A static public IPv4 makes your device reachable from the internet. Reachable does not mean unprotected. Speedroute uses WireGuard encryption, hub-level firewall rules and per-device key authentication.
The Speedroute security model
| Layer | What it does | Managed by |
|---|---|---|
| Tunnel encryption | ChaCha20/Poly1305 — all traffic encrypted | Speedroute |
| Authentication | Per-device Curve25519 key pairs | Speedroute + customer |
| Port scanner visibility | WireGuard silent — no response to unauthenticated packets | Speedroute |
| Inbound port control | Hub firewall — restrict on request | Speedroute (configurable) |
| Source IP restriction | Restrict to monitoring centre / aggregator IP | Speedroute (configurable) |
| Device credentials | Must be changed before deployment | Installer |
Installer security checklist
| Action | Why |
|---|---|
| Change default router password | Default credentials are the most common attack vector |
| Change default NVR password | Default NVR credentials are widely exploited |
| Restrict inbound ports | Minimise attack surface |
| Request source IP restriction | CCTV: monitoring centre only. BESS: aggregator only. |
| Keep NVR firmware current | Most compromises exploit known patched vulnerabilities |
Ready to solve CGNAT permanently?
Request your free IPv4 Guide and we will follow up with the right solution for your installs.