github-starred/newt
2
0
Fork 0
mirror of https://github.com/fosrl/newt.git synced 2026-05-07 08:28:25 -05:00
Code Issues 227 Packages Projects Releases 40 Wiki Activity

[GH-ISSUE #237] Client connectivity not working on Raspbian (aarch64) #2056

New Issue
Open
opened 2026-05-03 05:45:14 -05:00 by GiteaMirror · 19 comments
GiteaMirror commented 2026-05-03 05:45:14 -05:00
Owner
Copy Link

Originally created by @hanjo on GitHub (Feb 17, 2026).
Original GitHub issue: https://github.com/fosrl/newt/issues/237

Originally assigned to: @LaurenceJJones on GitHub.

Describe the Bug

Hi,

I have tried to get the "Zero-Trust Private Access" functionality to work for some time and eventually figured out, that it is my newt which is causing the connection to fail. I believe this might have to do with the architecture of my host, which is ARM64 (aarch64). While this host has some special network setup (it is part of a DMZ), I never had issues with the "Web-based Public Access", and I was able to get the "Zero-Trust Private Access" functionality to work in no time on a x86_64 machine.

On the x86_64 host I can see this line on startup of newt:

INFO: 2026/02/17 14:11:48 Client connectivity setup. Ready to accept connections from clients!

This line is missing from the log on the aarch64 host and when I try to connect the app, I will instead get:

INFO: 2026/02/17 12:57:00 WireGuard device is not initialized

and obviously the App will never complete the connection attempt. This makes me believe that there may be some code which is missing for my architecture, or some other issue with setting up the required wireguard tunnel.

Environment

  • OS Type & Version: Debian GNU/Linux 12 (bookworm) (<-- this is Raspbian)
  • Kernel Version: 6.12.34+rpt-rpi-v8
  • Pangolin Version: v1.15.4
  • Gerbil Version: v1.3.0
  • Traefik Version: I don't know, :latest 🙃
  • Newt Version: v1.9.0
  • Docker Version: v28.3.2

To Reproduce

This is my docker-compose.yml on the Raspberry Pi 4 Model B Rev 1.5:

services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    network_mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=Europe/Berlin
      - PANGOLIN_ENDPOINT=https://xxxxxxxx
      - NEWT_ID=xxxxxxxxxx
      - NEWT_SECRET=xxxxxxxxxx
      - DOCKER_SOCKET=unix:///var/run/docker.sock

Expected Behavior

Same behavior as on x86_64 obviously 🙂

Originally created by @hanjo on GitHub (Feb 17, 2026). Original GitHub issue: https://github.com/fosrl/newt/issues/237 Originally assigned to: @LaurenceJJones on GitHub. ### Describe the Bug Hi, I have tried to get the "Zero-Trust Private Access" functionality to work for some time and eventually figured out, that it is my newt which is causing the connection to fail. I believe this might have to do with the architecture of my host, which is ARM64 (`aarch64`). While this host has some special network setup (it is part of a DMZ), I never had issues with the "Web-based Public Access", and I was able to get the "Zero-Trust Private Access" functionality to work in no time on a `x86_64` machine. On the `x86_64` host I can see this line on startup of newt: ``` INFO: 2026/02/17 14:11:48 Client connectivity setup. Ready to accept connections from clients! ``` This line is missing from the log on the `aarch64` host and when I try to connect the app, I will instead get: ``` INFO: 2026/02/17 12:57:00 WireGuard device is not initialized ``` and obviously the App will never complete the connection attempt. This makes me believe that there may be some code which is missing for my architecture, or some other issue with setting up the required wireguard tunnel. ### Environment - OS Type & Version: Debian GNU/Linux 12 (bookworm) (<-- this is Raspbian) - Kernel Version: 6.12.34+rpt-rpi-v8 - Pangolin Version: v1.15.4 - Gerbil Version: v1.3.0 - Traefik Version: I don't know, :latest 🙃 - Newt Version: v1.9.0 - Docker Version: v28.3.2 ### To Reproduce This is my `docker-compose.yml` on the Raspberry Pi 4 Model B Rev 1.5: ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped network_mode: host volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - TZ=Europe/Berlin - PANGOLIN_ENDPOINT=https://xxxxxxxx - NEWT_ID=xxxxxxxxxx - NEWT_SECRET=xxxxxxxxxx - DOCKER_SOCKET=unix:///var/run/docker.sock ``` ### Expected Behavior Same behavior as on `x86_64` obviously 🙂
GiteaMirror added the needs investigating label 2026-05-03 05:45:14 -05:00
GiteaMirror commented 2026-05-03 05:45:15 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Mar 4, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3994471173 --> @github-actions[bot] commented on GitHub (Mar 4, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
GiteaMirror commented 2026-05-03 05:45:16 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Mar 4, 2026):

In the meantime, Pangolin v1.16.2 and Newt v1.10.2 were released, but I still see the same issue. Any chance to look into this?

Thanks!

