The usual way to set up remote access to our CCTV software SecuritySpy running on your Mac is via port forwarding (see Installation Manual – Remote Access). This method allows direct incoming connections to SecuritySpy from the Internet, and is achieved by configuring your router (which SecuritySpy can do automatically for most routers). This method is great for most users, as it usually allows high-performance remote access with minimal configuration.

However, some users may want to consider other methods for the following reasons:

Port forwarding only works when your ISP gives you a true public IP address, which is not always the case, especially with cellular or satellite internet connections (e.g. 4G, 5G, Starlink).
If you have two routers between the Mac and the Internet (e.g. your ISP router plus your own router), port forwarding configuration is difficult – the usual solution is to switch one of these routers to bridge/passthrough mode, but this isn’t always possible.
ISP routers sometimes prevent users from setting port forwarding rules.
Institutions with very strict network policies may have a blanket ban on allowing any kind of incoming connections from the Internet.

If you can’t use port forwarding for any reason, the solution is to set up a Virtual Network or a Tunnel (sometimes called a proxy) via a third-party service in order to access your system. A number of these solutions are described below, with setup instructions.

A Virtual Network, as opposed to a physical network, is a Software-Defined Networking (SDN) solution that creates an overlay network on top of existing network infrastructure, spanning across multiple physical networks and the Internet. Members of this virtual network can communicate with each other as if they were on the same physical network.

With a Tunnel solution, the data is relayed via a third-party server acting as an intermediary. Note that many providers apply data transfer limits, so you should take steps to moderate your bandwidth usage when accessing remotely, such as minimising live video streaming, avoiding large file downloads, and generally using the connection sparingly.

Which solution you choose generally comes down to the following question: do you have a fixed set of devices from which you want to access your SecuritySpy server? For most users, the answer to this question is yes, and in this case a Virtual Network is the best solution. On the other hand, if you want your SecuritySpy server open to the Internet for anyone to (attempt to) access, then a Tunnel solution provides this.

In terms of security, both solutions offer encrypted Internet communication, however the Virtual Network solution is considered more secure because clients have to first be a member of the network in order to even attempt connections to the server, which adds an extra layer of security. Note that in either case, the connection to SecuritySpy itself is via its plaintext HTTP web interface (not the secure HTTPS interface), so this must be enabled in SecuritySpy’s web settings. This is because the encryption is handled by the virtual network / tunnel solution itself, not by SecuritySpy.

Virtual Network (SDN) Solutions

Client software is installed on all devices, allowing them to communicate freely with each other as if they were on the same physical network. The system assigns each device a virtual IP address. Devices are only accessible to others within this virtual network, not from outside. The central server primarily helps set up direct connections between devices, rather than relaying data itself.

Continue reading →

[Update 8 Nov 2022: although the below solution still works, ngrok have put up their prices significantly since this post was written. We now have a new post that describes some alternative solutions, many of them free, so we recommend you refer to this one instead: Remote Access Without Port Forwarding.]

In order to connect to any server over the Internet (such as SecuritySpy’s built-in web server for remote access to your CCTV system), the server must be exposed to the Internet via a public IP address.

Most standard home and commercial Internet connections (Fibre, ADSL, Cable) provide a public Internet address, which makes setting up remote access to SecuritySpy fairly straightforward, as described in the Remote Access section of the SecuritySpy Installation Manual.

However, Mobile/Cellular Internet connections (i.e. those that use a 3G, 4G or 5G modem to connect wirelessly over the cellular network) are becoming increasingly common, as their speed and reliability increase and costs decrease. Unfortunately, most mobile Internet connections do not provide a true public IP address, but rather provide a private address within the Internet provider’s network (this is called Carrier-Grade NAT). Therefore it is not possible to set up remote access in the same way. Typically, this is the case with Satellite-based Internet connections as well.

Some mobile Internet Service Providers (ISPs) can provide a true public IP address for an extra fee, but not all do.

The solution to this problem is to use a service called ngrok, which allows you to set up a secure tunnel to your server in order to provide access to it from the Internet. Here’s how it works: Continue reading →

The Ben Software Blog

Video capture software for the Mac

Tag Archives: ngrok

Remote Access Without Port Forwarding

Virtual Network (SDN) Solutions

Remote Access via Mobile/Cellular/Satellite Internet