[GH-ISSUE #3096] Newt site stays online but WireGuard data plane stops carrying traffic #17293

New Issue

Open

opened 2026-05-18 17:47:05 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-18 17:47:05 -05:00

Owner

Copy Link

Originally created by @yusuf-madkour on GitHub (May 17, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3096

Describe the Bug

A Newt site that previously worked stopped carrying public-resource traffic. Pangolin still showed the site online / reconnected, but resources behind that Newt site returned 502.

The site had historical non-zero data in/out counters, so this was not a fresh setup that never worked. The same backend resources were restored immediately by moving them from the Newt site to a local Pangolin site on the VPS, reaching the same backend IPs/ports over an existing NetBird route.

Environment

• Pangolin/Gerbil/Traefik host: Ubuntu 24.04.3 LTS, aarch64, Oracle VPS
• Original Newt host: Proxmox VE 9.1.4, unprivileged Ubuntu LXC 100, amd64
• Reproduction Newt host: Debian 13.2 (trixie), aarch64, bare-metal madpi
• Pangolin Version: 1.18.4
• Gerbil Version: 1.4.0
• Traefik Version: 3.5
• Newt Version: 1.12.5

To Reproduce

I do not have a clean minimal reproducer yet. The failure was observed in this sequence:

1. Run Pangolin/Gerbil/Traefik on a VPS with a Newt site connected from a home network behind CGNAT.
2. Use the Newt site successfully for public resources for some time; the site had non-zero data in/out counters.
3. After the failure starts, keep the same Newt site connected. Pangolin still shows it online / reconnected.
4. Access public resources routed through that Newt site.
5. The resources return 502, while Gerbil wg0 shows no useful RX / handshake traffic.

Additional checks:

• The issue reproduced with a separate bare-metal Newt test on a raspberry pi device in the same subnet.
• A plain UDP probe to Gerbil 51820 reached the VPS.

Expected Behavior

If the Newt site is online/reconnected, the WireGuard data plane should recover or report a clear failed state. Previously working public resources behind the Newt site should not remain stuck at 502 with no useful wg0 RX/handshake traffic.

Originally created by @yusuf-madkour on GitHub (May 17, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/3096 ### Describe the Bug A Newt site that previously worked stopped carrying public-resource traffic. Pangolin still showed the site online / reconnected, but resources behind that Newt site returned 502. The site had historical non-zero data in/out counters, so this was not a fresh setup that never worked. The same backend resources were restored immediately by moving them from the Newt site to a local Pangolin site on the VPS, reaching the same backend IPs/ports over an existing NetBird route. ### Environment - Pangolin/Gerbil/Traefik host: Ubuntu 24.04.3 LTS, aarch64, Oracle VPS - Original Newt host: Proxmox VE 9.1.4, unprivileged Ubuntu LXC 100, amd64 - Reproduction Newt host: Debian 13.2 (trixie), aarch64, bare-metal `madpi` - Pangolin Version: 1.18.4 - Gerbil Version: 1.4.0 - Traefik Version: 3.5 - Newt Version: 1.12.5 ### To Reproduce I do not have a clean minimal reproducer yet. The failure was observed in this sequence: 1. Run Pangolin/Gerbil/Traefik on a VPS with a Newt site connected from a home network behind CGNAT. 2. Use the Newt site successfully for public resources for some time; the site had non-zero data in/out counters. 3. After the failure starts, keep the same Newt site connected. Pangolin still shows it online / reconnected. 4. Access public resources routed through that Newt site. 5. The resources return 502, while Gerbil `wg0` shows no useful RX / handshake traffic. Additional checks: - The issue reproduced with a separate bare-metal Newt test on a raspberry pi device in the same subnet. - A plain UDP probe to Gerbil `51820` reached the VPS. ### Expected Behavior If the Newt site is online/reconnected, the WireGuard data plane should recover or report a clear failed state. Previously working public resources behind the Newt site should not remain stuck at 502 with no useful `wg0` RX/handshake traffic.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

fix-3104

dev

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

crowdin_dev

rdp-ssh

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#17293