Right. I would never have any device like a camera be directly connected to the internet and instead cut off that device from the internet in my router software and only access it from outside via a VPN.
Not that this whole screw-up should be excused in any way or downplayed.
I bought one of their security cameras to act as a nursery cam last year, which I could later convert into a home security camera.
The 'in house' software, unifi-video, was discontinued 3 months after I got it set up. All of the apps I use to connect to the system have been pulled from the app store, and you now have to use their camera controller for the one camera, vs the software I'm running on my Linux box.
Their controller is much more limited, and many, many security camera installers were caught off guard with no path forward for their customers. It's a nightmare of a shitshow and I would never in a million years recommend Ubiquiti as a company at this point.
I now use the camera in direct RTSP mode. This way it can be used by any RTSP tool including video recording and the lot. For the nursery camera I just use IPCams on iOS on an iPad.
Yep, I also use their cameras as baby monitors. RTSP mode to VLC on an old Chromebook as an always-on monitor.
The Protect app works pretty well now assuming you have a controller to connect to, but the time between the Video app shutting down and Protect actually working properly was very frustrating. I would never trust the Protect app to stay connected while I'm asleep, though. It's definitely not stable enough for that.
The very first night I got the camera set up was the night that there was a Level 3 outage and major internet snafu, making it so that I couldn't actually get into the app to view the camera. RTSP mode sounds pretty good at this point with only one camera.
(Ignoring the fact that Ubiquiti marketed these cameras as having a speaker, when, in fact, you cannot send audio to the camera, only that it makes noise on its own)
I guess the concern here is if your VPN was provided by Ubiquiti then you might have an issue.
My approach has been an isolated (read: basically no internet) LAN, bridged by a small PC running hardened and locked down Linux. There's no egress from the LAN. VPN access to this LAN goes via the PC under my control, which itself has access to the wider internet via its second interface.
This approach is nice as I don't have to trust any router vendor or proprietary software vendor to be competent, by relying on their equipment to control internet access for devices. Although I recognise this is probably inconvenient for users, none of this is really too impractical - a bit of adverse publicity for cloud and "internet connected", and I could see properly firewalled, egress blocked networks taking off...
(I am more concerned about egress than ingress, because it's the biggest gap most people forget about, and most people just rely on NAT to stop ingress, forgetting any device can phone home anywhere, and they're not monitoring... I don't even allow DNS on that network. IoT that can't handle this just doesn't get in the door)
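The egress-blocked layout described in the comment above, sketched as an nftables ruleset for the dual-homed Linux box. This is an added example, not the commenter's own configuration: the interface names, the subnet, WireGuard as the VPN, statically addressed devices and RTSP interleaved over TCP 554 are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Every name, address and port below is an assumption.
flush ruleset

define WAN_IF   = "eth0"            # interface with internet access
define IOT_IF   = "eth1"            # isolated camera/IoT LAN
define VPN_IF   = "wg0"             # VPN tunnel terminated on this box
define IOT_NET  = 192.168.50.0/24   # constructed sample subnet
define VPN_PORT = 51820             # WireGuard listen port

table inet gateway {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Only the VPN endpoint is reachable from the internet.
        iifname $WAN_IF udp dport $VPN_PORT accept
        # Administration only from inside the tunnel.
        iifname $VPN_IF tcp dport 22 accept

        # The IoT LAN gets no services from the gateway, DNS included.
        # Attempts are logged and counted so phone-home behaviour is visible.
        iifname $IOT_IF meta l4proto { tcp, udp } th dport 53 log prefix "iot-dns " counter drop
        iifname $IOT_IF log prefix "iot-to-gw " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to sessions that a VPN client opened towards a camera.
        ct state established,related accept

        # VPN clients may open RTSP sessions to the cameras, nothing else.
        iifname $VPN_IF oifname $IOT_IF ip daddr $IOT_NET tcp dport 554 accept

        # Any connection initiated from the IoT LAN is egress: log and drop.
        iifname $IOT_IF log prefix "iot-egress " counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Forwarding between `wg0` and `eth1` also requires `net.ipv4.ip_forward=1` on the box; the `iot-dns` and `iot-egress` counters and log lines show which devices are trying to reach out.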