ARC with Tailscale port forwarding not required - IF Roon will listen on the IP, and ARC lets me specify the IP

I use tailscale and thus don’t need to set up any port forwarding on my firewall - IF Roon will listen on the IP, and ARC lets me specify the IP.

@danny do you intend to let us specify the IP address to listen on, and the IP address to connect to?

If you want to do the automatic IP detection stuff, great - but I still need to be able to select either of the two IPs that my Roon core has.

1 Like

Roon bind()s to 0.0.0.0, so letting you select the “listening” IP doesn’t make a lot of sense. I think you may be having a discovery issue, but it’s hard to tell without a more detailed understanding of the network.

Perhaps that’s the case - clearly you’re more informed than me. I only have the information that Roon presents:

What I’ve found is that after I connected to the Roon core over the local network, I was then able to take my phone off the network and only connect via Tailscale. Seems to be working fine.

ARC originally could see (directly? or told by Roon server?) my core, but said that it wasn’t available outside of my network. That doesn’t make sense, because Tailscale is my network and I can ping, connect, etc. It requires connecting over the 100.x.x.x tailscale IP, not the 192.x.x.x local IP.

It is working well so far, after I made that initial connection! Very cool.

Selecting the “listening” IP may not make sense (although, I absolutely argue it does - it’s more secure to listen only on the tailscale interface rather than 0.0.0.0), but it certainly makes sense for the client application to specify the IP to connect to. My phone has a route to my core’s 100.x.x.x IP, so nothing wrong with being able to set it.

It’s important because in a “VPN” Roon Cloud will not know the VPN external IP of Core.

I asked this during early access and the scenario is straightforward.

I have a VPN which is multiple networks. My Client lives on a private network of the concentrator. The Core is “exposed” via address space where it lives. These two things can route to each other and the network will allow an incoming connection to Core at this special VPN address. However, I need to tell Roon Cloud about this IP (so it can tell ARC) because there is no way you’re going to discover it on your own.

The VPN is protected to authorized users only which is why I can expose Core across the VPN even when I don’t want to expose it across the Internet.

I set up my VPN and firewall rules today. Browsing is reliable. Playback is not. I’m still troubleshooting. Looks to be a bit of funk with the firewall. But… I have a bigger question?

@brian Why does this work? Without putting the client on my test network… what’s the bootstrap procedure here? Does ARC just blindly try to attach to all internal / external addresses that Roon Cloud learns? That seems somewhat dangerous as well as, potentially, slow startup process if it’s trying to connect to a stale address.

I’d prefer to hard set what addresses ARC is allowed to attempt to connect to.

But, in the end, very happy it’s working.

I’m on Starlink (and therefore behind CGNAT), and Tailscale + ARC is working on my iPhone even though the Roon ARC settings in the main Roon app say it’s “not ready” (not surprisingly) as long as I initially set up the Roon ARC app while connected to my local network first. My Roon core is running in Docker on a Synology NAS. I have a RPi 4 running Tailscale with a subnet route to my local network. To make sure this wasn’t just a fluke, I tried deleting ARC and reinstalling it, and then tried to go through its first time setup with wifi off and connected to Tailscale. It saw my core but couldn’t connect to it. Reconnected to wifi to do the initial setup, then force closed ARC so I’d have a fresh restart. Turned off wifi and turned Tailscale back on. Now ARC connects fine and is playing both local and Qobuz tracks. I haven’t downloaded or played any of these tracks with ARC before, so I’m pretty sure it’s not pulling from cache or something.

I haven’t tested this very thoroughly but it seems like this might be a decent workaround for us CGNAT folks.

As a test, I just rebooted both my iPhone and the core Docker container. Turned off wifi and Tailscale on my phone. Launched the ARC app, and it connected and started playing fine after a few seconds.

I’m hoping to set up something like this using a Synology NAS to run a subnet router with an NUC running Roon ROCK. This would be to get around having CGNAT on my household fibre connection.

I’m starting to believe that it’s pretty straightforward to achieve but not quite ready to get started!

Spoke way too soon. It’s not working. Browse all day long. No music plays. Just spin, and then it reports poor connection. I’ll write a support request when I have time. Just confused how browsing works but playback does when I assumed, to the network, it’s the same request / response.

I went the Tailscale route and it worked. I’ve started a thread here.

https://community.roonlabs.com/t/tailscale-implementation-with-arc-to-circumnavigate-isp-cgnat/215356

1 Like
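
Added example, not part of any post in this thread: the thread contrasts a server that bind()s to 0.0.0.0 with one that listens only on its Tailscale address, and this Python sketch audits `ss -ltn` output to show which listeners fall in each group. The sample output and port numbers are constructed; the only outside fact assumed is that Tailscale assigns IPv4 node addresses from 100.64.0.0/10.

```python
import ipaddress

# IPv4 range Tailscale assigns node addresses from (the "100.x.x.x" IPs in the thread).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `ss -ltn` output; addresses and ports are illustrative only.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port     Peer Address:Port
LISTEN  0       128     0.0.0.0:9100           0.0.0.0:*
LISTEN  0       128     100.101.102.103:9330   0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53       0.0.0.0:*
LISTEN  0       128     [::]:22                [::]:*
LISTEN  0       128     192.168.1.20:8080      0.0.0.0:*
LISTEN  0       128     *:9200                 *:*
"""

def split_hostport(local):
    """Split ss's 'host:port' column; handles [v6] brackets and %iface suffixes."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def classify(host):
    """Label the scope a listening address is reachable from."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"          # accepts on every interface: LAN, WAN and tailnet
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in TAILNET_V4:
        return "tailnet"           # reachable only via the Tailscale interface
    return "lan-or-other"

def audit(ss_output):
    """Return (port, host, scope) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue               # skip the header and non-listening sockets
        host, port = split_hostport(fields[3])
        rows.append((port, host, classify(host)))
    return rows

def wildcard_ports(ss_output):
    """Ports that depend entirely on firewall rules to stay off other networks."""
    return sorted(p for p, _, scope in audit(ss_output) if scope == "wildcard")

if __name__ == "__main__":
    for port, host, scope in audit(SAMPLE_SS):
        print(f"{port:>5}  {host:<16} {scope}")
```

A service that offers no listen-address setting shows up as `wildcard` here, so restricting it to the tailnet has to be done with host or network firewall rules rather than in the application.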