Using WireGuard on pfSense for Accessing Roon on NAS

Hello There,

I’m looking for help being able to access Roon when away from my home network. Roon is a music library/streaming service that I have set up on my QNAP TVS-672N NAS and want to be able to access it when away from home. Roon is designed to only work while on one’s home network. However, several people have made it work anyway, including myself. By using my Netgate 6100 and WireGuard I’m able to open the Roon app and connect to the Roon server on my cell phone when away from home.

So, what’s the problem? In order to actually listen to music using the Roon app on my phone, I need to select my phone from the list of devices and it’s not listed when I’m away from home. Once I get back home & on my home network, it works. Actually, if WireGuard is activated before I leave for work in the morning, Roon will work just fine, playing music till I get to work. However, once my phone switches networks or loses connection in the parking garage, it won’t work again till I get back home.

It’s as if my phone can connect to the Roon server, but the Roon server doesn’t see it as a device. But that can’t be it because the Roon server won’t respond unless a device is on the home network. I’m not sure if it’s something to do with how Roon works, or if it’s because of my NAS, or how I have WireGuard set up. I’ve wondered if it has something to do with being on different subnet IPs (i.e. x.y.z.2 & x.y.a.22), but when I bridge the WireGuard tunnel w/ the other LANs on my network, the WireGuard tunnel seems to switch to a point-to-point type setup and then my phone can’t connect at all.

From the Roon forums, people have got this to work, so I know it’s possible. Other things they have tried are ZeroTier and OpenVPN. I have tried both and while OpenVPN kinda worked on my Netgear Nighthawk, I haven’t been able to complete the setup on the Netgate to test that, and I could never get ZeroTier to work at all (I think it has to do w/ how the QNAP works).

Any tips and tricks would be greatly appreciated!

Just a thought.

Your QNAP has, it looks like, at least 2 Ethernet ports. Based on what you’ve said it sounds like Roon won’t work if both ports are on different subnets, at least for one network anyway.

My guess is that won’t happen.

If that is the case, then you could put, say, an OpenVPN network on the same subnet as the 2nd port (no idea if that will work, btw); when you dial in, it will be on the same network.

It sounds a terrible mess.

I have a QNAP NAS too; I can remote in over VPN and, using QMusic, access music on my Android phone without any issues.

Give it a go (with QMusic); if you still have issues then your problem is probably with the networking on your VPN, would be my guess.

Hello @neogrid, thank you for your response. I’m not sure I follow, but it could be I didn’t describe the setup properly. My NAS has 3 ethernet ports, two gigabit and one 5 GB port. I have the two ethernet ports connected using port trunking from my NAS to a small, unmanaged switch. The unmanaged switch also has my iMac plugged into it and the switch is what’s connected to my Netgate 6100 on the other side of the room. The Netgate 6100 is running the latest version of pfSense and is connected to my modem.

The different subnets I talked about are something I’m forced to create with pfSense in order to set up and use WireGuard. The subnets aren’t related specifically to the NAS.

I’ll try OpenVPN again, but I haven’t been able to get my phone to accept the certificate, so I can’t even finish setting up OpenVPN, let alone see if it’ll get Roon to work properly. Since WireGuard is already up and kinda working, I had hoped there might be a solution within the current setup, but perhaps OpenVPN has more flexibility to its setup than WireGuard does. Hopefully I’ll have time to play w/ it more later this weekend.

Thank you.

There is no chance you have port trunking working between the QNAP and your unmanaged switch. You will need a managed switch to do any type of aggregation.
It might look like it’s set up on QNAP but it’s not. On my QNAP I could get the port aggregation to work with my Asus consumer router, but for the life of me it would not work with my Netgear managed switch.

What I’d suggest is to go back into QNAP and clear all your network settings. Give it an IP address on a single ethernet port, unplug and do not use and/or configure the remaining ports. Then see if your Roon will work. I would guess it will with either WireGuard or OpenVPN, if they are configured correctly, obviously.

You might benefit from aggregating your ports on the QNAP if you have a lot of traffic from different clients (I suspect you don’t). In which case you can buy a managed switch, but you have to read the manual to see if the switch supports the type of aggregation offered by QNAP.

Morning @neogrid. Thank you for the feedback, I really appreciate you taking the time to reply. Ultimately, it didn’t completely solve the problem; however, by “slimming down” the connection between my NAS and Netgear 6100, I am able to utilize the 2.5 GbE LAN of my Netgate and the 5GbE LAN of my QNAP.

Regarding the Roon debacle, I’m getting to the point of probably needing to just cut my losses. I don’t want to give up, but troubleshooting has been wasting a ton of hours. I really feel the WireGuard is set up properly because everything else works when I’m away from home. I also have Plex on my QNAP and I’m able to access it and it works fine.

