[GH-ISSUE #2446] Newt Tunnel can not connect to VPS #8933

New Issue

Closed

opened 2026-04-30 05:03:38 -05:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-04-30 05:03:38 -05:00

Owner

Copy Link

Originally created by @OscarsWorldTech on GitHub (Feb 10, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2446

Describe the Bug

I just brought up a new Hertzner VPS and installed pangolin on it. I can reach the dashboard just fine, but when I am trying to install a site the VM that I am installing to will not connect. I have verified that the Hetzner firewall allows 80, 443, 51820, 21820 as well as my firewall allows it. Here is what happens after I run newt with the id and secret and endpoint:

INFO: 2026/02/10 14:21:37 Newt version 1.9.0
INFO: 2026/02/10 14:21:37 Server version: 1.15.2
INFO: 2026/02/10 14:21:37 Websocket connected
INFO: 2026/02/10 14:21:37 Connecting to endpoint: pangolin.oscarsworld.tech
INFO: 2026/02/10 14:21:57 SendMessageInterval timed out after 10 attempts for message type: newt/wg/get-config
WARN: 2026/02/10 14:22:08 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:13 Ping attempt 1 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:18 Ping attempt 2 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:25 Ping attempt 3 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:32 Ping attempt 4 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:39 Ping attempt 5 failed: failed to read ICMP packet: i/o timeout
INFO: 2026/02/10 14:22:39 Increasing ping retry delay to 3s
WARN: 2026/02/10 14:22:47 Ping attempt 6 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:55 Ping attempt 7 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:22:57 Periodic ping failed (2 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:03 Ping attempt 8 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:11 Ping attempt 9 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:19 Ping attempt 10 failed: failed to read ICMP packet: i/o timeout
INFO: 2026/02/10 14:23:19 Increasing ping retry delay to 4.5s
WARN: 2026/02/10 14:23:28 Periodic ping failed (3 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:29 Ping attempt 11 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:38 Ping attempt 12 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:48 Ping attempt 13 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:57 Ping attempt 14 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:59 Periodic ping failed (4 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:23:59 Connection to server lost after 4 failures. Continuous reconnection attempts will be made.
INFO: 2026/02/10 14:23:59 Stopping ping check
INFO: 2026/02/10 14:23:59 Connecting to endpoint: pangolin.oscarsworld.tech
WARN: 2026/02/10 14:23:59 Failed to start hole punch: hole punch already running
WARN: 2026/02/10 14:24:30 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:24:35 Ping attempt 1 failed: failed to read ICMP packet: i/o timeout
WARN: 2026/02/10 14:24:40 Ping attempt 2 failed: failed to read ICMP packet: i/o timeout

Environment

• OS Type & Version: Ubuntu 24.04
• Pangolin Version: 1.15.2
• Gerbil Version: 1.3.0
• Traefik Version: 3.6
• Newt Version: 1.9
• Olm Version: (if applicable)

To Reproduce

1. Create new site
2. Copy Newt installation script and run it on remote system
3. Copy id, secret, and endpoint
4. Start the tunnel
5. Failure to connect

Expected Behavior

I should be able to automatically connect the tunnel

Originally created by @OscarsWorldTech on GitHub (Feb 10, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2446 ### Describe the Bug I just brought up a new Hertzner VPS and installed pangolin on it. I can reach the dashboard just fine, but when I am trying to install a site the VM that I am installing to will not connect. I have verified that the Hetzner firewall allows 80, 443, 51820, 21820 as well as my firewall allows it. Here is what happens after I run newt with the id and secret and endpoint: INFO: 2026/02/10 14:21:37 Newt version 1.9.0 INFO: 2026/02/10 14:21:37 Server version: 1.15.2 INFO: 2026/02/10 14:21:37 Websocket connected INFO: 2026/02/10 14:21:37 Connecting to endpoint: pangolin.oscarsworld.tech INFO: 2026/02/10 14:21:57 SendMessageInterval timed out after 10 attempts for message type: newt/wg/get-config WARN: 2026/02/10 14:22:08 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:13 Ping attempt 1 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:18 Ping attempt 2 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:25 Ping attempt 3 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:32 Ping attempt 4 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:39 Ping attempt 5 failed: failed to read ICMP packet: i/o timeout INFO: 2026/02/10 14:22:39 Increasing ping retry delay to 3s WARN: 2026/02/10 14:22:47 Ping attempt 6 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:55 Ping attempt 7 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:22:57 Periodic ping failed (2 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:03 Ping attempt 8 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:11 Ping attempt 9 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:19 Ping attempt 10 failed: failed to read ICMP packet: i/o timeout INFO: 2026/02/10 14:23:19 Increasing ping retry delay to 4.5s WARN: 2026/02/10 14:23:28 Periodic ping failed (3 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:29 Ping attempt 11 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:38 Ping attempt 12 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:48 Ping attempt 13 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:57 Ping attempt 14 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:59 Periodic ping failed (4 consecutive failures): all 2 ping attempts failed, last error: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:23:59 Connection to server lost after 4 failures. Continuous reconnection attempts will be made. INFO: 2026/02/10 14:23:59 Stopping ping check INFO: 2026/02/10 14:23:59 Connecting to endpoint: pangolin.oscarsworld.tech WARN: 2026/02/10 14:23:59 Failed to start hole punch: hole punch already running WARN: 2026/02/10 14:24:30 Initial reliable ping failed, but continuing: all 5 ping attempts failed, last error: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:24:35 Ping attempt 1 failed: failed to read ICMP packet: i/o timeout WARN: 2026/02/10 14:24:40 Ping attempt 2 failed: failed to read ICMP packet: i/o timeout ### Environment - OS Type & Version: Ubuntu 24.04 - Pangolin Version: 1.15.2 - Gerbil Version: 1.3.0 - Traefik Version: 3.6 - Newt Version: 1.9 - Olm Version: (if applicable) ### To Reproduce 1. Create new site 2. Copy Newt installation script and run it on remote system 3. Copy id, secret, and endpoint 4. Start the tunnel 5. Failure to connect ### Expected Behavior I should be able to automatically connect the tunnel

