Please excuse the wall of text, I can get carried away when talking about network stuff, it’s kinda my thing.
TL;DR
Option 1: DDNS + OpenVPN; more secure, easy to manage
Option 2: Port Forwarding; less secure, harder to lock down
Other:
Reverse Proxy + CloudFlare WAF; much more advanced, not free, but more flexible
Remote access software (TeamViewer, LogMeIn); free, dead-simple to setup, secure, no port forwarding needed
Option 1
Like @ThePolishedTurd suggested, set up a client-server VPN. I too have a TP-Link router. It couldn’t be simpler to set up and if set up properly, very secure.
First, to avoid the issue of having a dynamic IP address, you can set up DDNS on a TP-Link router as well. Log into your router on a web browser and go to Advanced → Network → Dynamic DNS. You can use NO-IP or DynDNS if you already have an account, but I find that the TP-Link service works just fine. You’ll have to create a TP-Link account or log in if you already have one. Click (+) Register to register a new DDNS address of your choice. Then click on bind and your router will update the DNS record whenever your IP address changes.
Now to set up the OpenVPN sever. Go to Advanced → VPN Server → OpenVPN. Check the enable box to turn on the service. You can leave the service port as the default, or if you want to add a little mroe obscurity, you ca select a different port. Enter a subnet and mask that clients that connect to the VPN will be placed in. For example, if you use the default 192.168.1.0/24 subnet for your home network, you could use 192.168.100.0/24 for VPN clients. It could be anything else that you like as well, this is just an example. Make sure Client Access is set to “Internet and Home Network”, otherwise you wont be able to connect from outside your home network. Click on “GENERATE” to generate a certificate for the VPN. This is what your client will use to authenticate itself to your VPN server. Finally, click on “EXPORT” to download the config file. This will give you an .ovpn file that you import on your client to make connecting easier.
Now we need to edit the config file to use your DDNS instead of your IP address. Open the .ovpn file in a text editor and replace the ip address in the line remote x.x.x.x 1194
with your ddns address e.g. remote foo.tplinkdns.com 1194
. Save the file.
Now you just need to import this config file into the client of your choice, I know android has a client. There are desktop clients as well. I think you can figure that part out.
Option 2
You can use PAT/port forwarding to allow connections from your public ip address/DDNS to a client on your local network. This is indeed less secure than the VPN route, because by default, anyone on the internet will be able to use the PAT rule. I would strongly recommend using firewall rules to lock this down to known IP addresses, however if you’re using a mobile connection to connect, this can be very difficult, as you’ll never know what IP address you’ll have.
Other
If the cameras have a web interface, and you own a domain, you could set up an WAF on Cloudflare for free and then host a reverse web proxy on your local network. This is what I do, but it’s more advanced and I won’t get into it here.
Also, maybe just look into another remote access software like TeamViewer or LogMeIn? There are lots of great free options out there, that are as simple as installing a program on a host machine, no port forwarding necessary.
Thank you for coming to my TED Talk.