VPN
Tailscale, WireGuard, ZeroTier
ArchR ships three VPN options. All toggle from EmulationStation → System Settings → Network and are paused automatically during gameplay so they don't compete with the emulator for CPU.
Tailscale
Tailscale is a zero-config WireGuard-based VPN that lets your handheld talk to your PC anywhere on the internet, securely.
Sign up
Sign up for Tailscale. Free for personal use up to 100 devices.
Tailscale needs an SSO provider — Google, GitHub, Microsoft, or any of the supported identity providers.
Install on your PC
Download Tailscale for your OS and log in.
Enable on the handheld
ES → Network Settings → Tailscale VPN → ON.
The first time, you'll see an authentication URL. Open it on your PC's browser, click Connect, and Tailscale binds the handheld to your tailnet.
Disconnect
Same menu, toggle off.
After auth, your handheld appears under your tailnet's machines. SSH, file transfer, RetroArch netplay over the tailnet all work as if the device were on your local LAN.
WireGuard
For when you have your own VPN server (e.g. via your router or a self-hosted setup).
Drop the config
Provide a standard wg0.conf from your VPN provider or self-hosted server. Place it at:
/storage/.config/wireguard/wg0.confYou can copy it via SSH or Samba.
Sample minimal config:
[Interface]
PrivateKey = <your private key>
Address = 10.111.10.2/24
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:<port>The DNS directive is not supported in this config. Remove any DNS = line or the connection won't come up.
Toggle
ES → Network Settings → WireGuard VPN is only visible when wg0.conf exists. Toggle ON / OFF.
Diagnose
wg show # active tunnel status
curl -4 ifconfig.co # current public IP
wg-quick up /storage/.config/wireguard/wg0.conf
wg-quick down /storage/.config/wireguard/wg0.confGenerate a keypair
For self-hosting (use as the device side):
wg-genconfig # writes wg0.conf and wg0.conf.serverThe .server file goes on your Linux PC / Raspberry Pi acting as gateway. Uncomment the PostUp lines if you want to access other devices on your home LAN through it (SNAT).
ZeroTier
ZeroTier is similar to Tailscale but with a different network model — you create networks on your ZeroTier dashboard and join devices to them.
Sign up
Sign up at my.zerotier.com, create a network, copy its 16-character ID.
Drop the network ID
/storage/.config/zerotier-networksOne network ID per line. Create the file via SSH or Samba.
Enable
ES → Network Settings → ZeroTier VPN → ON.
Approve in dashboard
Back at my.zerotier.com → your network → Members — your handheld appears as pending. Tick the Auth box.
Manual join (alternative)
Without the zerotier-networks file, you can run from SSH:
zerotier-cli join <network-id>
zerotier-cli listnetworksIf you mix this with the file approach, the file wins on next boot — pick one.
Which one to use
| Tailscale | WireGuard | ZeroTier | |
|---|---|---|---|
| Easiest setup | ✅ | — | — |
| Self-hostable | partial | ✅ | partial |
| Subnet routing | yes | yes | yes |
| Persistent peer-to-peer | with NATs | direct | with NATs |
| Free tier | 100 devices | n/a | 25 devices |
For most people: Tailscale if you want zero-config, WireGuard if you already have a VPN server, ZeroTier if you prefer their network model.
During gameplay
All three VPN services are paused automatically when a game launches via runemu.sh (alongside Syncthing and the simple HTTP server) and resumed when the game exits. The pause is per-process — TCP connections close on the client side and reconnect when the service comes back. For most uses (file sync, remote SSH) this is invisible.
If you specifically want a VPN on during gameplay (e.g. for online netplay over Tailscale), edit /usr/bin/runemu.sh and remove the service from the pause_background_services list. Heads-up: VPN traffic competes with WiFi airtime which is shared with Bluetooth — expect occasional crackle in BT audio.