[GH-ISSUE #2631] Memory leak in Node.js server caused by rapid UDP endpoint roaming (LTE/CGNAT) #10962

New Issue

Closed

opened 2026-05-06 15:38:39 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-05-06 15:38:39 -05:00

Owner

Copy Link

Originally created by @cmmrandau on GitHub (Mar 11, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2631

Describe the Bug

The Pangolin Node.js process is experiencing a memory leak, eventually consuming almost all available host RAM (reached 5.8 GiB in my case).

The issue appears to be tied to endpoint roaming/port changes. I have a newt client running on an LTE network in a Docker container. Because of the cellular provider's aggressive CGNAT, the UDP connection drops exactly every 60 seconds, and the client reconnects on a new port.

While WireGuard natively handles this endpoint roaming fine, the Pangolin server appears to be holding onto every single dead connection state instead of garbage-collecting them. Over 5 days, at 1,440 port changes a day, the Node process memory slowly balloons until the system runs out of RAM.

(please forgive me for using AI to write the report)

Environment

• OS Type & Version: Ubuntu 24.04
• Pangolin Version: 1.16.2 EE
• Gerbil Version: 1.30
• Traefik Version: 3.69
• Newt Version:1.10.2

To Reproduce

Run a newt client behind an aggressive CGNAT or LTE connection that forces a port change frequently (or artificially force the client to change its source port every 60 seconds).

Monitor the Pangolin server logs; observe the constant [info]: Site X endpoint changed from IP:PORT to IP:NEW_PORT messages.

On the newt client side: lots of INFO: 2026/03/11 01:10:25 TCP Forwarder: Successfully connected to 172.18.0.7:3553, starting bidirectional copy

Monitor the Pangolin node process RAM usage via top or btop.

Observe the memory usage steadily climbing without ever releasing.

Expected Behavior

When a WireGuard endpoint roams and changes its port, Pangolin should update the tunnel's active endpoint and immediately discard/garbage-collect the old connection state from memory.

Originally created by @cmmrandau on GitHub (Mar 11, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2631 ### Describe the Bug The Pangolin Node.js process is experiencing a memory leak, eventually consuming almost all available host RAM (reached 5.8 GiB in my case). The issue appears to be tied to endpoint roaming/port changes. I have a newt client running on an LTE network in a Docker container. Because of the cellular provider's aggressive CGNAT, the UDP connection drops exactly every 60 seconds, and the client reconnects on a new port. While WireGuard natively handles this endpoint roaming fine, the Pangolin server appears to be holding onto every single dead connection state instead of garbage-collecting them. Over 5 days, at 1,440 port changes a day, the Node process memory slowly balloons until the system runs out of RAM. (please forgive me for using AI to write the report) ### Environment - OS Type & Version: Ubuntu 24.04 - Pangolin Version: 1.16.2 EE - Gerbil Version: 1.30 - Traefik Version: 3.69 - Newt Version:1.10.2 ### To Reproduce Run a newt client behind an aggressive CGNAT or LTE connection that forces a port change frequently (or artificially force the client to change its source port every 60 seconds). Monitor the Pangolin server logs; observe the constant [info]: Site X endpoint changed from IP:PORT to IP:NEW_PORT messages. On the newt client side: lots of INFO: 2026/03/11 01:10:25 TCP Forwarder: Successfully connected to 172.18.0.7:3553, starting bidirectional copy Monitor the Pangolin node process RAM usage via top or btop. Observe the memory usage steadily climbing without ever releasing. ### Expected Behavior When a WireGuard endpoint roams and changes its port, Pangolin should update the tunnel's active endpoint and immediately discard/garbage-collect the old connection state from memory.

GiteaMirror added the stale label 2026-05-06 15:38:39 -05:00

GiteaMirror closed this issue 2026-05-06 15:38:42 -05:00

GiteaMirror commented 2026-05-06 15:38:45 -05:00

Author

Owner

Copy Link

@cmmrandau commented on GitHub (Mar 11, 2026):

<!-- gh-comment-id:4035520976 --> @cmmrandau commented on GitHub (Mar 11, 2026): <img width="1920" height="1200" alt="Image" src="https://github.com/user-attachments/assets/d2f8f6b4-e869-4e24-9460-dd392738c90c" />

GiteaMirror commented 2026-05-06 15:38:47 -05:00

Author

Owner

Copy Link

@xylcro commented on GitHub (Mar 12, 2026):

This may be related to #2120

<!-- gh-comment-id:4049501873 --> @xylcro commented on GitHub (Mar 12, 2026): This may be related to #2120

GiteaMirror commented 2026-05-06 15:38:48 -05:00

Author

Owner

Copy Link

@cmmrandau commented on GitHub (Mar 12, 2026):

Yes I've seen that. I've removed the CGNAT site as well as traefik dashboard and crowdsec manager to see if the "vanilla" pangolin suite also leaks memory, in which case it's likely the same bug. Never seen it before, though, before I added the CGNAT site and the log spam began.

<!-- gh-comment-id:4049869506 --> @cmmrandau commented on GitHub (Mar 12, 2026): Yes I've seen that. I've removed the CGNAT site as well as traefik dashboard and crowdsec manager to see if the "vanilla" pangolin suite also leaks memory, in which case it's likely the same bug. Never seen it before, though, before I added the CGNAT site and the log spam began.

GiteaMirror commented 2026-05-06 15:38:48 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Mar 27, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:4139240772 --> @github-actions[bot] commented on GitHub (Mar 27, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

GiteaMirror commented 2026-05-06 15:38:49 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Apr 10, 2026):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

<!-- gh-comment-id:4218926806 --> @github-actions[bot] commented on GitHub (Apr 10, 2026): This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label stale

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#10962