I’m part of the gang affected by double NAT ;-)
For me, it was easy to add two port-forwarding rules. But then I asked myself how my mother would overcome this. I then hit the forum and saw the steadily incoming complaints about having problems getting a connection from outside (and it is still going on). I was not impressed that this would happen, and started to try to help here and there.
However, you argue with facts known to you and of course not to me. Hence, I cannot further comment on them, I simply have to trust you.
That all said: Roonlabs could do a far better job implementing easy and secure remote access. You proved me right when your CTO already talked about alternatives.
Have you visited tailscale.com yet? You don’t need to install anything on your USG3; just install the client on your Roon core (or another computer on your home network that can talk to the core) and your phone.
Basically, Tailscale creates a peer-to-peer “mesh” VPN between every device. You don’t need a dedicated “VPN server exposed on the Internet” like with OpenVPN because of the network magic that Tailscale does.
Uh, no it is not embedded “just in the app”. That’s not how Tailscale or the core technology (Wireguard) works.
You can do interesting “tricks” with things like Linux network namespaces, policy routing, containers and stuff like that to tightly couple the two, but Tailscale is at its core a VPN and is seen by the operating system as a network interface.
Maybe I’m misunderstanding what they did. Here’s the explaining note (the APP is DVR):
Normally when you set up Tailscale or another VPN, you install the VPN software on the entire machine.
We have taken a different approach: the Tailscale VPN server is embedded directly into the DVR software. You can still have tailscale installed on your computer, but this new option will let the DVR server itself connect to your private network and get its own IP that’s just for the DVR.
We hope this is useful for users who are stuck behind CGNAT (i.e. T-Mobile Home, Starlink, etc.), and provides a simpler alternative for those who don’t want to have to mess with their router settings or expose their computers to the internet.
Note: we hope to bring better integration into our client apps as well, but for now you will need to install and enable Tailscale on your mobile device, copy the IP of the DVR, then go into Channels and select Connect > At Home to enter the private tailscale IP.
I have been spending some time on the Tailscale site, doing some reading, and it’s beginning to get clearer. I’m starting to wonder whether it will help me run ARC on my phone by creating a tunnel through the CGNAT, or whether it will enable me to run Roon Remote when I’m on a public network instead. Or maybe the answer is both.
I’m running a ROCK NUC, so I was hoping I could get my Synology NAS to run a subnet router to allow the ROCK to connect to Tailscale; then I connect to Tailscale with my phone and voilà, I can run the Tailscale software on the phone, which will allow me to connect the two of them using ARC?
I read a lot of marketing speak but nothing technically meaningful that suggests anything more than I’ve suggested is possible. All it sounds like is that they’re now bundling the Tailscale client and wrapping the configuration to make it easier for users to use/set up.
Fantastic link, it just talked me through the process; in 40 minutes I got that done, including learning how to SSH into my Synology, and I’m not that comfortable in Terminal.
Upshot is I’m able to run ARC on my phone and it behaves as if I were on my home network. CGNAT problem avoided. I will have to do some more reading on Tailscale but thanks to everyone who pointed me in that direction.
Short version: No, Tailscale will not let you use Roon Remote. It has to be ARC.
Longer version: Roon Remote relies on UDP broadcast/multicast traffic to discover the Core and the Core to discover Roon Remote. Unfortunately, this is not something that Tailscale supports (and is unlikely to support anytime soon).
Oh, I’m just tired of OpenVPN because I’ve used it a lot at scale and have done horrible, horrible things to it. Don’t get me wrong… OpenVPN “works”. But so did the old 3-cylinder Geo Metro of the 90s.
I’m glad to see Wireguard has come along and is slowly killing it. It’s far more modern, secure and performant.
I have started a thread regarding Tailscale implementation which could help people to circumnavigate CGNAT woes. If you have any links or info to add I’m sure it could benefit community members who are struggling to get to grips with it.
Thanks again to @Phil_Ryan for the video that got me through the process.
Apologies, but I disagree with the request to have Roon create and maintain a VPN infrastructure. If you think you need a VPN service, go ahead and subscribe to the one of your choice.
Having RoonLabs add a VPN service will only make the subscription increase and stability decrease.
Nowadays, in the cybersecurity space, VPNs still have a meaning, but the world of security is moving away from them toward Zero Trust:
Huge savings, higher performance, and security.
And even better if you use IPv6, so you no longer need NAT nor port forwarding.
If I would ask something of RoonLabs, it would be to support IPv6, and the problem would be solved (well, as long as you enable IPv6 at home and inbound traffic is allowed by your firewall).
ZTNA is just another fancy name some people in marketing came up with for a VPN. Yes, the authentication and authorization model is different, but the core tech is the same.