Roon should create a steady secure tunnel instead of relying on port forwarding

I’m part of the gang affected by double NAT ;-)
For me, it was easy to add two port-forwarding rules. But then I asked myself how my mother would overcome this. I then hit the forum and saw the steady stream of incoming complaints about problems getting a connection from outside (and it is still going on). I was not impressed that this would happen, and started trying to help here and there.

However, you argue with facts known to you and of course not to me. Hence, I cannot further comment on them, I simply have to trust you.

That all said: Roonlabs could do a way better job of implementing easy and secure remote access. You proved it to me when you mentioned that your CTO had already talked about alternatives.

Thanks for taking the time to write with me.

Regards
Stefan

2 Likes

Tailscale was used with this app, Channels (a TV video DVR), by embedding Tailscale in the app so your entire device need not be on the VPN, just the app.

The above is in beta and not yet implemented, but it seems a good fit, or at least an option, for ARC.

Hey Andy,

Have you visited tailscale.com yet? You don’t need to install anything on your USG3; just install the client on your Roon core (or another computer on your home network that can talk to the core) and on your phone.

Basically, Tailscale creates a peer-to-peer “mesh” VPN between every device. You don’t need a dedicated “VPN server exposed on the Internet” like with OpenVPN, because of the network magic that Tailscale does.

Uh, no, it is not embedded “just in the app”. That’s not how Tailscale or the core technology (WireGuard) works.

You can do interesting “tricks” with things like Linux network namespaces, policy routing, containers and stuff like that to tightly couple the two, but Tailscale is at its core a VPN and is seen by the operating system as a network interface.

Maybe I’m misunderstanding what they did. Here’s the explanatory note (the app is a DVR):

Normally when you set up Tailscale or another VPN, you install the VPN software on the entire machine.

We have taken a different approach: the Tailscale VPN server is embedded directly into the DVR software. You can still have tailscale installed on your computer, but this new option will let the DVR server itself connect to your private network and get its own IP that’s just for the DVR.

We hope this is useful for users who are stuck behind CGNAT (e.g. T-Mobile Home, Starlink, etc.), and provides a simpler alternative for those who don’t want to have to mess with their router settings or expose their computers to the internet.

Note: we hope to bring better integration into our client apps as well, but for now you will need to install and enable Tailscale on your mobile device, copy the IP of the DVR, then go into Channels and select Connect > At Home to enter the private tailscale IP.

I have been spending some time on the Tailscale site, doing some reading, and it’s beginning to get clearer. I’m starting to wonder whether it will help me to run ARC on my phone by creating a tunnel through the CGNAT, or whether it will enable me to run a Roon Remote when I’m on a public network instead. Or maybe the answer is both.

I’m running a ROCK NUC, so I was hoping I could get my Synology NAS to run a subnet router to allow the ROCK to connect to Tailscale; then I connect to Tailscale with my phone and voila, I can run the Tailscale software on the phone, which will allow me to connect the two of them using ARC?

Is that a reasonable summary of what it can do?

Not sure I understand how I use it to connect to my IP cameras etc. that have open ports.

I’m guessing Quick Connect is no longer used, but 2FA stays in place?

Seems a good read, but I don’t really get SSH, which requires some commands to work.

I’m in the same boat about ssh. If I see it done once I’ll get the idea!

I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is that they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use and set up.

Fantastic link; it just talked me through the process, and in 40 minutes I got that done, including learning how to SSH into my Synology, and I’m not that comfortable in Terminal.

Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.

2 Likes
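The procedure the poster above describes (make a Linux host on the home LAN, the Synology in their case, a Tailscale subnet router so a phone on the tailnet can reach a ROCK that itself runs no Tailscale) as an added example, not code from the thread, from Roon or from Tailscale. It assumes a home subnet of 192.168.1.0/24, a Linux box with the `tailscale` CLI and root access, and it defaults to DRY_RUN=1 so it only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): set up a Tailscale subnet router so a
# phone on the tailnet can reach hosts on the home LAN, including a ROCK that
# has no Tailscale client of its own.
# Assumptions not stated on the page: LAN is 192.168.1.0/24, the tailscale CLI
# is installed, and the script runs as root when DRY_RUN=0.
set -eu

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed home subnet
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print the commands

# Accept only an IPv4 prefix like a.b.c.d/nn with every field in range.
# Anything else would otherwise be passed straight to the tailscale CLI.
validate_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${cidr%/*}; len=${cidr#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the command, then execute it unless DRY_RUN=1.
run() {
  echo "+ $*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# The commands a subnet router needs: turn on kernel IP forwarding, then
# advertise the LAN prefix to the tailnet. Two things the script cannot do for
# you: the advertised route must be approved once in the Tailscale admin
# console, and a Linux laptop on the tailnet must run `tailscale up
# --accept-routes` (the Android and iOS clients accept advertised routes on
# their own). After that the phone reaches the ROCK at its normal LAN address.
subnet_router_commands() {
  cidr=$1
  validate_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "tailscale up --advertise-routes=$cidr" \
    "tailscale status"
}

main() {
  subnet_router_commands "$LAN_CIDR" | while IFS= read -r cmd; do
    # word-splitting the line back into a command is intended here
    run $cmd
  done
}

main "$@"
```

The sysctl change is not persistent across reboots; on a distribution with `/etc/sysctl.d` add `net.ipv4.ip_forward=1` there, and on a Synology check the package documentation for where it keeps that setting. Advertising a whole LAN prefix exposes every host on it to every tailnet member, so keep the tailnet small or restrict it with Tailscale ACLs.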

Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.

Longer version: Roon Remote relies on UDP broadcast/multicast traffic for the Remote to discover the Core and for the Core to discover the Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).

I was able to try this out for myself thanks to you pointing me in the right direction :pray:
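Why the broadcast/multicast discovery described in the post above stops at a Tailscale link while ARC's ordinary unicast connection does not, as an added example that is not part of the thread: a subnet broadcast is only delivered to hosts that share the sender's own prefix, and a Tailscale peer always sits in the CGNAT range 100.64.0.0/10 as a routed /32, so it can never be inside the LAN's broadcast domain. The addresses are constructed; the code is plain shell arithmetic and touches no network.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from addresses alone, whether
# Roon Remote's broadcast discovery could reach a peer, or only ARC's unicast
# connection could. Addresses below are constructed for the example.

# a.b.c.d -> 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix length -> netmask as an integer (0 for /0)
mask_int() {
  [ "$1" -eq 0 ] && { echo 0; return; }
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_segment LOCAL_CIDR PEER_IP: succeeds if a subnet broadcast sent from
# LOCAL_CIDR would be delivered to PEER_IP, i.e. both share the prefix.
same_segment() {
  local_ip=${1%/*}; len=${1#*/}
  m=$(mask_int "$len")
  [ $(( $(ip2int "$local_ip") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Tailscale hands every node an address from the CGNAT block 100.64.0.0/10.
is_tailscale_ip() {
  [ $(( $(ip2int "$1") & $(mask_int 10) )) -eq $(ip2int 100.64.0.0) ]
}

# reach LOCAL_CIDR PEER_IP: print which Roon path can work toward the peer.
reach() {
  if same_segment "$1" "$2"; then
    echo "$2: on the LAN segment; Roon Remote discovery and ARC both work"
  elif is_tailscale_ip "$2"; then
    echo "$2: Tailscale peer; unicast ARC works, broadcast discovery does not"
  else
    echo "$2: off-segment; unicast only"
  fi
}

reach 192.168.1.20/24 192.168.1.50     # phone on home Wi-Fi (constructed)
reach 192.168.1.20/24 100.101.102.103  # phone on the tailnet (constructed)
```

The same logic is why a subnet router does not change the answer for Roon Remote: the route lets unicast packets cross between 100.64.0.0/10 and the LAN, but nothing forwards the broadcast or multicast frames that discovery depends on.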

Why, what’s wrong with OpenVPN?

Oh, I’m just tired of OpenVPN because I’ve used it a lot at scale and have done horrible, horrible things to it. Don’t get me wrong… OpenVPN “works”. But so did the old 3-cylinder Geo Metro of the ’90s.

I’m glad to see WireGuard has come along and is slowly killing it. It’s far more modern, secure and performant.

2 Likes

For what it’s worth, a similar product (Zerotier) does support *cast messages (as I understand it) and this may therefore be a solution for you?

I am not an IT expert, but I do have some IT knowledge.

I have installed ARC and it runs just fine with my QNAP HS-264 and my FRITZ!Box 7590. But I am a bit concerned about port forwarding etc.

What would you recommend based on the above equipment?

Thanks

Torben

I have started a thread regarding Tailscale implementation which could help people to circumnavigate CGNAT woes. If you have any links or info to add I’m sure it could benefit community members who are struggling to get to grips with it.

Thanks again to @Phil_Ryan for the video that got me through the process.

3 Likes

Apologies, but I disagree with the request to have Roon create and maintain a VPN infrastructure. If you think you need a VPN service, go ahead and subscribe to the one of your choice.
Having RoonLabs add a VPN service will only make the subscription increase and stability decrease.
Nowadays, in the cybersecurity space, VPNs still have a meaning, but the world of security is moving away from them into Zero Trust:

Huge savings, higher performance, and security.

And even better if you use IPv6, because then you no longer need NAT or port forwarding :wink:
If I were to ask something of RoonLabs, it would be to support IPv6, and the problem would be solved (well, as long as you enable IPv6 at home and allow inbound traffic through your firewall) :+1:.
:slight_smile:

1 Like

ZTNA is just another fancy name some people in marketing came up with for a VPN. Yes, the authentication and authorization model is different, but the core tech is the same.

I fully agree with your analysis.

Roon should implement a solution where the core establishes a secure tunnel.

I think right now ARC poses a security risk. I tried it, it works, but I will probably disable it because of security concerns.