ARC - port forwarding vs Tailscale - security advantage?

Hi all, I have now set up ARC on a NUC running ROCK.

I got my ISP to disable CGNAT for this to be a success.

ROCK seems secure and my router is an up-to-date (firmware) Asus, for security. Not running old firmwares.

Is there any security advantage in disabling port forwarding - and using the Tailscale method instead?

What are the security advantages, if any?

It’s fully encrypted over Tailscale and doesn’t open up your router, which port forwarding does. With port forwarding there is a risk that if Roon has vulnerabilities they could be exposed by bad action software to gain access to your network and data, but this would require the software coming in from outside, such as a bad email attachment etc., bad sites. As long as you’re security aware it should not cause a problem. Using Tailscale is a more secure way to connect but it also has more latency. Someone could get access to your account if you’re not following good password security etc. No methods are 100% guaranteed secure as they all have some human interaction, which is the main weakness in any security system.

1 Like

Does Tailscale have 2 factor authentication to the account?

Roon itself doesn’t which seems sub optimal.

There may be a small security advantage - due to the authentication to the tunnel performed by Tailscale (rather than on your Roon Server) combined with the need to supply the correct encryption keys.

However, this security advantage may be offset by reliability issues. Some have reported that Tailscale does not work in some situations where port forwarding does work. I don’t know if the particular cause was identified - it is unlikely to be the encryption/decryption overheads since, at audio streaming data rates, this is unlikely to place much demand upon either Tailscale tunnel endpoint device.

Also, the use of Tailscale adds yet another element in that the Tailscale servers have to be working - and they are not under your control.

A working Port Forwarding setup (with, if not using UPnP, suitable DHCP reservations for the Roon server so that its IP address on your local network does not change) is always likely to be more reliable than the Tailscale solution - just because it is simpler.

Finally, the encryption/decryption that has to take place on either end of the Tailscale tunnel does not come for free. It may be marginal but it will mean that more processor power is required at each end, which may affect the battery life of your mobile.

1 Like

Roon does have 2FA; you just have to enable it.

4 Likes

In 6 months of use I have not had a single issue with Tailscale being down. The advantage for me is that it allows me to control other areas of my home stuff away from home.

How is this done? I don’t see it anywhere.

Go to the Roon website, log in, enable 2FA:

3 Likes

I’ve been testing out Tailscale with my NUC. It’s pretty reliable, more so than how the Mac mini used Tailscale.

Does anyone notice heat from the phone or decrease in battery life?

Thanks! This was the piece I was missing. 👍

1 Like

My understanding is that Tailscale is much safer than a port forward approach. I’d recommend looking into this a bit more to understand the security implications better. I use Tailscale for ARC access and it works really well.

@Abrahams_Bogere Tailscale does add a battery penalty but it isn’t huge. I tend to turn it on when I need it and off when not using it.

Lawrence Systems is a reliable source that I use for this sort of thing, so you may find this link helpful:

3 Likes

Thanks for that. Yeah that’s what I did essentially today. It works very well. The integration seems a bit straightforward.

I am trying to mess with the sound quality though. What’s your experience with this compared to streaming apps itself?

It does use a little more battery, but this has improved, I feel. They are always updating the app and this has been mentioned in the notes. ARC heats the phone up, not Tailscale, but it will depend on what you’re doing. If you’re using lots of DSP it’s going to take its toll on the CPU of the phone.

1 Like

Current EA mentions improved battery use, which could, should, lower phone heat-up issues.

As ever YMMV

The 2FA isn’t even used for logging into ARC.

Only used for logging into Account website and Forum.

The authentication between ARC and your Roon server happens via the Roon cloud and hence the account from the website.

1 Like

It’s all linked these days. If you log in for the first time on any server or app and have 2FA on, it will ask for the code.

I have Tailscale installed on my NUC. How do I set everything up to use ARC with Tailscale?

What operating system are you using on the NUC?

Thanks for helping me. Windows 11.