How to make Roon work everywhere without VPN

This seems too good to be true.

Try it out. And tell us if it’s working.

1 Like

Read the comments on the YouTube page. This is not secure at all.

I may be being a bit unfair, but people who look and sound like this are massive red flags for me. Too much hype, too much clueless.

2 Likes

Well, I can’t debate that. But a very important point. However, the main thing now is to verify if it’s working with Roon.

There are also competitors to this solution.

Twingate is also a VPN, like Tailscale and Zerotier, see

I think this is misleading without substantiating. The biggest gripe, it would seem, is that for a zero knowledge solution, trust is given entirely to a third party. But then, how many people use Dropbox or other service providers for hosting their data?

As already stated, there are alternative solutions, and some may be self-hosted.

2 Likes

It seems to me that there is a big difference between someone gaining access to your cloud files and someone gaining access to your entire network.

It’s your data, so it doesn’t matter where it is if someone gains unauthorized access. Nonetheless, you haven’t explained what you mean by “… is not secure at all.”

1 Like

If you guys like to discuss cybersecurity and VPN, create a thread and have fun.

As many like to have full Roon access all over, and not just using Arc, I hope this solution will work. Looking forward to hear from someone who already tried.

At the moment I’m using Wireshark with OpenWRT on iOS. That’s enough for me. I also used IPFire and IPsec. Which was fine.

If someone states that the product you posted a link to “is not secure at all”, I’d say that this is on-topic, especially since you haven’t used it.

Me too!

1 Like

Tailscale works according to my experience, others have posted that Zerotier works as well, so that it is very likely that the same can be done with Twingate. Just give it a try if you are interested.

2 Likes

I have not used TwinGate, but in general ZeroTrust solutions are a much better, more secure option than a VPN. This is another alternative that is also a free to use ZeroTrust solution. https://netfoundry.io/ CloudZiti has a free plan and OpenZiti requires you host the infrastructure, but is free forever with unlimited data transfer.

Short version - VPNs typically get you on a network, and you likely have more access than you need on the other side which is a huge risk. Also, VPNs have open ports on the internet which are actively targeted and compromised.

True ZeroTrust solutions like CloudZiti/NetFoundry only allow highly limited encrypted access to a cryptographic identity. Basically you install an agent on both sides, it connects outbound only on both sides to an overlay network, where the Roon endpoint can talk to Roon Core over an encrypted tunnel and nothing else is even available. You not only specify the ports and protocols, but also the host. Basically, nothing is available until you explicitly grant it.

I am building a vacation home and this is how I will connect back to my main home where the Core will reside. Much more secure than any VPN, and no open ports on your router’s firewall. Also, really easy to set up a Plex server, or anything else you might want to access when away from home.

1 Like

Dammit, 2am and now I want some coffee. :drooling_face: :coffee:

1 Like

How would you load that onto Rock on a Nuc? I’d give it a go…

That is impossible. I think it won’t ever be supported. You need to use something else. We may hope for Sonictransporter to support it if it’s a success. Best option is to use a NAS. For testing almost anything I guess.

Whatever. You keep your most important stuff in the cloud if you want to. I won’t.
Dropbox isn’t a backup solution, it’s a file-transfer/sharing solution.

1 Like

Yeah, this. Saying “don’t use a VPN, use Twingate” is like saying “don’t drive a car, drive a Honda,” which makes NetworkChuck sound, well, kind of ignorant. Twingate–like Tailscale and Zerotier–relies on a third party to set up the connection, which is questionable in terms of security, but also allows you to connect when, say, your home Internet connection is behind CGNAT, which would prevent you from setting up your own VPN server.

Furthermore, his “(traditional) VPN is insecure” arguments are also pretty weak, given that all the segmentation he needs can be done with other, more-traditional VPN arrangements as well.

…unless you configure your VPN server non-foolishly, in which case it gets users only the access that is desired. This isn’t rocket surgery. But admittedly it does take a little more thought than checking the box to enable the OpenVPN server in your router.

Targeted, yes, though it’s easy enough to listen on a non-standard port if you think that will help. Compromised? I’m not aware of any compromises of the OpenVPN protocol, or that server software, nor of the protocol or server for Wireguard–nor does a Google search find any. Now, of course, if you configure your VPN server stupidly–password-only authentication with an insecure password, for example–that’s on you.

VPN is safer than nothing for sure and in general a good solution.

That being said the Federal Government has banned using VPNs and mandated a Zero Trust architecture for accessing applications.

Search on VPN once you are on the above link.

There have been many vulnerabilities with OpenVPN software, as there is with most software.

I am not vouching for TwinGate but in general, the world is moving towards Zero Trust because of least-privilege access by default and identity-based access. Unfortunately Zero Trust has become a marketing buzzword but it is a journey the security world is moving towards.

1 Like

There’s a lot that could be said about that link, but for the sake of brevity:

  • The security needs of the U.S. Government are not the same as those of a typical home or even small business.
  • Searching that document for “VPN” doesn’t find a prohibition on their use, though it does require a security posture that would make them obsolete.
  • “Zero Trust” as it’s used in that document doesn’t appear to have anything to do with the so-called “Zero Trust” VPN systems under discussion in this topic, so it’s questionable how relevant that is to this topic.

I said “compromise”, not “vulnerability,” though I admittedly didn’t define that term carefully. I mostly had in mind allowing an attacker to bypass authentication and access the network, though remote code execution would also qualify.

Not to mention quite the misnomer, because there’s a whole lot of trust–in protocols, in code, and in actors–still going on.

But when it comes to the subject of this topic–accessing your Roon instance remotely–there are three basic ways to do it:

  • Open port 55000, and trust Roon to authenticate and secure access appropriately, and to have built their software in such a way that unauthenticated access is unlikely
  • Run your own “traditional” VPN (e.g., OpenVPN/IPSEC/Wireguard) server
    • You’re running everything, so in principle this is likely to be the most secure option. But since you’re running everything, you’re responsible for configuring it securely and keeping everything up-to-date, which may be easier said than done.
    • This does require an open port to the VPN server, as well as either a static IP address or dynamic DNS, to allow you to reach your server remotely. And if you’re behind double-NAT or carrier-grade NAT, it’s going to be much more difficult–if it’s possible at all–to get this to work.
    • Ordinarily (i.e., with default configurations) this will give you access to your entire network when you’re connected.
  • Use one of the newfangled, so-called “zero trust” VPNs like Tailscale, ZeroTier, or Twingate
    • No ports to open, no static IP, no dynamic DNS; the provider handles all that for you
    • Little to no network configuration needed on your part
    • Will give you access only to the hosts/resources that are connected to that ZT VPN–and anything else you can reach through them
    • But you’re giving the keys to the kingdom to that VPN provider–I assume it’s on this basis that @Andrew_Webb calls this “not secure at all.” But since they make a business of this, presumably they have some incentive to keep secure and up to date.

There’s no such thing as perfect security; everything’s a series of tradeoffs. But the decisions should be made on the basis of the relevant facts.

2 Likes
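Added example, not posted by anyone in this thread: a self-hosted WireGuard setup showing the “entire network” default described above next to the narrowed, least-privilege version that the earlier “configure your VPN server non-foolishly” post argues for. All addresses are constructed (LAN 192.168.1.0/24, Roon Core at 192.168.1.20, tunnel 10.8.0.0/24), the key and DDNS name are placeholders, and the port is the 55000 named in this thread; the nftables rule set only runs on the VPN host as root.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: the LAN, Core
# address and tunnel subnet below are placeholders; 55000 is from the page.
LAN_NET="192.168.1.0/24"
CORE_IP="192.168.1.20"
WG_NET="10.8.0.0/24"
ROON_PORT=55000

# Typical client [Peer] stanza: AllowedIPs covers the whole LAN, so any device
# holding this key (including a lost phone) can reach every host at home.
wg_client_broad() {
  printf '[Peer]\nPublicKey = <CORE_SIDE_PUBLIC_KEY>\nEndpoint = <ddns-name>:51820\nAllowedIPs = %s\n' "$LAN_NET"
}

# Narrowed stanza: only the Core host is routed into the tunnel. This is
# client-side routing, not enforcement, so pair it with the server filter.
wg_client_narrow() {
  printf '[Peer]\nPublicKey = <CORE_SIDE_PUBLIC_KEY>\nEndpoint = <ddns-name>:51820\nAllowedIPs = %s/32\n' "$CORE_IP"
}

# Server-side enforcement on the WireGuard host: forwarded traffic arriving
# from wg0 may only reach CORE_IP on the Roon port; anything else from the
# tunnel is dropped and counted, while non-tunnel forwarding is untouched.
# Add further accept lines for any other ports your Core actually needs.
nft_roon_only() {
  cat <<EOF
table inet roon_vpn {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "wg0" ip saddr ${WG_NET} ip daddr ${CORE_IP} tcp dport ${ROON_PORT} accept
    iifname "wg0" counter drop
  }
}
EOF
}

# Apply on the VPN host (root, nftables installed):  nft_roon_only | nft -f -
```

Check the counter on the drop rule after connecting (`nft list table inet roon_vpn`); a rising count shows the client stanza alone was not confining traffic.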

NetworkChuck’s video was sponsored by Twingate. I’ve been in touch with Twingate’s Tony Huie. I’ll put to him some questions if any of you have any and report back on his answers.

I too prefer self-hosting over this but it does work. No, it’s not a VPN killer; it makes setting one up and using it a little easier for those who may not be as comfortable with self-hosting.

So fire away.

I still use the below though, it doesn’t need to be on a RPi either. If you use Roon Server for Linux, it’ll run on the same machine with little impact. It also works.

1 Like