Personally I do think it's probably the best option, but if you know a little bit about networking you can connect the nvr to the public ip address of the remote site on a random port, port forward that connection to the internal ip address of the camera on the remote site, and connect that way.
You ARE exposing the camera to the outside world then, but having it on a non standard port is one layer of protection, and make sure it's secured with a very good password.
Tbh you'd need a good understanding of networking to do this anyway to make sure you've locked down all the other ports like ssh & telnet too to secure the camera.
I think you mean well, but the problem with insecure devices isn't that people are just using simple passwords, and selecting an "unhackable" password would fix it, these devices will have vulnerabilities within the code they are running that will remain unpatched long after a properly patched environment (like if you stay on top of patching your Linux or Raspberry Pi systems). Many will have vulnerabilities which allow an attacker to CIRCUMVENT your "unhackable" password, so do not port forward, regardless how well meaning Will.I.Am might be, it's a recipe for hacked cameras and NVR's!
You don't need a vpn to connect to remote cameras. Objectively, that's a fact.
You still need open ports in your system for a vpn too but (as I did say in my post) it's still the preferred and more secure method of connecting between remote sites for anything, not just cameras.
Don't slip into the dangerous assumption that it's totally secure though. Nothing is, everything has vulnerabilities so it's good to always be paranoid and keep things updated regardless of if you're connecting directly or through a vpn tunnel.
It's also worth considering that on a remote site that's unmanned and has just a single camera, someone who gains physical access gains access to that network. If it has a persistent vpn tunnel then that gives them a nice encrypted tunnel back to the main network.
A port forwarding setup would mean that all they would have would be access to the network containing a single camera and a router.
Vpns aren't a silver bullet - it would still need to be set up as a one way only link that wouldn't allow someone who hooked a laptop in to the port the camera is plugged into to access the rest of the network.
Ultimately, remote site links are a job for people who know their way around a firewall and a routing table.
You are over thinking it, the odds of someone breaking into a random building to jack into your remote network to hack your main network over a VPN -- nearly 0.
The odds that someone could hack a hardened OpenVPN server -- sure its possible, but keeping it patched mitigates to some degree.
The odds that someone hacks into the VPN connection by breaking your encryption key, certificate and any passwords as well -- really close to 0.
The odds that port forwarding to an insecure device and letting everyone on the internet take their turn at it will lead to a hacked zombie camera -- virtually 100% given enough time.
The odds of hacking a previously secure camera due to lack of manufacturer patching - very, very high
The odds of having an insecure web server running on port 80, incidentally the port the camera interface is likely to be on and therefore the port you most likely need to port forward too -- very high.
The camera will be outside from what I can see, there'll be no breaking and entering required.
A vpn provides better security for the camera at the cost of reduced security for the network at the other end to the tunnel (unless it's set up properly and it's not just assumed that throwing a vpn at it makes everything more secure)
It's all about which site's security is ultimately more valuable.
99.9% of webcam "hacks" are caused by default passwords, and result in people being able to view the camera. The choice world be between taking all possible precautions on the remote site by securing all unused ports, using a non standard application port to evade automatic scans, and having good security credentials to protect that one camera, or create a (small, but new) vulnerability in the home network by having a permanent vpn open to a remote site wuth a network point outside the building that exposes the device running the vpn service.
Each to their own, but I'd rather keep the bigger fish safer, non standard ports with good credentials and an auto password lockout are hardly leaving the front door open with a neon sign inviting undesirables in to shag your Mrs.
The easier option all round would be a small recorder on the remote site that could be vpn'd into when you want to view it, which could then be secured with a password protected certificate the way a vpn should be (certainly one that's being used for secure p2p communication) rather than an automatic router to router link.
