Remote Access Without Port Forwarding

The usual way to set up remote access to our macOS CCTV software SecuritySpy running on your Mac is via port forwarding (see Installation Manual – Remote Access). This method allows direct incoming connections to SecuritySpy from the Internet, and is enabled by some configuration in your router (which, for most routers, SecuritySpy can do automatically). This method is great for most users, as it usually allows high-performance remote access with minimal configuration.

However, some users may want to consider other methods for the following reasons:

  • Port forwarding only works when your ISP gives you a true public IP address, which is not always the case, especially with cellular or satellite internet connections (e.g. 4G, 5G, Starlink).
  • If you have two routers between the Mac and the Internet (e.g. your ISP router plus your own router), port forwarding configuration is difficult – the usual solution is to switch one of these routers to bridge/passthrough mode, but this isn’t always possible.
  • ISP routers sometimes prevent users from setting port forwarding rules.
  • Institutions with very strict network policies may have a blanket ban on allowing any kind of incoming connections from the Internet.

If you can’t use port forwarding for any reason, the solution is to set up a VPN or Tunnel (sometimes called a proxy) via a third-party service in order to access your system. A number of these solutions are described below, with setup instructions.

The two VPN solutions described below are “peer to peer” systems: a central server sets up the connection between clients, who then communicate directly (in the minority of cases where this is not possible, the system falls back to relaying data via the server). On the other hand, with tunnel/proxy solutions, the data is always relayed via a central server.

Many tunnel/proxy providers apply data transfer limits, so you should take steps to minimise your bandwidth usage when accessing remotely, such as avoiding viewing live video in web browsers where streaming is done using high-bandwidth JPEG encoding, avoiding large file downloads, and generally using the connection sparingly.

All installation and setup must be done on the Mac running SecuritySpy. You will also need to enable SecuritySpy’s HTTP web server (even though the connection to SecuritySpy is via plain HTTP, this connection is happening within the Mac itself – when data leaves the Mac to travel over the Internet, it is encrypted by the VPN/Tunnel software).

Virtual Private Network (VPN) Solutions

VPN client software is installed on the SecuritySpy Mac and on all devices you want to use for remote access. All devices on the VPN can communicate freely with each other, via their VPN IP addresses, just as though they were on the same physical local network. Devices are not accessible outside the VPN.

VPN Solution 1: Tailscale

  • A basic account that connects up to 20 devices is free
  • Easy setup with great Mac support
  • Client authentication is done via account details: each client needs to log in to your VPN account, or their own VPN account to which you can share devices
  • All major platforms supported (macOS, iOS, Windows, Linux)
Click here for Tailscale setup instructions

1. On the Mac running SecuritySpy, sign into Tailscale using a Google, Microsoft or GitHub account, and follow the instructions to download and install their app from the Mac App Store.

2. Open the app, agree to the required permissions that you will be asked for, and log in.

3. During the setup process you will be asked if Tailscale should start automatically – assuming you want SecuritySpy to be accessible at all times, select this option.

4. You should see a Tailscale menu in the top-right of your Mac’s menu bar – it looks like this:This menu shows the VPN IP address that has been assigned to your Mac, for example:

5. On any device from which you wish to access SecuritySpy, install Tailscale, log in using the same account, and you will be able to access SecuritySpy using the Mac’s VPN IP address as shown in menu above, along with the HTTP port that SecuritySpy is using. In this example, the URL for access would be

VPN Solution 2: Zerotier

  • A basic account that connects up to 25 devices is free
  • Easy setup with great Mac support
  • Client authentication is done via the central control panel; clients don’t need account details
  • All major platforms supported (macOS, iOS, Windows, Linux)
Click here for Zerotier setup instructions

1. Head to Zerotier and sign up for an account, or log in with an existing Google, GitHub or Microsoft account.

2. Click the Create A Network button, and a VPN network will be created for you – make a note of the Network ID that will be displayed. You can choose a custom name if you like.

