Issues connecting remotely with SecuritySpy iPhone app when my home Mac is using a VPN

Had this issue before when running the NordVPN app on my Mac (not the router). Could not solve it. So, I got a new ASUS router RT-AX88U (just wanted it) and loaded NordVPN on my router now instead of the app on my Mac. This is my setup.

ASUS router with port forwarding of 8001 to my internal Mac IP and NordVPN installed on the router.

Mac running Monterey with the latest version of SecuritySpy on my Mac. SecuritySpy on Mac has both HTTP and HTTPS web servers enabled and Auto port Forwarding for HTTPS only checked. The DDNS viewcam.me tests OK and works.

From my iPhone (with the latest SS app) I can easily connect to SS and view my cameras with no issues.

However, once I enable the Mac traffic to go through NordVPN on the router, I can no longer connect to SS remotely from my iPhone, unless I am still on my home WiFi. Once I leave my WiFi, I cannot connect.

Any suggestions?

Thanks

Jim

Comments

  • Forgot, SS web HTTPS security level is "1- Require TLS 1.2 or later"

  • I had similar issues when I swapped router hardware. Make sure port forwarding is set correctly in the router settings.

  • Since the Port forwarding works when the router VPN is off, I assume that it is correct. Is there something different about the Port Forwarding setup for when the VPN is on?

    Thanks

  • Ben
    edited January 2023

    With VPN turned on at the router, you are connected to the VPN provider's network rather than directly to the Internet, and therefore port forwarding won't work because Nord specifically blocks this functionality ("Since we do not provide any port-forwarding, no incoming connections can go through." – Do you offer any open ports?).

    Instead, what you could do is to use Tailscale or Zerotier to set up your own private VPN for SecuritySpy access. This will then work whether you are connected directly to the Internet, or connected via Nord. This is described here: Remote Access Without Port Forwarding.

  • Ben

    Once again, much thanks!!! This makes sense now, Nord has been blocking the incoming traffic. I will begin researching what you provided.

    Thanks

    Jim

  • Ben

    I think I will try Tailscale. Do I understand this right?

    While surfing the web from my Mac my traffic will be routed through NordVPN, however, any traffic related to SS will route through Tailscale?

    Thanks


    Jim

  • Ben
    edited January 2023

    Hi Jim - when connected to the Internet via Nord, all packets that are sent/received over your Internet connection go via Nord's servers. In this situation, if you then access SecuritySpy via Tailscale, you are using a VPN within a VPN. The Tailscale traffic will go via Nord's servers (like all other Internet traffic), but this shouldn't matter to Tailscale; all Tailscale needs is any kind of working outgoing connection to the Internet.

    Tailscale will attempt to set up a peer-to-peer connection between devices by using certain clever techniques (in which case you have SecuritySpy <-> Nord server <-> client), but if this isn't possible, its traffic will also go via Tailscale's servers (in which case you have SecuritySpy <-> Nord server <-> Tailscale server <-> client).

    It may be better to employ split tunneling to give SecuritySpy direct access to the Internet so that you can use port forwarding - this would be faster and more reliable (as it's simpler and there is therefore less to go wrong). But I think this requires that you run Nord on your Mac rather than on your router, and you mentioned above that you tried this and had problems.

  • UPDATE:

    Since no real VPN allows split tunneling on Mac Monterey, I decided to go down the Tailscale path.

    And... It works!!!! Thanks Ben!

    Couple of questions:

    1. I currently have my router port forwarding both 8000 and 8001 to SS, is this ok? I did Enable both the HTTP and HTTPS web servers in SS.
    2. My SS app on my phone now shows an "Unlocked" symbol next to my server name. What exactly does this mean?
    3. Do you know if the IP that Tailscale sets up for my Mac will change? Don't want it to change when I'm on the road and not have access to my SS.

    Thanks

    Jim

  • Hi Jim,

    Great! To answer your questions:

    1. You don't need the port forwarding rules anymore if you are going to continue to use Tailscale permanently for SecuritySpy connections. Keep these only if you are going to use port forwarding from time to time.
    2. This means that the app is seeing a non-encrypted (non-SSL) connection. But this is nothing to worry about because your data is actually being encrypted by the VPN - it's just invisible to SecuritySpy. So this is expected.
    3. The IP address will remain the same as long as the Mac is a member of your Tailscale network (for more information, see How Tailscale assigns IP addresses).