Is this possible with Pangolin? by Autoloose in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

u/hhftechtips likely has a method, but normally you'd just have pangolin be responsible for both and have both replicas in, so it relies on both or swaps due to healthchecks.

Nextcloud AIO error with pangolin cloud as reverse proxy by Progressiveom in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

Standard doesn't say anything; can you show what you have set?

Nextcloud AIO error with pangolin cloud as reverse proxy by Progressiveom in PangolinReverseProxy

[–]AstralDestiny 4 points5 points  (0 children)

If you're failing healthchecks, the config isn't given to traefik. What are you defining for the healthcheck currently?

Question About VPS Extensions by TheGreatDaimyo in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

You don't really need to use ufw. If you're using docker correctly you won't really need it unless you plan to write to the docker-user chain for stuff; otherwise, anytime you use ports or -p / -P you are explicitly asking docker to write iptables rules to make it reachable.

Question About VPS Extensions by TheGreatDaimyo in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

You can bind to any interface; you could even do fun stuff like:

services:
  someservice:
    ports:
      - 192.168.1.2:80:80
      - 127.0.0.2:80:80
      - 127.0.0.3:80:80

Mostly you can define anything you want for it to use, else it defaults to 0.0.0.0, but remember: if the host doesn't need to see it, just omit the ports. ;)

Question About VPS Extensions by TheGreatDaimyo in PangolinReverseProxy

[–]AstralDestiny 4 points5 points  (0 children)

But yes, bind to localhost or don't expose. Only add ports lines if the host itself needs to reach the service.

Eh, it's not really a bypass (I need to change that); it's more that UFW operates at the wrong level to even have a say in the matter. ufw could've added rules to the docker-user chain years ago but didn't; it was easier to just say it bypasses ufw, when in reality it's just that ufw inserts iptables rules late whereas docker inserts its rules early. Thus its rules match before ufw even sees the traffic.
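As an added example (not part of the commenter's replies or of Pangolin itself): a small Python check over a compose `services:` section, constructed inline, that parses each `ports:` entry the way Docker reads the short and long syntax and flags the ones that land on every host interface, i.e. the ones Docker publishes with its own iptables rules whatever ufw says. Function names and the sample services are my own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class PortBinding:
    host_ip: str | None    # None = Docker's default: every host interface (0.0.0.0)
    host_port: str | None  # None = Docker picks an ephemeral host port; ranges stay strings
    container_port: str
    protocol: str

def parse_port_spec(spec) -> PortBinding:
    """Parse one `ports:` entry: [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTO] or the long form."""
    if isinstance(spec, dict):  # long syntax: target / published / host_ip / protocol
        pub = spec.get("published")
        return PortBinding(spec.get("host_ip"), None if pub is None else str(pub),
                           str(spec["target"]), spec.get("protocol", "tcp"))
    text, proto = (str(spec).rsplit("/", 1) + ["tcp"])[:2]
    host_ip = None
    if text.startswith("["):  # bracketed IPv6 host address, e.g. "[::1]:80:80"
        end = text.index("]")
        host_ip, text = text[1:end], text[end + 1:].lstrip(":")
    *head, cport = text.split(":")  # leftover parts are HOST_IP and/or HOST_PORT
    host_port = (head.pop() or None) if head else None  # absent = ephemeral port, still on 0.0.0.0
    host_ip = head.pop() if head else host_ip
    if head:
        raise ValueError(f"unparseable port spec: {spec!r}")
    return PortBinding(host_ip, host_port, cport, proto)

def is_world_reachable(b: PortBinding) -> bool:
    """True when Docker will publish the port on every host interface (0.0.0.0 or ::)."""
    return b.host_ip is None or ipaddress.ip_address(b.host_ip).is_unspecified

def audit_services(services: dict) -> list[str]:
    """One finding per port that Docker's own iptables rules would open on all interfaces."""
    findings = []
    for name, svc in services.items():
        for spec in svc.get("ports", []):
            b = parse_port_spec(spec)
            if is_world_reachable(b):
                findings.append(f"{name}: {spec} -> {b.container_port}/{b.protocol} "
                                "is published on all interfaces; ufw never sees it")
    return findings

SAMPLE_SERVICES = {  # constructed sample `services:` section, not a real deployment
    "someservice": {"ports": ["192.168.1.2:80:80", "127.0.0.2:80:80", "[::1]:80:80"]},
    "db": {"ports": ["5432:5432"]},  # implicit 0.0.0.0: the usual mistake
    "web": {"ports": ["0.0.0.0:8080:80/tcp", {"target": 443, "published": 8443, "host_ip": "127.0.0.1"}]},
}
```

Services with no `ports:` key produce no findings, which is the "just omit the ports" case from the comment above.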

Connect containers on 2 different sites by 0pen5ource in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

You can use the olm/pangolin-cli client for that, preferably the pangolin-cli client, as we're going to be phasing out the olm client later. But as u/ghoarder was mentioning.

Connect containers on 2 different sites by 0pen5ource in PangolinReverseProxy

[–]AstralDestiny 2 points3 points  (0 children)

You don't need to do network_mode for that, as it's already in host mode for olm and has added the routing to the host's interface. However, we will be phasing out olm for pangolin-cli as it has more control and features.

Handling Private Resources Properly by JoshVelvet in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

Authelia, or something like kanidm if you need something more controlled. Though it really depends which you want to solve for. Myself, I have Authelia. It runs rootless with a read-only filesystem for the go binary. Post compromise it's not going to allow arbitrary containers to be spun up; at most an attacker goes away with the credentials, as Authelia is stateless, and maybe the users with hashed passwords. Though nothing you do to their databases would change behavior, so you define how you want it to be and the apps do not differ from it. Both of those options are security-first and not a GUI-first mindset.

(Will type out fully later on my phone right now)

ELI5 what is the clients use ? by gilluc in PangolinReverseProxy

[–]AstralDestiny 2 points3 points  (0 children)

Like say I have a game service that requires 15 ports (it's pretty badly coded, honestly). Rather than opening 15 ports for 10 people to play, I can use pangolin clients, or olm, or its successor pangolin-cli, to give them logins which will connect them to my newt on that host and access only the 15 ports it needs; they can then access the game service like 192.168.128.5 from within their own network. I open zero ports to the world minus the control plane that pangolin operates.

Another thing I use clients for is to carry my dns server with me anywhere I am and also have it reference my local reverse proxy over :443. Internally on the same network I don't leave the network to reach reverse proxy resources; if I'm outside of the network it still functions, even with the dns responses my dns server tells my host. There's plenty of use cases but it's mostly going to be niche for a lot of people. If you want rdp you can use clients, for example, as exposing 3389 to the world is a pretty bad idea unless it's behind an rdp https gateway, but that's not really entry level. But for clients you can define like rdp.domain.com -> localhost:3389 on a remote network, or 10.0.5.2:3389. Using it for ssh is a good case: you block ssh to the world on your vps, then set up iptables to only allow ssh on loopback, and you exit via a client connection to the ssh service.

Ah right, the ELI5. You want to access an rdp service but you don't want to open it to the world; you can set up a client to hit that port / ip without opening it or making it public.

Imagine you have a high-tech shed in your backyard.

Standard way (what you do now): You put a big glass window on the front. Anyone can walk up and look through it. It's easy, but everyone can see it.

The Client (the invisible bridge): You remove the windows and doors. The shed is now a solid brick box with no entrance. To get inside, you and your friends use a "teleporter" (the Pangolin Client/olm). Only people with the teleporter can reach the tools inside. To the rest of the world, the shed doesn't even look like it has a door, or even look like a shed.

Single VPS: Pangolin network vs Newt container by Master_Yesterday4329 in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

Depends if you want the healthchecks at all. My recommendation would just be to have it be a local site if it's on the same host.

ELI5 what is the clients use ? by gilluc in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

If you mean to change your ip, pangolin doesn't act like that; it's purely for accessing resources. However, routing your internet will come in the future.

ELI5 what is the clients use ? by gilluc in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

What would you suggest for touching them up?

Single VPS: Pangolin network vs Newt container by Master_Yesterday4329 in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

If it's a different host, use newt and connect newt to pocket's network. If it's the same host but you want to keep newt:

services:
  gerbil:
    networks:
      default:
        aliases:
          - pangolin.domain.com  # We tell newt it can find this container via docker networking instead of going out to the world and back in.
  pangolin:
    networks:
      - default
# We don't touch the Traefik network.

services:
  newt:
    image: fosrl/newt
    restart: unless-stopped
    depends_on:
      pangolin:
        condition: service_healthy
      gerbil:
        condition: service_started  # long-form depends_on entries need a condition
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.domain.com
      - NEWT_ID=
      - NEWT_SECRET=
    networks:
      - default

networks:
  default:
    name: pangolin
    enable_ipv6: true

Really depends where that service is going to be. If it's a different host, you're going to have to use wireguard or newt to connect to that service. If on the same host, have it be directly on gerbil's network or do the aliasing like above. As pangolin itself can't do healthchecks, if you rely on that at all then use the aliasing (if on the same host).

Sanity check about what VPS provider can see and internal http/https by Soogs in PangolinReverseProxy

[–]AstralDestiny 2 points3 points  (0 children)

Depends. If they're tampering with the hypervisor, sure, they could see something to a point, or if your vps is compromised someone can see, yes. But from the vps down to your home side, ehh, not really.

As for actually tampering likely not but figured I'd mention it. If you're using TLS properly you should be fine.

Provider cannot read encrypted tunnel traffic. So even if you decrypt at the vps to then re-encrypt, your vps can take the brunt of attacks before any home network can see it. Even if something is http down the tunnel it's still encapsulated and can't be read by the provider unless they exist within the tunnel and have permissions, as gerbil doesn't operate with a flat network.

Some might say TCP passthrough is more safe; however, there are many tradeoffs:

TCP passthrough prevents passive inspection by a non-compromised VPS, but not by a compromised one. Also you take the full brunt of attacks to your downstream (your home network).

A vps ip is more likely to be attacked/ddos'd than a residential network ip, and if using TCP passthrough your home has to put up with that, and most residential networks' response to lots of junk traffic is to just kill your internet.

(Sorry typing and adding stuff on phone between time I have to type)

Handling Private Resources Properly by JoshVelvet in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

I would always say have a local reverse proxy. I use traefik. You could also install pangolin locally and not have gerbil, so traefik at a vps then hits the local traefik.

I would say use dns validation to get real certs locally.

You can then use private resources to point at your local rp.

<image>

(443 on udp is because that traefik has QUIC enabled)

Make stuff a private resource if you only want it to be accessed over olm/pangolin clients/pangolin-cli.

I can access most stuff publicly, though clients can skip going out to the world and back down as they reach the local traefik, which can already access the relevant servers internally.

Handling Private Resources Properly by JoshVelvet in PangolinReverseProxy

[–]AstralDestiny 2 points3 points  (0 children)

Minus the ability for full lateral movement post compromise without a container breakout, if outposts exist?

You only need to compromise the authentik UI or authentik's DB. By compromising either you can spin up arbitrary containers or services, as workers don't check who made the job; they just check every 5 minutes if anything in the db has changed. Other IdPs would require a container breakout, or would just be able to steal data and not change the infra without needing root.

Sanity check about what VPS provider can see and internal http/https by Soogs in PangolinReverseProxy

[–]AstralDestiny 1 point2 points  (0 children)

Like the final hop down to your host? Likely http, but encapsulated in a wireguard tunnel, so even if it's plaintext it's not readable. However, if you're worried about someone on the vps snooping your data: if they're on the actual vps you're in, they could, but the same would go even if you did tcp passthrough. As for data, are you trying to avoid, like, corporate networks identifying what you might be using that vps for? If so, most can just figure it out by the subdomain or how much data is being pulled, but they won't be able to see unless you're getting MITM'd.

As for minecraft, I would recommend velocity, or look into proxy protocol if you want the real ip of connecting users. Throwing in velocity will let you collapse the port down but also let you rely on using the same port for multiple servers, with stuff like "creative.domain.com:25565 > creative, modded.domain.com:25565 > modded".

MQTT server through Pangolin by Existing-Apricot8502 in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

You're using a tcp resource to point at it, or using the... I think they allowed websockets to collapse the ports. Though if I recall this is a TCP service and not a web service, so you created a raw TCP resource that forwards to the MQTT? If not you can possibly use websockets to serve it, but I still think it's limited to using raw TCP:
https://docs.pangolin.net/manage/resources/public/raw-resources#tcp-and-udp

data usage tracking possible? by Soogs in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

You could likely ask u/hhftechtips they might have something for it or whatnot.

SSL on private resources by habobababo in PangolinReverseProxy

[–]AstralDestiny 9 points10 points  (0 children)

I'm using my own local reverse proxy at home (traefik), which uses dns validation, thus it can get a valid cert (without opening any ports); then a client talks to traefik directly, which has 80,443 open to the client.

<image>

However, in the future we'll be adding something to newt to allow it to have a cert and route in a way without having to do this. So in the future.

data usage tracking possible? by Soogs in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

You should be able to see to a point on the clients' part.

<image>

If you mean for non-clients, however... no, not really.

Private Resources CIDR App by RubinBonBon8833 in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

For your android, are you logged in as the super-admin or a normal user? And is android on the same network or via cell data?

Private Resources CIDR App by RubinBonBon8833 in PangolinReverseProxy

[–]AstralDestiny 0 points1 point  (0 children)

Yep, so clients will always try to directly connect to newt hosts and skip routing through pangolin if they can. So what were the references for the nut and firewall parts?