3. On the SecuritySpy Mac, and on all other devices you want to connect to your VPN, download and open the Zerotier app. You will see its menu in the top-right of your Mac’s menu bar – it looks like this:

This menu has the following options:

Select the Join New Network option, and enter the Network ID that you obtained from step 2. You should then see the network displayed in the menu (called SecuritySpy in the above example). Repeat this on all devices.

4. In the Networks section of the Zerotier web portal, click on the network to edit it, and scroll down to the Members area. You should see a list of devices that you have connected, but they will not yet be authorised. Enable the checkboxes next to each device to authorise them:

5. You will see here that each device has been assigned an IP address on the VPN. This address is also displayed in the Tailscale menu under Network > Managed Addresses. This is the address that you will use in clients in order to access your SecuritySpy server. In the above example, the SecuritySpy Mac has the VPN IP address, so other VPN clients can access SecuritySpy at the URL

Tunnel / Proxy Solutions

Client software on the SecuritySpy Mac makes an outgoing connection to the proxy server. The proxy server accepts incoming connections from any device on the Internet, which are relayed to the SecuritySpy Mac.

Tunnel Solution 1: Pagekite

  • Reasonable fees (e.g. $60 gets you 1 year with 200 GB data quota)
  • Extremely easy setup
  • A domain name is provided; you do not need your own
  • Restrictive data transfer limits mean that this is only suitable for light/infrequent use
Click here for Pagekite setup instructions

1. Setup is as easy as opening a Terminal window and executing the following two commands in turn – the first downloads the pagekite script, and the second starts the tunnel (choose a name that is meaningful to you, rather than yourname):

curl -O
python3 8000

When you start the tunnel for the first time, follow the account creation and setup prompts – this only has to be done once. Your SecuritySpy server will then be accessible at the secure URL

2. To have the tunnel start automatically when the Mac boots up:

  • Open TextEdit and create a new document
  • Under the Format menu, select the Make Plain Text option
  • Copy into the document the second command from above (the one that starts python3…)
  • Save this to your Documents folder using the file name pagekite.command
  • Open a Terminal window and execute the following command to make this file executable:

chmod +x ~/Documents/pagekite.command

  • Go to System Preferences > Users & Groups > Login Items, click the padlock item to unlock the settings, and drag the pagekite.command file into the list of login items.

3. Note that the Terminal window that is running pagekite must be left open for the tunnel to be operational.

Tunnel Solution 2: Packetriot

  • A free account provides a randomly-assigned (but permanent) domain and 1 GB monthly data, or a basic account at $5/month gives you a reserved domain and 1 TB monthly data
  • Moderate setup difficulty; not very user-friendly
Click here for Packetriot setup instructions

1. Head to Packetriot and create an account using an email address and password (don’t login via an existing Google account, as this makes configuration a bit more difficult).

2. From the Download pages, under the Manual Downloads section, download the macOS package. This downloads a folder that contains two important files: a pktriot executable, and a pktriot.plist file that can be used to start Packetriot automatically at system reboot.

3. Right-click on the pktriot executable, select the Open option, and click the Open button. This authorises the executable to be allowed to run, and only needs to be done once.

3. In a new Terminal window, enter the following commands in turn, each followed by the return key:

cd ~/Downloads/pktriot-0.14.1  (or whatever the path is to the pktriot folder you just downloaded – your version number may be different)

mv pktriot.plist /Library/LaunchAgents (do this only if you want Packetriot to start automatically upon Mac reboot)

mv pktriot /usr/local/bin (this moves the pktriot executable to the right place)

cd /usr/local/bin (this sets the directory in Terminal in preparation for running the below commands)

sudo mkdir -m 777 /etc/pktriot (this creates a folder for the Packetriot settings file – you will be asked for your macOS user password)

./pktriot configure

This takes you through some configuration options, including login details, region, and configuration file location, for which you should choose the path starting /etc (option 1).

