Part I: Architecture Overview

There are numerous articles teaching you how to set up your own home security system (CCTV) with a Raspberry Pi and its camera. Unfortunately, they all follow the same architecture: connect your camera to your Pi and install some software there; whenever you want to watch the video stream, you need to access the web page hosted on your Pi, which is neither easy nor secure, for a few reasons:

Most ISPs don’t assign static IP addresses to household subscribers, which means you need the current IP address every time you connect from outside your home, which is the most frequent use case. Alternatively, you can use a service called DDNS (Dynamic DNS, or Dynamic Domain Name System), whose job is to automatically point a web address (i.e. a domain name) to an ever-changing IP address. Sadly, DDNS is not very reliable and is not free either.

Even if you have a static IP address for your home router, or you choose to use DDNS, you cannot access your Pi directly with that address. This is because most home routers also function as a NAT (Network Address Translation) gateway, which is like a mini-firewall. We will not cover what NAT is here; what you need to know is that, with NAT, an external user cannot talk to your internal server (your Pi) unless the server talks to them first. There are ways to circumvent this, like opening a port on your router, but that’s like turning off the firewall, making your home network less secure. You won’t want to do this!

In most cases, the data is not encrypted, which means that when you are watching your baby, someone else on the Internet can watch at the same time! Bad!

The processing power of a Pi is limited. Although the overhead is minimal, you probably still do not want to run a web server on the same box as your video capture Pi.

To better illustrate, here is the architecture of a traditional Pi-based CCTV system:

When I got the idea to build a CCTV system, I had several criteria in mind:

Secure. The system will not need to compromise current security measures, including NAT. Besides, all data transmitted via the Internet should be encrypted, given the sensitive nature of our video stream.

Stable. The system should not rely on a component that changes frequently, e.g. the dynamic IP or DDNS.

Scalable. I should be able to easily add nodes to the system to expand my CCTV from the living room to the hallway.

Here is how the cloud-based system works: my Pi will stream the video to a fixed-IP server in the cloud through a VPN tunnel, without needing to open a port on my firewall, because this is an outbound connection (my Pi talks to the external server first). The VPN ensures everything is encrypted and secure. The video ingest server, with both a fixed public and a fixed private IP, listens on the VPN interface only and serves the stream on a stable endpoint. The web server then consumes the stream and provides a web UI, secured with SSL.
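One way to check the "listens on the VPN interface only" property on the cloud server, as an added example that is not code from this article: the script parses `ss -tlnH` output and reports every listener reachable from outside the tunnel. The VPN subnet 10.8.0.0/24, the public web port 443 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the article): VPN subnet and the one intended public port.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
WEB_PORT = 443

# Constructed sample of `ss -tlnH` output; 1935 stands in for the ingest port.
SAMPLE_SS = """\
LISTEN 0 128 10.8.0.1:1935 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:1935 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) per LISTEN line; address is None for a wildcard bind."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        addr = None if host == "*" else ipaddress.ip_address(host)
        if addr is not None and addr.is_unspecified:  # 0.0.0.0 or ::
            addr = None
        yield addr, int(port)

def audit(ss_output):
    """Return sorted (port, bind) pairs for listeners exposed beyond the VPN."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if addr is not None and (addr.is_loopback or addr in VPN_NET):
            continue  # reachable only locally or through the tunnel
        if port == WEB_PORT:
            continue  # the SSL-secured web UI is meant to be public
        findings.append((port, "all interfaces" if addr is None else str(addr)))
    return sorted(findings)

if __name__ == "__main__":
    for port, bind in audit(SAMPLE_SS):
        print(f"port {port} is exposed on {bind}")
```

On the real server, feed it the live output, for example via `subprocess.run(["ss", "-tlnH"], capture_output=True, text=True).stdout`.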

In Part II, I will detail every component with a step-by-step tutorial.