[GH-ISSUE #2837] Newt ping failed #7050

New Issue

Open

opened 2026-04-25 16:02:52 -05:00 by GiteaMirror · 3 comments

GiteaMirror commented 2026-04-25 16:02:52 -05:00

Owner

Copy Link

Originally created by @DSYZayn on GitHub (Apr 12, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2837

Describe the Bug

I tested on pangolin cloud without installing any realy server, just installed a Newt and tried to use it as a cloudflare tunnel to expose a private network service to the public, but it failed. The Newt logs show ping failed. Is this the main reason that my Newt instance is in China? I confirmed that there is no firewall on the server where my Newt instance is located, and that tailscale and cloudflare are both running fine on that server

Environment

• OS Type & Version: Ubuntu 22.04
• Pangolin Version:
• Gerbil Version:
• Traefik Version:
• Newt Version:
• Olm Version: (if applicable)

To Reproduce

Expected Behavior

newt ping failed

Originally created by @DSYZayn on GitHub (Apr 12, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2837 ### Describe the Bug I tested on pangolin cloud without installing any realy server, just installed a Newt and tried to use it as a cloudflare tunnel to expose a private network service to the public, but it failed. The Newt logs show ping failed. Is this the main reason that my Newt instance is in China? I confirmed that there is no firewall on the server where my Newt instance is located, and that tailscale and cloudflare are both running fine on that server ### Environment - OS Type & Version: Ubuntu 22.04 - Pangolin Version: - Gerbil Version: - Traefik Version: - Newt Version: - Olm Version: (if applicable) ### To Reproduce <img width="2061" height="546" alt="Image" src="https://github.com/user-attachments/assets/1959a924-2219-417f-a613-3e7aae9b0fcb" /> ### Expected Behavior newt ping failed

GiteaMirror commented 2026-04-25 16:02:53 -05:00

Author

Owner

Copy Link

@DSYZayn commented on GitHub (Apr 12, 2026):

logs after restart Newt service：

<!-- gh-comment-id:4231274065 --> @DSYZayn commented on GitHub (Apr 12, 2026): logs after restart Newt service： <img width="2070" height="528" alt="Image" src="https://github.com/user-attachments/assets/bc6e0dc9-d285-4c60-89be-e271b6cf5e95" />

GiteaMirror commented 2026-04-25 16:02:53 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (Apr 17, 2026):

What's your vps provider? some vps providers might flag 51820 and 21820 as ddos and selectively flag or block connections, The ICMP happens over the tunnel so if the tunnel can't connect (51820) or your defined port it will cause the ping issue. Also would need to know what versions you're running for stuff.

Sorry didn't read that right in my head for some reason,
If you disable tailscale does it load fine? tailscale is aggressive on using the entire cgnat range for connections which can cause hit or miss issues.

<!-- gh-comment-id:4269529636 --> @AstralDestiny commented on GitHub (Apr 17, 2026): What's your vps provider? some vps providers might flag 51820 and 21820 as ddos and selectively flag or block connections, The ICMP happens over the tunnel so if the tunnel can't connect (51820) or your defined port it will cause the ping issue. Also would need to know what versions you're running for stuff. Sorry didn't read that right in my head for some reason, If you disable tailscale does it load fine? tailscale is aggressive on using the entire cgnat range for connections which can cause hit or miss issues.

GiteaMirror commented 2026-04-25 16:02:53 -05:00

Author

Owner

Copy Link

@coradia commented on GitHub (Apr 24, 2026):

This may be a Pangolin/Gerbil Cloudflare proxy configuration edge case rather than a standalone Newt client issue.

I think I’m hitting the same/related issue with Newt ping failure when using the documented Cloudflare proxy setup.

Pangolin is self-hosted behind a Cloudflare proxy. Following the docs, I've:

gerbil:
  base_endpoint: "<PUBLIC_IP>"

Newt connects successfully to Pangolin:

Server version: 1.18.0-rc.0
Websocket connected

But it then fails the exit node ping because it attempts HTTPS against the raw public IP:

Failed to ping exit node 1 (http://<PUBLIC_IP>/ping) attempt 1:
Get "https://<PUBLIC_IP>/ping": tls: failed to verify certificate:
x509: cannot validate certificate for <PUBLIC_IP> because it doesn't contain any IP SANs

I confirmed the network path itself works:

• WAN 443 forwards to Traefik/Pangolin
• Traefik /ping on websecure returns HTTP/2 200
• Traefik is serving my real wildcard certificate rather than TRAEFIK DEFAULT CERT

However, the certificate is valid for my Pangolin hostname/wildcard domain, not the raw IP address, so Newt’s HTTPS ping to the IP address can't be validated.

A hostname/SNI test works correctly:

curl --resolve <PANGOLIN_HOSTNAME>:443:<PUBLIC_IP> https://<PANGOLIN_HOSTNAME>/ping

So this looks like Newt needs to use a hostname for HTTPS ping/SNI while still allowing Gerbil/WireGuard to use the base_endpoint public IP, as required by the Cloudflare proxy docs.

<!-- gh-comment-id:4317050868 --> @coradia commented on GitHub (Apr 24, 2026): This may be a Pangolin/Gerbil Cloudflare proxy configuration edge case rather than a standalone Newt client issue. I think I’m hitting the same/related issue with Newt ping failure when using the [documented Cloudflare proxy setup](https://docs.pangolin.net/self-host/advanced/cloudflare-proxy). Pangolin is self-hosted behind a Cloudflare proxy. Following the docs, I've: ``` gerbil: base_endpoint: "<PUBLIC_IP>" ``` Newt connects successfully to Pangolin: ``` Server version: 1.18.0-rc.0 Websocket connected ``` But it then fails the exit node ping because it attempts HTTPS against the raw public IP: ``` Failed to ping exit node 1 (http://<PUBLIC_IP>/ping) attempt 1: Get "https://<PUBLIC_IP>/ping": tls: failed to verify certificate: x509: cannot validate certificate for <PUBLIC_IP> because it doesn't contain any IP SANs ``` I confirmed the network path itself works: - WAN 443 forwards to Traefik/Pangolin - Traefik /ping on websecure returns HTTP/2 200 - Traefik is serving my real wildcard certificate rather than TRAEFIK DEFAULT CERT However, the certificate is valid for my Pangolin hostname/wildcard domain, not the raw IP address, so Newt’s HTTPS ping to the IP address can't be validated. A hostname/SNI test works correctly: `curl --resolve <PANGOLIN_HOSTNAME>:443:<PUBLIC_IP> https://<PANGOLIN_HOSTNAME>/ping` So this looks like Newt needs to use a hostname for HTTPS ping/SNI while still allowing Gerbil/WireGuard to use the base_endpoint public IP, as required by the Cloudflare proxy docs.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

copilot/fix-create-alert-visibility

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#7050