BI essentially has it's own Dynamic DNS style service, based on your license key. Follow the remote access wizard, it guides you through this and shows you the url.
Basically bookmark and go to "
blueiris.pro/go?XXXXXXXXXX" where XXXXXXXXXX are the first 5 and last 5 digits of your licence key.
You can then use this URL from a PC, IPAD ect.. to always get your WAN IP remotely. So a 2 step process if your IP changes.
The security risk with port forwarding is overstated., often confused with dynamic port forwarding, eg: UPNP, which I recommend you always disable (usually on by default). But interesting enough, most security professionals don't even class that as a key risk anymore.
Your cameras are a bigger security risk as is most home router firmware and your home printer (if network enabled), not to mention any iot devices not on guest.
Some mitigations (applicable to both VPN and Port Forwarding)
- use a dedicated device for BI (with a different user id and password to anything else on your network)
- strong passwords for BI
- Don't change\modify BI to run as an admin
- Whitelisting to your remote IP's if fixed (eg: proxy servers are work), or the range used by your mobile provider. Quick way to exclude people overseas, narrows the footprint
- At attacker is far more likely to exploit a vulnerability in a more readily available product such as Open VPN, so generally use a paid vpn not openvpn.
If you have sensitive material don't allow remote access of any kind (port forwarding or VPN)
Note though with port forwarding, while usernames and passwords are encrypted the video stream is not, you require STUNNEL or VPN for that.
Many other mitigation you can take, but the key is you are not exposing your entire PC or windows to the internet by allowing a single port for BI. An attacker must explicitly target a vulnerability in BI, then code an exploit specifically to BI.
