Roon ARC - Roon server is on my iMac - security risk

Hi, if I run Roon Server on my main iMac, and I enable ARC and port forwarding to my iMac, will my iMac now be discoverable by the world?

The IP address of Roon Server is obviously the IP address of my iMac in this case, so I am concerned about this.

Obviously another way is to have a separate dedicated Roon Core, separate from my Mac, with a different IP address to my Mac.

Kind of.

Assuming an IPv4-only home network, your Mac itself is not ‘discoverable’ as such, but attempts to connect to your router using TCP on your ARC port will get forwarded to the Mac, on which that port will be open and an initial connection will be made. However, once the connection is made, authentication is required and if that authentication fails, the connection will be dropped. The outside agent still believes it is connecting to the router, not the device behind the router.

Thus, technically, nothing in the outside world is aware of your Mac specifically, but it could, in principle, discover that there is a device accessed via your public IP address that has the ARC port open.

Whether or not you consider this to be a risk is up to you. The actual risk is the same (or possibly slightly lower due to obscurity) as that exposed by any Web server or any other publicly available server - including those of the banks and financial organisations that are looking after your money.

With IPv6 the situation is different. Every device connected to the Internet with IPv6 support is, and must be, visible to the Internet. There is no NAT involved. However, your router will now act as a secure gateway (running a firewall), only allowing connection attempts to the devices which it has been told to allow and only on the specific ports that it has been told to allow. This seems like a backward step in relation to IPv4, but the incomprehensibly huge scale of the IPv6 address space makes it impossible for rogue agents to perform a dumb ‘search’ for an IP address (and a port on that IP address) that offers a weakness. There are 7.92281625143e028 times as many possible IPv6 addresses as there are IPv4 addresses. Even if you have a priori knowledge of the address pool issued by ISPs, a home user with perhaps 100 devices (most come nowhere near that number) is given a block of 2e19 addresses and can, in principle, allocate any of those to the devices on their network, so even doing a brute force discovery on your own network is practically impossible.

In both cases, the risk of a single exposed port (with authentication) is extremely low. Just for comparison, I have a third-party VoIP phone on my network which requires not 1 but 996 ports to be open at the router in its default configuration (I have reduced this considerably, but it is still more than 1). In the UK, it will soon be impossible to get a POTS telephone line installed, with all new landlines being VoIP.

In either case, an outside agent will not know the type of device it is connecting to unless that device tells it (e.g. web servers tell the connecting client via the user agent field in the initial message exchange).

In short, using your Mac vs a separate ROCK server does not increase the risk of a successful attack, but it could increase the *cost* of a successful attack because there is likely to be more important data on the Mac that could be compromised or lost.

6 Likes

Yes, ARC will work anywhere in the world.

No need to be concerned, Roon's authentication process keeps the baddies out.

For IPv4, ARC itself, when outside your network, does not connect to your Roon Server’s IP address. It connects to your router’s IP address. ARC does not know and cannot use your Roon Server’s IP address when used remotely.

It can, but you need to have it working first by opening and forwarding the port on your firewall.
With a VPN, after it is properly configured you can close the port on the firewall to use ARC.

In my case I use WireGuard on my router and route all traffic from my mobile clients over it, including ARC.

I am aware that you need to know what you are doing, and it is not recommended for networking novices.

Using a VPN is not the same as using ARC remotely.

With the VPN your ARC is on the same private network as the server. Hence VPN: Virtual Private Network.

When used remotely and without a VPN, I stand by my comment. ARC does not know and cannot use the Roon Server's IPv4 address. ARC connects to your router. It is the router, and only the router, that knows about the Roon Server on the private network. That is the ‘raison d’être’ of port forwarding.

As I said in my original post, this is very different for IPv6.

1 Like

I would add to this and resummarize: the risk is only if the authentication of the services on that port can be successfully accomplished, and the risk is only with the services running on that authenticated port, unless for some reason the services running on that port introduce vulnerabilities through poor programming that can allow an attacker to navigate through that vulnerability to affect other things. All that said, there are much easier ways to accomplish the same effect.

Yes it is; the only thing that is different is the way the ARC client connects to the Roon Server with ARC.

And with a VPN this is not actually “remotely” on a technical level from the perspective of the ARC app, so it’s not the same.

1 Like

So when I connect to the ARC port on the Roon Server from another network via a path over the internet, it is not the same?
Only the router not forwarding to the port is different…
I do not terminate ARC on the router and forward, but on the Roon Server directly.
Different route, same result…

Sure, the result is the same, but Wade had described the technical mechanism, and the mechanism is completely different.

This, and the fact that the VPN creates a virtual private network, meaning that for an app it looks like it’s on a LAN, not using a routed remote connection. It’s a very fundamental difference.

From the point of view of how ARC works, there is no difference in how the connection is made.
VPN, the network at work, the internet, my 5G provider's network; but feel free to think there is a difference.

Sure, if you leave out every detail then there is no difference.

1 Like

I already wrote that in my opening post, “dedicated” meaning RoonOS:

I think the idea was that Roon OS has no other tools installed that we know of, no ssh, no terminal, etc., and every update resets it completely. Meaning that even in the extremely unlikely event that someone got access to it, it would be much harder to do anything with it in order to gain access to anything else.

1 Like

I am running Ubuntu Desktop on a laptop and have installed Roon Server.

This Ubuntu install has SSH disabled, so it partly mimics RoonOS for now (but does not fully mimic it).

But Roon Server is running on this Ubuntu laptop without me even logging into any of the Ubuntu accounts. Just booting the laptop is enough for Roon Server to be working.

I’m not too worried but is there any way to make this more secure @Suedkiez ?

I will have Roon OS working in 2 weeks or so when Intel NUCs arrive, so that will be the ideal setup.

1 Like

Yes, install Ubuntu Server (LTS) only (no GUI), and use the minimal installation setting, unchecking everything when the options are presented. If it suits you, you could also buy a YubiKey and require this whenever a password is entered.

Incidentally, there’s nothing wrong with enabling SSH access; just disable password logins, configure for certificate only, and disable root access.

3 Likes
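The SSH hardening the post above recommends (no password logins, key-only, no root) can be verified against the server's `sshd_config`. The script below is an added example, not from the thread or from Roon; it reads the first uncommented value of each keyword, which is the precedence sshd itself uses, and runs against two constructed sample configs written to temporary files. It assumes the standard OpenSSH keyword names and defaults and does not handle `Match` blocks.

```shell
#!/bin/sh
# Print the first uncommented value of an sshd_config keyword (lowercased).
# sshd honours the FIRST occurrence of a keyword, so this matches its precedence.
sshd_first_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# Returns 0 when the three recommended settings are in effect, 1 otherwise.
# Defaults used when a keyword is absent follow OpenSSH: PasswordAuthentication yes,
# PermitRootLogin prohibit-password, PubkeyAuthentication yes.
check_sshd_hardening() {
    cfg="$1"; rc=0
    pw=$(sshd_first_value PasswordAuthentication "$cfg")
    root=$(sshd_first_value PermitRootLogin "$cfg")
    pub=$(sshd_first_value PubkeyAuthentication "$cfg")
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pw:-yes}' (want no)"; rc=1; }
    [ "${root:-prohibit-password}" = "no" ] || { echo "PermitRootLogin is '${root:-prohibit-password}' (want no)"; rc=1; }
    [ "${pub:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '${pub:-yes}' (want yes)"; rc=1; }
    return $rc
}

# Constructed sample 1: the hardened configuration recommended in the thread.
HARDENED_CFG="${TMPDIR:-/tmp}/sshd_hardened.$$"
cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: key-only logins, root disabled
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF

# Constructed sample 2: distribution defaults left in place (commented keyword
# means the default "yes" applies) plus root login explicitly allowed.
WEAK_CFG="${TMPDIR:-/tmp}/sshd_weak.$$"
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: password logins still enabled by default
#PasswordAuthentication yes
PermitRootLogin yes
EOF

for f in "$HARDENED_CFG" "$WEAK_CFG"; do
    if check_sshd_hardening "$f"; then echo "$f: hardened"; else echo "$f: needs attention"; fi
done
```

On a real host, point `check_sshd_hardening` at `/etc/ssh/sshd_config` (and any `sshd_config.d/*.conf` drop-ins, which it does not merge) after `sudo sshd -T` confirms the effective values.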

Maybe a good point to talk about the merits of RoonOS 2.1 and its built-in Tailscale VPN. In EA currently. It’s easy to set up and it works.

2 Likes

Can you share info about these merits?

No port forwarding required

Tailscale being built in to RoonOS 2.1/ROCK doesn’t require a second computer

Easy setup

It works

It’s secure

1 Like