· Connect to roon server remotely without port exposing - Zero trust.
I’m trying roon and I can’t make it connect through when I’m not in my home network or connecting to my L2TP to my main MikroTik router (not ideal) I wanted to give a zero trust domain like xx.domain.com that redirects to http://localIPv4:80 which works but roon apps are unable to understand this? Seems that works with a roon ARC that plans on exposing a port with I have zero intention of doing. Hoping there is a more mature option.
Tell us about your home network
· I have room server running on a VM in a proxmox that is bonded 2gbps with a NAS that has all of my music. Then all of it has internet connection with a main MikroTik CCR1009
MikroTik offers a solution called Back To Home, which is based on the WireGuard protocol and requires minimal configuration. If you prefer a router-level solution, this can be a good option:
Alternatively, you can use Tailscale directly on the client side. We provide step-by-step guides for setting it up on various devices here:
Regarding your setup:
· I have Roon Server running on a VM in Proxmox that is bonded 2 Gbps with a NAS that has all of my music.
Please note that virtualized Roon Server setups (including Proxmox VMs) are not officially supported. While they may work in some cases, we’re unable to guarantee stability or provide full troubleshooting support for issues that arise in virtualized environments.
If you have any further questions, feel free to let us know.
To set expectations clearly: there are only two supported ways to access a Roon Server remotely.
Port forwarding (Roon ARC default model)
This exposes a single port and allows ARC to connect directly to your Roon Server.
VPN-based access to your home network
This can be:
WireGuard (including MikroTik Back To Home)
Tailscale (WireGuard-based, zero-config)
L2TP/IPsec (what you’re currently using)
There is no third option.
Roon clients cannot operate through HTTP redirects, reverse proxies, DNS-based “zero trust” gateways, or domain-to-local-IP mappings. Roon requires direct Layer 3 network reachability to the server.
While L2TP can work, it’s worth noting:
L2TP without IPsec is unencrypted and insecure
L2TP with IPsec is encrypted but significantly less efficient and higher-latency,higher load to the CPU on the router(not related to your use case but worth mentioning)
WireGuard (used by Tailscale and Back To Home) is:
fully encrypted
faster
simpler to maintain
better suited for mobile clients like ARC
That’s why WireGuard-based solutions are generally recommended today.
Summary
ARC cannot work via domain redirects or reverse proxies
Remote access requires either port forwarding or VPN
You already have a working solution (L2TP), so there’s nothing broken
WireGuard is recommended purely as a modern, simpler alternative, not a requirement
If you’re satisfied with your current L2TP setup, you can continue using it.
Please let us know if we can clarify any details about NAT traversal. In general, remote access isn’t officially supported for Roon (only ARC) due to inherent limitations with mDNS and device discovery. However, many users have configured the setup it sounds like you intend to build yourself.
The Support section is subject to topic timers, but if you create a post in Tinkering or Roon Software Discussion, the thread will remain open and be more visible for other experienced users to weigh in.