Thanks - timely as my QNAP has just prompted a firmware update.
You could always just select your own random port?
With such a small amount of users and such a random application is someone really going to go hunting for them?
On my NAS it shows zero attempted logons since it was installed.
You need your core to have a fixed IP in your router, then go to the Port Forwarding page on your router and you enter the port Roon is using and assign it to the internal IP.
In my example my NAS is named so it shows the name rather than its IP.
I also gave the forwarding a name to identify it - Roon-ARC, refer to your router manual for how to forward a port.
This URL can test if the port is open - Open Port Check Tool - Test Port Forwarding on Your Router
Help from Roon below
Youâre not, Iâm a community member just like you. AFAIK, 1.2 isnât depreciated, so thatâs why Iâm asking.
1 Like
So in the interests of network security, I would be interested to know what security is actually incorporated into the Roon server software. With the multiple QNAP failures and people getting their files locked with ransomware it is something to be aware of.
Personally, all access is going to be via VPN and not just open a port manually or by upnp.
As always mileage will vary. But it is worth thinking about.
2 Likes
How are you telling the ARC app to find your core over VPN? Or are you bringing your VPN into the LAN network directly (rather than routed)?
I use OpenVPN that gets me on to my local network I can access everything locally. I tried ARC this morning and it just works.
There no way Iâd open a port and trust Roon to be better built for security than all the other things I donât trust. What would be great would be in Arc is workable over an existing VPN (wireguard in my case) so Iâm adding no more risk to my setup. Is that doable? Wireguard in particular is designed to be simple and fast and doesnât proxy broadcast packets so upnp discovery wonât work⌠is there a way to access Roon via arc in this scenario? If not, thanks for the intention but the implementation is impossible for me to trust enough to open a port for it, which is a shame.
3 Likes
Ok over wireguard it works fine on a remote wifi network once Iâve initially set it up on my home network â great.
Iâve so far not managed to get it to play anything on 4G mobile network here in the UK (over wireguard) â not sure if I should expect that to work or not, but it just gives me a âpoor connectionâ error regardless of how solid my data connection is.
Iâm NOT going to be opening ports to try a direct connection, for security-concern reasons⌠but at least on wifi I can get in and listen in âhigh qualityâ. So thatâs non zero.
1 Like
So I found this page on my router. Then what? Bear in mind, as an Economist, I donât know what a port or port forwarding is. All I know is that it lets people in.
One of the changes from 1.2 to 1.3 is that a number of obsolete and potentially dangerous protocols still in 1.2 were removed. And the security of the initial handshake was improved.
By âpotentially dangerousâ, I mean that well-known (to the security community) attacks have exploited those weaknesses already, and those attacks worked.
Really should use 1.3 instead of 1.2, if at all possible.
@Danny You must realise that people like me, and there are lots of us (we are the vast majority) that know nothing about networking hate having to log in to our router as we know next to nothing about them and we do not use software products that require us to get technical.
My QNAP - and I paid someone to set it up and I rarely log in to it - has an app called Qfinder Pro that lets me update the firmware (vital for security reasons, Iâm told) without actually having to log in to the server directly. I did the today as there was an update and, as someone advised, the ARC port code changed.
There must be a simple switch to disable ARC and one that does not change when the Roon Core reboots.
This is a big issue - my QNAP got wiped out by ransomware in January.
1 Like
The danger from security holes is not, generally speaking, from some âscript kiddyâ or nominal potentate from some obscure country. Or from anyone who even knows you exist or cares about whatâs on your computer. Itâs from large, highly automated attack systems that are looking for computers of any kind, primarily for one of three purposes:
-
To enroll in a botnet, a collection of many zombified machines that will do whatever the commander of such a net wants them to;
-
To âmineâ some kind of digital currency like Bitcoin;
-
To encrypt the contents of the machine and hold the information for ransom.
These systems scan the whole Internet continuously, over and over, looking for vulnerable computers. They are inhumanly persistent and patient. Not to be too dramatic, but they donât care who you are, what you do, or what your machine has on it; they only care about weaknesses. Anthropomorphizing this is kind of dangerous in its own right.
3 Likes
Sorry I misunderstood you. But why would Roon ever need to hold this kind of information? So you are saying open port for Roon Core without any proxy or segmentation? That doesnât sound like good practice to me.
I hope limiting my machine to UK access using QuFirewall and 2-stage authentication will help. Plus three or four anti-virus and malware apps.
Yes, but those outdated cryptography features, whilst still available, shouldnât be used, and 1.2 can be deployed securely.
I have for some time, but Iâd wager that most implementations still use 1.2⌠it took business long enough to mobilize resources to move away from 1.0 and 1.1.
So if Roon are advertising 1.3 as an available option in the key exchange why are they using 1.2?
TLS v1.3 has been around for the last 4 years and Arc is a new app so why use a 14 year old vulnerable version as a preference?
If I understand correctly what you are saying, the server is advertising both TLS 1.2 and 1.3, and the iOS client is selecting 1.2.
I forget which version of iOS started supporting TLS 1.3, but it wasnât all that long ago. If you compile the ARC app to be compatible with older versions of iOS, then it will default to TLS 1.2, 'cuz thatâs what those versions of iOS supported.
2 Likes
The screen shots look the same , I would try and follow the instructions below.
1 Like