Roon should create a steady secure tunnel instead of relying on port forwarding

Not sure I understand how I use it to connect to my IP cameras etc that have open ports etc.

Im guessing quick connect is no longer used, but 2FA stays in place?

Seems a good read, but I don’t really get SSH which it requires some commands to work.

I’m in the same boat about ssh. If I see it done once I’ll get the idea!

I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use/setup.

Fantastic link, just talked me through the process in 40 minutes I got that done. Including learning how to SSH into my synology and I’m not that comfortable in Terminal.

Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.


Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.

Longer version: Roon Remote relies on UDP broadcast/multicast traffic to discover the Core and the Core to discover Roon Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).

I was able to try this out for myself thanks to you pointing me in the right direction :pray:

Why, what’s wrong with OpenVPN?

Oh, I’m just tired of OpenVPN because I’ve used it a lot at scale and have done horrible, horrible things to it. Don’t get me wrong… OpenVPN “works”. But so did the old 3-cly Geo Metro of the 90’s.

I’m glad to see Wireguard has come along and is slowly killing it. It’s far more modern, secure and performant.


For what it’s worth, a similar product (Zerotier) does support *cast messages (as I understand it) and this may therefore be a solution for you?

I am not an IT expert - but I do have some IT knowledge.

Have installed ARC and it runs just fine with my QNAP HS-264 and my FRITZ!Box 7590. But I am bit concern about port forwarding etc.

What would you recommend based on the above equipment?



I have started a thread regarding Tailscale implementation which could help people to circumnavigate CGNAT woes. If you have any links or info to add I’m sure it could benefit community members who are struggling to get to grips with it.

Thanks again to @Phil_Ryan for the video that got me through the process.


Apologies but I disagree with the request to have Roon to create and maintain a VPN infra. If you think you need a VPN service, go ahead and subscribe to the one of your choice.
Having RoonLabs to add a VPN service will only make the subscription increase and stability to decrease.
now days, in the cybersecurity space, VPNs still have a meaning, but the world of security is moving away from them into ZeroTrust:

Huges savings, higher performance, and security.

And even better if you use ipv6, so then you do not longer need NAT nor port forwarding :wink:
If I would ask something to RoonLabs, it would be to support IpV6, and the problem would be solved (well as long as you enable IpV6 at home and input traffic allowed to your firewall) :+1:.

1 Like

ZTNA is just another fancy name some people in marketing came up for a VPN. Yes, the authentication and authorization model is different, but the core tech is the same.

I fully agree with your analysis.

Roon should implement a solution where core establishes a secure tunnel.

I think right now ARC is poses a security risk. I tried it, it works, but probably will disable it because of security concerns.

You know, you can do this yourself. ARC works over VPN connections. So instead of forwarding the ARC port on your Roon server, set up a VPN tunnel and use it with your phone. ARC will work with that. Now the security issue is up to the VPN provider, which probably employs more security experts.

I hope that is a joke…

We are talking about consumer ready solutions. Those should be both easy and straightforward to use as well as being safe.

Another problem is that we do not know what kind of protocol is transported over this connection. It is an undisclosed protocol over TCP. Is it encrypted? Is it inside TLS? I did not find any information.


That’s wrong, but I will not get into details :slight_smile:
ZTN is an architecture, not a solution.
and this is an Audio forum :wink:

Another (more elegant) suggestion (which is one of the tools in the ZTN arsenal) and works with Ipv6 and Ipv4: use UDP pinholeing, like Teamviewer does :wink:

It is described here (for TeamViewer)

and in Wikipedia :wink:

@danny has said it’s encrypted. Various folks have snooped the wire and found out it is using TLS. True, it’s kind of hard to find out what “we know”, but it’s all out there.

TLS is nice, but doesn’t solve all security issues. Some questions that come to mind are:

  1. How are client connections to the Roon ARC server authenticated? It is very rare that this is done via TLS Client Certificates and is much more often done over TLS. But in such cases, TLS doesn’t prevent anyone from trying to connect to Roon via ARC.
  2. Are there any bugs or design flaws that allow an unauthenticated user from gaining access they should not have?
  3. Once they have access, can they use that to do things like run arbitrary code on my Roon Core?

This is probably a greater concern to me than some “bad guy” connecting to my Roon Core via ARC and then judging me based on my musical tastes.

Edit: Since Roon seems to run as root (at least on Linux), this is very non-optimal. Roon should be dropping privileges or running as a non-privliged user so if there are any bugs in the code, an attacker has a harder time causing havoc.