I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use/set up.
Fantastic link, it just talked me through the process; in 40 minutes I got that done, including learning how to SSH into my Synology, and I’m not that comfortable in Terminal.
Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.
Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.
Longer version: Roon Remote relies on UDP broadcast/multicast traffic to discover the Core and the Core to discover Roon Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).
I have started a thread regarding Tailscale implementation which could help people to circumnavigate CGNAT woes. If you have any links or info to add I’m sure it could benefit community members who are struggling to get to grips with it.
Thanks again to @Phil_Ryan for the video that got me through the process.
Apologies but I disagree with the request to have Roon create and maintain a VPN infra. If you think you need a VPN service, go ahead and subscribe to the one of your choice.
Having RoonLabs add a VPN service will only make the subscription increase and stability decrease.
Nowadays, in the cybersecurity space, VPNs still have a meaning, but the world of security is moving away from them into ZeroTrust:
Huge savings, higher performance, and security.
And even better if you use IPv6, so then you no longer need NAT nor port forwarding.
If I were to ask something of RoonLabs, it would be to support IPv6, and the problem would be solved (well, as long as you enable IPv6 at home and inbound traffic is allowed to your firewall).
You know, you can do this yourself. ARC works over VPN connections. So instead of forwarding the ARC port on your Roon server, set up a VPN tunnel and use it with your phone. ARC will work with that. Now the security issue is up to the VPN provider, which probably employs more security experts.
We are talking about consumer ready solutions. Those should be both easy and straightforward to use as well as being safe.
Another problem is that we do not know what kind of protocol is transported over this connection. It is an undisclosed protocol over TCP. Is it encrypted? Is it inside TLS? I did not find any information.
TLS is nice, but doesn’t solve all security issues. Some questions that come to mind are:
How are client connections to the Roon ARC server authenticated? It is very rare that this is done via TLS Client Certificates and is much more often done over TLS. But in such cases, TLS doesn’t prevent anyone from trying to connect to Roon via ARC.
Are there any bugs or design flaws that allow an unauthenticated user to gain access they should not have?
Once they have access, can they use that to do things like run arbitrary code on my Roon Core?
This is probably a greater concern to me than some “bad guy” connecting to my Roon Core via ARC and then judging me based on my musical tastes.
Edit: Since Roon seems to run as root (at least on Linux), this is very non-optimal. Roon should be dropping privileges or running as a non-privileged user so if there are any bugs in the code, an attacker has a harder time causing havoc.
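The privilege drop the last post asks for, as an added example in C (this is not Roon's code): it assumes Linux with glibc, and that the service has already bound any root-only resources before calling it. The target uid/gid are parameters; a real service would look them up with getpwnam() for its service account.

```c
/* Added example: permanently dropping root in a Linux service. Not Roon's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to target_uid/target_gid for good. Order matters: supplementary groups
 * first (only root may clear them), then the primary gid, then the uid.
 * setres*id() sets real, effective AND saved ids, so nothing is left behind
 * that a later bug could use to climb back. Returns 0 on success, -1 on
 * failure with errno set. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;
    /* Fail closed: if root can still be regained, the drop did not take. */
    if (target_uid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 when real, effective and saved uid are all non-zero, else 0. */
int running_unprivileged(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    return ruid != 0 && euid != 0 && suid != 0;
}

int main(void)
{
    /* Demo only: re-assert the caller's own ids. When started as root you
     * would pass the service account's ids here instead (assumed lookup). */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%d gid=%d unprivileged=%d\n",
           (int)getuid(), (int)getgid(), running_unprivileged());
    return 0;
}
```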