Seeking Open Source Playback Streaming Solution with Specific Requirements

[AlfieFroud]

I’m on the hunt for a playback streaming device or software that aligns with my specific needs, and I could use your expertise in finding the right fit.

Here are my requirements:

1. Open Source: I’m looking for a solution that is open source, ensuring transparency and flexibility.
2. Secure Protocols: It should not rely on insecure protocols like UPnP, as security is a priority.
3. Linux Compatibility: My music is stored on a Linux server, so I need the streaming device or software to either run on the server and stream to a separate endpoint or run on the output device and access music from the server.
4. Remote Control: I require the ability to control the playback remotely. Compatibility with both Android devices and Linux on a laptop is crucial.

If you have any recommendations or suggestions that match these criteria, I would greatly appreciate your insights. Thank you in advance for your help!

 

[somebodyelse]

You'll probably fall down on 2, depending on definition of 'secure'. Do LMS or MPD fit the bill?

 

[Berwhale]

You'll probably fall down on 2, depending on definition of 'secure'. Do LMS or MPD fit the bill?

LMS is highly insecure, e.g. https://forums.slimdevices.com/foru...op-forwarding-your-LMS-ports-to-the-internet=

MPD protocol is not authenticated, you need to tunnel it to secure it... https://wiki.archlinux.org/title/Mu...icks#Music_streaming_with_the_satellite_setup

 

[FreakyKiwi]

LMS is highly insecure, e.g. https://forums.slimdevices.com/foru...op-forwarding-your-LMS-ports-to-the-internet=

There was no mention of requiring external access, highlighting that exposing a local service to the internet with no added security is a bad idea does not make it insecure for normal use.

OP - what do you mean by secure?
Do you want to restrict LAN access, or are you only concerned about unauthorised access from the internet?
Part of the UPnP protocol is allowing router ports to be opened but this is not required for local music streaming. UPnP/DLNA streaming is generally terrible in any case.

I would also recommend LMS/Squeezelite which can be secured using HTTPS and authentication.

 

[Berwhale]

There was no mention of requiring external access, highlighting that exposing a local service to the internet with no added security is a bad idea does not make it insecure for normal use.

Keeping an insecure protocol behind a firewall doesn't make the protocol secure, which is what the OP asked for.

I would also recommend LMS/Squeezelite which can be secured using HTTPS and authentication.

I don't think clients can stream over HTTPS, is this not the case?

That said, I run LMS at home and I'm not particularly worried about doing so.

 

[MaxwellsEq]

OP - what do you mean by secure?

In my opinion, a secure protocol should be strongly encrypted with a session key and strongly authenticated.

Most audio protocols when operating natively do not come close, forcing all traffic behind a NAT masquerade and/or firewall and requiring strong segmentation at the server end and secure VPNs between sites.

 

[somebodyelse]

That's why I think it will fail on 2 - I'm not aware of anything using protocols I would consider secure. You could arrange for server and clients to communicate via secure tunnels though - WireGuard or something. It depends on exactly what OP means by 'secure'.

 

[AlfieFroud]

My apologies for late reply. I think you’re correct in that I’m not going to find a secure protocol. Looking at my options I think I’m going to have to go with LMS but try to secure it as much as possible. Any suggestions?

 

[fatoldgit]

So lets say you end up with a two tier (LMS server running on file server -> end point) or three tier (file server->lms server->end point) topology then you can:

1- Run a firewall on each Linux device that only allows the specific ports needed and disable ssh****
2- Also configure the firewalls to only allow traffic from a defined set of MAC addresses
3- Additionally tie specific ports to specific MAC addresses (i.e. HTTP browsing on port XXX into hardware running LMS server only from MAC address YYY, squeezelite traffic from LMS server to endpoint similarly locked down, NFS traffic from fileserver to LMS server similarly locked down)
4- run ethernet (no wifi) between all devices and dont connect to your router (optional)
5- if wifi from say ipad is needed to browse, setup the server running LMS as an access point over its wifi (use USB wifi dongle if needed) or use a private WAP hardwired in via ethernet.. avoids sending traffic over your ISP router)
6- if using WAP wifi, also use MAC address filtering/port filtering configured in the WAP on the port use for browsing
7- if super paraniod and need to stream music services via ISP router, tie all of this into a managed switch and do the port and address filtering at this level as well (i.e. keeps ISP router restricted at two levels.. logical at the server level and physical at the switch level)

All of the above assumes you have the admin skills to do it.

Logically, as no PI (personal info) is moving between the various PC's involved, your only concern (albeit paranoid) is to stop someone connecting in from a remote device should they somehow breach your ISP router

Peter

**** To manage/admin each server system in a non-ssh env, you would need to connect a monitor/keyboard as needed OR get fancy and have a monitor/keyboard permanently attached and use a KVM switch

 

[bachatero]

Why make it so complicated? Introducing NextCloud: store everything and access it anytime anywhere on any device. Although I don't have it set up with HTTPS on my local network, I use LetsEncrypt to get an encryption certificate for everywhere else.

 

[fatoldgit]

Why make it so complicated? Introducing NextCloud: store everything and access it anytime anywhere on any device. Although I don't have it set up with HTTPS on my local network, I use LetsEncrypt to get an encryption certificate for everywhere else.

Cause (speaking for the OP):

- you are trusting a third party
- you need to copy all your stuff to the cloud
- only addresses the file server side... doesnt address all tiers in an LMS config (say LMS server to squeezelite)

Now the OP's requirements are a bit over the top but between a self managed solution (mine) and a "trust some cloud company" solution (yours), they have options

 

[bachatero]

NextCloud is all self-hosted, which means it stays all on your own server and nothing gets out.