I’ve only tried with an iPhone X so far.
There is a VPN solution for Roon that does work. You will require quite a bit of knowledge about routing and VPN technology to make it work.
So the problem is Roon wanting to address clients who reside on the same subnet as the Roon server. If you try a VPN tunnel it will work you will be able to launch the Roon Control program but what you will notice is that the audio zones are missing. The reasons that the audio zones are missing is that Roon (and this was my assumption) needs full control of the device via the TCP/IP connection. So the trick is to make the remote Roon user appear to be on the same subnet as the server.
So this is how I did it.
1.) I built a SoftEther VPN Server on a Windows 10 box behind my firewall.
2.) I opened up the required ports on the firewall to support the VPN
3.) I created a VPN Soft client and loaded it on another computer which resides outside of the Roon server subnet
4.) I used the VPN soft client to login to my network remotely, the attached VPN client was assigned an IP address on the same subnet as my Roon Server resides on.
5.) Once connected via the VPN the Remote User was assigned an IP address on the same subnet as my Roon server.
6.) When I started the Roon Control Program on the Remote User side of the VPN it works flawlessly.
7.) Next, of course, we all want to see if we can access the Roon application from our smartphones. I used a VPN connection from my iPhone 7 to my Roon sever via the SoftEther connection and that worked as well. The issue with the VPN over the Cell network is that you have to be on an LTE connection for it to work.
You cannot stream this over your phone while driving it will not work, or should I say it will work for about a few hundred feet then fail. If you are sitting on a park bench and feel the need to stream music it will work.
1 Like
Don’t you risk problems with IP conflicts?
Also, why would you need split tunnel?
No, as it just grabs an IP for the VPN device from your LAN’s DHCP server.
Split Tunnel: Mobile isn’t very stable without it. It takes longer to find the core without it and loses it quite often.
Is your DHCP server also running in your NAS?
In my Synology Router. Where VPN Plus is running.
My mistake, read Synology and missed it was a router. 
No worries I would think it would be achievable from the NAS as well. I just don’t like exposing my data store (NAS) to the world.
I get that but it’s pretty much the same with the vpn server in your router.
Minus the open ports to my NAS.
Yes but your VPN clients would have exactly the same access unless you restrict them, which you could do in your NAS as well. So it’s more down to trusting your router being more secure for exploits.
FWIW, I share the same feeling.
Does this need ROCK specifically to work, or should it work with ordinary Roon server?
It worked perfectly fine in Ubuntu Server with the normal Roon Core for me and there’s nothing that is ROCK specific.
As long as you setup OpenVPN Server & Clients correctly it will work. Depending on setup you may need to add static routes (i.e. to sub net used for VPN client). All this is possible with Roon Core and OpenVPN Server in Linux, MacOS and Windows.
Connecting remotely to a Roon Core via an Amplifi Teleport works fine. Have not had success via OpenVPN
1 Like
i got an OpenVPN bridged (TAP) connection. and from my PC in office i can access to roon-core at home.
the problem is that even with this configuration the office-roon-client sees home-network endpoints, but for unknown reasons do not show the PC system output. so, i can control music at home, but cannot play anything locally in office 
there’re some other posts reporting same problem, but it’s not clear if someone has solved it.
i did not try to connect with a phone (android) though.
I managed to access Roon with OpenVPN and Tunnelblick with MAC os Sierra, TAP mode configuration.
I can see the local PC as private zone.
Ciao
Sounds like firewall issues to me, especially if a company computer.
1 Like
yes, it was a firewall problem 
i have disabled the firewall, and now roon works over VPN! so happy about this.
i just have to struggle a little bit to find out how to set rules in windosw 10 firewall to let roon be discovered over the vpn network, but … it works
How did you get Roon to work over VPN? I haven’t been able to yet, in spite of having a good VPN working. Also, the advice I read from Roon was it was not possible. Is there a post you used to do it?
Thanks.
Note: I edited a couple of points so if you got an email, this is the corrected version:
@marshalleq: I did get it to work. You have to use a layer-2 VPN, so L2TP over IPSEC if you are Cisco guy, or specifying in OpenVPN Server and your client to use a “TAP” interface rather than a “TUN” interface. A “TAP” interface is layer-2, which essentially puts you on the local subnet. I had to allocate a small range of the same subnet that my server sits on as part of my VPN pool (so say your server is on 10.0.1.40/24, then you’ll need to set you VPN pool to be say a /28 within that same subnet . So like 10.0.1.60/28 – if you don’t know how to do subnetting, use an online site – just google “subnet calculator” and pick an IP Pool that you’re comfortable giving up to your VPN Pool. The trick is that this is just your pool. When you send DHCP information to the client, you send it a /24. The smaller subnet is just your pool (the IP’s you’re reserving for VPN use).
You’ll also have to adjust your existing DHCP for devices in that subnet so they don’t give out the IP’s you get when you VPN in – I recommend you just pick that highest, last /28 within your subnet which won’t likely get assigned unless you have a ton of devices.
Also, make sure that IGMP and other multicast traffic is permitted between the devices that are VPN’ed into your network.
Finally, you’ll need to allow clients to egress your network through your default gateway once they VPN in (no split routing). That way they can pull up the metadata and do any of Roon’s entitlements/license check stuff. So you’ll need to make sure they get a NAT (PNAT or otherwise) rule to egress the network.
And of course allow traffic between VPN devices and local devices if your VPN appliance/endpoint automatically locks that down. Some will not allow VPN peers to communicate and you’ll want them to be able to communicate.
Last part is that you’ll have to configure your client to use the IP address of your DB rather than the NETBIOS/WINS name (ie. ROONSERVER, or whatever you call it on your network if you’re a Windows user) because that won’t work for things like Mac’s and iPhones and iPads.
You’ll also need a fast connection because you’re sending the entire file over the network. Good luck, it’s a real pain in the butt and was ultimately useless as it only works if I’m somewhere that has a fast network.
6 Likes