<!-- gh-comment-id:3996252442 --> @hanjo commented on GitHub (Mar 4, 2026): In the meantime, Pangolin v1.16.2 and Newt v1.10.2 were released, but I still see the same issue. Any chance to look into this? Thanks!
GiteaMirror commented 2026-05-03 05:45:17 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Mar 7, 2026):

Could you set the environment LOG_LEVEL=DEBUG and provide the full logs so we can dive deeper. (just ensure to strip any sensitive information from the output)

<!-- gh-comment-id:4017024986 --> @LaurenceJJones commented on GitHub (Mar 7, 2026): Could you set the environment `LOG_LEVEL=DEBUG` and provide the full logs so we can dive deeper. (just ensure to strip any sensitive information from the output)
GiteaMirror commented 2026-05-03 05:45:19 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Mar 7, 2026):

Sure, here you go:

pi@pi-dmz:~/docker/newt $ sudo docker logs -f newt
INFO: 2026/03/07 21:08:22 Newt version 1.10.2
DEBUG: 2026/03/07 21:08:22 Starting metrics server on 127.0.0.1:2112
DEBUG: 2026/03/07 21:08:22 Config already provided, skipping loading from file
INFO: 2026/03/07 21:08:22 Config file does not exist at /root/.config/newt-client/config.json, will create it
DEBUG: 2026/03/07 21:08:22 Endpoint: https://my.pangolin.tld
DEBUG: 2026/03/07 21:08:22 Log Level: DEBUG
DEBUG: 2026/03/07 21:08:22 Docker Network Validation Enabled: false
DEBUG: 2026/03/07 21:08:22 Health Check Certificate Enforcement: false
DEBUG: 2026/03/07 21:08:22 Dns: 9.9.9.9
DEBUG: 2026/03/07 21:08:22 Docker Socket: unix:///var/run/docker.sock
DEBUG: 2026/03/07 21:08:22 MTU: 1280
DEBUG: 2026/03/07 21:08:22 ++++++++++++++++++++++ the port is 0
DEBUG: 2026/03/07 21:08:22 Setting up clients with netstack2...
DEBUG: 2026/03/07 21:08:22 +++++++++++++++++++++++++++++++= the port is 0
DEBUG: 2026/03/07 21:08:22 Created shared UDP socket on port 51099 (refcount: 2)
DEBUG: 2026/03/07 21:08:22 Creating new health check monitor with certificate enforcement: false
DEBUG: 2026/03/07 21:08:22 Initializing Docker event monitoring
DEBUG: 2026/03/07 21:08:22 Starting Docker event monitoring
DEBUG: 2026/03/07 21:08:22 Docker event monitoring started successfully
DEBUG: 2026/03/07 21:08:22 Token response body: {"data":{"token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","serverVersion":"1.16.2"},"success":true,"error":false,"message":"Token created successfully","status":200}
INFO: 2026/03/07 21:08:22 Server version: 1.16.2
DEBUG: 2026/03/07 21:08:22 Received token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: 2026/03/07 21:08:22 Saving config to: /root/.config/newt-client/config.json
DEBUG: 2026/03/07 21:08:22 Public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: 2026/03/07 21:08:22 Websocket connected
DEBUG: 2026/03/07 21:08:22 Requesting exit nodes from server
DEBUG: 2026/03/07 21:08:22 Sending message: newt/ping/request, data: map[noCloud:false]
DEBUG: 2026/03/07 21:08:22 Requesting WireGuard configuration from remote server
DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/register, data: map[backwardsCompatible:true newtVersion:1.10.2 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:22 Received ping message
DEBUG: 2026/03/07 21:08:22 Only one exit node available, using it directly: my.pangolin.tld
DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/register, data: map[newtVersion:1.10.2 pingResults:[{ExitNodeID:1 LatencyMs:0 Weight:1 Error: Name:Exit Node xxxx/xxx Endpoint:my.pangolin.tld WasPreviouslyConnected:true}] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:23 Received Docker container fetch request
DEBUG: 2026/03/07 21:08:23 Sending message: newt/socket/containers, data: map[containers:[{ID:7a3de3e1f6ec Name:newt Image:fosrl/newt State:running Status:Up Less than a second Ports:[] Labels:map[com.docker.compose.config-hash:c19b63b0e5b9935a43c5a536806f327f69d75264394977b9c7343deb48ccad2d com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:83e8b79ccabc454d90ec713e85ecb19bb0921eb8efee5fbb3300ad32bd888677 com.docker.compose.oneoff:False com.docker.compose.project:newt com.docker.compose.project.config_files:/home/pi/docker/newt/docker-compose.yml com.docker.compose.project.working_dir:/home/pi/docker/newt com.docker.compose.service:newt com.docker.compose.version:5.1.0 org.opencontainers.image.authors:fosrl org.opencontainers.image.created:2026-03-04T06:22:25Z org.opencontainers.image.description:Pangolin tunneled site & network connector org.opencontainers.image.documentation:https://github.com/fosrl/newt org.opencontainers.image.licenses:AGPL-3.0 org.opencontainers.image.ref.name:1.10.2 org.opencontainers.image.revision:beaf386615e324d9cb8aac9f24abdb9b10a27b64 org.opencontainers.image.source:https://github.com/fosrl/newt org.opencontainers.image.title:newt org.opencontainers.image.url:https://github.com/fosrl/newt org.opencontainers.image.version:1.10.2] Created:1772914101 Networks:map[host:{NetworkID:9dce72d1da10e54aed81ffeafab7307b937540bfc2fba5aaea71e35e801d6e4f EndpointID:2984c9bfee84256a70a3c2c8315409d716b1fd3912e095c5941d18f9c24725c0 Gateway: IPAddress: IPPrefixLen:0 IPv6Gateway: GlobalIPv6Address: GlobalIPv6PrefixLen:0 MacAddress: Aliases:[] DNSNames:[]}] Hostname:pi-dmz} ...]]
DEBUG: 2026/03/07 21:08:23 Docker container list sent, count: 10
DEBUG: 2026/03/07 21:08:23 Received registration message
DEBUG: 2026/03/07 21:08:23 Received registration message data: map[endpoint:my.pangolin.tld:51820 healthCheckTargets:[map[...]] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx relayPort:21820 serverIP:100.89.128.1 targets:map[...] tunnelIP:100.89.128.4]
DEBUG: 2026/03/07 21:08:23 Received: {Type:newt/wg/connect Data:map[endpoint:my.pangolin.tld:51820 healthCheckTargets:[map[...]] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx relayPort:21820 serverIP:100.89.128.1 targets:map[...] tunnelIP:100.89.128.4]}
INFO: 2026/03/07 21:08:23 Connecting to endpoint: my.pangolin.tld
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 1 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 3 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 1 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 1 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 2 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 2 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 2 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 3 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 4 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 3 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 4 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 4 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: event worker - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Interface up requested
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: TUN reader - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 UDP bind has been updated
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Interface state was Down, requested Up, now Up
