upon Startup
If you want the tunnel to SecuritySpy running all the time, even if you restart your Mac, do the following:
- Open TextEdit and create a new document
- Select the Make Plain Text option from the Format menu
- Enter the Terminal commands as described above
- Save this text file to your Documents folder with the name ngrok.command
Then, open Terminal, and copy and paste the following command, which sets the correct permissions for the script file you have just created:
chmod +x ~/Documents/ngrok.command
Finally, go to System Preferences, open the Users & Groups panel, click the Login Items tab, and drag and drop the ngrok.command file into the list of login items.
Notes
- The tunnel remains operational only while the Terminal window is open and running the ngrok process; you can hide the Terminal window but do not close it.
- There are different ngrok account levels; the free service will give you a URL that is different each time you start the tunnel, so it is only useful for testing purposes. The basic service (currently at $5 per month) provides reserved domains and custom subdomains to give you consistent URLs, and is the one that most users will want to go for.
- If you prefer to connect using secure HTTPS, ngrok provides an HTTPS URL for this purpose; however, in all cases the actual connection to SecuritySpy is via the standard HTTP port (default 8000). When using the HTTPS URL, the ngrok process running on your Mac encrypts all data before sending it via ngrok’s servers, so unencrypted data is not transferred over the Internet.
- If you are using our SecuritySpy iOS app, you will need to go to Settings > SecuritySpy on your iOS device, and set the “Live H.264 Video” option to OFF.
The subscription to ngrok sadly now costs considerably more than it did in 2019 – the required pro licence now in 2022 is $20 per month! A free easy to set up alternative to ngrok, that solves the same problem, is to set up tailscale – the personal licence is free and does the job admirably.
I needed a solution like this, when my home was switched from a static ipv4 address to a dynamic ipv6 address, and my mobile phone service only runs on ipv4.
PS: I am not affiliated with tailscale in any way. I just think this might be a useful solution to others stuck with a similar problem.
Hi Jon, thanks for the tip! Yes, it’s unfortunate that ngrok has put up the price of their basic package by 4x since we wrote this post. Tailscale looks great – we will investigate this as a possible alternative to replace our ngrok recommendation.
Upon further inspection, it seems that Tailscale isn’t always going to be a direct replacement for port forwarding, since both client and server need to have the Tailscale software installed, and be connected to the same Tailscale network, in order for a connection to be established. This is perfectly good if you are only going to be accessing SecuritySpy from specific machines on which you can install Tailscale, but it won’t work for accessing from an arbitrary machine that doesn’t have Tailscale installed. So I think we need to continue the search for an ngrok replacement – current possibilities are Packetriot or Cloudflare Tunnel.
“This is perfectly good if you are only going to be accessing SecuritySpy from specific machines on which you can install Tailscale, but it won’t work for accessing from an arbitrary machine that doesn’t have Tailscale installed.”
True. In order to do that I had already set up autossh port forwarding from the mac mini running security spy, to a dual stack vps running an nginx reverse proxy. That worked fine for accessing the web interface from any machine in the world, including on my iphone and ipad. But the small screen of an iphone is really begging for the ios app, and that unfortunately couldn’t get past the nginx proxy web host to access the security spy instance — the app complained that it wasn’t talking to the security spy server directly. That’s where tailscale comes in. It is a very elegant solution to accessing my mac mini security spy instance from an iphone, from anywhere in the world.
Thanks for the information. We’re looking at some options to make the connection to the iOS app more proxy-friendly, so we hope to support methods like nginx in the future.