Roon should create a steady secure tunnel instead of relying on port forwarding

I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use/set up.

Fantastic link, just talked me through the process; in 40 minutes I got that done. Including learning how to SSH into my Synology, and I’m not that comfortable in Terminal.

Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.

2 Likes

Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.

Longer version: Roon Remote relies on UDP broadcast/multicast traffic to discover the Core and the Core to discover Roon Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).

I was able to try this out for myself thanks to you pointing me in the right direction :pray:

Why, what’s wrong with OpenVPN?

Oh, I’m just tired of OpenVPN because I’ve used it a lot at scale and have done horrible, horrible things to it. Don’t get me wrong… OpenVPN “works”. But so did the old 3-cyl Geo Metro of the ’90s.

I’m glad to see WireGuard has come along and is slowly killing it. It’s far more modern, secure and performant.

2 Likes

For what it’s worth, a similar product (Zerotier) does support *cast messages (as I understand it) and this may therefore be a solution for you?

I am not an IT expert - but I do have some IT knowledge.

I have installed ARC and it runs just fine with my QNAP HS-264 and my FRITZ!Box 7590. But I am a bit concerned about port forwarding etc.

What would you recommend based on the above equipment?

Thanks

Torben

I have started a thread regarding Tailscale implementation which could help people to circumnavigate CGNAT woes. If you have any links or info to add I’m sure it could benefit community members who are struggling to get to grips with it.

Thanks again to @Phil_Ryan for the video that got me through the process.

3 Likes

Apologies, but I disagree with the request to have Roon create and maintain a VPN infra. If you think you need a VPN service, go ahead and subscribe to the one of your choice.
Having RoonLabs add a VPN service will only make the subscription increase and stability decrease.
Nowadays, in the cybersecurity space, VPNs still have a meaning, but the world of security is moving away from them into Zero Trust:

Huge savings, higher performance, and security.

And even better if you use IPv6, since then you no longer need NAT nor port forwarding :wink:
If I would ask something of RoonLabs, it would be to support IPv6, and the problem would be solved (well, as long as you enable IPv6 at home and allow inbound traffic through your firewall) :+1:.
:slight_smile:

1 Like

ZTNA is just another fancy name some people in marketing came up with for a VPN. Yes, the authentication and authorization model is different, but the core tech is the same.

I fully agree with your analysis.

Roon should implement a solution where core establishes a secure tunnel.

I think right now ARC poses a security risk. I tried it, it works, but I will probably disable it because of security concerns.

You know, you can do this yourself. ARC works over VPN connections. So instead of forwarding the ARC port on your Roon server, set up a VPN tunnel and use it with your phone. ARC will work with that. Now the security issue is up to the VPN provider, which probably employs more security experts.

I hope that is a joke…

We are talking about consumer ready solutions. Those should be both easy and straightforward to use as well as being safe.

Another problem is that we do not know what kind of protocol is transported over this connection. It is an undisclosed protocol over TCP. Is it encrypted? Is it inside TLS? I did not find any information.

3 Likes

That’s wrong, but I will not get into details :slight_smile:
ZTN is an architecture, not a solution.
And this is an audio forum :wink:

Another (more elegant) suggestion (which is one of the tools in the ZTN arsenal) and works with IPv6 and IPv4: use UDP pinholing, like TeamViewer does :wink:

It is described here (for TeamViewer)

and in Wikipedia :wink:

@danny has said it’s encrypted. Various folks have snooped the wire and found out it is using TLS. True, it’s kind of hard to find out what “we know”, but it’s all out there.

TLS is nice, but doesn’t solve all security issues. Some questions that come to mind are:

  1. How are client connections to the Roon ARC server authenticated? It is very rare that this is done via TLS Client Certificates and is much more often done over TLS. But in such cases, TLS doesn’t prevent anyone from trying to connect to Roon via ARC.
  2. Are there any bugs or design flaws that allow an unauthenticated user to gain access they should not have?
  3. Once they have access, can they use that to do things like run arbitrary code on my Roon Core?

This is probably a greater concern to me than some “bad guy” connecting to my Roon Core via ARC and then judging me based on my musical tastes.

Edit: Since Roon seems to run as root (at least on Linux), this is very non-optimal. Roon should be dropping privileges or running as a non-privileged user so if there are any bugs in the code, an attacker has a harder time causing havoc.
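As an added example (not from Roon or from this thread), this is the kind of systemd drop-in that implements the point above: the service keeps running, but under a dedicated account with a confined view of the system instead of as root. The unit name `roonserver.service`, the account `roon` and the data path `/var/roon` are assumptions; substitute whatever the real install uses.

```ini
# Assumed path: /etc/systemd/system/roonserver.service.d/hardening.conf
# Drop-in for a service that currently runs as root. Directives here override
# the packaged unit after `systemctl daemon-reload`.
[Service]
# Dedicated unprivileged account (assumed name; create it with
#   useradd -r -s /usr/sbin/nologin roon). The service's data directory
# must be chowned to this account before the first restart.
User=roon
Group=roon

# The process and anything it spawns can never regain privileges,
# e.g. through setuid binaries.
NoNewPrivileges=yes

# Start with an empty capability set; a service on a high port needs none.
CapabilityBoundingSet=

# Read-only operating system, private /tmp, and a single writable
# data directory (assumed location).
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ReadWritePaths=/var/roon

# Socket families a network service needs. AF_NETLINK stays so the
# runtime can still enumerate network interfaces; anything else
# (raw packet sockets, etc.) is refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Reduce the kernel surface reachable from a compromised process.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
```

After `systemctl daemon-reload && systemctl restart roonserver.service`, `systemd-analyze security roonserver.service` scores the remaining exposure, and `ps -o user,cmd -p "$(systemctl show -p MainPID --value roonserver.service)"` confirms the main process is no longer root. Directives are meant to be added one at a time so that any feature that stops working (local audio devices, library paths under /home) can be traced to the directive that blocked it.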

Danny, I can understand your perspective as an insider, but I’m one of the affected, and I think you are only seeing the tip of the iceberg. I couldn’t make ARC work outside my home network, and Roon help sent me to the UPnP guidance. That sent me Googling to find out what the heck that is. I have zero knowledge of networks and security, but immediately learned that there are security risks with UPnP and port forwarding. Equally important, I’ve not spent at least a dozen hours trying to understand the risks, how to implement if I decide to accept the risk, and I’m about out of patience. ARC is a consumer product at heart. I’m a music lover, not a network engineer. I don’t want to be suffering this stuff just to make an app work on my phone. I don’t have to do that with any other consumer product. I just want it to work, and Roon hasn’t accomplished that. No matter the numbers you have seen, there must be thousands of current and prospective Roon customers who will experience the same. So in my view, your current attitude will cap your market and customer growth.

1 Like

Roon ARC is a nice feature, but not necessary if someone is concerned about security. The method to make Roon ARC work is port forwarding. If you don’t get that automatically, you can do it manually as I did. It’s not really that difficult, but some people may need to get some help here or from an outside source.