[GH-ISSUE #593] TCP resource #1523

Closed
opened 2026-04-16 08:11:00 -05:00 by GiteaMirror · 12 comments

Originally created by @roadkingvrod on GitHub (Apr 24, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/593

I may be misunderstanding how this should work. I have successfully set up https proxies and they work great, and as expected.

However, I'm trying to figure out how to set up an RDP type resource. Here's my scenario:

I have newt installed in a separate subnet and connected (site shows connected in Pangolin). I am now trying to set up an rdp connection to a server in that network via the tcp resources. I have set up a resource to the best of my understanding, and in the newt logs, I see this:

nelIP:100.89.128.4]}
INFO: 2025/04/24 11:21:41 WireGuard device created. Lets ping the server now...
INFO: 2025/04/24 11:21:41 Ping attempt 1
INFO: 2025/04/24 11:21:41 Pinging 100.89.128.1
INFO: 2025/04/24 11:21:41 Ping latency: 9.9418ms
INFO: 2025/04/24 11:21:41 Starting ping check
INFO: 2025/04/24 11:21:41 Started tcp proxy from 100.89.128.4:43996 to 192.168.52.10:3389
INFO: 2025/04/24 11:22:11 Pinging 100.89.128.1
INFO: 2025/04/24 11:22:11 Ping latency: 4.6659ms
INFO: 2025/04/24 11:22:41 Pinging 100.89.128.1
INFO: 2025/04/24 11:22:41 Ping latency: 2.6014ms

192.168.52.10:3389 is the server I want to remote desktop to once I'm authenticated into Pangolin.

How do I actually connect to it?

Thanks for helping with my basic knowledge!

GiteaMirror added the stale label 2026-04-16 08:11:00 -05:00

@roadkingvrod commented on GitHub (Apr 24, 2025):

Important to note that Newt is running directly on Windows so there are no container issues (and Windows firewall is turned off).


@miloschwartz commented on GitHub (Apr 24, 2025):

Assuming the proxy is working, to connect you'd use the VPS IP as the hostname, and use the port you set when you defined the resource as the port.


@roadkingvrod commented on GitHub (Apr 24, 2025):

That's how I thought it should work but no luck. Knowing that, I'll keep tinkering and report back anything I find. Thanks!


@miloschwartz commented on GitHub (Apr 24, 2025):

Just doing my due diligence by asking, have you triple checked the following:

  1. Added entrypoint to Traefik
  2. Exposed ports on the Gerbil container in docker compose
  3. Opened port on server firewall (network firewall/security and OS firewall if needed)

@roadkingvrod commented on GitHub (Apr 24, 2025):

  1. and 2. Yes

OS firewall is off. But I have a question on the outside firewall/router. I was hoping that you'd have to authenticate to gain access to the TCP port (as RDP open to the web can be quite dangerous). Does Pangolin just encrypt the data without authentication?


@TuncTaylan commented on GitHub (Apr 25, 2025):

Just for this I just tested on my setup, here is a quick summary and points you might be missing:

  • Create a raw TCP resource with the TCP port 3389
  • Add the following to `config/traefik/traefik_config.yml`:

```yaml
entryPoints:
  tcp-3389:
    address: ":3389/tcp"
```

  • Add the following to your `docker-compose.yml`:

```yaml
ports:
  - 3389:3389
```

  • Add the target configuration for that resource in Pangolin (add IP / Hostname to your Windows and Port and save targets)
  • After that, make sure that your tunnel / newt instance at the network has access to Windows via TCP 3389
  • Make sure that the VM/VPS where the Pangolin stack is running has an ingress rule for TCP 3389
  • Make sure in Windows that RDP is activated and the firewall is configured (google that :))
  • Make sure that the `allow_raw_resources` flag in your `config/config.yml` is set to true:

```yaml
flags:
  allow_raw_resources: true
```

  • Restart the stack with `docker compose up -d --force-recreate`

That's it, it works as described.

To your question about encryption, Pangolin sends the raw TCP, everything else is handled by the RDP, and RDP is encapsulated and encrypted within TCP.


@roadkingvrod commented on GitHub (Apr 25, 2025):

Thank you @TuncTaylan and @miloschwartz . I appreciate the help.


@akehir commented on GitHub (Apr 26, 2025):

Small question to @TuncTaylan , I haven't found this in the docs explicitly; but it's a question asked by @roadkingvrod .

He asked:

> is the server I want to remote desktop to once I'm authenticated into Pangolin.

However to my understanding, raw ports are always forwarded directly without authentication. Therefore, this is basically the same as exposing the RDP port directly to the internet; or am I missing something?


@TuncTaylan commented on GitHub (Apr 26, 2025):

Grüezi!
Yes, that’s correct — Pangolin does not provide authentication or encryption for raw TCP/UDP resources. I was referring to the RDP protocol, which should be encrypted within the TCP communication.

That said, exposing RDP directly to the internet is risky. I personally wouldn’t do it, as Microsoft hasn’t historically been known for strong inherent security.
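
Since raw resources are forwarded without authentication, one way to spot them is to scan the Newt log for proxy start lines that target remote-access ports. This is an added example, not code from the thread participants or from the Pangolin/Newt project; it assumes the log format quoted in this issue, and `SENSITIVE_PORTS` and `find_raw_exposures` are hypothetical names.

```python
import re

# Assumed watch-list (not from Pangolin): services that should sit behind an
# authenticating layer rather than a raw, unauthenticated port forward.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Line format taken from the Newt log quoted in this issue. Matching "udp"
# as well is an assumption; the issue only shows a tcp line.
PROXY_RE = re.compile(
    r"^INFO: (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Started (?P<proto>tcp|udp) proxy from "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) to "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)

# The 3389 line is from the issue; the 8080 line is constructed for contrast.
SAMPLE_LOG = """\
INFO: 2025/04/24 11:21:41 Starting ping check
INFO: 2025/04/24 11:21:41 Started tcp proxy from 100.89.128.4:43996 to 192.168.52.10:3389
INFO: 2025/04/24 11:21:42 Started tcp proxy from 100.89.128.4:43997 to 192.168.52.20:8080
INFO: 2025/04/24 11:22:11 Pinging 100.89.128.1
"""


def find_raw_exposures(log_text):
    """Return one finding per raw proxy whose target port is on the watch-list."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m is None:
            continue  # ping, handshake, or any other non-proxy line
        dport = int(m["dport"])
        if dport in SENSITIVE_PORTS:
            findings.append({
                "time": m["ts"],
                "proto": m["proto"],
                "target": f'{m["dst"]}:{dport}',
                "service": SENSITIVE_PORTS[dport],
            })
    return findings


if __name__ == "__main__":
    for f in find_raw_exposures(SAMPLE_LOG):
        print(f'{f["time"]} raw {f["proto"]} forward to {f["target"]} '
              f'({f["service"]}) has no Pangolin authentication in front of it')
```
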


@github-actions[bot] commented on GitHub (May 11, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@github-actions[bot] commented on GitHub (May 25, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.


@krevelen commented on GitHub (Oct 27, 2025):

You could use an SSH tunnel instead, and then initiate RDP on your (extended) localhost.

Reference: github-starred/pangolin#1523