Connect to ARC with Tailscale

Connect to ARC with Tailscale

We know that many of you have had difficulties connecting to ARC for a multitude of reasons.

ARC currently relies on port forwarding to reach your phone outside your home network - we’ve heard from many users that this won’t work because of their particular network setup or the restrictive policies of their internet and cellular providers. Specifically, those of you with complex network configurations or ISPs who make users share IP addresses behind CG-NAT are blocked from ARC connectivity without buying new routers or ponying up more cash to buy a static IP.

We are happy to say that after much testing, we have found a solution that is both free and easy to install which should immediately resolve many of these issues—Tailscale.

What is Tailscale?

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. Tailscale uses a technology called WireGuard to create private, encrypted subnetworks over the internet. This allows devices in separate locations with completely separate internet connections to reach one another as if they were on the same WiFi network.

If you’ve been unable to reliably connect to ARC using port forwarding, please read this guide to learn how to set up Tailscale as a workaround.


So much simpler if I could just use 443 externally via cname/dns
example: (SSL 443)
then internally I can redirect that to my roonlabs server nnn.nnn.nnn.nnn:5051 etc

all modern software allows this - and makes our life easier…

(now off to see about tailscale and the prospect of spending even more money on this solution)

1 Like

I already have DDNS (dynamic DNS) setup for my home. Rather then making me use a different VPN than the one already running well on my phone, Roon should let me point to the URL for my DDNS service. This is not an either/or solution. If people want to use tailscale that’s fine, but I (and many others) already have VPN running on our devices outside the home, so changing to a new VPN service is not a real solution. It was a long proces to research and choose a paid VPN service that is truly private, secure, and fast.


I’ve been using Tailscale (between my iPhone and Mac Mini) and port forwarding for months; didn’t realize Tailscale made port forwarding unnecessary. In any event, it’s a great service.

I’ve had success with Tailscale and also Wireguard with PiVPN.

Possibly a good solution all round would be to run DietPi instead of Roon Rock (unless you have a Nucleus device).

On DietPi I’ve had Roon Server running, PiVPN, PiHole and more. No problems at all.

It’s good to see Roon suggesting this as an approved solution.

Is Roon working on a way so port forwarding and/or VPN aren’t required? Similar to Plex/PlexAmp

1 Like

I generally thought you’d never officially support Tailscale and if we used it we wouldn’t be supported.

Oh my how this is music to my ears! Thanks for supporting. Been using Tailscale for months for remote desktops and found that it work for Arc after seeming a few posts.

Remember it’s free to use. So I hope it helps many others. And, if you have/use something else that you can access your network using a Subnet Router then you’ll be golden and should already be using it this way to eliminate errors.

1 Like

Do you have to have the app on the iPhone? I’m curious on trying this again.

Yes, I’ll try to find and link my other post about it.

I believe you need the app on both your Roon server and on the device with Arc. (That’s what I have, anyway.)

If you’re using Windows, MacOS or Linux, you can install Tailscale on it and set up the device as a subnet router, then you install Tailscale on your phone and connect.

For people with Rock/Mock setups; you’ll need a separate device to act as a subnet router. That can be; a NAS, AppleTV (now supports VPN), another computer that can install Tailscale on it.

My example; I have a spare NUC8i5 and I run Hackintosh. This allows me to set it as a subnet router and also allows me to Remote Desktop into my network should I need to change settings or test something. I have a NAS which is also setup as a subnet router and finally my AppleTV is one too. I can switch between them at any time should one go down.

Another option is a RasberryPie, great for low power consumption (which also makes the AppleTV a good choice too). I’m sure many will share their setups and best practices. It doesn’t need to be expensive and it’s a great way to learn something new too!

It’s nice to see Roon invest in solving ARC connection issues. This seems like a poor solution, though. This is particularly true for less-technical folks and for people who invested in a single-box solution, like a Nucleus or ROCK who now need another always-on/always-connected device to use ARC.

Other products in the market, both music and non-music, solve this scenario by falling back to a cloud-based proxy when a direct connection isn’t available. This is typically transparent to the user and doesn’t require additional software or even awareness that it’s happening.

If ARC connectivity is the issue that it appears to be, and the effort on this Tailscale solution suggests it is, then why doesn’t Roon do something similar? It just seems to me that this is Roon’s problem but is being pushed onto users with a reasonably complicated DIY VPN approach. This is, unfortunately, just one more reason that I can’t recommend Roon to people I know. I’m not confident it’ll work without a lot of energy and expense.


Has tailscale improved with battery consumption? I have iPhone 15 pro max.

@ipeverywhere wrote about the other options like you mention when ARC was released. Pinging him so he can provide a better explanation of the headwinds that option entails.

It’s fine on my 15 Pro.

I have this need as well.

I had to ask my ISP for a static ip (extra charge) to get ARC to connect.
Does this new feature with Tailscale mean I can give up the static IP?
Is there a way to test it before I do?

Been using Tailscale since it came out. I’m on Starlink (CG-NAT) so nothing else will work for inbound. Works like a charm! this guide will be very useful for non-technical folks. Thanks for putting it together.

1 Like

I was able to configure my Synology NAS as a tailscale subnet router such that when I plug in the IP of my ROCK in a browser, I get the web interface of ROCK (with system information and such) but when launching the Roon app, Roon can’t seem to find the ROCK. Any suggestions?

I’m hesitant to call this the panacea to connection issues due to: (i) the user experience; (ii) privacy concerns; and (iii) the cost/bandwidth involved.

Going through a cloud relay like you suggest would ultimately add an additional round trip latency to the whole ordeal which is never fun when browsing through large libraries that constantly need to be sending requests to pull new data (album art, track listings, etc…). While sure Roon could create cloud relays in all the major metros, that is certainly gonna add significant infrastructure cost, even if Roon were to use an IaaS solution. A globally distributed CDN like CloudFlare or CloudFront simply wouldn’t work in these situations, because each user has their own live unique data. It would need to be a true “TURN” relay (though operating on a custom protocol).

Also, I’m in the camp of not wanting my data to hop between an extra bounce on someone else’s computer, no matter how much I trust them. Vulnerabilities have the potential to arise no matter what you do, so adding an extra layer where stuff could be sniffed or vectors of attack generally are not ideal. Besides, part of the joy of self hosting is being able to avoid the watchful eyes of third parties.

Given how many of us stream high bandwidth hi-res audio, operating relays like you suggest would be pretty cost prohibitive, or otherwise experience-degrading if Roon were to bandwidth limit. Especially for heavy users, I can imaging them chewing through hundreds of TBs of data over the course of every month, easily adding up to $10,000+ in hosting bills alone. Doesn’t make business sense to run that.

Tailscale is ultimately a free platform that solves most of these issues. These kinds of overlay networks are cropping up more and more now too, and at the end of the day it’s just Wireguard. If you were doing any other kind of hosting for infrastructure at home, you would either need a VPN solution or you need to port forward. The same is true if you’re a corporate network - there is no real difference here.

The one thing I think could be improved would be allowing the user to specify arbitrary hostnames and ports, in the event that some autodiscovery doesn’t work. Otherwise, I think the idea of running a Tailscale subnet router isn’t even that big of a deal. A $100 mini PC on Amazon can do the job very competently, or even a small SBC.

1 Like

I like your approach to use Tailscale for best connection between Roon server and ARC client. It must be possible for the developers of Roon ROCK to incorporate Tailscale into ROCK. That would be much easier then working with a subnet router.