[GH-ISSUE #2349] Feature Request: Native/Kernel WireGuard support for Newt with full site-to-site networking #4089

New Issue

Closed

opened 2026-04-20 08:31:56 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-20 08:31:56 -05:00

Owner

Copy Link

Originally created by @fampla on GitHub (Jan 27, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2349

Feature Request

Problem

I want to use Pangolin/Newt as my single networking solution to replace Tailscale, connecting multiple servers (homelab, remote Proxmox hosts) with full site-to-site connectivity for services like NFS shares.

Currently I face two limitations:

1. Performance: Newt's userspace WireGuard implementation is significantly slower than kernel WireGuard. As discussed in #512, users report ~1-10 MB/s with Newt vs 22+ MB/s with native WireGuard for the same connection.

2. Site-to-Site networking: Private resources and subnet routing only work with Newt, but the performance penalty makes it unsuitable for bandwidth-intensive use cases (NFS, media streaming, backups).

Current Workaround

I'm forced to run a hybrid setup:

• Native WireGuard (wg0) for bandwidth-intensive services (Emby, etc.)
• Tailscale for site-to-site connectivity (NFS between servers)

This defeats the purpose of having a unified self-hosted solution.

Proposed Solution

Add native/kernel WireGuard support to Newt, similar to how Tailscale offers both userspace and kernel modes:

1. --native or --kernel flag that uses the system's WireGuard kernel module instead of userspace netstack
2. Maintain Pangolin integration - keep the control plane communication, automatic peer configuration, and private resource management
3. Site-to-site routing through kernel networking stack for proper subnet gateway functionality (related to #1370)

Benefits

• Near line-speed performance for all traffic
• True Tailscale replacement with full site-to-site networking
• Single service to manage instead of multiple VPN solution

Environment

• Multiple Proxmox hosts
• Docker containers (Emby, NFS, etc.)
• Currently using: Pangolin + native WireGuard + Tailscale (want to consolidate)

I noticed there's a --native / USE_NATIVE_INTERFACE flag in the code - is this intended for this purpose? If so, documentation would be helpful.

Thank you for this great project!

Originally created by @fampla on GitHub (Jan 27, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2349 ## Feature Request ### Problem I want to use Pangolin/Newt as my **single networking solution** to replace Tailscale, connecting multiple servers (homelab, remote Proxmox hosts) with full site-to-site connectivity for services like NFS shares. Currently I face two limitations: 1. **Performance**: Newt's userspace WireGuard implementation is significantly slower than kernel WireGuard. As discussed in #512, users report ~1-10 MB/s with Newt vs 22+ MB/s with native WireGuard for the same connection. 2. **Site-to-Site networking**: Private resources and subnet routing only work with Newt, but the performance penalty makes it unsuitable for bandwidth-intensive use cases (NFS, media streaming, backups). ### Current Workaround I'm forced to run a hybrid setup: - **Native WireGuard (wg0)** for bandwidth-intensive services (Emby, etc.) - **Tailscale** for site-to-site connectivity (NFS between servers) This defeats the purpose of having a unified self-hosted solution. ### Proposed Solution Add native/kernel WireGuard support to Newt, similar to how Tailscale offers both userspace and kernel modes: 1. **`--native` or `--kernel` flag** that uses the system's WireGuard kernel module instead of userspace netstack 2. **Maintain Pangolin integration** - keep the control plane communication, automatic peer configuration, and private resource management 3. **Site-to-site routing** through kernel networking stack for proper subnet gateway functionality (related to #1370) ### Benefits - Near line-speed performance for all traffic - True Tailscale replacement with full site-to-site networking - Single service to manage instead of multiple VPN solution ### Environment - Multiple Proxmox hosts - Docker containers (Emby, NFS, etc.) - Currently using: Pangolin + native WireGuard + Tailscale (want to consolidate) I noticed there's a `--native` / `USE_NATIVE_INTERFACE` flag in the code - is this intended for this purpose? If so, documentation would be helpful. Thank you for this great project!

GiteaMirror closed this issue 2026-04-20 08:31:57 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/axios-1.15.2

s3

dependabot/npm_and_yarn/next-intl-4.9.2

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#4089