I’ve tried several times to complete the OpenVPN setup using several different videos as a guide (Tom’s and a couple others I found) and I keep messing it up somehow. I think it’s something to do w/ the certificates, but I don’t know how to address it.

Have you ever seen those old (like 1960’s?) Donald Duck or Goofy cartoons where they’re trying to complete something and the more they try the worse it gets? That’s kind of how I feel at the moment. If I wasn’t able to connect to Roon at all when away from home, fine, I get it. But the fact it works sometimes, but not consistently, drives me crazy. What’s worse is, it actually worked more often when using OpenVPN on my old Netgear Nighthawk R8000. I spent the extra $$$ to upgrade my router for the extra speed and flexibility, but I have yet to see the fruits of this choice.

Regardless, I’ve paid for the lifetime subscription for Roon, and despite not being able to use it when away from home, it’s still worth every penny (for me anyway).

Thank you again for your help.

Matt

I don’t think Tom has covered using certs with OpenVPN, but like most things it’s easy when you know how (obviously you can test it with just a password, though certs would be a better solution).

Another test you can easily perform is to set up QVPN on the NAS and forward that port. It’s basically QNAP’s implementation of OpenVPN; then connect to your network over it and inspect the results. Their solution is much easier to set up; if that works then you know it’s how you configured your VPN.

I’ve not used WG but perhaps it needs some additional configuration, can’t think what.

Either way you can run with two VPNs, but QNAP has so many security alerts, I wouldn’t trust its QVPN but only use it for testing, then figure out OpenVPN on pfSense. There are guides / recipes on pfSense’s site.

@bymatty ignore what I wrote above …

I noticed that’s a hefty fee for Roon, I think you should throw me a 100 bucks :wink:

It looks like Roon won’t support remote access out of the box, at least the posts I saw, might be out of date, but doesn’t look like it.

However, it seems to work if you can connect using the same subnet as your Roon server. In that case you need to set up OpenVPN in TAP mode (everything I’ve seen says to use TUN, which I have used as a default), then bridge to your network.

This should give you some idea

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html#bridging-openvpn-connections-to-local-networks

You also need to ensure your OpenVPN client is also set to TAP mode; it might default to TUN.

I’ve never done this myself, but if you can get this to work then I’d bet Roon will work externally.

Ha! It was either Roon or a downpayment for a new car! :smile: Actually, I figure it’s for life and I get a lot out of it. As long as I don’t go deaf, or am at least able to use hearing aids, it’s a great investment.

Yes, you are correct, Roon won’t support remote access out of the box. They say the feature is being worked on, but it hasn’t come to fruition as of yet. I remember coming across TUN and TAP stuff before, especially when trying to get ZeroTier set up (that was one of the solutions someone from the Roon forums found to work). The deal w/ TUN vs TAP was one of the reasons I traded up to Netgate from my Nighthawk, to get the flexibility to make changes like that. It was then I discovered OpenVPN and putting it to use on the router itself would be a much more efficient solution.

Thank you so much for this info, especially the specific link to creating the bridges. I had an idea this had something to do w/ getting the devices on the same subnet, but wasn’t sure how to go about making that work. I really appreciate the time you put in to help me out! It’s hard trying to learn this stuff as you go.

I’d be interested to hear the results once you’ve attempted it, if only to prove my theory correct or not.

OpenVPN is a bit tricky but quite doable. While I’ve not used TAP, it might take a few attempts to get the client correctly configured, but in the first instance it ought to work over a mobile network, though you might have a challenge with public wifi.

Yeah, it’s mostly trial and error, just keep plodding on!!!

Hello @neogrid. I haven’t looked into your theory re TAP vs. TUN as of yet because, from my reading, it seems like a bridged VPN setup doesn’t work on Android and iOS software. What makes this issue a bit more puzzling is that when I connect to my Roon server remotely using WireGuard on my laptop, I am able to use it as a device and can therefore play music.

I recently used the IT services of Eric from Lawrence Systems, who suggested the issue might be w/ multicasting. He briefly described IGMP Proxy and how it might be a way to make that work. I’ve been fiddling w/ it, but I haven’t gotten it to work.

In summation, using WireGuard on a laptop to remotely connect to my home network will allow me to both connect to and play music from my Roon server. Using WireGuard on a cell phone to remotely connect to my home network will only let me connect to my Roon server, but will not list it as a device so I can play music. So, there’s something different between the inner workings of a cell phone that’s messing things up.

Not sure if any of the above sparks additional possibilities, but I’m sending this in case you’re interested.

I guess you have a lot of trial and error to go through…