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: receive incoming v4 - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: receive incoming v6 - started
DEBUG: 2026/03/07 21:08:23 Starting UDP hole punch to 1 exit nodes with shared bind
DEBUG: 2026/03/07 21:08:23 Starting hole punch to xxx.xxx.xxx.xxx with public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 UAPI: Updating private key
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Created
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Adding allowedip
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Updating endpoint
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Updating persistent keepalive interval
DEBUG: 2026/03/07 21:08:23 Resolved exit node: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx:21820
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Starting
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Sending keepalive packet
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Sending handshake initiation
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Routine: sequential receiver - started
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Routine: sequential sender - started
DEBUG: 2026/03/07 21:08:23 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:23 WireGuard device created. Lets ping the server now...
DEBUG: 2026/03/07 21:08:23 Testing initial connection with reliable ping...
DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Received handshake response
DEBUG: 2026/03/07 21:08:23 Initial connection test successful
DEBUG: 2026/03/07 21:08:23 Ping attempt 1
DEBUG: 2026/03/07 21:08:23 Ping latency: 17.501657ms
INFO: 2026/03/07 21:08:23 Tunnel connection to server established successfully!
DEBUG: 2026/03/07 21:08:23 Starting ping check
DEBUG: 2026/03/07 21:08:23 Not adding target because not running
DEBUG: 2026/03/07 21:08:23 Not adding target because not running
DEBUG: 2026/03/07 21:08:23 Not adding target because not running
DEBUG: 2026/03/07 21:08:23 Not adding target because not running
DEBUG: 2026/03/07 21:08:23 Not adding target because not running
DEBUG: 2026/03/07 21:08:23 Started direct UDP relay on 100.89.128.4:51099 (bidirectional via SharedBind)
DEBUG: 2026/03/07 21:08:23 Adding 1 health check targets in bulk
DEBUG: 2026/03/07 21:08:23 Target 5 configuration: scheme=https, method=GET, interval=90s, timeout=5s
INFO: 2026/03/07 21:08:23 Starting monitoring for target 5 (xxxx.xxxxx:2743)
DEBUG: 2026/03/07 21:08:23 Successfully added target: ID=5, hostname=xxxx.xxxxx
DEBUG: 2026/03/07 21:08:23 Successfully added all 1 health check targets
DEBUG: 2026/03/07 21:08:23 Successfully added 1 health check targets
DEBUG: 2026/03/07 21:08:23 Direct UDP relay started (bidirectional through SharedBind)
INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxx.xxxxx:4490
DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:42428 to xxxx.xxxxx:4490
INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxx.xxxxx:2743
DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:40690 to xxxx.xxxxx:2743
INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxx.xxxxx:2283
DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:45496 to xxxxxx.xxxxx:2283
INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxx.xxxxx:443
DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:44325 to xxxxxx.xxxxx:443
INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxxxxx.xxxxx:443
DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:46393 to xxxxxxxxx.xxxxx:443
INFO: 2026/03/07 21:08:23 Starting health check monitoring for target 5 (xxxx.xxxxx:2743)
DEBUG: 2026/03/07 21:08:23 Target 5: performing health check 1 to https://xxxx.xxxxx:2743/health
DEBUG: 2026/03/07 21:08:23 Target 5: HTTPS health check with certificate enforcement: false
DEBUG: 2026/03/07 21:08:23 Target 5: health check passed (status: 200)
INFO: 2026/03/07 21:08:23 Target 5 initial status: healthy
DEBUG: 2026/03/07 21:08:23 Target 5: initial check interval set to 1m30s
DEBUG: 2026/03/07 21:08:23 Health check status update for 1 targets
DEBUG: 2026/03/07 21:08:23 Health check status: map[5:map[checkCount:1 config:{ID:5 Enabled:true Path:/health Scheme:https Mode:http Hostname:xxxx.xxxxx Port:2743 Interval:90 UnhealthyInterval:90 Timeout:5 Headers:map[host:xxxx.xxxxx] Method:GET Status:0 TLSServerName:xxxx.xxxxx} lastCheck:2026-03-07T21:08:23+01:00 lastError: status:healthy]]
DEBUG: 2026/03/07 21:08:23 Sending message: newt/healthcheck/status, data: map[targets:map[5:map[checkCount:1 config:{ID:5 Enabled:true Path:/health Scheme:https Mode:http Hostname:xxxx.xxxxx Port:2743 Interval:90 UnhealthyInterval:90 Timeout:5 Headers:map[host:xxxx.xxxxx] Method:GET Status:0 TLSServerName:xxxx.xxxxx} lastCheck:2026-03-07T21:08:23+01:00 lastError: status:healthy]]]
DEBUG: 2026/03/07 21:08:24 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:24 Increased hole punch interval to 2s
DEBUG: 2026/03/07 21:08:24 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:26 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:26 Increased hole punch interval to 4s
DEBUG: 2026/03/07 21:08:26 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:28 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:30 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:30 Increased hole punch interval to 8s
DEBUG: 2026/03/07 21:08:30 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:32 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:34 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:36 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:38 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:38 Increased hole punch interval to 16s
DEBUG: 2026/03/07 21:08:38 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
DEBUG: 2026/03/07 21:08:40 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
INFO: 2026/03/07 21:08:42 SendMessageInterval timed out after 10 attempts for message type: newt/wg/get-config
DEBUG: 2026/03/07 21:08:54 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:08:54 Increased hole punch interval to 32s
DEBUG: 2026/03/07 21:09:07 Received message: [map[destPrefix:100.96.128.9/32 disableIcmp:false portRange:[map[max:80 min:80 protocol:tcp] map[max:443 min:443 protocol:tcp] map[max:443 min:443 protocol:udp]] rewriteTo:xxxxxxxxx.xxxxx sourcePrefix:100.90.128.0/32]]
DEBUG: 2026/03/07 21:09:07 Skipping add target - using native interface (no proxy support)
DEBUG: 2026/03/07 21:09:23 Received message: map[publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
INFO: 2026/03/07 21:09:23 WireGuard device is not initialized
DEBUG: 2026/03/07 21:09:23 Received message: map[allowedIps:[100.90.128.0/32] endpoint:xx.xxx.xxx.xxx:27616 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
INFO: 2026/03/07 21:09:23 WireGuard device is not initialized
DEBUG: 2026/03/07 21:09:26 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
DEBUG: 2026/03/07 21:09:26 Increased hole punch interval to 1m0s
DEBUG: 2026/03/07 21:09:53 Target 5: performing health check 2 to https://xxxx.xxxxx:2743/health
DEBUG: 2026/03/07 21:09:53 Target 5: HTTPS health check with certificate enforcement: false
DEBUG: 2026/03/07 21:09:53 Target 5: health check passed (status: 200)
<!-- gh-comment-id:4017285952 --> @hanjo commented on GitHub (Mar 7, 2026): Sure, here you go: ```shell pi@pi-dmz:~/docker/newt $ sudo docker logs -f newt INFO: 2026/03/07 21:08:22 Newt version 1.10.2 DEBUG: 2026/03/07 21:08:22 Starting metrics server on 127.0.0.1:2112 DEBUG: 2026/03/07 21:08:22 Config already provided, skipping loading from file INFO: 2026/03/07 21:08:22 Config file does not exist at /root/.config/newt-client/config.json, will create it DEBUG: 2026/03/07 21:08:22 Endpoint: https://my.pangolin.tld DEBUG: 2026/03/07 21:08:22 Log Level: DEBUG DEBUG: 2026/03/07 21:08:22 Docker Network Validation Enabled: false DEBUG: 2026/03/07 21:08:22 Health Check Certificate Enforcement: false DEBUG: 2026/03/07 21:08:22 Dns: 9.9.9.9 DEBUG: 2026/03/07 21:08:22 Docker Socket: unix:///var/run/docker.sock DEBUG: 2026/03/07 21:08:22 MTU: 1280 DEBUG: 2026/03/07 21:08:22 ++++++++++++++++++++++ the port is 0 DEBUG: 2026/03/07 21:08:22 Setting up clients with netstack2... DEBUG: 2026/03/07 21:08:22 +++++++++++++++++++++++++++++++= the port is 0 DEBUG: 2026/03/07 21:08:22 Created shared UDP socket on port 51099 (refcount: 2) DEBUG: 2026/03/07 21:08:22 Creating new health check monitor with certificate enforcement: false DEBUG: 2026/03/07 21:08:22 Initializing Docker event monitoring DEBUG: 2026/03/07 21:08:22 Starting Docker event monitoring DEBUG: 2026/03/07 21:08:22 Docker event monitoring started successfully DEBUG: 2026/03/07 21:08:22 Token response body: {"data":{"token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","serverVersion":"1.16.2"},"success":true,"error":false,"message":"Token created successfully","status":200} INFO: 2026/03/07 21:08:22 Server version: 1.16.2 DEBUG: 2026/03/07 21:08:22 Received token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx INFO: 2026/03/07 21:08:22 Saving config to: /root/.config/newt-client/config.json DEBUG: 2026/03/07 21:08:22 Public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx INFO: 2026/03/07 21:08:22 Websocket connected DEBUG: 2026/03/07 21:08:22 Requesting exit nodes from server DEBUG: 2026/03/07 21:08:22 Sending message: newt/ping/request, data: map[noCloud:false] DEBUG: 2026/03/07 21:08:22 Requesting WireGuard configuration from remote server DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/register, data: map[backwardsCompatible:true newtVersion:1.10.2 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:22 Received ping message DEBUG: 2026/03/07 21:08:22 Only one exit node available, using it directly: my.pangolin.tld DEBUG: 2026/03/07 21:08:22 Sending message: newt/wg/register, data: map[newtVersion:1.10.2 pingResults:[{ExitNodeID:1 LatencyMs:0 Weight:1 Error: Name:Exit Node xxxx/xxx Endpoint:my.pangolin.tld WasPreviouslyConnected:true}] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:23 Received Docker container fetch request DEBUG: 2026/03/07 21:08:23 Sending message: newt/socket/containers, data: map[containers:[{ID:7a3de3e1f6ec Name:newt Image:fosrl/newt State:running Status:Up Less than a second Ports:[] Labels:map[com.docker.compose.config-hash:c19b63b0e5b9935a43c5a536806f327f69d75264394977b9c7343deb48ccad2d com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:83e8b79ccabc454d90ec713e85ecb19bb0921eb8efee5fbb3300ad32bd888677 com.docker.compose.oneoff:False com.docker.compose.project:newt com.docker.compose.project.config_files:/home/pi/docker/newt/docker-compose.yml com.docker.compose.project.working_dir:/home/pi/docker/newt com.docker.compose.service:newt com.docker.compose.version:5.1.0 org.opencontainers.image.authors:fosrl org.opencontainers.image.created:2026-03-04T06:22:25Z org.opencontainers.image.description:Pangolin tunneled site & network connector org.opencontainers.image.documentation:https://github.com/fosrl/newt org.opencontainers.image.licenses:AGPL-3.0 org.opencontainers.image.ref.name:1.10.2 org.opencontainers.image.revision:beaf386615e324d9cb8aac9f24abdb9b10a27b64 org.opencontainers.image.source:https://github.com/fosrl/newt org.opencontainers.image.title:newt org.opencontainers.image.url:https://github.com/fosrl/newt org.opencontainers.image.version:1.10.2] Created:1772914101 Networks:map[host:{NetworkID:9dce72d1da10e54aed81ffeafab7307b937540bfc2fba5aaea71e35e801d6e4f EndpointID:2984c9bfee84256a70a3c2c8315409d716b1fd3912e095c5941d18f9c24725c0 Gateway: IPAddress: IPPrefixLen:0 IPv6Gateway: GlobalIPv6Address: GlobalIPv6PrefixLen:0 MacAddress: Aliases:[] DNSNames:[]}] Hostname:pi-dmz} ...]] DEBUG: 2026/03/07 21:08:23 Docker container list sent, count: 10 DEBUG: 2026/03/07 21:08:23 Received registration message DEBUG: 2026/03/07 21:08:23 Received registration message data: map[endpoint:my.pangolin.tld:51820 healthCheckTargets:[map[...]] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx relayPort:21820 serverIP:100.89.128.1 targets:map[...] tunnelIP:100.89.128.4] DEBUG: 2026/03/07 21:08:23 Received: {Type:newt/wg/connect Data:map[endpoint:my.pangolin.tld:51820 healthCheckTargets:[map[...]] publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx relayPort:21820 serverIP:100.89.128.1 targets:map[...] tunnelIP:100.89.128.4]} INFO: 2026/03/07 21:08:23 Connecting to endpoint: my.pangolin.tld DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 1 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 3 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 1 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 1 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 2 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 2 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 2 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 3 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 4 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: handshake worker 3 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: encryption worker 4 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: decryption worker 4 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: event worker - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Interface up requested DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: TUN reader - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 UDP bind has been updated DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Interface state was Down, requested Up, now Up DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: receive incoming v4 - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 Routine: receive incoming v6 - started DEBUG: 2026/03/07 21:08:23 Starting UDP hole punch to 1 exit nodes with shared bind DEBUG: 2026/03/07 21:08:23 Starting hole punch to xxx.xxx.xxx.xxx with public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 UAPI: Updating private key DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Created DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Adding allowedip DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Updating endpoint DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - UAPI: Updating persistent keepalive interval DEBUG: 2026/03/07 21:08:23 Resolved exit node: xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx:21820 DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Starting DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Sending keepalive packet DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Sending handshake initiation DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Routine: sequential receiver - started DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Routine: sequential sender - started DEBUG: 2026/03/07 21:08:23 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:23 WireGuard device created. Lets ping the server now... DEBUG: 2026/03/07 21:08:23 Testing initial connection with reliable ping... DEBUG: gerbil-wireguard: 2026/03/07 21:08:23 peer(xxxx…xxxx) - Received handshake response DEBUG: 2026/03/07 21:08:23 Initial connection test successful DEBUG: 2026/03/07 21:08:23 Ping attempt 1 DEBUG: 2026/03/07 21:08:23 Ping latency: 17.501657ms INFO: 2026/03/07 21:08:23 Tunnel connection to server established successfully! DEBUG: 2026/03/07 21:08:23 Starting ping check DEBUG: 2026/03/07 21:08:23 Not adding target because not running DEBUG: 2026/03/07 21:08:23 Not adding target because not running DEBUG: 2026/03/07 21:08:23 Not adding target because not running DEBUG: 2026/03/07 21:08:23 Not adding target because not running DEBUG: 2026/03/07 21:08:23 Not adding target because not running DEBUG: 2026/03/07 21:08:23 Started direct UDP relay on 100.89.128.4:51099 (bidirectional via SharedBind) DEBUG: 2026/03/07 21:08:23 Adding 1 health check targets in bulk DEBUG: 2026/03/07 21:08:23 Target 5 configuration: scheme=https, method=GET, interval=90s, timeout=5s INFO: 2026/03/07 21:08:23 Starting monitoring for target 5 (xxxx.xxxxx:2743) DEBUG: 2026/03/07 21:08:23 Successfully added target: ID=5, hostname=xxxx.xxxxx DEBUG: 2026/03/07 21:08:23 Successfully added all 1 health check targets DEBUG: 2026/03/07 21:08:23 Successfully added 1 health check targets DEBUG: 2026/03/07 21:08:23 Direct UDP relay started (bidirectional through SharedBind) INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxx.xxxxx:4490 DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:42428 to xxxx.xxxxx:4490 INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxx.xxxxx:2743 DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:40690 to xxxx.xxxxx:2743 INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxx.xxxxx:2283 DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:45496 to xxxxxx.xxxxx:2283 INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxx.xxxxx:443 DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:44325 to xxxxxx.xxxxx:443 INFO: 2026/03/07 21:08:23 Started tcp proxy to xxxxxxxxx.xxxxx:443 DEBUG: 2026/03/07 21:08:23 Started tcp proxy from 100.89.128.4:46393 to xxxxxxxxx.xxxxx:443 INFO: 2026/03/07 21:08:23 Starting health check monitoring for target 5 (xxxx.xxxxx:2743) DEBUG: 2026/03/07 21:08:23 Target 5: performing health check 1 to https://xxxx.xxxxx:2743/health DEBUG: 2026/03/07 21:08:23 Target 5: HTTPS health check with certificate enforcement: false DEBUG: 2026/03/07 21:08:23 Target 5: health check passed (status: 200) INFO: 2026/03/07 21:08:23 Target 5 initial status: healthy DEBUG: 2026/03/07 21:08:23 Target 5: initial check interval set to 1m30s DEBUG: 2026/03/07 21:08:23 Health check status update for 1 targets DEBUG: 2026/03/07 21:08:23 Health check status: map[5:map[checkCount:1 config:{ID:5 Enabled:true Path:/health Scheme:https Mode:http Hostname:xxxx.xxxxx Port:2743 Interval:90 UnhealthyInterval:90 Timeout:5 Headers:map[host:xxxx.xxxxx] Method:GET Status:0 TLSServerName:xxxx.xxxxx} lastCheck:2026-03-07T21:08:23+01:00 lastError: status:healthy]] DEBUG: 2026/03/07 21:08:23 Sending message: newt/healthcheck/status, data: map[targets:map[5:map[checkCount:1 config:{ID:5 Enabled:true Path:/health Scheme:https Mode:http Hostname:xxxx.xxxxx Port:2743 Interval:90 UnhealthyInterval:90 Timeout:5 Headers:map[host:xxxx.xxxxx] Method:GET Status:0 TLSServerName:xxxx.xxxxx} lastCheck:2026-03-07T21:08:23+01:00 lastError: status:healthy]]] DEBUG: 2026/03/07 21:08:24 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:24 Increased hole punch interval to 2s DEBUG: 2026/03/07 21:08:24 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:26 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:26 Increased hole punch interval to 4s DEBUG: 2026/03/07 21:08:26 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:28 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:30 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:30 Increased hole punch interval to 8s DEBUG: 2026/03/07 21:08:30 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:32 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:34 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:36 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:38 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:38 Increased hole punch interval to 16s DEBUG: 2026/03/07 21:08:38 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] DEBUG: 2026/03/07 21:08:40 Sending message: newt/wg/get-config, data: map[port:51099 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] INFO: 2026/03/07 21:08:42 SendMessageInterval timed out after 10 attempts for message type: newt/wg/get-config DEBUG: 2026/03/07 21:08:54 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:08:54 Increased hole punch interval to 32s DEBUG: 2026/03/07 21:09:07 Received message: [map[destPrefix:100.96.128.9/32 disableIcmp:false portRange:[map[max:80 min:80 protocol:tcp] map[max:443 min:443 protocol:tcp] map[max:443 min:443 protocol:udp]] rewriteTo:xxxxxxxxx.xxxxx sourcePrefix:100.90.128.0/32]] DEBUG: 2026/03/07 21:09:07 Skipping add target - using native interface (no proxy support) DEBUG: 2026/03/07 21:09:23 Received message: map[publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] INFO: 2026/03/07 21:09:23 WireGuard device is not initialized DEBUG: 2026/03/07 21:09:23 Received message: map[allowedIps:[100.90.128.0/32] endpoint:xx.xxx.xxx.xxx:27616 publicKey:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] INFO: 2026/03/07 21:09:23 WireGuard device is not initialized DEBUG: 2026/03/07 21:09:26 Sent UDP hole punch to xxx.xxx.xxx.xxx:21820: {"ephemeralPublicKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","nonce":"xxxxxxxxxxxxxxxx","ciphertext":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} DEBUG: 2026/03/07 21:09:26 Increased hole punch interval to 1m0s DEBUG: 2026/03/07 21:09:53 Target 5: performing health check 2 to https://xxxx.xxxxx:2743/health DEBUG: 2026/03/07 21:09:53 Target 5: HTTPS health check with certificate enforcement: false DEBUG: 2026/03/07 21:09:53 Target 5: health check passed (status: 200) ```
GiteaMirror commented 2026-05-03 05:45:21 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Mar 9, 2026):

Thanks for the detailed debug logs @hanjo - they were very helpful in tracking this down.

So my theory so far is a race condition in Pangolin, not a newt client issue. The handleGetConfigMessage handler has two conditions that cause it to silently drop requests without sending a response:

  1. Endpoint not set yet (handleGetConfigMessage.ts:59-64):
    if (!existingSite.endpoint) {
    logger.debug(In newt get config: existing site has no endpoint, skipping);
    return; // No response sent - client times out
    }

  2. Hole punch too old (handleGetConfigMessage.ts:70-75):
    if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 5) {
    logger.warn(Site last hole punch is too old, skipping);
    return; // No response sent - client times out
    }

Why it could be affecting ARM64/aarch64 only?

The endpoint and lastHolePunch fields are only set when the hole punch succeeds via Gerbil (updateHolePunch.ts:321-328). On ARM64/Raspberry Pi:

  1. Newt connects and immediately starts requesting config
  2. Hole punch is happening concurrently but takes slightly longer on ARM64
  3. All get-config requests arrive before endpoint is set → silently dropped
  4. By the time hole punch completes, either:
    - The 10 retry attempts (20 seconds) have been exhausted, OR
    - The lastHolePunch timestamp is now >5 seconds old

Evidence from Logs

  21:08:22 - Requesting WireGuard configuration from remote server
  21:08:22 - Sending message: newt/wg/get-config  ← endpoint not set yet
  21:08:23 - Starting UDP hole punch...
  21:08:24 - Sending message: newt/wg/get-config  ← still waiting for hole punch
  ...
  21:08:42 - SendMessageInterval timed out after 10 attempts  ← never received response
  21:09:23 - WireGuard device is not initialized  ← device was never created

Could it be anything else?

Yes in theory maybe the DMZ the device is behind is too strict, but is the x86 device in the same DMZ?

Current ideas to fix:

Option A: Increase the 5-second window
The 5-second lastHolePunch requirement is very strict. Increasing to 30 seconds would accommodate slower ARM64 initialization, but also could introduce mismatch if not handled correctly (most stateful firewalls hold routes for 30 seconds maximum)

Option B: Return an error instead of silent drop
Send an explicit error response so the client knows to retry:

  if (!existingSite.endpoint) {
      return {
          message: {
              type: "newt/wg/receive-config",
              data: { error: "endpoint_not_ready" }
          }
      };
  }

Option C: Client-side resilience
Have newt wait for hole punch confirmation before requesting config, or implement longer/infinite retries for get-config.

<!-- gh-comment-id:4022753053 --> @LaurenceJJones commented on GitHub (Mar 9, 2026): Thanks for the detailed debug logs @hanjo - they were very helpful in tracking this down. So my theory so far is a race condition in Pangolin, not a newt client issue. The handleGetConfigMessage handler has two conditions that cause it to silently drop requests without sending a response: 1. Endpoint not set yet (handleGetConfigMessage.ts:59-64): if (!existingSite.endpoint) { logger.debug(`In newt get config: existing site has no endpoint, skipping`); return; // No response sent - client times out } 2. Hole punch too old (handleGetConfigMessage.ts:70-75): if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 5) { logger.warn(`Site last hole punch is too old, skipping`); return; // No response sent - client times out } Why it could be affecting ARM64/aarch64 only? The endpoint and lastHolePunch fields are only set when the hole punch succeeds via Gerbil (updateHolePunch.ts:321-328). On ARM64/Raspberry Pi: 1. Newt connects and immediately starts requesting config 2. Hole punch is happening concurrently but takes slightly longer on ARM64 3. All get-config requests arrive before endpoint is set → silently dropped 4. By the time hole punch completes, either: - The 10 retry attempts (20 seconds) have been exhausted, OR - The lastHolePunch timestamp is now >5 seconds old Evidence from Logs ``` 21:08:22 - Requesting WireGuard configuration from remote server 21:08:22 - Sending message: newt/wg/get-config ← endpoint not set yet 21:08:23 - Starting UDP hole punch... 21:08:24 - Sending message: newt/wg/get-config ← still waiting for hole punch ... 21:08:42 - SendMessageInterval timed out after 10 attempts ← never received response 21:09:23 - WireGuard device is not initialized ← device was never created ``` Could it be anything else? Yes in theory maybe the DMZ the device is behind is too strict, but is the `x86` device in the same DMZ? Current ideas to fix: Option A: Increase the 5-second window The 5-second lastHolePunch requirement is very strict. Increasing to 30 seconds would accommodate slower ARM64 initialization, but also could introduce mismatch if not handled correctly (most stateful firewalls hold routes for 30 seconds maximum) Option B: Return an error instead of silent drop Send an explicit error response so the client knows to retry: ``` if (!existingSite.endpoint) { return { message: { type: "newt/wg/receive-config", data: { error: "endpoint_not_ready" } } }; } ``` Option C: Client-side resilience Have newt wait for hole punch confirmation before requesting config, or implement longer/infinite retries for get-config.
GiteaMirror commented 2026-05-03 05:45:25 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Mar 9, 2026):

Wow, very intersting. I wouldn't have figured the performance of the device to be a factor. The x86_64 machine I'm running newt on is a Intel Core i5-9500T which should be about 5-6x times as fast. A more relevant measure is probably the SSD compared to the SD card, which has a huge influence on I/O.

Not sure what Option makes most sense, but if you need me to test some development version, let me know. I'm running everything in docker, if that makes any difference.

<!-- gh-comment-id:4023004090 --> @hanjo commented on GitHub (Mar 9, 2026): Wow, very intersting. I wouldn't have figured the performance of the device to be a factor. The x86_64 machine I'm running newt on is a Intel Core i5-9500T which should be about 5-6x times as fast. A more relevant measure is probably the SSD compared to the SD card, which has a huge influence on I/O. Not sure what Option makes most sense, but if you need me to test some development version, let me know. I'm running everything in docker, if that makes any difference.
GiteaMirror commented 2026-05-03 05:45:29 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Mar 24, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:4114615440 --> @github-actions[bot] commented on GitHub (Mar 24, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
GiteaMirror commented 2026-05-03 05:45:31 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Mar 24, 2026):

Any news on this issue @LaurenceJJones ?

<!-- gh-comment-id:4121125395 --> @hanjo commented on GitHub (Mar 24, 2026): Any news on this issue @LaurenceJJones ?
GiteaMirror commented 2026-05-03 05:45:32 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Apr 8, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:4203090401 --> @github-actions[bot] commented on GitHub (Apr 8, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
GiteaMirror commented 2026-05-03 05:45:33 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Apr 8, 2026):

It seems also with Pangolin v1.17.0 and Newt v1.11.0 this is still not working.

<!-- gh-comment-id:4204663303 --> @hanjo commented on GitHub (Apr 8, 2026): It seems also with Pangolin v1.17.0 and Newt v1.11.0 this is still not working.
GiteaMirror commented 2026-05-03 05:45:34 -05:00
Author
Owner
Copy Link

@dpurnam commented on GitHub (Apr 10, 2026):

+1 (AMD based newt sites work fine with private resources but not with ARM based newt-sites)

<!-- gh-comment-id:4221162198 --> @dpurnam commented on GitHub (Apr 10, 2026): +1 (AMD based newt sites work fine with private resources but not with ARM based newt-sites)
GiteaMirror commented 2026-05-03 05:45:35 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Apr 28, 2026):

I just updated to newt v1.12.0 and it seems the situation has not changed (i.e. the issue is still the same).

<!-- gh-comment-id:4335980998 --> @hanjo commented on GitHub (Apr 28, 2026): I just updated to newt v1.12.0 and it seems the situation has not changed (i.e. the issue is still the same).
GiteaMirror commented 2026-05-03 05:45:36 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Apr 28, 2026):

I just updated to newt v1.12.0 and it seems the situation has not changed (i.e. the issue is still the same).

Yes apologies me and @oschwartz10612 have a ticket to dive into this but had a few set backs with the release of pangolin.

<!-- gh-comment-id:4336163727 --> @LaurenceJJones commented on GitHub (Apr 28, 2026): > I just updated to newt v1.12.0 and it seems the situation has not changed (i.e. the issue is still the same). Yes apologies me and @oschwartz10612 have a ticket to dive into this but had a few set backs with the release of pangolin.
GiteaMirror commented 2026-05-03 05:45:36 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Apr 28, 2026):

No worries, I can understand this isn't the most pressing thing to look into. Just trying to keep the bot from closing this issue, before it is resolved 🙃

Thanks for your great work!

<!-- gh-comment-id:4336256976 --> @hanjo commented on GitHub (Apr 28, 2026): No worries, I can understand this isn't the most pressing thing to look into. Just trying to keep the bot from closing this issue, before it is resolved 🙃 Thanks for your great work!
GiteaMirror commented 2026-05-03 05:45:38 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Apr 28, 2026):

No worries, I can understand this isn't the most pressing thing to look into. Just trying to keep the bot from closing this issue, before it is resolved 🙃

Thanks for your great work!

I added a tag now so the bot wont close or mark as stale 👍🏻

<!-- gh-comment-id:4336315674 --> @LaurenceJJones commented on GitHub (Apr 28, 2026): > No worries, I can understand this isn't the most pressing thing to look into. Just trying to keep the bot from closing this issue, before it is resolved 🙃 > > Thanks for your great work! I added a tag now so the bot wont close or mark as stale 👍🏻
GiteaMirror commented 2026-05-03 05:45:39 -05:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 28, 2026):

I was actually testing on a arm32v7 Raspberry Pi yesterday and it was working fine. We have newts deployed on arm64 EC2 graviton instances which also work. Must be a specific race condition as maybe Loz is saying. Needs more investigation.

<!-- gh-comment-id:4337677659 --> @oschwartz10612 commented on GitHub (Apr 28, 2026): I was actually testing on a arm32v7 Raspberry Pi yesterday and it was working fine. We have newts deployed on arm64 EC2 graviton instances which also work. Must be a specific race condition as maybe Loz is saying. Needs more investigation.
GiteaMirror commented 2026-05-03 05:45:40 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Apr 30, 2026):

Thanks for looking into this. I now believe my bug report is a false positive. After having re-read the entire issue discussion once more and with the statement, that it works for you, I was checking my configuration once again. In my DMZ I disallow outbound Internet connectivity and I have explicitly allowed tcp/udp 443 and udp 51820 to pangolin. My other newt is in a different network segment without these restrictions. I ran a tcpdump and noticed that newt also tries to connect on udp 21820 to pangolin, which I previously believed only clients (as in "user devices") need to connect to. So I allowed this in the firewall and voilà it works.
Bottom line: it was a misconfiguration on my side; my apologies for having wasted your time.
I leave this issue open in case you would like to use it to trace that race condition, but from my point of view feel free to close it 👍

<!-- gh-comment-id:4353405060 --> @hanjo commented on GitHub (Apr 30, 2026): Thanks for looking into this. I now believe my bug report is a false positive. After having re-read the entire issue discussion once more and with the statement, that it works for you, I was checking my configuration once again. In my DMZ I disallow outbound Internet connectivity and I have explicitly allowed tcp/udp 443 and udp 51820 to pangolin. My other newt is in a different network segment without these restrictions. I ran a tcpdump and noticed that newt also tries to connect on udp 21820 to pangolin, which I previously believed only clients (as in "user devices") need to connect to. So I allowed this in the firewall and voilà it works. Bottom line: it was a misconfiguration on my side; my apologies for having wasted your time. I leave this issue open in case you would like to use it to trace that race condition, but from my point of view feel free to close it 👍
GiteaMirror commented 2026-05-03 05:45:41 -05:00
Author
Owner
Copy Link

@LaurenceJJones commented on GitHub (Apr 30, 2026):

which I previously believed only clients (as in "user devices") need to connect to. So I allowed this in the firewall and voilà it works.

Ahhh! makes perfect sense, maybe we should clarify a bit more in the documentation then? that even though we say "Clients" it is the co-ordination port so both sides as in a client and Newt itself need to be able to communicate to it.

<!-- gh-comment-id:4353673593 --> @LaurenceJJones commented on GitHub (Apr 30, 2026): > which I previously believed only clients (as in "user devices") need to connect to. So I allowed this in the firewall and voilà it works. Ahhh! makes perfect sense, maybe we should clarify a bit more in the documentation then? that even though we say "Clients" it is the co-ordination port so both sides as in a client and Newt itself need to be able to communicate to it.
GiteaMirror commented 2026-05-03 05:45:42 -05:00
Author
Owner
Copy Link

@hanjo commented on GitHub (Apr 30, 2026):

Better documentation can never hurt, can it? 🙃 I think port 21820 is only mentioned twice in the documentation. Maybe it would be helpful to mention the communication requirements on the newt documentation page at https://docs.pangolin.net/manage/sites/install-site#running-newt

<!-- gh-comment-id:4353873949 --> @hanjo commented on GitHub (Apr 30, 2026): Better documentation can never hurt, can it? 🙃 I think port 21820 is only mentioned twice in the documentation. Maybe it would be helpful to mention the communication requirements on the newt documentation page at https://docs.pangolin.net/manage/sites/install-site#running-newt
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
dependencies
enhancement
good first issue
help wanted
Improvement
needs investigating
pull-request
Mirrored from GitHub Pull Request
 stale
wontfix
No Label needs investigating
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/newt#2056
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?