Mobile Use: Roon 1.8/2.0 via VPN vs. Roon Arc

Whilst it isn’t a new thing, but a VPN setup on a phone (in my case an iPhone) allows me to access my Roon Core from the Roon app. I can also have my phone as the endpoint. Via Lightning to USB, plugged into a vehicles head unit gets me lossless and charges the phone.

I prefer a simpler, single app solution rather than more apps on my phone.

Surely a VPN is the way forward rather than 2 apps and port forwarding.

Implement off-lining of content via the normal app to the endpoint (or Roon Core to resolve that resent issue).

Am I missing something, as this seems the more sensible approach.

Thoughts welcome but be nice to one another.

1 Like

Most vpns to allow Roon to see the devices as endpoints need to run the vpn on the core itself So they are in the same subnet as the vpn connected devices which rules out a big chunk of users who use Rock or Nucleus or other servers that are not general pc or Nas. Also most vpns do not forward the broadcast traffic Roon requires to play to endpoints without a lot of configuring and head scratching. I could always get Roon app to connect via vpn but it would never be seen as a device I could play to. Setting up a vpn to work properly with Roon is no easy task for most users look how many problems come with just port forwarding and that’s way simpler to configure.

If they built in their own vpn into the core then perhaps it would work better, but that would mean licensing existing solutions and come at a cost and overheads on the core. I do thing something like this or another form of tunnelling like tailscale will eventually replace what is used now, but even tailscale only works for ARC it won’t work for regular Roon app to play to.


I am not tech wizard, I just know enough

I found it very simple to setup a VPN to my router. This allows me to see my whole network. Doing it this way puts you on the same subnet but in my case also puts you on a separate VLAN to the network. Meaning firewall fules can be set for further security.

You have a UDM don’t you, it’s vpn is pretty good and it’s a point to point one, but my Unifi USG one int and doesn’t work other than connect. They are not all the same and not all routers have the capability. Running it on another computer compounds problems they are navigable if you know what your doing.

1 Like

Yes, agreed that networking components would need to be suitable.

Yes, I have the UDR. But I’m sure there’s a way for those with the USG. The below video may help you.

For the cost of the UDR, I can only recommend you get one. Built in AP, 2 ports with POE for more APs. Full (nearly) UniFi UI control.

Whilst port forwarding isn’t technically a VPN, my view of what Arc is and does is similar to having a VPN, in a way. Therefore, isn’t it feasible that a VPN server could be baked into Roon on the core and/or a cloud based VPN.

My view is, and reason for my post was if you’re able to setup a VPN to your home network, and whilst it works, would this make more sense than having Arc.

Yes, the offline function of your own library is great, but again that could in future be added.

In general, it really isn’t that straight forward to get Roon Remote working over VPN. Especially if you didn’t manage to get port forwarding working in the first place.

If it works out of the box with your UDR, that’s great. But it doesn’t work out of the box with th VPN options on the USG (I have one). I did manage to get it working in the end, but you essentially have to forego on any officially supported UniFi approach.

1 Like

Most people running ARC are using UPnP without intervention, which supports the rationale for this approach. For those who struggled with port forwarding, and I don’t mean issues such as Carrier Grade NAT etc., would find a VPN equally challenging to set up.

I have a cloudkey2 already so it duplicates features on the the more recent routers so what I have mostly and it would then make it all redundant and I would be throwing away money. I would go for the pro if I ever feel the need to upgrade but I could do without the cost. I don’t need a vpn for everyday use but I can use the usg one if I want to for access to my network it just doesn’t work for Roon as I said without using non supported methods. The way it works on the UDM is very different and you also have their own app to make the bridge connection which then helps it work with Roon.

The Wifiman does work to a degree. However I had to manually configure the VPN to get it to work with Roon. The Wifiman way didn’t appear to work.

Agreed the UPnP/Arc method is simpler for most users.


