Trying to figure out how to safely remotely view my blue iris system.

Joegreen

May 5, 2018
I have purchased the Blue Iris app for iOS and have been reading through the help section in Blue Iris about remote access. I have been searching through Google on how to safely set up remote access. It looks like there are two ways: one through ngrok and the other through some VPN to my router through port access. I'm interested in the router setup route but cannot find any write-ups that walk through how to do the setup. Can anyone point me in the right direction or explain what I may need to safely set up my Blue Iris app so it's functional and only I can view my cams? Thanks
 
Start with these:


Consider providing details on the make/model of router you currently possess.
 
Having done VPNs in the past, both PPTP and later IPsec, because my UniFi gear supported it. I've now disabled them in favour of Tailscale. So much easier.

Install it on the phone. Install it on a device in the network (the Blue Iris machine (Windows?) will do). And off you go.

You can fiddle with DNS and subnet routing if needed. But otherwise, for simplicity, just use the new Tailscale name of your Blue Iris machine.
 
Buy a domain name from somewhere like Namecheap. Using pfSense, set up the dynamic DNS client built into pfSense and hook it up by API to a DNS provider like Cloudflare. Then create a wildcard SSL cert using Let's Encrypt. Then set up some A records with your DNS provider (Cloudflare, etc.), including a wildcard. Then set up pfSense's DNS resolver to resolve the subdomain name of your BI server to its IP address. Then set up HAProxy in pfSense to listen on the WAN address for your BI subdomain and proxy your Blue Iris subdomain over port 443. An example would be:
That is the correct way to do it. It's also the hardest, and maybe 1% here are working with an enterprise-grade firewall.
 
If you're mucking about with Cloudflare, you might as well use an Argo Tunnel.

But then, as with whoami's complicated method, both at least have Blue Iris's authentication fronting the internet.

A VPN or Tailscale doesn't.
 
While the "forwarding a port" method works and is easy to set up, it is also the least secure method of allowing remote access. The whole point of a firewall/router is to prevent outside access to your local network by creating a "wall" that blocks outside access. By "forwarding a port" you are punching a hole in this wall that goes directly to your BI machine without any encryption keys, etc., needed. A hacker can easily use this access, along with other potential exploits, to gain access to the rest of your network without much effort.

The much more secure solution is to use a self-hosted VPN service (or similar option) that allows access to the network. Using a VPN service still requires that you forward a single port, but it gets forwarded to the VPN service, which requires a matching encryption key and correct login credentials before allowing any traffic to pass to your network. Obviously the use of an encryption key greatly increases the security of this solution, and it's why we suggest this solution over a simple "port forwarding" solution, which simply forwards all traffic using that port with zero security measures.
 
I apologize if what I wrote this morning at 6:33am came off as abrasive. I have to be out the door by 6:40 and I didn't mean for it to be like that. I was just in a rush, but reading it back I feel I should clarify.

What I was trying to say is that in order to do things like the big boys and have a seamless experience with the app like you would with Ring or whatever paid service, plus have enterprise-grade security, you pretty much need an enterprise-grade firewall like pfSense. The next best thing would be running a VPN server on your network, but that gets annoying, and trying to get loved ones to understand that the reason they couldn't connect with the Blue Iris app was because they weren't connected to the VPN, which I call USER ERROR but my loved ones seem to think is the admin's fault, is draining.
 
OK, I like the idea of Tailscale as it seems pretty easy. I have installed Tailscale on Windows and iOS and am logged in to each. How do I set up the app server to communicate?
 
There will be a MagicDNS name for each node; that name should be accessible.

I assume Windows is the Blue Iris machine? Also, in the Tailscale iOS app, if you tap on the Windows machine name you can get its IP. That should be accessible from your phone if Tailscale is running on both (active on iOS and you've run `tailscale up` on Windows).
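Once both devices are on the tailnet, the app simply points at the Windows machine's Tailscale IP or MagicDNS name on Blue Iris's web server port. What then decides whether *only* the OP can reach it is the tailnet's ACL policy: a fresh tailnet ships with an allow-everything rule, so any device or account later invited to the tailnet can also reach Blue Iris. The script below is an added example, not code from this thread or from Tailscale, that evaluates a deliberately simplified subset of Tailscale's ACL JSON (users, `tag:` entries, `*`, and `host:port` destinations) against a constructed inventory. The node names, e-mail logins, the `tag:blueiris` tag and the use of port 81 (Blue Iris's default web server port) are assumptions; the real policy language also has groups, `autogroup:` entries, IP ranges and more.

```python
"""Compare an open tailnet ACL with a least-privilege one for Blue Iris.

Added example; simplified Tailscale ACL semantics, not Tailscale's own
evaluator. Node names, logins, tag name and port 81 are assumptions.
"""
from typing import Dict

# Constructed tailnet inventory: node -> owner login and tags. A tagged
# node (here the Blue Iris machine) has no user identity of its own, so a
# rule whose src is a user login never matches traffic *from* it.
NODES: Dict[str, dict] = {
    "bi-server":    {"owner": "joe@example.com",   "tags": ["tag:blueiris"]},
    "joes-iphone":  {"owner": "joe@example.com",   "tags": []},
    "guest-laptop": {"owner": "guest@example.com", "tags": []},
}

# What a new tailnet starts with: every node may reach every port on every
# other node. Fine for one person, too broad once anyone else is invited.
OPEN_POLICY = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
}

# Least privilege: only joe's own devices, only the Blue Iris tag, only 81.
BI_POLICY = {
    "tagOwners": {"tag:blueiris": ["joe@example.com"]},
    "acls": [
        {"action": "accept",
         "src": ["joe@example.com"],
         "dst": ["tag:blueiris:81"]},
    ],
}


def _host_matches(entry: str, node: dict) -> bool:
    """'*' matches any node; 'tag:x' matches tagged nodes; a login matches
    the untagged nodes that user owns."""
    if entry == "*":
        return True
    if entry.startswith("tag:"):
        return entry in node["tags"]
    return not node["tags"] and node["owner"] == entry


def _port_matches(spec: str, port: int) -> bool:
    """spec is '*', a single port, a range 'lo-hi', or a comma list."""
    for part in spec.split(","):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def is_allowed(policy: dict, src_name: str, dst_name: str, port: int) -> bool:
    """Default deny: a connection passes only if some accept rule matches
    both its source node and its destination node:port."""
    src, dst = NODES[src_name], NODES[dst_name]
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_host_matches(s, src) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, _, ports = d.rpartition(":")   # 'tag:blueiris:81' -> host, '81'
            if _host_matches(host, dst) and _port_matches(ports, port):
                return True
    return False


def audit(policy: dict) -> Dict[str, bool]:
    """Probe the connections that matter for the OP's question."""
    probes = [
        ("joes-iphone",  "bi-server",   81),    # the phone app -> Blue Iris
        ("joes-iphone",  "bi-server",   3389),  # RDP to the BI box
        ("guest-laptop", "bi-server",   81),    # an invited guest -> cams
        ("bi-server",    "joes-iphone", 81),    # BI box reaching the phone
    ]
    return {f"{s}->{d}:{p}": is_allowed(policy, s, d, p) for s, d, p in probes}


if __name__ == "__main__":
    for name, pol in (("OPEN_POLICY", OPEN_POLICY), ("BI_POLICY", BI_POLICY)):
        print(name)
        for probe, ok in audit(pol).items():
            print(f"  {'allow' if ok else 'deny ':5} {probe}")
```

Under `OPEN_POLICY` every probe is allowed, including the guest laptop reaching the cameras; under `BI_POLICY` only the phone-to-Blue-Iris connection on port 81 survives. The check worth repeating after any tailnet change is the `guest-laptop` row: if it ever flips to allow, "only I can view my cams" no longer holds, whatever Blue Iris's own login is set to.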