Security with Roon ARC / Roon 2.0

Or it might be some iptables config, need to check. I was using udp_proxy_2020 from Aaron (search for another thread in this forum). I configured something in the network for that.
However, if it works with an external Wi-Fi network, I cannot imagine a reason in your network why it should not work on 4g…

The same kind of pattern of daily, every other day security events, with the same type of security alerts on the core machine and another machine on my network (Mac Mini that is running my head/remote; the alerts on the mini actually list a domain; the current case is some kind of ad URL from; so I’m not concerned) @Bill_Janssen.

I’ve been getting these alerts for months during all builds of the ARC beta, when I turn off the port forwarding, which I’ve done twice for 7 days each time, they completely stop (of course I then cannot use ARC, lol) They drop off of the Router security report after 7 days, which is why you don’t see the full history. There have been, say 50+ of them at least.

Thanks for your time in response, Bill!

EDIT - One other thing, the two intial ones, actually required me to run a Scan with Windows Defender anti-virus and quarantine and delete the two items (they are the only two that have shown up on my Windows core machine; I’ve been running full scans periodically, just to make sure; no repeat offenders have progressed to the Windows core machine, since)

1 Like

Some say we never should have left the trees. I for one, say it was a mistake to leave the oceans.


What if, actually, we were never in either? :rofl:

4 posts were split to a new topic: Is there a way to get ARC working over VPN?

3 posts were merged into an existing topic: Is there a way to get ARC working over VPN?

You are still misunderstanding. My suggestion is to have Roon Core on a separate machine that does not have privileged access to anything else. I’ve seen plenty of situations where for “convenience” people set all of their local machines to be able to connect in with privileges to all the others. Very bad idea. Roon does not need anything more than read-only access to music files, local read-write access to its own library database and other working data (such as logs), and RAAT or ARC TCP/IP streams to other devices.

If you don’t mind, how does one know if their core machine has access privileges to other devices on the local network? My knowledge of these things is little to nil.

I have a Salkstream III (running Linux Arch) where Roon core (Roonserver?) and my music files reside. Roon remotes are iPad, iPhone, and desktop PC (Windows 10). I use the PC to rip CDs and transfer music files to the Salkstream. On the PC, I can see and access the music files on the Salkstream. Does this mean the Salkstream also has “privileges” to access my PC?

Any clarification you can provide for this novice is appreciated. :grinning:

It’s difficult to say without detailed knowledge of how everything is set up. However, what you describe seems benign: the PC can manipulate files on the Salkstream, presumably because you gave the PC access to SMB service running on the Salkstream, but that should not open the PC to the Salkstream.

1 Like

No, it is you misunderstanding me this time.

You should do that even without ARC.

You keep saying file access and separate machines and privileged access, but you never address the network issue.

Are you going to put Roon Core under the same VLAN with your Roon devices or Roon remote? Because it sounds you’re. If Roon Core get compromised through the public-facing port, the hackers can gain access to your network and talk to other devises in your network even without privileged access. Of course they cannot use the official way to log in, but there are a lot of internal-facing ports that aren’t that secure and can be easily exploited (i.e. your PC’s family sharing feature, or the streaming port of network player).

Thanks for the information. :+1:

Are you going to put Roon Core under the same VLAN with your Roon devices or Roon remote?
Of course, Roon won’t work otherwise.

Maybe on your network there are…

It’s unfortunate that Roon (not the only ones) need you to use UPnP or setup a DNAT for their service to work. Not what modern SaaS services should be doing. I was pretty shocked when I went to setup, it failed and I had to setup a DNAT (

Roon please manage the connection, use a well known port - something like TCP 443 (SSL) outbound. Users turns on ARC from Roon core, connection to ARC service is setup outbound over SSL. Clients auth to the ARC SaaS service and then gets connected back over the active connection opened by the Roon Core ARC service. You can offload the connection so it’s not tunneling though your SaaS service.

No open ports/FW rules, UPnP to setup/manage. No concerns about port scanning, random port scans, etc.) even if they cannot auth/connect to your service.

yes, we have to trust that the Roon Service won’t be hacked (they should be managing this as part of the service - are you?), but right now you have to as well as having open ports back to your Roon Core.

1 Like

By now this is becoming well traveled territory. UPnP is not necessary to enable the Roon ARC functionality. Manually creating a port forwarding rule is fairly trivial on most consumer grade routers. The open port doesn’t seem to respond to port scans in my brief testing, so that may not be a concern. To my understanding, connections to the Core are only allowed after authentication takes place. My Core has nothing on it but Roon Core and there are no unauthenticated network connections to any other device on my network. I’m not as terribly outraged by the perceived security concerns as some are. If you are uncomfortable with then don’t use it. For me having mobile access to my Roon playlists and library of music that IS NOT available on streaming services is just dandy. Kudos to the Roon staff for making this happen.


I know enough about home networking to be dangerous. Roon 2.0 has us open a firewall port. Does having a commonly known port open, open me up to unwanted visitors? What are some of the steps one can take to secure a network in this situation. There are some pretty savvy folks in this forum any suggestions would probably be a help to many.

1 Like

You can use any port number you want within certain limitations. It’s best to use a port number in the private port range of 49152 to 65535. Port scanners will find any open port but at least you can get way from using 55000 so people won’t guess that it is Roon.

20 posts were split to a new topic: Ransomwared :frowning:

I think It’s a fanless next gen firewall device


I asked for this information in some other thread a few weeks ago. Nice to see a bit of it here.

Can you tell me which credential is used to authenticate the ARC client? How is it entered?

It’s of concern because if I want to give someone access to my core via ARC, do I reveal my roon account login/password to them, my forum login/password, or something entirely different? And aside from the human vulnerabilities and compromising my account, how can it be leaked or snooped by other agents?

What secures the traffic between the core and the ARC client? If the protocol or traffic was compromised, could anybody enumerate my music collection or, say, mess up the metadata?


  • Eric

Your Roon username (email you used to sign up) and the password for your Roon account.

Yes, you would reveal your Roon account login/password. Don’t share your Roon account login/password. Your Roon account login/password is your entire Roon identity, which includes this forum.

Have you used ARC? You type it in.

Malicious software that infects your apps or operating system, etc… the normal stuff.

TLS is used for encryption, and the Roon software verifies your identity via an intermediary server on our end.

The “secure protocol” only prevents snooping on a wire. A TLS compromise would allow an attacker to snoop on your traffic if an attacker had infected your device running ARC or the Roon Core.

1 Like