How is a VPN more secure than port forwarding?

Clucky

Mar 28, 2024
Correct me if I'm wrong, but don't VPNs require port forwarding as well? Can't you just set a strong password for Blue Iris instead of having to go through all the challenges of using a smart phone + VPN + Blue Iris? The app is already problematic enough without the VPN (sometimes the app opens and doesn't automatically connect).
 
Well, set up port forwarding and watch how quickly you start having attempts at it.

In layman's terms, opening a port for a VPN service is much different than opening a port for an insecure device like a camera or NVR, or straight to BI.

In fact, by default routers and computers have common ports open, like 22 (SSH for secure remote access), 25 (SMTP for email), 80 (HTTP for web browsing), 443 (HTTPS for secure web browsing), etc. Go to your computer firewall and you will see many more open ports, all for a specific purpose.

With something like OpenVPN, the open port is like offering your home address but the router/OpenVPN then confirms those knocking have a key (the encryption key of the VPN service) and is still protected by the firewall/antivirus; whereas opening a port that goes straight to BI/NVR/Camera is offering your home address and the front door is open with free access to go to town on getting in.

BI is great, but it doesn't have the millions of users like other programs, so a vulnerability could be sitting there longer before it is realized than say with Windows. And we shut off anti-virus for BI, so.....follow that path - port forward is not a good idea...

In another thread, someone used Censys Search to search for PCs that presented the Blue Iris login page and found almost 22,000 in the US and a total of about 32,000 worldwide. These are port-forwarded and many have been hacked.

 
Yes, a traditional VPN requires an open port. The difference is that the VPN service requires a valid encryption key before traffic can pass through.

Think of it this way: port forwarding always takes the incoming traffic and sends it to the desired destination. When that destination is a device that doesn't use an encryption key, that device will automatically accept ALL traffic. This means the only "security" that you have is whatever is built into the firmware/software of the device. When you are talking about most IoT devices, the firmware is riddled with exploits and backdoors. When you use a traditional VPN service, the incoming traffic has to include the correct encryption key before that traffic can pass through. Without that valid encryption key, the traffic is simply dropped automatically (in much the same way that incoming traffic to a firewall/router without any open ports is simply dropped by the network).

So using a VPN with a properly set up encryption key is MUCH more secure than simply port forwarding traffic to an insecure port on your network.
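A small model of the two policies described above, added here as an illustration and not code from the thread or from any VPN product: a plain port forward hands every inbound packet to the service behind it, while a VPN-style gate silently drops anything that does not carry a valid key-derived tag. Real VPNs (OpenVPN, WireGuard) use a proper key exchange rather than a raw HMAC over a pre-shared key, so the key and packets here are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed pre-shared key standing in for "the encryption key of the VPN service".
PSK = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 tag length


def seal(payload: bytes, key: bytes) -> bytes:
    """Client side: prefix the payload with a tag only a key holder can produce."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def port_forward(packet: bytes) -> bytes:
    """Plain port forward: whatever arrives goes straight to the service
    (BI web server, NVR, camera). No check at all, so every probe reaches it."""
    return packet


def vpn_gate(packet: bytes, key: bytes):
    """VPN-style gate: only packets with a valid tag reach the service.
    Everything else is dropped with no reply (None), so a scanner sees nothing."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def simulate(packets, key: bytes) -> dict:
    """Run the same inbound packets through both policies and count how many
    reach the service behind each one."""
    reached_forward = sum(1 for p in packets if port_forward(p) is not None)
    reached_vpn = sum(1 for p in packets if vpn_gate(p, key) is not None)
    return {"port_forward": reached_forward, "vpn": reached_vpn}


# Constructed inbound traffic: one legitimate client plus three unsolicited
# probes of the kind an exposed port attracts (plain HTTP, junk, wrong key).
LEGIT = seal(b"GET / HTTP/1.1", PSK)
PROBES = [b"GET / HTTP/1.0\r\n\r\n", os.urandom(48), seal(b"GET /", b"wrong-key")]

if __name__ == "__main__":
    print(simulate([LEGIT] + PROBES, PSK))  # {'port_forward': 4, 'vpn': 1}
```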
 
Port forwarding is only as unsafe as the service you are exposing.

VPN servers are designed with cybersecurity as a top priority and most modern VPNs are generally considered safe by security experts, especially when the VPN server is kept up to date and uses modern best practices for cryptography-related settings.

Blue Iris's web server does not prioritize cybersecurity at the same level as a VPN server. It is not even close if we're being honest. That said, I personally trust Blue Iris's web server enough to forward a port to it and not bother with the VPN (because it IS an added hassle, there's no denying that). I would never do that for your typical IP camera or NVR appliance.
 
Port forwarding is only as unsafe as the service you are exposing.
All of the security decisions are based on risk vs. hassle. For myself over the years, the anti-virus software has caused a lot more hassle than any virus has caused. The one virus I know I picked up blew right through the anti-virus software, and I quit using it about 10 years ago. My decision, likely condemned by almost everybody else.

So what's the risk of leaving a port open to a dedicated BI machine, and the likelihood of it happening?

1. The BI machine gets ruined and you have to rebuild it from scratch.
2. Some code infecting the BI machine turns it and all of your cameras into bots.
3. Some code infecting the BI machine gets into other computers on your network, resulting in stolen personal and banking information.
4. The BI machine gets ransomware and maybe spreads it to other machines on your network.

Everybody gets to make their own risk vs. hassle determination; I won't try to tell them what to think. My defense against #1 and #4 is to keep backups. The network setup defends against #2 and #3, but I realize there could be holes that could be exploited. And I'm not trying to defend having a port open, because I don't have a port open.
 
Tailscale (and ZeroTier, which is a similar product) are great, especially if your ISP doesn't give you a dedicated IPv4 address. Easier to set up than a traditional VPN, and usually it "just works". But they can have speed issues on some networks if their normal firewall traversal methods fail, because they fall back to a relatively slow proxied connection. pfSense routers seem to be a problem due to the NAT method they use by default. I read about it in the Tailscale documentation and don't entirely understand it, but it is fixable at least. pfSense settings to enable direct connections · Tailscale Docs
 
Tailscale (and ZeroTier, which is a similar product) are great, especially if your ISP doesn't give you a dedicated IPv4 address. Easier to set up than a traditional VPN, and usually it "just works". But they can have speed issues on some networks if their normal firewall traversal methods fail, because they fall back to a relatively slow proxied connection. pfSense routers seem to be a problem due to the NAT method they use by default. I read about it in the Tailscale documentation and don't entirely understand it, but it is fixable at least. pfSense settings to enable direct connections · Tailscale Docs

I host Tailscale on pfSense and all I did was create the hybrid outbound NAT rule. Works automagically!
 
For example, Tailscale requires no port forwarding regardless of where it is hosted (router, firewall, OS client, etc.)
Then it uses P2P, which is as unsafe as servers that manage the connections. I'd guess that it has more risk than the "traditional" VPN, but the risk for both has a lot of zeros to the right of the decimal point.