[GH-ISSUE #2951] --holepunch=false (relay mode) fails when UDP 21820 is blocked — server still requires recent hole punch for registration #11041

New Issue

Closed

opened 2026-05-06 15:43:48 -05:00 by GiteaMirror · 3 comments

GiteaMirror commented 2026-05-06 15:43:48 -05:00

Owner

Copy Link

Originally created by @z10n-dev on GitHub (May 1, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2951

Describe the Bug

When UDP port 21820 is blocked by a firewall (e.g. school or corporate network), the --holepunch=false flag does not work as expected. Even with holepunch disabled on the client, the server still requires a successful hole punch within the last 5 seconds before it will respond to olm/wg/register. This makes it impossible to use relay mode on networks that block UDP 21820.

Actual behavior
Server-side validation in handleOlmRegisterMessage checks if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) and skips the register regardless of whether the client requested relay mode.

Additional context

• The connection works fine on a hotspot (UDP 21820 unblocked)
• Port 21820 UDP is hardcoded in Gerbil and not yet configurable via config.yml (clients_start_port does not affect Gerbil's actual listening port)
• This is a regression from pre-0.8.0 behavior, where relay fallback worked silently when hole punch failed
• tcpdump on the server confirms hole punch packets from the school network never reach port 21820, but do reach 51820

Environment

• Pangolin server: 1.18.1
• Olm client: 0.8.0
• OS: Arch Linux (kernel 7.0.2-arch1-1)
• Network: School WiFi — UDP 21820 blocked, UDP 51820 allowed (confirmed via tcpdump)

To Reproduce

1. Block outbound UDP port 21820 (or be on a network that does, e.g. school/corporate WiFi)
2. Run: pangolin up --holepunch=false
3. The websocket connects successfully, but the server keeps responding with:
   Client last hole punch is too old and we have sites to send; skipping this register
4. The client times out and disconnects — relay mode never establishes

Expected Behavior

When --holepunch=false is passed, the server should accept the registration without requiring a recent hole punch and fall back to relay mode, just as it did in versions prior to 0.8.0.

Originally created by @z10n-dev on GitHub (May 1, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2951 ### Describe the Bug When UDP port 21820 is blocked by a firewall (e.g. school or corporate network), the `--holepunch=false` flag does not work as expected. Even with holepunch disabled on the client, the server still requires a successful hole punch within the last 5 seconds before it will respond to `olm/wg/register`. This makes it impossible to use relay mode on networks that block UDP 21820. **Actual behavior** Server-side validation in `handleOlmRegisterMessage` checks `if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0)` and skips the register regardless of whether the client requested relay mode. **Additional context** - The connection works fine on a hotspot (UDP 21820 unblocked) - Port 21820 UDP is hardcoded in Gerbil and not yet configurable via config.yml (`clients_start_port` does not affect Gerbil's actual listening port) - This is a regression from pre-0.8.0 behavior, where relay fallback worked silently when hole punch failed - tcpdump on the server confirms hole punch packets from the school network never reach port 21820, but do reach 51820 ### Environment - Pangolin server: 1.18.1 - Olm client: 0.8.0 - OS: Arch Linux (kernel 7.0.2-arch1-1) - Network: School WiFi — UDP 21820 blocked, UDP 51820 allowed (confirmed via tcpdump) ### To Reproduce 1. Block outbound UDP port 21820 (or be on a network that does, e.g. school/corporate WiFi) 2. Run: `pangolin up --holepunch=false` 3. The websocket connects successfully, but the server keeps responding with: `Client last hole punch is too old and we have sites to send; skipping this register` 4. The client times out and disconnects — relay mode never establishes ### Expected Behavior When `--holepunch=false` is passed, the server should accept the registration without requiring a recent hole punch and fall back to relay mode, just as it did in versions prior to 0.8.0.

GiteaMirror closed this issue 2026-05-06 15:43:48 -05:00

GiteaMirror commented 2026-05-06 15:43:48 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (May 1, 2026):

Relay is done via 21820 Out to the pangolin stack then it connects down to site over you going directly.

<!-- gh-comment-id:4358731769 --> @AstralDestiny commented on GitHub (May 1, 2026): Relay is done via 21820 Out to the pangolin stack then it connects down to site over you going directly.

GiteaMirror commented 2026-05-06 15:43:49 -05:00

Author

Owner

Copy Link

@z10n-dev commented on GitHub (May 1, 2026):

So there is no other way, than using my Hotspot, when the port 21820 is blocked in school wifi?

<!-- gh-comment-id:4358766476 --> @z10n-dev commented on GitHub (May 1, 2026): So there is no other way, than using my Hotspot, when the port 21820 is blocked in school wifi?

GiteaMirror commented 2026-05-06 15:43:49 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (May 1, 2026):

Not right now sorry. Relay over UDP is the only option though I know some work is being done on websocket relaying which we might be able to take.

<!-- gh-comment-id:4360921345 --> @oschwartz10612 commented on GitHub (May 1, 2026): Not right now sorry. Relay over UDP is the only option though I know some work is being done on websocket relaying which we might be able to take.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/axios-1.15.2

s3

dependabot/npm_and_yarn/next-intl-4.9.2

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#11041