Connect to ARC with Tailscale

We know that many of you have had difficulties connecting to ARC for a multitude of reasons.

ARC currently relies on port forwarding to reach your phone outside your home network - we’ve heard from many users that this won’t work because of their particular network setup or the restrictive policies of their internet and cellular providers. Specifically, those of you with complex network configurations or ISPs who make users share IP addresses behind CG-NAT are blocked from ARC connectivity without buying new routers or ponying up more cash to buy a static IP.

We are happy to say that after much testing, we have found a solution that is both free and easy to install which should immediately resolve many of these issues—Tailscale.

What is Tailscale?

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. Tailscale uses a technology called WireGuard to create private, encrypted subnetworks over the internet. This allows devices in separate locations with completely separate internet connections to reach one another as if they were on the same WiFi network.

If you’ve been unable to reliably connect to ARC using port forwarding, please read this guide to learn how to set up Tailscale as a workaround.

5 Likes

So much simpler if I could just use 443 externally via cname/dns
example: myroon.mydomaincert.com (SSL 443)
then internally I can redirect that to my roonlabs server nnn.nnn.nnn.nnn:5051 etc

all modern software allows this - and makes our life easier…

(now off to see about tailscale and the prospect of spending even more money on this solution)

1 Like

I already have DDNS (dynamic DNS) set up for my home. Rather than making me use a different VPN than the one already running well on my phone, Roon should let me point to the URL for my DDNS service. This is not an either/or solution. If people want to use Tailscale that’s fine, but I (and many others) already have VPN running on our devices outside the home, so changing to a new VPN service is not a real solution. It was a long process to research and choose a paid VPN service that is truly private, secure, and fast.

3 Likes

I’ve been using Tailscale (between my iPhone and Mac Mini) and port forwarding for months; didn’t realize Tailscale made port forwarding unnecessary. In any event, it’s a great service.

I generally thought you’d never officially support Tailscale and if we used it we wouldn’t be supported.

Oh my how this is music to my ears! Thanks for supporting. Been using Tailscale for months for remote desktops and found that it works for Arc after seeing a few posts.

Remember it’s free to use. So I hope it helps many others. And, if you have/use something else that you can access your network using a Subnet Router then you’ll be golden and should already be using it this way to eliminate errors.

1 Like

Do you have to have the app on the iPhone? I’m curious on trying this again.

Yes, I’ll try to find and link my other post about it.

I believe you need the app on both your Roon server and on the device with Arc. (That’s what I have, anyway.)

If you’re using Windows, MacOS or Linux, you can install Tailscale on it and set up the device as a subnet router, then you install Tailscale on your phone and connect.

For people with Rock/Mock setups, you’ll need a separate device to act as a subnet router. That can be a NAS, an AppleTV (now supports VPN), or another computer that can have Tailscale installed on it.

My example: I have a spare NUC8i5 and I run Hackintosh. This allows me to set it as a subnet router and also allows me to Remote Desktop into my network should I need to change settings or test something. I have a NAS which is also set up as a subnet router and finally my AppleTV is one too. I can switch between them at any time should one go down.

Another option is a Raspberry Pi, great for low power consumption (which also makes the AppleTV a good choice too). I’m sure many will share their setups and best practices. It doesn’t need to be expensive and it’s a great way to learn something new too!
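
An added example, not part of the post above and not Roon's or Tailscale's own script: a dry-run helper that prints the commands for turning a Linux box into a Tailscale subnet router. It assumes you want to advertise only the Roon server as a single /32 route rather than the whole LAN (a least-privilege choice made here, not something the post prescribes); `ROON_IP`, the function names and the sample address are hypothetical.

```shell
#!/bin/sh
# Added example: print the setup commands for a Linux Tailscale subnet router
# that exposes one host only. 192.168.1.50 is a constructed sample address.

# Succeeds only for a dotted-quad IPv4 address in an RFC 1918 private range.
is_private_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, bad chars, stray dots
  esac
  IFS=.
  set -- $1                              # split the address into its octets
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
  [ "$1" -eq 10 ] && exit 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && exit 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && exit 0
  exit 1
)

# Prints the commands to enable IPv4 forwarding and advertise <ip>/32.
# Refuses anything that is not a private LAN address, so a typo cannot
# advertise a public or malformed route to the tailnet.
subnet_router_plan() {
  if ! is_private_ipv4 "$1"; then
    echo "refusing: '$1' is not a private IPv4 address" >&2
    return 1
  fi
  printf '%s\n' \
    "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf" \
    "sudo sysctl -p /etc/sysctl.d/99-tailscale.conf" \
    "sudo tailscale up --advertise-routes=$1/32"
}

# Dry run: prints the commands; review them, then run them on the router box.
# The advertised route still has to be approved in the Tailscale admin console.
subnet_router_plan "${ROON_IP:-192.168.1.50}"
```

Advertising a /32 means tailnet devices can reach only that one address through the router, instead of every device on the home network.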

It’s nice to see Roon invest in solving ARC connection issues. This seems like a poor solution, though. This is particularly true for less-technical folks and for people who invested in a single-box solution, like a Nucleus or ROCK who now need another always-on/always-connected device to use ARC.

Other products in the market, both music and non-music, solve this scenario by falling back to a cloud-based proxy when a direct connection isn’t available. This is typically transparent to the user and doesn’t require additional software or even awareness that it’s happening.

If ARC connectivity is the issue that it appears to be, and the effort on this Tailscale solution suggests it is, then why doesn’t Roon do something similar? It just seems to me that this is Roon’s problem but is being pushed onto users with a reasonably complicated DIY VPN approach. This is, unfortunately, just one more reason that I can’t recommend Roon to people I know. I’m not confident it’ll work without a lot of energy and expense.

5 Likes

Has tailscale improved with battery consumption? I have iPhone 15 pro max.

@ipeverywhere wrote about the other options like you mention when ARC was released. Pinging him so he can provide a better explanation of the headwinds that option entails.

It’s fine on my 15 Pro.

I have this need as well.

I had to ask my ISP for a static ip (extra charge) to get ARC to connect.
Does this new feature with Tailscale mean I can give up the static IP?
Is there a way to test it before I do?

Been using Tailscale since it came out. I’m on Starlink (CG-NAT) so nothing else will work for inbound. Works like a charm! This guide will be very useful for non-technical folks. Thanks for putting it together.

1 Like

I was able to configure my Synology NAS as a tailscale subnet router such that when I plug in the IP of my ROCK in a browser, I get the web interface of ROCK (with system information and such) but when launching the Roon app, Roon can’t seem to find the ROCK. Any suggestions?

I’m hesitant to call this the panacea to connection issues due to: (i) the user experience; (ii) privacy concerns; and (iii) the cost/bandwidth involved.

Going through a cloud relay like you suggest would ultimately add an additional round trip latency to the whole ordeal which is never fun when browsing through large libraries that constantly need to be sending requests to pull new data (album art, track listings, etc…). While sure Roon could create cloud relays in all the major metros, that is certainly gonna add significant infrastructure cost, even if Roon were to use an IaaS solution. A globally distributed CDN like CloudFlare or CloudFront simply wouldn’t work in these situations, because each user has their own live unique data. It would need to be a true “TURN” relay (though operating on a custom protocol).

Also, I’m in the camp of not wanting my data to hop between an extra bounce on someone else’s computer, no matter how much I trust them. Vulnerabilities have the potential to arise no matter what you do, so adding an extra layer where stuff could be sniffed or vectors of attack generally are not ideal. Besides, part of the joy of self hosting is being able to avoid the watchful eyes of third parties.

Given how many of us stream high bandwidth hi-res audio, operating relays like you suggest would be pretty cost prohibitive, or otherwise experience-degrading if Roon were to bandwidth limit. Especially for heavy users, I can imagine them chewing through hundreds of TBs of data over the course of every month, easily adding up to $10,000+ in hosting bills alone. Doesn’t make business sense to run that.

Tailscale is ultimately a free platform that solves most of these issues. These kinds of overlay networks are cropping up more and more now too, and at the end of the day it’s just WireGuard. If you were doing any other kind of hosting for infrastructure at home, you would either need a VPN solution or you need to port forward. The same is true if you’re a corporate network - there is no real difference here.

The one thing I think could be improved would be allowing the user to specify arbitrary hostnames and ports, in the event that some autodiscovery doesn’t work. Otherwise, I think the idea of running a Tailscale subnet router isn’t even that big of a deal. A $100 mini PC on Amazon can do the job very competently, or even a small SBC.

1 Like

I like your approach to use Tailscale for best connection between Roon server and ARC client. It must be possible for the developers of Roon ROCK to incorporate Tailscale into ROCK. That would be much easier than working with a subnet router.

2 Likes

I don’t want to debate this too much. I’ll say a couple of things and then hear what you have to say, if you want to respond, but I don’t think this should be a debate between users. It’s just my opinion and I hope Roon and HK hear it.

There are media products like Plex which try to do P2P and move to cloud relay if they can’t. There are video conferencing products like FaceTime and Zoom which do the same. There are video gaming platforms, such as Xbox and PlayStation which also use cloud relays when necessary.

These platforms vary in terms of the amount of data they relay and the latency requirements, but they all make it work, and they do it transparently. A FaceTime user doesn’t know if their video call is going through a relay or not. Neither do users of the other products and scenarios. None of those experiences require third party hardware or software nor do they require the expertise to set up a VPN-type solution.

We can discuss how you might build something like this. You’ve suggested that a variety of approaches wouldn’t work. They would. Cloud platforms from Amazon, Microsoft, Google and others allow for geoscale and distribution as well as elasticity. An approach like a Node-based relay would scale very well - it’s a reasonably simple problem to maintain a directory of connections and to connect the dots between a client and a home-based server. They’ve already got the directory portion of the problem solved because they are maintaining a mapping between users and home server IPs. Encryption can’t reasonably be claimed to be a blocking factor since there is an enormous amount of prior art on which to base an end-to-end encryption strategy.

If you, personally, want to opt out of an end-to-end encryption approach, you should have the ability to do so. You should be able to turn that feature off and either port map manually or use a VPN-type solution. I don’t want to suggest that people with privacy concerns should be forced to use a relay. They shouldn’t.

The best approach to reasoning about cost is not to throw a large number out and say “…adding up to $10,000+ in hosting bills.” The aggregate cost is not as interesting as the cost per user. Non-Lifetime users pay at least $12.49USD/month. If you add a feature like a cloud relay, you’d want to think about it in terms of the impact to per-user revenue (that accrues to aggregate, but you’d start with per-user). You could start by coming up with a cost range specifically for a person that uses a cloud relay. My guess is a couple of USD worst case per month for a highly active ARC user. Many users don’t use ARC. Of the ones that do, many don’t need a relay. Those folks subsidize the folks that do need and use a relay. By the time you’re done, it’s a relatively small amount per user.

Does Roon want to spend more money each month? Of course not! Where we may differ is around whether or not the best business strategy requires them to do so. For me, ARC is a partially complete product that doesn’t work particularly well and, for many users, requires a do-it-yourself add-on solution. I work with, not for, a high-end A/V retailer where the consultants differ on whether or not to recommend Roon. Some don’t because they don’t want to take on the support burden, which they need to do given the nature of their clientele. They can’t sell a Nucleus and say “if you buy this, you can use Roon in your home and ARC when you’re away.” They can only say, “you’ll be able to use Roon in your home but you may need another computer if you want to use it while you’re away.” And if they do that, they end up in the support role for both devices - the Nucleus is an appliance that for most people will just work. The ARC device won’t be anything like that.

I said more than I expected - and we are perhaps just going to have to disagree :) I’ll say, sincerely, that I appreciate anything else you want to say even if you strongly disagree but I’m not going to post further on it here. This is feedback for Roon, not content I intend for debate with other users.

7 Likes