My next question - new to Roon, so apologies for the multiple posts (but just wanted to keep topics separate).
I’ve been reading things here and there about ‘Roon having a backdoor’ and ‘Roon have root permissions’, e.g. this thread.
So I guess some of these claims may not be accurate. And I know that most software/tech we use requires a level of blind trust.
But being new and before I make a final decision to start paying I think it’s worth asking.
Is there anyone with some technical knowledge of the inner workings who could give an unbiased and honest opinion on the above?
(Probably more importantly), what recommendations does Roon give for securing my Roon server? The 2 I can think of are: set ARC to port 0 to prevent incoming requests from anyone other than Roon/Tidal/Qobuz. And secondly, run the server on a dedicated computer rather than my laptop.
I don’t post on here much but I used to. If any of my post is wrong someone will correct me.
Roon ARC tries to use UPnP to configure open ports on the router for the incoming connections from the client. If you don’t intend to use ARC or feel it’s not safe, turn UPnP off at your router. This prevents Roon from opening any ports as well as any other UPnP things you might have accidentally deployed on your network. This is better than port 0 as that setting has a tendency to not stay 0.
Other recommendations… Roon is expected to be isolated to your internal network with the one exception being ARC. If you don’t trust your internal network then I don’t know if I’d run Roon at all. But, in the many years I have been running Roon, Roon was not the problem. I run Roon on a dedicated machine because of convenience not for any real security reasons.
mjw
I don’t think you’ll find Roon has a backdoor. Rather, Roon, which is not simply an app on your PC, but a cloud service, too, can have diagnostics enabled by Roon support staff. Your Roon server needs to be online to enter this state, i.e., when it connects to Roon’s servers, and only then will it upload the logs.
So, no one has remote access to your computer. Moreover, you can view exactly what is uploaded by viewing the logs yourself.
@ipeverywhere has answered the other part of your question correctly. If you want to use ARC without port forwarding, Tailscale works well.
Another point to consider is Roon uses certificates when negotiating a secure connection.
Sounds like I’m probably overthinking. And I agree totally with the point ‘if I don’t trust my local network then don’t use Roon’.
I was thinking of disabling UPnP, but will check if anything else is using it. Of course, if it is, then I should be asking the same question to those services as well.
I did run Little Snitch just to see what it does call and it seems all standard.
The vast majority of pings are to local devices. A few to some Cloudflare and Google servers - but nothing out of the ordinary.
The only interesting observation was the frequency it’s calling devices and getting incoming requests from devices in my local network - I guess just getting state of the endpoints. But it is very frequent: