[Feature Request] Allow tunneled connections with CF proxy on #21

Closed
opened 2025-11-19 07:12:03 -06:00 by GiteaMirror · 1 comment

Originally created by @gitmotion on GitHub (May 5, 2025).

Hey there!

Loving the concept of Pangolin, Gerbil, and Newt!

I posted about this on Discord, but I was getting an ICMP packet error when installing Newt on my server to connect to a VPS:

```
WARN: 2025/05/05 21:28:43 Ping attempt 1 failed: failed to read ICMP packet: i/o timeout
INFO: 2025/05/05 21:28:43 Starting ping check
INFO: 2025/05/05 21:28:43 Ping attempt 2
```

It's most likely because I have Cloudflare Proxy turned on and it is blocking UDP traffic.
However, I'm wondering: since Newt is trying to connect to Gerbil using WireGuard, wouldn't it theoretically be possible to include a `PUBLIC_IP` env var for Newt and use that when making the UDP connection to Gerbil? That way users could still have CF Proxy turned on for DNS but still make a tunneled connection directly.

I'm also told Newt tries to get the config from Pangolin, so maybe include a Public/Server IP setting at the org level in Pangolin so it can pass that down in the config?

Not sure if this is 100% possible, and I don't have enough experience in Go to make a POC just yet, but this would make using Pangolin significantly safer against DDoS attacks.

Of course, please correct me if I'm wrong 🙏🏻

thanks and great work!


@gitmotion commented on GitHub (May 6, 2025):

Actually found the workaround for this by updating the endpoint in the Gerbil config to point to the external IP instead of the domain.
So this should allow Newt to get the config from Gerbil with the IP instead and establish the WireGuard connection this way, allowing Cloudflare Proxy to remain on.

Read the bottom of:
https://docs.fossorial.io/Getting%20Started/dns-networking

Will close this in a few days in case others need to come across this.

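A quick check for the situation described in this thread, added here as an example and not code from the original issue or from the Newt, Gerbil or Pangolin projects. It resolves the hostname used as the WireGuard endpoint, reports whether the answers land on Cloudflare's edge (which is what an orange-cloud proxied record resolves to, so WireGuard's UDP handshake never reaches the VPS), and prints the literal-IP `Endpoint` value the workaround uses. Assumptions: the IPv4 range list is a snapshot of what Cloudflare publishes at https://www.cloudflare.com/ips-v4 and should be refreshed before being relied on; `vps.example.com`, `198.51.100.7` and port `51820` are placeholders; the program name `cfcheck` is hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"os"
	"strconv"
)

// cloudflareV4 is a snapshot of Cloudflare's published IPv4 edge ranges.
// Assumption: copied from https://www.cloudflare.com/ips-v4; refresh before relying on it.
var cloudflareV4 = []string{
	"173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
	"141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
	"197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
	"104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
}

var cloudflarePrefixes = mustPrefixes(cloudflareV4)

func mustPrefixes(cidrs []string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// IsCloudflareEdge reports whether addr lies inside a Cloudflare edge range,
// i.e. a proxied (orange-cloud) DNS record resolved to it instead of the origin.
func IsCloudflareEdge(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d like a.b.c.d
	for _, p := range cloudflarePrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ProxiedAddrs returns the subset of addrs that sit on Cloudflare's edge.
func ProxiedAddrs(addrs []netip.Addr) []netip.Addr {
	var out []netip.Addr
	for _, a := range addrs {
		if IsCloudflareEdge(a) {
			out = append(out, a)
		}
	}
	return out
}

// SplitEndpoint parses a WireGuard-style "host:port" endpoint.
func SplitEndpoint(endpoint string) (string, uint16, error) {
	host, portStr, err := net.SplitHostPort(endpoint)
	if err != nil {
		return "", 0, err
	}
	port, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil {
		return "", 0, fmt.Errorf("bad port %q: %w", portStr, err)
	}
	return host, uint16(port), nil
}

// DirectEndpoint builds the literal-IP endpoint the workaround uses, so the UDP
// handshake never consults the proxied record: "198.51.100.7:51820" or "[2001:db8::1]:51820".
func DirectEndpoint(addr netip.Addr, port uint16) string {
	return netip.AddrPortFrom(addr.Unmap(), port).String()
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: cfcheck <host:port> <origin-ip>")
		os.Exit(2)
	}
	host, port, err := SplitEndpoint(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	origin, err := netip.ParseAddr(os.Args[2]) // the VPS's real public address
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	addrs, err := net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
	if err != nil {
		fmt.Fprintln(os.Stderr, "lookup failed:", err)
		os.Exit(1)
	}
	if proxied := ProxiedAddrs(addrs); len(proxied) > 0 {
		fmt.Printf("%s resolves to Cloudflare edge %v; WireGuard UDP will not reach the origin.\n", host, proxied)
		fmt.Printf("Use Endpoint = %s instead.\n", DirectEndpoint(origin, port))
		os.Exit(1)
	}
	fmt.Printf("%s resolves to %v (not proxied); a DNS endpoint is fine.\n", host, addrs)
}
```

Run it as `go run . vps.example.com:51820 198.51.100.7`. One caveat worth keeping in mind when applying the workaround: writing the literal origin IP into the Gerbil endpoint means every Newt that receives the config learns the VPS's real address, and the WireGuard UDP port is reachable directly; the Cloudflare proxy only shields the HTTP(S) paths it fronts. WireGuard does not respond to packets that fail authentication, which limits what a scanner can learn from that port, but the address itself is no longer hidden.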
Reference: github-starred/newt#21