Roon should create a steady secure tunnel instead of relying on port forwarding

No, there is no need for a “big pipe” to the Roon datacenter with Tailscale. Each Tailscale node creates a direct connection to every other node for transferring data, even if both nodes are NAT’d and do not have UPnP enabled. It’s basically magic.

But that’s the thing… Tailscale is networking & security magic. And I don’t expect the people at Roon to be the kind of experts in that voodoo that the Tailscale developers are, in order to re-create it. Which is why they used industry standard protocols like UPnP, which work well most of the time but are not awesome by any means.

I think Roon is correct though that the vast majority of their customers will happily ignore these security concerns and enjoy the Roon experience on the road, at work, etc. For the rest of us, we’ll do the needful and configure VPNs or whatever.

As someone who has helped many people listen to Roon remotely in the pre-2.0/ARC world: I believe that ARC+UPnP is sufficient for most Roon users. For those who are more tech and security savvy, they’ll continue to hack things with various VPN solutions, but it will be easier now. I still see people talking about using OpenVPN with ARC, which IMHO is just insane, but people will use whatever the path of least resistance is, I guess.

I should mention there is a very good reason why Roon did not go with a VPN technology for ARC: iOS only allows a single VPN to be active at any given time. So anyone who wants to use a different VPN (for home or work) would not be able to use RoonARC at the same time and have to deal with constantly switching between VPNs. That IMHO would be a far worse user experience.


Great discussion Aaron, thanks!
You touched a field (VPN config inside iOS) I can’t further argue, as I’m lacking expertise here. However, for me it is not about having global VPN settings in iOS. This would be the wrong way. Tunneling and security must be handled inside the app itself. Whether this is allowed by Apple et al. I don’t know. Maybe someone else can enlighten me here.

Roon could implement their own “tailscale like” architecture. The way tailscale gets around NAT and discovers public IPs is all open source libs and baked into the web standards. However, troubleshooting it is a bit of a bear.

It’s also a large leap from what they accomplished in 1.0. I suspect ARC would have seen further delays had they tried to do this on day one. But I think it’s worth investigating for a next-gen ARC architecture.


This is how modern VoIP protocols work. They use a similar discovery to Tailscale for peer-to-peer secure communication. So, yes, it’s all available to do this inside the app even if you’ve got an active VPN profile running.

You should think of it as a very limited scope VPN or secure tunnel used by a single application for peer-to-peer communication. It is brought-up and torn-down only as the application needs it.
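The discovery step the two posts above refer to (the open, standardised piece of the "magic" that VoIP and Tailscale share) is a STUN Binding exchange: the client sends a request through its NAT, and the server replies with the public address and port it saw. The following is an added example, not code from the thread, from Roon or from Tailscale; the STUN server name is a placeholder, the Binding Success response is constructed locally so the script runs offline, and the CGNAT/double-NAT diagnosis compares the router's WAN address (which a USG3 user can read off the router UI) with the reflexive address the server reports.

```python
"""Added example: RFC 5389 STUN Binding request/response and a NAT diagnosis.
Not Roon's or Tailscale's code. stun.example.org is a placeholder."""
import ipaddress
import os
import socket
import struct

STUN_MAGIC = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, body length (0), magic cookie, 96-bit transaction id."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid


def parse_xor_mapped_address(response: bytes, txid: bytes):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS attribute, or None."""
    if len(response) < 20:
        return None
    msg_type, msg_len, magic = struct.unpack("!HHI", response[:8])
    if magic != STUN_MAGIC or response[8:20] != txid or msg_type != BINDING_SUCCESS:
        return None                      # not a success answer to our request
    body = response[20:20 + msg_len]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type != XOR_MAPPED_ADDRESS or len(value) < 8:
            continue
        family = value[1]
        port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC >> 16)
        if family == 0x01:               # IPv4: address XORed with the magic cookie
            ip = ipaddress.IPv4Address(struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC)
        elif family == 0x02 and len(value) >= 20:   # IPv6: XORed with cookie || txid
            key = struct.pack("!I", STUN_MAGIC) + txid
            ip = ipaddress.IPv6Address(bytes(a ^ b for a, b in zip(value[4:20], key)))
        else:
            continue
        return str(ip), port
    return None


def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """Encode the IPv4 Binding Success a STUN server would send (used for offline test data)."""
    value = struct.pack("!BBHI", 0, 0x01, port ^ (STUN_MAGIC >> 16),
                        int(ipaddress.IPv4Address(ip)) ^ STUN_MAGIC)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr


def diagnose(router_wan_ip: str, reflexive_ip: str) -> str:
    """What the router's WAN address says about whether port forwarding can work."""
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:
        return "cgnat"        # ISP NAT in front of you: forwarding on your router cannot help
    if any(wan in n for n in RFC1918):
        return "double-nat"   # another router in front of yours: forward on both, or tunnel
    if str(wan) == reflexive_ip:
        return "single-nat"   # your router holds the public address: UPnP/forwarding can work
    return "mismatch"         # unexpected; investigate before opening anything


def discover(server=("stun.example.org", 3478), timeout=2.0):
    """Real exchange over UDP (needs network; not used in the offline demo)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), server)
        data, _ = s.recvfrom(2048)
    return parse_xor_mapped_address(data, txid)


if __name__ == "__main__":
    # Offline demo with a constructed response and constructed router addresses.
    txid = os.urandom(12)
    resp = build_binding_success(txid, "203.0.113.7", 40123)
    print(parse_xor_mapped_address(resp, txid))
    for wan in ("100.72.3.9", "192.168.0.2", "203.0.113.7"):
        print(wan, "->", diagnose(wan, "203.0.113.7"))
```

The transaction-id check matters: a response that does not echo the request's id is discarded rather than trusted, which is what keeps a spoofed reply from steering the client to a wrong address. The mapping STUN reveals is what ICE (VoIP) and Tailscale's NAT traversal then use to punch a direct UDP path; when the diagnosis says `cgnat`, that outbound-initiated path is the only kind that can work.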


@Aaron_Turner @ipeverywhere thanks for pointing me towards Tailscale. I’d love to deep dive their solution, which I was not aware of till now ;-)

Personally, I would have held out for a “solution” that sync’ed playlists to the mobile device along with appropriately lossily transformed (with the user allowed to choose an appropriate transformation) versions of the tracks in the playlists, and would not require an Internet connection to play them. After all, it’s a brand new mobile app, it could have done anything. I’m sure that there would also have been complaints about that approach.

I’m OK with what Roon decided to do. It’s just not what I wanted as a mobile solution. And it seems almost pointless given the prior existence of VPN tunnels, which achieve pretty much the same thing. Perhaps it’s a step toward a more far-reaching transformation of Roon that we don’t know about yet.

@ipeverywhere – you and I had this discussion already here:

Brian chimed in with more, however; you may have missed it:

to reduce the soapboxing and focus on the meat of your message.


Hi Aaron, Is it possible you could elaborate on how this works?

I have a CGNAT and a USG3 router, I’m fairly technically capable, how do I utilise the magic that is Tailscale?

To @danny and @ipeverywhere
I need to challenge this a bit ;-) because, if I look back at how Roonlabs’ marketing department advertised (I tend to write: hyped) the new version with words like “our biggest and most revolutionizing update ever”, then expectations are set high and you need to deliver!

The technical implementation, followed by the massive troubles caused on the user side, is not in line with what marketing promised.

When I then read that some of you guys have already talked about those problems, why the hell does the company release such a complex ARC product? Some users were claiming they have waited for years for this functionality (we can challenge this in a separate debate), so why not make it right from day one, even if it takes some months more?

With such problems at launch, Roonlabs may face the risk of losing credit in its community. And that hurts me, because I’m a big Roon fan!

First, let me acknowledge that you and everyone here at Roon Labs are in agreement that everyone who had problems is important and we’d like to see the number of people who have problems as low as possible… even zero.

That said, you seem to be guessing incorrectly on the scale of things.

We are seeing over 100k ARC connections up and running as expected, and this forum has a few hundred complaints.

We see more non-working ARC router configurations outside the forums, but the number still puts a success rate of greater than 99%. Even the number of users that have switched to 1.8 Legacy is measured in the low 100s of users, and those are mostly being driven by older operating systems that can’t be updated.

I think your goals are correct, but I absolutely disagree with your interpretation of the situation. But then again, I have the advantage of seeing the big picture.

I have to ask, were you personally affected or did your situation go smoothly?


I’m part of the gang affected by double NAT ;-)
For me, it was easy to add two port-forwarding rules. But then I asked myself, how would my mother overcome this? I then hit the forum and saw the steadily incoming complaints about problems getting a connection from outside (and it is still going on). I was not impressed that this would happen and started to try to help here and there.

However, you argue with facts known to you and of course not to me. Hence, I cannot further comment on them, I simply have to trust you.

That all said: Roonlabs could do a way better job in implementing easy and secure remote access. You proved my point, when your CTO already talked about alternatives.

Thanks for taking the time writing with me.



Tailscale was used with this app, Channels (a TV video DVR), by embedding Tailscale in the app so your entire device need not be on the VPN… just the app.

The above is in beta test and not implemented… but it seems a good fit, or at least an option, for ARC.

Hey Andy,

Have you visited yet? You don’t need to install anything on your USG3; just install the client on your Roon Core (or another computer on your home network that can talk to the Core) and your phone.

Basically, with Tailscale it creates a peer-to-peer “mesh” VPN between every device. You don’t need a dedicated “VPN server exposed on the Internet” like with OpenVPN because of the network magic that Tailscale does.
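A mesh in which "every device" can reach every other device is more access than ARC needs: the phone only has to reach the Core on ARC's port. Tailscale policies are default-deny, so the scope can be narrowed to that one flow. The following is an added example, not code from the thread, from Roon or from Tailscale: a policy written in the shape of Tailscale's ACL rules plus a minimal evaluator that checks it against the flows you expect to be allowed and denied. The node names, tags, user names and the ARC port are assumptions, and the evaluator models only the subset of Tailscale's semantics used here (default deny, `accept` rules, user/tag sources, `host:port` destinations, `*` wildcards and port ranges).

```python
"""Added example: least-privilege mesh policy for ARC over Tailscale, with a
simplified evaluator. Not Roon's or Tailscale's code; names are assumptions."""

ARC_PORT = 55000  # assumption: Roon ARC's default TCP port; check your Core's ARC settings

# Policy in the shape of Tailscale's ACL rules (subset). Anything not accepted is denied.
POLICY = {
    "acls": [
        # the phone may reach the Core on ARC's port and nothing else
        {"action": "accept", "src": ["tag:phone"], "dst": [f"roon-core:{ARC_PORT}"]},
        # the admin user keeps full access for maintenance
        {"action": "accept", "src": ["admin@example.com"], "dst": ["*:*"]},
    ],
}

# Constructed node inventory (hypothetical names): who owns each node and how it is tagged.
NODES = {
    "roon-core": {"owner": "admin@example.com", "tags": ["tag:server"]},
    "nas":       {"owner": "admin@example.com", "tags": ["tag:server"]},
    "laptop":    {"owner": "admin@example.com", "tags": []},
    "phone":     {"owner": "andy@example.com",  "tags": ["tag:phone"]},
}


def _port_match(spec: str, port: int) -> bool:
    """'*' matches any port, 'N' exactly N, 'N-M' an inclusive range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _src_match(entry: str, node: dict) -> bool:
    """A src entry matches a node by wildcard, owning user, or tag."""
    return entry == "*" or entry == node["owner"] or entry in node["tags"]


def _dst_match(entry: str, dst_name: str, port: int) -> bool:
    """A dst entry is 'host:ports'; host may be '*' or a node name."""
    host, _, ports = entry.rpartition(":")
    return host in ("*", dst_name) and _port_match(ports, port)


def allowed(policy: dict, nodes: dict, src_name: str, dst_name: str, port: int) -> bool:
    """Default deny: the flow is allowed only if some accept rule matches src and dst."""
    src = nodes[src_name]
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if any(_src_match(e, src) for e in rule["src"]) and \
           any(_dst_match(e, dst_name, port) for e in rule["dst"]):
            return True
    return False


def check(policy: dict, nodes: dict, expectations: list) -> list:
    """Return the (src, dst, port, expected) tuples the policy gets wrong."""
    return [(s, d, p, want) for s, d, p, want in expectations
            if allowed(policy, nodes, s, d, p) != want]


EXPECTATIONS = [
    ("phone",  "roon-core", ARC_PORT, True),    # the one flow ARC needs
    ("phone",  "roon-core", 22,       False),   # no SSH to the Core from the phone
    ("phone",  "nas",       5000,     False),   # no NAS web UI from the phone
    ("phone",  "laptop",    445,      False),   # no file sharing on the laptop
    ("laptop", "nas",       22,       True),    # admin maintenance still works
]

if __name__ == "__main__":
    failures = check(POLICY, NODES, EXPECTATIONS)
    print("policy OK" if not failures else f"policy violates expectations: {failures}")
```

Keep the expectations list alongside the policy and re-run it whenever a rule changes; a rule such as `"dst": ["*:*"]` added for convenience shows up immediately as a denied flow that became allowed. Tailscale's own policy file supports a similar `tests` section for the real policy, so the same expectations can be carried over once the policy is applied on the tailnet.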

Uh, no it is not embedded “just in the app”. That’s not how Tailscale or the core technology (Wireguard) works.

You can do interesting “tricks” with things like Linux network namespaces, policy routing, containers and stuff like that to tightly couple the two, but Tailscale is at its core a VPN and is seen by the operating system as a network interface.

Maybe I’m misunderstanding what they did. Here’s the explanatory note (the app is a DVR):

Normally when you setup Tailscale or other VPN, you install the VPN software on the entire machine.

We have taken a different approach: the Tailscale VPN server is embedded directly into the DVR software. You can still have tailscale installed on your computer, but this new option will let the DVR server itself connect to your private network and get its own IP that’s just for the DVR.

We hope this is useful for users who are stuck behind CGNAT (i.e. T-Mobile Home, Starlink, etc), and provides a simpler alternative for those who don’t want to have to mess with their router settings or expose their computers to the internet.

Note: we hope to bring better integration into our client apps as well, but for now you will need to install and enable Tailscale on your mobile device, copy the IP of the DVR, then go into Channels and select Connect > At Home to enter the private tailscale IP.

I have been spending some time on the Tailscale site, doing some reading, and it’s beginning to get clearer. I’m starting to wonder: will it help me to run ARC on my phone by creating a tunnel through the CGNAT? Or will it enable me to run Roon Remote when I’m on a public network instead? Or maybe the answer is both.

I’m running a ROCK NUC, so I was hoping I could get my Synology NAS to run a subnet router to allow the ROCK to connect to Tailscale, and then I connect to Tailscale with my phone and voilà, I can run the Tailscale software on the phone, which will allow me to connect the two of them using ARC?

Is that a reasonable summary of what it can do?

Not sure I understand how I use it to connect to my IP cameras etc that have open ports etc.

I’m guessing QuickConnect is no longer used, but 2FA stays in place?

Seems a good read, but I don’t really get SSH which it requires some commands to work.

I’m in the same boat about ssh. If I see it done once I’ll get the idea!

I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use/setup.

Fantastic link; it just talked me through the process, and in 40 minutes I got that done. Including learning how to SSH into my Synology, and I’m not that comfortable in Terminal.

Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.


Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.

Longer version: Roon Remote relies on UDP broadcast/multicast traffic to discover the Core and the Core to discover Roon Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).