4. For paid accounts, under Subdomains in the control panel, you can reserve and assign a subdomain to your tunnel – for example Otherwise, for free accounts, check the Tunnels page to see what domain has been automatically assigned to your tunnel.

5. The following commands configures and starts the tunnel on your Mac (make sure to substitute in the correct domain for your tunnel, which is your custom subdomain if you have reserved one):

./pktriot tunnel http add --domain --destination localhost --http 8000 --letsencrypt

./pktriot start

You should see some output in the Terminal that indicates that the tunnel has started, like this:

This indicates that your SecuritySpy server is now available to the Internet at the URL

6. Since you started the tunnel here manually, it will only persist while this Terminal window is open. If you copied the pktriot.plist file to the /Library/LaunchAgents folder as described above, simply reboot your Mac and the tunnel will start automatically without requiring to be run in a Terminal window.

7. Other useful commands that will help when changing tunnel names or debugging are as follows:

./pktriot info (shows information about the current configuration)

./pktriot check (checks for setup problems and prints and short report)

./pktriot tunnel http rm --domain (removes a tunnel)

Tunnel Solution 3: Cloudflare

  • A basic account is free and offers lots of great features (described as “For personal or hobby projects that aren’t business-critical”)
  • You will need your own domain name – for many users this is ideal, but for others this adds unnecessary complexity
  • Moderate setup difficulty; knowledge about how domain names and DNS work would be useful
  • There are no published usage limits, but we would expect Cloudflare to ban users who they consider to be abusing their free accounts (e.g. with constant video streaming).
Click here for Cloudflare setup instructions

1. Register a domain name of your choosing via any registrar (we can recommend in the US and in the UK).

2. Sign up for a Cloudflare account – when asked, choose the free option.

3. Follow Cloudflare’s instructions to add your domain to your Cloudflare account. By default, Cloudflare will copy the domain’s existing DNS configuration, so make sure to remove any records that you don’t need, as these may conflict with the tunnel you are about to create.

This also involves setting the nameservers (DNS servers) on your domain to Cloudflare’s servers, which is done via the control panel provided by your domain name registrar. You may have to wait 24 hours after this step for the new nameserver setting to take effect on your domain.

4. Open the Cloudflare Zero Trust Dashboard. In the menu on the left, select Access > Tunnels, and create and name a new tunnel. Once created, you will see a section called Install and run a connector, which contains some commands that you will need to copy and paste into a Terminal window on your Mac.

Installation will take a few minutes, during which time you will be asked for your Mac password in the Terminal window and in some windows that pop up during the install process. Once installed, the connector should show up at the bottom of the page in the web browser. Here’s what this window should look like if everything went well:

5. Click the Next button, and you will then be asked for some options, as follows:

  • Domain – select the domain that you added to your Cloudflare account in the step above.
  • Subdomain – you can choose any subdomain you like as the endpoint of the tunnel (e.g., of you can leave this blank to have the domain itself point to SecuritySpy (e.g. In either case, Cloudflare will automatically add the relevant DNS entries to your domain, but it can only do so if there aren’t any existing entries that conflict – if you get a warning here, edit the DNS configuration for your domain in Cloudflare to remove conflicting entries.
  • Path – leave blank
  • Type – HTTP
  • URL – localhost:8000

6. Your SecuritySpy system should now be accessible via the address you set up in the above panel, which in this example is

2 thoughts on “Remote Access Without Port Forwarding

  1. Robert Spivack

    I believe your diagrams for Tailscale and Zerotier are misleading a bit?

    Both of these solutions are not a pass-through VPN where all the traffic flows through their central server.

    Instead, these are peer-to-peer VPN’s, once the session is established, the client computer is directly communicating over the Internet via an encrypted peer to peer connection to the destination Mac (running SecuritySpy) without traffic passing thru the hosted servers.

    The central servers used by Tailscale or Zerotier are only connection setup servers. They facilitate setting up the connection without problems imposed by no port forwarding and the need to traverse NAT type firewall/gateways at each end.


Leave a Reply

Your email address will not be published. Required fields are marked *