ARC and a VPN - alternative solution?


I’m guessing that most of the posts I’m reading here that talk about using Roon remotely without ARC are employing VPNs deployed on routers/firewalls and giving access to the LAN in general

I don’t have that facility so I’m toying with another solution and was hoping for thoughts from the more technically minded in the community

My headless Debian based roonserver is administered via SSH and is manually connected to NordVPN as indicated by:

```
# nmcli con show --active
NAME  UUID                                  TYPE  DEVICE 
tun0  xxxxxxxxxxxxxxxxxx                    tun   tun0
```

If I now install ARC am I right in saying that because the connection between my phone out in the world and my Roonserver at home runs over tun0, my security concerns are mitigated as per the other VPN solutions mooted, regardless of what mischief ARC/Roon inflict on my router with UPnP?

Thanks for any input

Actually this doesn’t work anyway as the VPN breaks port forwarding

You need software to help create a proper vpn, like Tailscale.

NordVPN uses VPN-like technology to route outbound traffic away from your ISP so they can’t snoop on you and report you to copyright enforcers. It’s not really a VPN.

You need software to help set up a virtual private network between your device and your home. Look into software like Tailscale

I used split tunneling on my ExpressVPN Windows app. I bypassed the handful of Roon services that use the internet. Seems to be working okay.

Thanks Danny, I didn’t know that about NordVPN, which is quite big here in the UK

I will certainly investigate Tailscale or similar (must have a linux CLI app, for example)

The question for me then becomes can I run ARC over an encrypted tunnel such that port forwarding works? For me running a VPN at the periphery means a new router which I’d rather avoid, so I’m looking to run Tailscale or whatever on my Roonserver itself and hope ARC can be coerced into connecting from out in the world

If you use VPN then you don’t need port forwarding. Tailscale gives you access to selected subnet(s) from your home network. Roon ARC will then work like in your home network.
You don’t need a new router for that.


Think I have a working solution now using AirVPN which allows for very simple configuration of port forwarding

Connected on the Roon server using Hummingbird from the AirVPN Suite (CLI) and UPnP on the router did the rest once the appropriate port was forwarded

ARC now works from outside my LAN across the AirVPN tunnel


Would it be possible for you to give me a guide on this? I’m on AirVPN - Roon is on Windows machine - but I couldn’t get it to work using AirVPN port-forwarding (my Plex server works fine).

I’m a novice when it comes to all of this, so if you can help, I’d appreciate an ‘idiot’s guide’!


I don’t use Windows so a lot of what follows is speculation but this is how I would approach it

Turn on UPnP on your router. If you are worried about your router exposing UPnP to the WWW, you can check with various online tools (Shields Up! for example) that it is implemented securely

Turn off AirVPN in Windows and manually port forward on your router (see Roon Port Forwarding but note that you don’t have to use port 55000, Roon will randomly select one for you). Then check in Roon > Settings > Roon ARC. Make sure the port number is the same one you have manually forwarded and you should also see your Core there with your LAN IP (192.168.x.x I would think)

At this point Roon should tell you ARC will work. If it doesn’t then there’s something else “wrong” with your config and/or network that I wouldn’t be able to troubleshoot

Assuming you get the OK from Roon, disable/discard the port forwarding rule you just created, connect to AirVPN and look again in Roon ARC Settings. Now Roon should tell you ARC will fail and you should also see the Roon core has now been assigned a new (VPN) IP. Mine is in the 10.x.x.x range so I’m guessing yours would be too

Now, go to your Client Area at and forward the same port number as stated in Roon ARC settings, go back to Roon ARC settings and refresh and now it should work

Test by using your phone to connect ARC when on mobile data

Aside from the fact that I am running Roon on linux and connect to AirVPN using a command line tool/SSH the above is a refined version of what I did
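
As an added example (not part of the post above or of the thread), here is a check a Linux Roon server admin could run alongside these steps: it reads `ss -Htln` output and reports which local addresses a TCP port is bound to, showing whether the listener is reachable on every interface (LAN and `tun0` alike) or only one. The function names and the sample listing are constructed for illustration; only port 55000 comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage on the server: ss -Htln | listen_scope 55000

# Print "<scope> <address>" for every TCP listener on the given port.
listen_scope() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            local_addr = $4                       # e.g. 0.0.0.0:55000 or [::]:22
            n = match(local_addr, /:[0-9]+$/)     # position of the final ":port"
            if (n == 0) next
            p = substr(local_addr, n + 1)
            addr = substr(local_addr, 1, n - 1)
            if (p != port) next
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                scope = "all-interfaces"          # LAN, VPN tunnel and loopback
            else if (addr ~ /^127\./ || addr == "[::1]")
                scope = "loopback-only"           # not reachable from other hosts
            else
                scope = "single-address"          # bound to one interface address
            print scope, addr
            found = 1
        }
        END { if (!found) print "not-listening", "-" }
    '
}

# Constructed sample of `ss -Htln` output (not captured from a real Roon server).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:55000      0.0.0.0:*
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
LISTEN 0      128         10.8.0.2:8080       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Stand-alone demo on the constructed sample.
sample_ss_output | listen_scope 55000
```

An `all-interfaces` result means the port's exposure is decided entirely by what the router (UPnP or manual rules) and the VPN provider forward to it, so those are the places to audit.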

If we use a VPN like Tailscale to connect to the home network, will the traffic to ARC automatically go through the VPN instead of port forwarding?
I am a little bit concerned about an open port on the internet.

Thank you for helping and giving great instructions, I appreciate it. However it didn’t work :frowning:

I can get it to work when AirVPN is off. I then disabled UPnP (I couldn’t delete the automatically set up TCP port forward rule on my router.)

You were exactly right about the IP change from 198 to 10, however when I went to open the port forward number in the AirVPN “Port Forwarding (web)” it said the port I chose was already open (I have two other port forward numbers but they are much lower numbers). I tried another 55*** number with the same message of it already being open.

I then got AirVPN to choose the number by leaving the port number option blank; it chose 12***, then went and opened that port forward number in my router, put that number in Roon Arc settings and hit reload, but to no avail.

Do you have any other suggestions?

If you expose your LAN to WWW by running VPN on the router, you don’t need ARC or port forwarding as once your phone connects to the VPN it is, in effect, on the LAN so can be used as an output device by Roon without ARC

I understand this is not the recommended setup though because of latency issues which ARC usually manages

My router shows no forwarded ports when I configure using UPnP, but I accept that it might simply be that these are hidden from me by the router web UI

If Roon is listening on port 12xxxx and AirVPN are forwarding 12xxxx and you have a TCP VPN config (ARC uses TCP not UDP) and UPnP on the router it should work. In essence that is what I have and it does work

Thinking about this a bit, I’m not sure you have to worry about port forwarding at all

If you establish a VPN from inside your network then the connection between your PC and the AirVPN server is established already and providing you are forwarding the correct port in the AirVPN Client Area it should just pass through your router on the established connection I believe