Is it not worth Roon considering a one app approach though, if for some, access to Roon Core is achievable. I listened to what Enno said on the Darko podcast. To me making 2 apps doesn’t make sense. I guess for ease overall.

Roon requires (mostly) a L2 VPN which is a bit more resource intensive and less flexible in its deployment.

ARC works, mostly, with any VPN connection that gives you “web” access to your core. I put web in quotes because it looks sort-of-kind-of like you’re accessing a website to the network. But, that gives you a lot more flexibility in your choice of architecture and VPN.

1 Like


The Internet is asymmetrical. That is, just because you can talk to me does not mean I can talk to you. The port forwarding punches permanent holes in NATs and firewalls to allow connections to flow in a direction not normally allowed by residential set-ups / routers.

Any connection will have such an issue. Putting a “vpn server” on Core will have this issue. How would you get to it? You’d need a port forwarding configuration.

Cloud is not because of its cost related to streaming. Same reason ARC wasn’t released as a cloud service but needs direct access to core.


I assume you are not using an iPhone as your endpoint. I’m not a network expert, but I’m not a newbie either. The type of VPN connection (i.e. a TAP interface) needed to make this happen when the VPN gateway and the Roon Server are on different machines is not available on iOS. At least I have found no way to circumvent this restriction on my iPhones. So what you found “very simple”, others may find impossible.

It is certainly possible to get it working on iOS. I managed to do it with WireGuard. But overall, it’s just too much of a hassle.

1 Like

@Nepherte Interesting. I don’t run wireguard on my server (OpenVPN on synology) and I was not aware that it could now route multicast traffic. I had always heard that wireguard didn’t play nice with multicast discovery protocols. Glad to know it’s fixed. Still, if you found it a “hassle” – and you seem pretty savvy – it doesn’t sound like a solution I’d try to deploy to users who can’t manage to even get port-forwarding working on their network!

Yes, I can via my routers VPN connect to my core with my iPhone and remotely on mobile data use my phone as an endpoint. It can be very flakey at times and with a good signal it’s perfect.

Agreed. Arc does make it simpler in use. I just have multiple music related apps on my devices that I try where I can use the the VPN and Roon. I hide away the other apps unless needed, i.e. no signal and I have off-lined content from other services.

With my limited networking knowledge (Google is my friend) I am under the belief that with my Unifi UDR, a VPN setup inside of it allows me to remotely connect to my network as if I was actually on it. Dispensing the need to enable port forwarding rules or altering firewall rules. A conduit to my network.

With a VPN I can use Arc without port forwarding being needed. Is it not possible to change Arc from what it is, into a VPN tool to access the core. I’m sure this would require reinventing the wheel. Just thinking out loud.





Core is behind your router. How would you connect to the “Core VPN” behind your router? You’d need port forwarding which defeats the whole VPN thing since port forwarding works today as designed.

The reason you can connect to your UDR VPN is because the UDR sits on the internet not behind it. When you configure VPN on UDR it opens a port on the WAN interface to listen for incoming connections. Roon, sitting behind your router, can’t do this (UPnP does this as part of ARC if you have this enabled).

See the difference?


Fully understood. Thanks.


I do not have any port forwarding in place.

My understanding is that Roon Core wouldn’t need to have the VPN server on it, but could be ran on something else (RPi, PC). Having it on the Core (baked in) would be better in terms of less hardware being needed.

I made a mistake in an earlier post. My UDR automatically set firewall rules.
Firewall rules are only needed to allow the inbound VPN.

I appreciate Arc using UPnP (or manual setup) is probably the easiest way for the majority to have access to Roon. Instead of reinventing the wheel, which Arc didn’t, they could have made the wheel better.

I’m quite a determined individual and self-teach myself a lot. Would it be possible to say install Ubuntu Server or desktop, then Linux Roon Server and then a VPN server. Then clone the machines image. Hey-presto, you now have an installable image. Yes, manual firewall rules would need to be added to the router, just as easy I think as port forwarding.