GiteaMirror closed this issue 2026-04-30 05:03:39 -05:00

GiteaMirror commented 2026-04-30 05:03:41 -05:00

Author

Owner

Copy Link

@OscarsWorldTech commented on GitHub (Feb 10, 2026):

Also adding that the Pangolin docker logs do show that it is adding a peer with the ID, but for some reason I still can not connect

EDIT: Just tried to create a tunnel from the Hetzner VPS to a another non-Hetzner VPS and it is still not connecting

<!-- gh-comment-id:3878042164 --> @OscarsWorldTech commented on GitHub (Feb 10, 2026): Also adding that the Pangolin docker logs do show that it is adding a peer with the ID, but for some reason I still can not connect EDIT: Just tried to create a tunnel from the Hetzner VPS to a another non-Hetzner VPS and it is still not connecting

GiteaMirror commented 2026-04-30 05:03:41 -05:00

Author

Owner

Copy Link

@hands0fblue commented on GitHub (Feb 12, 2026):

I have been having similar issues. I run my domain through Cloudflare and I had to remove the proxy and go to DNS only. My Newt tunnels now connect after a restart and the log look like this...

newt | INFO: 2026/02/12 04:08:07 Newt version 1.9.0
newt | INFO: 2026/02/12 04:08:08 Config file does not exist at /root/.config/newt-client/config.json, will create it
newt | INFO: 2026/02/12 04:08:08 Server version: 1.15.2
newt | INFO: 2026/02/12 04:08:08 Saving config to: /root/.config/newt-client/config.json
newt | INFO: 2026/02/12 04:08:08 Websocket connected
newt | INFO: 2026/02/12 04:08:08 Connecting to endpoint: xxx.xxx.xxx.xxx
newt | INFO: 2026/02/12 04:08:08 Tunnel connection to server established successfully!
newt | INFO: 2026/02/12 04:08:10 Client connectivity setup. Ready to accept connections from client

When I attempt to connect to my wildcard domains I get stuck in a redirect look so I still think there is something wrong with my DNS settings somewhere. If I figure out what I am doing wrong I will post and update.

If you use Cloudflare the docs are here https://docs.pangolin.net/self-host/advanced/cloudflare-proxy#cloudflare-proxy.

P.S. You should only need to open firewall ports for the VPS. Newt acts as a VPN client and will bypass your firewall.

<!-- gh-comment-id:3888705843 --> @hands0fblue commented on GitHub (Feb 12, 2026): I have been having similar issues. I run my domain through Cloudflare and I had to remove the proxy and go to DNS only. My Newt tunnels now connect after a restart and the log look like this... newt | INFO: 2026/02/12 04:08:07 Newt version 1.9.0 newt | INFO: 2026/02/12 04:08:08 Config file does not exist at /root/.config/newt-client/config.json, will create it newt | INFO: 2026/02/12 04:08:08 Server version: 1.15.2 newt | INFO: 2026/02/12 04:08:08 Saving config to: /root/.config/newt-client/config.json newt | INFO: 2026/02/12 04:08:08 Websocket connected newt | INFO: 2026/02/12 04:08:08 Connecting to endpoint: xxx.xxx.xxx.xxx newt | INFO: 2026/02/12 04:08:08 Tunnel connection to server established successfully! newt | INFO: 2026/02/12 04:08:10 Client connectivity setup. Ready to accept connections from client When I attempt to connect to my wildcard domains I get stuck in a redirect look so I still think there is something wrong with my DNS settings somewhere. If I figure out what I am doing wrong I will post and update. If you use Cloudflare the docs are here https://docs.pangolin.net/self-host/advanced/cloudflare-proxy#cloudflare-proxy. P.S. You should only need to open firewall ports for the VPS. Newt acts as a VPN client and will bypass your firewall.

GiteaMirror commented 2026-04-30 05:03:42 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Feb 12, 2026):

^^^ all good advice. Make sure UDP ports 21820 and 51820 are open.

<!-- gh-comment-id:3892861146 --> @oschwartz10612 commented on GitHub (Feb 12, 2026): ^^^ all good advice. Make sure UDP ports 21820 and 51820 are open.

GiteaMirror commented 2026-04-30 05:03:42 -05:00

Author

Owner

Copy Link

@OscarsWorldTech commented on GitHub (Feb 12, 2026):

Hi all,

What i ended up doing was completely rebuilding the vps and verifying ports were open. It was able to connect after that.

<!-- gh-comment-id:3892887391 --> @OscarsWorldTech commented on GitHub (Feb 12, 2026): Hi all, What i ended up doing was completely rebuilding the vps and verifying ports were open. It was able to connect after that.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

copilot/fix-create-alert-visibility

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#8933