The conventional wisdom says: if you want to access your Mac remotely, you need a VPN. Set up WireGuard, install Tailscale, configure your network — then you can connect securely.
But here's the thing: for the specific use case of accessing your own Mac from your iPhone, a VPN is overkill. And in some ways, it's worse than the alternatives.
Let me explain why Mac remote access without a VPN is not only possible but can actually be the better choice.
What a VPN Actually Does (and Doesn't Do)
A VPN creates an encrypted tunnel between two devices (or between a device and a network). Once connected, your iPhone acts as if it's on the same local network as your Mac. You can then use any tool that works on a LAN — SSH, VNC, SMB file sharing, etc.
What a VPN does:
- Encrypts traffic between your device and the VPN endpoint
- Makes your devices appear to be on the same network
- Gets you past NAT and inbound firewall rules, either because both ends connect outbound to a VPN server or, with mesh tools such as Tailscale, through NAT traversal with a relay as fallback
What a VPN does NOT do:
- Guarantee end-to-end encryption: the tunnel is encrypted only as far as the VPN endpoint, and if that endpoint is a separate server rather than the Mac itself, the server handles your traffic in the clear unless the protocol inside (SSH, for example) adds its own encryption
- Simplify the tools you use on top of it (you still need an SSH client, VNC client, etc.)
- Eliminate all configuration (you still need to set up keys, enable services, manage the VPN itself)
That last point matters, but it is a property of where the tunnel terminates, not of VPNs as a category. In a hub-and-spoke setup, whether a commercial VPN provider or your own WireGuard server sitting in front of the Mac, the hub decrypts your packets and can inspect anything that isn't separately encrypted (SSH is; plain VNC is not). Tailscale is different: its coordination server only distributes public keys and never carries session data, each connection is a WireGuard tunnel between the two devices themselves, and when no direct path can be found the DERP relay forwards only WireGuard ciphertext. A WireGuard tunnel that terminates on the Mac itself is likewise already end-to-end. So how much you must trust "the VPN server" depends on the topology, and that is the first thing to check.
The Alternative: Encrypted Relay
An encrypted relay is conceptually simpler. Here's how it works:
- Your Mac connects outbound to a relay server (no port forwarding needed)
- Your iPhone connects outbound to the same relay server
- During initial device pairing, the two devices exchange public keys and confirm a short verification code out of band (or exchange keys directly over a local link), so a relay that tried to substitute its own key would be caught
- All traffic between them is encrypted end-to-end — the relay routes opaque blobs
The relay server is like a postal service that delivers sealed envelopes. It knows *that* you're communicating, but it can't open the envelopes.
This is the architecture Seasalt uses, and it is the same relay-plus-end-to-end-encryption shape that iMessage, Signal, and many other modern messengers use. The difference is in how keys are obtained: a messenger has to fetch the other party's public keys from a server-side directory and relies on optional out-of-band checks (Signal's safety numbers, iMessage Contact Key Verification) to catch substitution, whereas two devices you own can verify each other directly during pairing. Either way, the approach is not new or exotic; it is the standard for modern secure communications.
Why No-VPN Can Be More Secure
This seems counterintuitive, but consider the attack surface:
With a VPN:
- VPN server software needs to be kept updated
- VPN credentials need to be managed
- If using a third-party service (Tailscale, etc.), you're trusting its control plane to hand each node the right public keys and to enforce your access rules
- The services on top of the VPN (SSH, VNC) have their own security configurations
- More components = more potential vulnerabilities
With an E2E encrypted relay:
- The relay server is simple: it accepts outbound connections from both devices and forwards frames, nothing else
- Even if the relay is compromised, the attacker gets ciphertext plus metadata (who talked to whom, when, and how much); it can drop or delay sessions, but it cannot read or forge them
- Key exchange happens once, during pairing, with a verification code compared out of band, so a key substitution at that moment is visible to you
- Fewer components, fewer configuration knobs, smaller attack surface
I'm not saying VPNs are insecure. WireGuard in particular is excellent. But the *total system complexity* of "VPN + SSH + key management + service configuration" has more places where things can go wrong than "install app, pair devices, done."
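Here is the pairing-and-relay flow described above as runnable Go, with the man-in-the-middle case included. This is an added illustration written for this page, not Seasalt's code and not a description of how Seasalt implements pairing; every identifier in it (Peer, Pair, Seal, Open, RunSession, the label strings) is invented here, and it assumes X25519 key agreement, HMAC-SHA256 as the key derivation function, and AES-256-GCM with a separate key and counter nonce per direction. The verification code is a six-digit digest of both public keys, in the spirit of Signal safety numbers. In the tamper=true run the relay hands each device its own key and re-encrypts the traffic, which is what a compromised relay could attempt at pairing time: the command still arrives, and the only evidence is that the two screens show different codes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

func must[T any](v T, err error) T { // demo shortcut: the wrapped calls fail only on malformed keys
	if err != nil {
		panic(err)
	}
	return v
}
// Peer is one endpoint (the Mac or the iPhone). Illustrative code for this page, not Seasalt's implementation.
type Peer struct {
	priv       *ecdh.PrivateKey
	send, recv cipher.AEAD // one key per direction, so the two counters can never reuse a nonce
	sendSeq    uint64      // counter nonce for frames we send; first frame uses 1
	recvSeq    uint64      // highest counter accepted so far; anything at or below it is a replay
}

func NewPeer() *Peer { return &Peer{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (p *Peer) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Pair completes key agreement with the public key received through the relay and returns the six-digit code.
func (p *Peer) Pair(peerPub []byte) string {
	shared := must(p.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	lo, hi := string(p.PublicKey()), string(peerPub)
	iAmLo := lo < hi
	if !iAmLo {
		lo, hi = hi, lo // canonical order, so both sides build the same transcript
	}
	transcript := []byte(lo + hi)
	dir := map[bool]string{true: "lo->hi", false: "hi->lo"}
	p.send = newGCM(kdf(shared, dir[iAmLo], transcript))
	p.recv = newGCM(kdf(shared, dir[!iAmLo], transcript))
	sum := sha256.Sum256(append([]byte("sas|"), transcript...)) // digest of both public keys only
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// kdf derives one directional key: HMAC-SHA256 keyed with the ECDH secret over a label and the transcript.
func kdf(secret []byte, label string, transcript []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label + "|"))
	m.Write(transcript)
	return m.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// Seal builds the frame the relay forwards: 12-byte counter nonce || AES-GCM ciphertext and tag.
func (p *Peer) Seal(plaintext []byte) []byte {
	p.sendSeq++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], p.sendSeq)
	return append(nonce, p.send.Seal(nil, nonce, plaintext, nil)...)
}

// Open authenticates and decrypts a frame, rejecting replays and anything sealed under another key.
func (p *Peer) Open(frame []byte) ([]byte, error) {
	if len(frame) < 12 || binary.BigEndian.Uint64(frame[4:12]) <= p.recvSeq {
		return nil, fmt.Errorf("short, replayed or reordered frame")
	}
	pt, err := p.recv.Open(nil, frame[:12], frame[12:], nil)
	if err == nil {
		p.recvSeq = binary.BigEndian.Uint64(frame[4:12])
	}
	return pt, err
}

// RunSession pairs a Mac and an iPhone through a relay and sends one command. With tamper=false the relay forwards
// keys and frames untouched; with tamper=true it substitutes its own keys and re-encrypts, so delivery still succeeds.
func RunSession(tamper bool) (codeMac, codePhone string, frame, delivered []byte, err error) {
	mac, phone := NewPeer(), NewPeer()
	cmd := []byte("ls -la ~/Projects") // constructed sample traffic
	if !tamper {
		codeMac, codePhone = mac.Pair(phone.PublicKey()), phone.Pair(mac.PublicKey())
		frame = mac.Seal(cmd)
		delivered, err = phone.Open(frame)
		return
	}
	toMac, toPhone := NewPeer(), NewPeer() // the relay's own identities, one facing each side
	codeMac, codePhone = mac.Pair(toMac.PublicKey()), phone.Pair(toPhone.PublicKey())
	toMac.Pair(mac.PublicKey())
	toPhone.Pair(phone.PublicKey())
	frame = mac.Seal(cmd)
	pt, err := toMac.Open(frame) // the relay can read it: it holds the key the Mac paired with
	if err == nil {
		delivered, err = phone.Open(toPhone.Seal(pt))
	}
	return
}
func main() { fmt.Println(RunSession(false)); fmt.Println(RunSession(true)) }
```

Run it and compare the two lines: on the honest relay the forwarded frame contains no plaintext and the codes agree; on the tampering relay the command is delivered unchanged and only the code mismatch gives the game away. That is why "confirm the codes match" is the security-critical step of a pairing procedure rather than a formality, and why the relay has to be kept out of the key exchange rather than merely trusted. Left out for brevity: how the relay authenticates devices, and how the long-term keys are stored on each device.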
The Port Forwarding Problem (Why VPNs Became Popular)
To understand why VPNs are the default recommendation, remember what they replaced: port forwarding.
Before easy VPN tools existed, the standard advice for remote Mac access was:
- Enable Remote Login (SSH) on your Mac
- Forward port 22 on your router
- Use dynamic DNS for your changing IP
- Connect from an SSH client
This is genuinely insecure. An open port 22 on the internet gets hit by automated scanners within minutes, and a default Remote Login setup still accepts password logins. Even with passwords disabled and keys only, the daemon itself is reachable by everyone, so you're one sshd vulnerability disclosure away from trouble. For more on this, see our SSH from iPhone guide.
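To make the scanner point concrete, here is a small triage routine in Go over a handful of constructed auth-log lines (made-up addresses, usernames and times; the line format is OpenSSH's). It is an added example for this page, not sshd's or any vendor's code, and the names in it (SampleLog, Source, Triage) and the maxFailures threshold are assumptions. It aggregates per source address, counts attempts against usernames that do not exist on the box, and flags the sources that look automated while leaving a legitimate user's typo unflagged.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleLog is constructed for this example (not real traffic); the line format is OpenSSH's.
// It holds one scanner walking usernames, one single probe, and a legitimate user with a typo.
const SampleLog = `Mar 12 03:14:07 mbp sshd[4121]: Invalid user admin from 198.51.100.23 port 51822
Mar 12 03:14:09 mbp sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51822 ssh2
Mar 12 03:14:12 mbp sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51830 ssh2
Mar 12 03:14:15 mbp sshd[4125]: Failed password for root from 198.51.100.23 port 51841 ssh2
Mar 12 03:14:19 mbp sshd[4127]: Failed password for invalid user pi from 198.51.100.23 port 51855 ssh2
Mar 12 03:15:02 mbp sshd[4130]: Failed password for invalid user test from 203.0.113.9 port 40022 ssh2
Mar 12 03:15:40 mbp sshd[4132]: Failed password for alice from 192.0.2.10 port 60111 ssh2
Mar 12 03:15:46 mbp sshd[4132]: Accepted publickey for alice from 192.0.2.10 port 60111 ssh2`

// Source summarises what one remote address did.
type Source struct {
	Addr     string
	Failed   int             // failed password attempts
	Invalid  int             // of those, attempts against usernames that do not exist on this Mac
	Accepted int             // successful logins
	Users    map[string]bool // distinct usernames tried
}

// authLine matches the outcome lines only; the separate "Invalid user ... from" line that precedes
// each bad-username attempt is deliberately not matched, so every attempt is counted once.
var authLine = regexp.MustCompile(`sshd\[\d+\]: (Failed password for|Accepted \w+ for) (?:invalid user )?(\S+) from (\S+) port \d+`)

// Triage aggregates the log by source address and returns, worst first, the sources that look
// automated: anything probing a non-existent username, or failing maxFailures times without ever
// succeeding. all holds every source so a legitimate user's typo can still be reviewed.
func Triage(log string, maxFailures int) (scanners []Source, all map[string]*Source) {
	all = map[string]*Source{}
	for _, line := range strings.Split(log, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue // unrelated line, or the duplicate "Invalid user" line
		}
		kind, user, addr := m[1], m[2], m[3]
		s, ok := all[addr]
		if !ok {
			s = &Source{Addr: addr, Users: map[string]bool{}}
			all[addr] = s
		}
		s.Users[user] = true
		if strings.HasPrefix(kind, "Accepted") {
			s.Accepted++
			continue
		}
		s.Failed++
		if strings.Contains(line, "invalid user") {
			s.Invalid++
		}
	}
	for _, s := range all {
		if s.Accepted == 0 && (s.Invalid > 0 || s.Failed >= maxFailures) {
			scanners = append(scanners, *s)
		}
	}
	sort.Slice(scanners, func(i, j int) bool { return scanners[i].Failed > scanners[j].Failed })
	return scanners, all
}

func main() {
	scanners, _ := Triage(SampleLog, 3)
	for _, s := range scanners {
		fmt.Printf("%-16s failed=%d invalid-user=%d distinct-users=%d\n", s.Addr, s.Failed, s.Invalid, len(s.Users))
	}
}
```

Even with three sources, the heuristic separates the username-walking scanner and the single probe from the user who mistyped a password and then logged in with a key. On a Mac with port 22 forwarded, the first category never stops arriving; that ongoing exposure is what both VPNs and relays remove by leaving nothing listening on the internet.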
VPNs solved this by keeping all ports closed. Great. But encrypted relays also keep all ports closed, with less infrastructure to maintain.
Who's Using Relay Architecture
- Seasalt — Uses an encrypted relay for terminal, file, and screen sharing between Mac and iPhone. E2E encrypted with keys exchanged during device pairing.
- Apple's iMessage / FaceTime — Same basic architecture. Apple's servers relay E2E encrypted messages.
- Tailscale — Actually uses a relay (called DERP) as a fallback when direct P2P connections fail. The DERP relay sees WireGuard-encrypted traffic.
- Signal — All messages go through Signal's servers, encrypted end-to-end.
- Cloudflare Tunnel — The connector on your machine dials out to Cloudflare's edge, so no inbound port is opened, but Cloudflare terminates TLS at the edge and can see the application traffic. It is a relay, not an end-to-end encrypted one.
With that exception, the pattern is clear: modern tools treat the network as untrusted and encrypt end-to-end regardless of the transport. The question to ask of any relay is whether the operator ever holds the keys.
Performance: VPN vs. Relay
For terminal access, both approaches are fast. Terminal data is tiny — a few kilobytes per second. You won't notice a difference.
For screen sharing, latency matters more. A VPN with a direct peer-to-peer connection (Tailscale with a direct path) will generally be lower latency than a relay, because the relay adds an extra hop. But for screen sharing over cellular, the bottleneck is usually the cellular connection itself, not the relay.
For file transfers, throughput matters. A relay does add overhead — your data goes through an extra server. For large file transfers, a direct P2P connection is faster. But for typical developer use cases (downloading a config file, uploading a build artifact), the difference is negligible.
When You Actually Need a VPN
VPNs are still the right choice when:
- You need to access multiple services on a remote network (not just your Mac)
- You're working in a corporate environment with VPN-based access policies
- You need to access services that only listen on localhost or a private network
- You want a general-purpose secure network, not just Mac access
For the specific case of "I want to access my Mac from my iPhone," a purpose-built tool with E2E encryption is usually simpler and sufficient.
Setting Up VPN-Free Remote Access
If you want to try the relay-based approach with Seasalt:
- Install Seasalt on your Mac — it runs as a menu bar agent
- Install Seasalt on your iPhone from the App Store
- Sign in with the same account on both
- Tap "Start Pairing" — a verification code appears on both devices
- Confirm the codes match
That's it. No VPN server, no port forwarding, no SSH key management. Terminal, file browser, and screen share are available immediately.
For a broader comparison of all remote access approaches, including VPN-based options, see How to Access Your Mac Remotely From Your iPhone.
Try Seasalt Free
If you need persistent, encrypted terminal and file access from your iPhone to your Mac — with zero configuration and no open ports — that's exactly what Seasalt is built for.
macOS 13+ · Apple Silicon & Intel · No credit card required
Frequently Asked Questions
Is remote Mac access without a VPN secure?
It depends entirely on the tool. An end-to-end encrypted relay gives the relay operator nothing to read, which is a stronger position than a hub-style VPN that decrypts at the server (a WireGuard tunnel terminating on the Mac itself is equivalent). Port forwarding without a VPN is insecure. The key factor is whether the tool uses E2E encryption with keys you verified, not whether it uses a VPN.
Why not just use a VPN for remote access?
VPNs work, but they add complexity and overhead. You need to maintain the VPN server or trust a third-party service, keep both devices connected, deal with split tunneling, and accept the battery drain of an always-on VPN on your phone. For accessing a single Mac, purpose-built tools with E2E encryption are simpler and often more secure.
What is an encrypted relay and how does it work?
An encrypted relay is a server that routes traffic between two devices without being able to read it. Both devices connect outbound to the relay (no port forwarding needed). During initial pairing, the devices exchange encryption keys directly. All subsequent traffic is encrypted end-to-end — the relay only sees opaque encrypted packets.
Can my ISP or network admin see what I'm doing with relay-based remote access?
They can see that you're connected to a relay server (just as they can see a VPN connection), along with timing and traffic volume, but they cannot see the content of your sessions. With E2E encryption, the data is unreadable to anyone except your two devices.