mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 14:47:04 -05:00
[GH-ISSUE #2951] --holepunch=false (relay mode) fails when UDP 21820 is blocked — server still requires recent hole punch for registration #32343
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @z10n-dev on GitHub (May 1, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2951
Describe the Bug
When UDP port 21820 is blocked by a firewall (e.g. school or corporate network), the
--holepunch=falseflag does not work as expected. Even with holepunch disabled on the client, the server still requires a successful hole punch within the last 5 seconds before it will respond toolm/wg/register. This makes it impossible to use relay mode on networks that block UDP 21820.Actual behavior
Server-side validation in
handleOlmRegisterMessagechecksif (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0)and skips the register regardless of whether the client requested relay mode.Additional context
clients_start_portdoes not affect Gerbil's actual listening port)Environment
To Reproduce
pangolin up --holepunch=falseClient last hole punch is too old and we have sites to send; skipping this registerExpected Behavior
When
--holepunch=falseis passed, the server should accept the registration without requiring a recent hole punch and fall back to relay mode, just as it did in versions prior to 0.8.0.@AstralDestiny commented on GitHub (May 1, 2026):
Relay is done via 21820 Out to the pangolin stack then it connects down to site over you going directly.
@z10n-dev commented on GitHub (May 1, 2026):
So there is no other way, than using my Hotspot, when the port 21820 is blocked in school wifi?
@oschwartz10612 commented on GitHub (May 1, 2026):
Not right now sorry. Relay over UDP is the only option though I know some work is being done on websocket relaying which we might be able to take.
@jecabe commented on GitHub (Jun 2, 2026):
I don't think this is only related to the server configuration.
In my case, using exactly the same Pangolin server, the same client and the same user account:
Client last hole punch is too old.The interesting part is that the server receives the WebSocket connection correctly, but the UDP hole punch validation never completes.
I also contacted my mobile provider and they confirmed that mobile connections use a carrier-grade NAT-like architecture that cannot be disabled for individual customers.
Since most mobile operators today use CG-NAT or similar carrier NAT technologies, I suspect the current hole punching implementation may have problems with some mobile NAT environments (symmetric NAT, aggressive UDP port remapping, carrier NAT, etc.).
The same server works perfectly over WiFi but consistently fails over the mobile network, which points more towards a NAT traversal issue than a firewall or port-forwarding problem.
Has anyone successfully tested Android clients over mobile networks using CG-NAT?