Does Roon Work With Cloudflare Warp+?

If the Warp app is running on all the computers on my local network, will that confuse Roon? Will it confuse Roon’s connection to services like Qobuz?

If yes, is there a fix/workaround?

This largely depends on how you stream music and how your local network is set up.

TL;DR version - If you’re not streaming from a local NAS or server, but rather ONLY from cloud streaming services like TIDAL / Qobuz, then it’s unlikely to affect performance. This largely assumes a very simple network layout with a single “routing” device that provides numerous services like NAT, DHCP, DNS forwarding, etc.

What are you trying to achieve using WARP and 1.1.1.1?

If Warp is running on literally all computers, including your core, remotes and endpoints, then it will definitely interfere.

It’s my understanding that Warp is more than a DNS service: Introducing WARP: Fixing Mobile Internet Performance and Security. It sounds like a VPN to me.

@Andrew_Webb, in my experience Qobuz doesn’t run into problems when you’re running Warp.

And I can’t think of any reasons why it would cause problems for any devices connected to your local network.


Lots of confusion here.

Nepherte is correct that WARP is in fact a VPN service, but wrong to jump to such a hasty conclusion that it will automatically interfere. With cloud-streaming services like TIDAL and Qobuz, David_Nightingale is correct that it should not. mikeb, with good reasoning behind why a different DNS provider would be any different, is on the right path, but to say that WARP is a DNS service is also incorrect.

VPN and DNS often go hand-in-hand, and are not the same thing. You can be using a very good VPN service, even roll your own, but if you’re not ALSO taking care to ensure your DNS traffic is either a) tunneled (which it very often isn’t unless you’ve done this explicitly), or b) opted to explicitly configure a different set of DNS servers to use with options like DNS over TLS (DoT) or DNS over HTTPS (DoH), notwithstanding the use of DNSSEC, DNSCrypt, and the like, your DNS queries (the websites/services you visit/use) may be exposed to your ISP/WAN operator. Not all of these are mutually exclusive, and not all of these work with each other harmoniously. Consider them options for different scenarios. Some work together well, some don’t.

Yes, WARP (a VPN service by Cloudflare, based on WireGuard…their version of it anyway) also uses 1.1.1.1 DNS servers (a DNS service…also provided by…you guessed it! Cloudflare). Seems natural for a company that offers cloud-based networking services to dogfood their own services when launching…other services. Please don’t conflate the two as the same thing. They are not. One is a VPN tunneling service, the other a DNS service. They can work together to create an excellent way to shield yourself from a snooping ISP/WAN operator, but must be used together. Generally speaking, WARP attempts to force DNS traffic to 1.1.1.1.

What needs to be understood here is the context of running Roon within a local network environment, that is to say (essentially), a “NAT’d” local area network. Specifying a DNS server on a device (often regardless of the operating system), will provide that device a way to query DNS servers for entries it doesn’t already have cached. If the DNS server itself doesn’t have an answer it is often configured with a “forwarding address”, basically a way to reach out on behalf of the device that made the original query, and get back an answer it can then add to its own cache (and the device that made the original query often does the same).

I think what @Andrew_Webb is trying to understand is if running the localized WARP client on each computer will interfere with the operation of using one endpoint as a server, one as a player, and one as a control (perhaps these are all the same device). Unless there are multiple devices involved and other services on the NAT’d LAN network have been explicitly disabled, VLANs are in use (perhaps with different subnets) with no firewall ACLs to allow traffic over certain ports, OR if firewall ACLs have effectively been configured to DENY traffic over certain ports, it’s unlikely using WARP will affect cloud-streaming services like TIDAL, QOBUZ, and others.

However, if local file streaming from a NAS or other network storage device/endpoint using protocols such as CIFS/SMB, FTP, or others is needed, the use of the WARP VPN client may in fact interfere.

Again, it’s all about context. @Andrew_Webb’s question has multiple answers depending on what is needed now and possibly in the future.

Side Note: I haven’t explained split-tunneling, or whether or not a certain ISP/WAN operator or if the VPN’s ISP/WAN operator allows certain VPN protocols to egress/ingress their border firewall for the sake of simplicity. There simply is no need to get into that level of detail here. I also opted to not get into specifics about local DNS resolution using something like Unbound because there isn’t a need because @Andrew_Webb didn’t ask about localized DNS services in the context of using a VPN service like WARP.

EDIT: Added parentheses / closed sentence.


Perhaps it would be simpler to ask the opposite question: is there any real benefit to using Warp/1.1.1.1 with an all-Mac home network consisting of Ethernet and Wi-Fi (via Orbi with Ethernet backhaul) served by gigabit fiber?
Services to consider, (other than Roon) are Plex, Backblaze, Dropbox, and some IOT stuff.

I was only trying Warp out because I got a free six months, and I was curious to see if I noticed any benefit. Call it idle curiosity.

Roon has so many problems on my system that I decided Warp was likely to be another layer of trouble, so it’s disabled on all but one non-Rooning machine, the one that serves Plex.

My recommendation with consumer-grade networking products/services is always to keep it as simple as possible. Often times in my own experience trying to blend a consumer-grade gateway with VPN services for an entire NAT’d network, without at least options for configuration of a DNS resolver, ends up in more problems than it’s usually worth. This isn’t even taking into account the security aspects of why consumer-grade network products/services are often full of gaping security holes. Be sure to use 1.1.1.1 as your primary DNS server. It’s not going to automatically encrypt or conceal your DNS traffic from your ISP/WAN operator, but purely for performance and some measure of blocking the creepy stuff ISPs/WAN operators do with redirection and selling your data to whoever. More on that below.

If you want to shield your web browsing and other DNS queries as well as any non-DNS egress/ingress traffic from a snooping ISP/WAN operator on the devices that use WARP, sure, just realize that the primary purpose of the service is first a VPN (to tunnel your traffic so it egresses/ingresses somewhere else) and second for DNS. You also need to be using 1.1.1.1 as your DNS provider on all your devices and preferably even going a step further and using a web browser like Firefox that offers proper DNS over HTTPS (DoH), eSNI, and other forms of protection like blocking fingerprinting, favicon tracking, and other options.

More to my point is that using it with Roon in your local network only with those cloud-streaming services like TIDAL and Qobuz ought to be irrelevant/transparent. That being said, the other services you mentioned may suffer, especially Plex, which often requires explicit port forwarding (i.e. a firewall ACL/rule to allow inbound traffic on a specific port), to allow for remote access to your server. I would not run WARP on the Plex machine, but I would still use 1.1.1.1 as my DNS provider.

The others you mentioned are typically able to traverse any connection that allows traffic over mostly TCP 80/443 (HTTP/HTTPS) which is pretty much any home network nowadays. They may do some weird ephemeral session connection stuff on the back-end (usually layer 7 type stuff like rate-limiting), but for the most part they are plug-and-play and will “just work” over any internet connection that allows even just basic web browsing.

That being said, the Orbi system you mentioned is a consumer-grade solution and although I haven’t used it myself, the way the cut sheet reads is very much the same as 99.9% of other consumer-grade network devices like Wi-Fi router/switch/WAP blended devices. It’s essentially a very simple gateway device, although it has some high-powered Wi-Fi functionality which looks pretty neat. That’s not going to change its simplified handling of DNS services though. It’s still only going to operate as a DNS forwarder at best and offers nothing in the way of DNS configuration beyond simply specifying which DNS servers you want to use.

If you want really customized DNS resolution to 1) avoid snooping by your ISP/WAN Operator and/or 2) your OWN resolver to cache DNS records locally for some reason (such as blocking ads and China?) and/or 3) to FORCE all DNS queries out of a specific interface/port using a specific protocol such as DNS over TLS (DoT)…you’re going to need a gateway that can handle all of that and provide that level of configuration. Both pfSense and OPNsense are options to explore if you want to go that route, but honestly, with the setup you’ve described, if I were you I wouldn’t bother since it seems uptime may be more important than security (apologies if this is an incorrect assumption).

The other part of the equation that hasn’t even been mentioned up to this point is how contrasting the use of VPN and DNS may impact the use of other services. Depending on what type of VPN is used (most commonly layer 2 or layer 3, but there are also layer 4 and 7 VPN options as well), the impact to localized “discovery” services like Bonjour, Avahi (both implementations of mDNS), as well as UPnP, may simply be degraded or not understand routing beyond a specific local route within the NAT’d subnet. I think that’s probably best saved for another conversation as this is getting long as is.

Let’s just say for now, I’d strongly recommend using a VPN and DNS service like WARP and 1.1.1.1, but at the end of the day, if it interferes with localized streaming of music to a Roon endpoint on your local network, simply turning those services off during that streaming and turning them back on when you’re not streaming may be simplest unless you’re willing to invest time into another routing configuration that can handle the complexities of both VPN and DNS for all clients on your local network while respecting (and explicitly permitting) localized protocols and services like the ones I mentioned above restricted to the NAT’d subnet(s).

In your example, you’re setting up a tunnel with Warp from your device (Android?) to Cloudflare. Qobuz will work because you simply want to stream music from Qobuz to your device without interacting with any of the other devices on your local network.

If you wish to use Roon and stream to endpoints on the local network, then the Warp tunnel effectively prevents you from doing that. There may be scenarios where it might still work, such as split tunnels or if there’s no need to communicate with other devices on the local network.

I don’t have firsthand experience with Warp so you might be in those exceptional cases I listed, in which case it still works…

You’re asking the right question!

For avoiding georestrictions?
Clearly not because Warp doesn’t do that for you.

For privacy?
That would be a joke. Your IP address is still the same, they use their own version of WireGuard (meaning not audited or publicly verified by the community), they keep logs, they’re in the US and their privacy policy states they will share logs and your personal info when requested by authorities. So…

I agree with @grff’s recommendation: configure the DNS provider on your router (so that all devices on your network automatically start using it). You can pick one of Google (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). Those will all be fast and up-to-date.

Well, in my case your conclusion simply isn’t correct. In the screenshot I posted it’s my Roon core that’s connected through Warp and I have no issue playing music on any of my endpoints, irrespective of whether the endpoints are also connected to the internet via Warp. For example, I can play local content and stream from Qobuz to a Pi4 (not connected using Warp). I can also play local content and stream from Qobuz to both my iPad and iPhone (connected via Warp).

No, but I do. Maybe it would be helpful if somebody else could comment as I don’t think there’s anything exceptional about my setup.

Fair enough, I definitely respect firsthand experience. That would imply it’s a split VPN tunnel, which I did put in the caveats as to why it might still work, mind you :)

@DaveN Perhaps you can provide some insight into this question? What would be the advantage of using Warp (over let’s say simply configuring a DNS provider)?

I suppose, alternatively, it could also be just DNS over ‘custom VPN tunnel using WireGuard’. Not sure why you’d want to do that but it’s a possibility.
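The split-tunnel explanation raised in the posts above, as an added example that is not part of any post in this thread: a longest-prefix-match check over two routing tables, showing which destinations leave through the tunnel and which stay on the LAN. The interface names (`en0`, `utun3`), the 192.168.1.0/24 subnet, the host addresses and both route tables are constructed for illustration and are not captured from a WARP client.

```python
import ipaddress

def egress_interface(routes, dest):
    """Longest-prefix match: interface of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def audit(routes, tunnel_iface, destinations):
    """Label each destination as 'tunnel', 'local' or 'unroutable'."""
    result = {}
    for name, ip in destinations.items():
        iface = egress_interface(routes, ip)
        if iface is None:
            result[name] = "unroutable"
        else:
            result[name] = "tunnel" if iface == tunnel_iface else "local"
    return result

# Constructed split-tunnel table: the two /1 routes capture internet traffic,
# while the more specific LAN and multicast routes stay on the physical NIC.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "en0"),
    ("0.0.0.0/1", "utun3"),
    ("128.0.0.0/1", "utun3"),
    ("192.168.1.0/24", "en0"),
    ("224.0.0.0/4", "en0"),
]

# Constructed full-tunnel table: the client also claims the LAN and multicast ranges.
FULL_TUNNEL = SPLIT_TUNNEL[:3] + [("192.168.1.0/24", "utun3"), ("224.0.0.0/4", "utun3")]

# Constructed destinations: a NAS, a playback endpoint, the mDNS group, and 1.1.1.1.
DESTINATIONS = {
    "nas_smb": "192.168.1.20",
    "endpoint": "192.168.1.31",
    "mdns_group": "224.0.0.251",
    "resolver_1.1.1.1": "1.1.1.1",
}

if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(label, audit(table, "utun3", DESTINATIONS))
```

On a real machine the same comparison can be made by reading the OS routing table while the VPN client is connected and checking which interface the LAN subnet resolves to.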

In the context of Roon I don’t think there’s any real benefit over and above the fact that Cloudflare’s DNS is reliable so, as you mentioned, it’s probably no better than Google’s or Quad9. I use 1.1.1.1 on my router and devices because it’s often a bit quicker than 8.8.8.8, but that’s the only reason.

As for Warp: I do have it installed and running on my iPhone, as I’d rather have a bit more privacy than not, but I don’t routinely use it on my laptop (the device that runs my Roon core). I did turn it on to check how it works with Roon (hence the screenshots above), but if I want better security on my laptop (for personal banking etc) I use NordVPN. As an aside, NordVPN does cause problems with Qobuz in my setup, i.e. the connection to Qobuz will often drop and be hard (or impossible) to reestablish.

So, to answer the OP’s original point - will Warp work? - yes. To answer the subsequent question - is there any benefit over and above the fact that 1.1.1.1 is a reliable source of DNS? - no, at least not that I can think of.

Thanks, everyone.
