[GH-ISSUE #2749] iOS client connects, but any private site resource causes endless registering / no LAN access in Docker self-host setup #8995

New Issue

Closed

opened 2026-04-30 05:11:12 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-30 05:11:12 -05:00

Owner

Copy Link

Originally created by @Mathdbn on GitHub (Mar 31, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2749

Describe the Bug

Summary

I am self-hosting Pangolin in Docker with the standard Pangolin-style architecture:

• pangolin
• gerbil
• traefik
• newt

Traefik runs with:

• network_mode: service:gerbil

The setup is hosted on Docker/Portainer on a single host.

Public access works:

• Pangolin dashboard works
• OIDC login works
• iOS client can authenticate
• base VPN/client connection works when no private/internal site resource is assigned

But as soon as I assign any private site resource to the iOS client, the client stops working correctly.

Environment

• Pangolin: 1.16.2
• Newt: 1.10.4
• Self-hosted with Docker / Docker Compose / Portainer
• Reverse proxy: Traefik
• Gerbil ports exposed on Docker host:
  • 80/tcp
  • 443/tcp
  • 51820/udp
  • 21820/udp
• Public IPv4: full stack, not shared
• Router: Freebox Pop
• iPhone client tested on iOS app
• Mobile operator tested: Bouygues

Networking layout

Docker host LAN IP:

• 192.168.1.99

Example LAN resources tested:

• 192.168.1.254
• 192.168.1.200

Expected behavior

• iOS client connects
• private site resource is pushed to client
• client can access LAN/internal target through Pangolin

Actual behavior

If no private site resource is assigned:

• iOS client can connect
• VPN/client session appears OK
• but no internal site is reachable (No site connected)

If I assign one private site resource:

• client starts failing
• access to internal resources no longer works
• the client may stay in Registering
• removing the private resource makes the client work again

This happens even after:

• recreating the iPhone client
• archiving/removing old iPhone clients
• recreating the newt site entirely
• testing with different internal destinations
• testing both host mode and CIDR mode

Important observation

The problem is not tied to one single host.

I first suspected 192.168.1.254, but the same problem happens with another LAN target like 192.168.1.200.

So the pattern seems to be:

• VPN base connectivity: OK
• adding any private/internal site resource: KO

Logs

Pangolin

I repeatedly get logs like:

Client last hole punch is too old and we have sites to send; skipping this register

In some cases, after assigning private resources, I also saw:
handleOlmServerPeerAddMessage: No endpoint found for client 2

Client behavior
iOS app authenticates successfully
device/session looks connected
but internal routing never becomes usable once private resources are assigned
Things already checked
Docker stack is healthy
Pangolin, Gerbil, Traefik, Newt are up
gerbil listens on:
51820/udp
21820/udp
router/NAT forwards these UDP ports correctly
public IPv4 is full stack
no CGNAT issue
recreating the newt site did not solve it
recreating iPhone client did not solve it
issue persists with different private resources
Question
Is this a known limitation or bug of:

iOS OLM clients with private site resources
Docker self-host with pangolin + gerbil + traefik + newt
or site resource routing/state handling in Pangolin?
Is there a recommended way to make private/internal site resources work reliably for iOS clients in a Docker deployment like this?


### Environment

OS Type & Version: Debian/Ubuntu-based Docker host on Portainer-managed MiniPC (host LAN IP 192.168.1.99)
Si tu veux être exact, donne-moi le résultat de cat /etc/os-release sur le host et je te mets la valeur exacte.

Pangolin Version: 1.16.2

Gerbil Version: latest
Si tu veux l’exacte, je peux te la lire depuis l’image runtime.

Traefik Version: 3.6.12

Newt Version: 1.10.4

Olm Version: iOS client app

### To Reproduce

1. Deploy Pangolin in Docker with:
   - `pangolin`
   - `gerbil`
   - `traefik`
   - `newt`
   - `traefik` using `network_mode: service:gerbil`

2. Expose the standard ports on `gerbil`:
   - `80/tcp`
   - `443/tcp`
   - `51820/udp`
   - `21820/udp`

3. Create a `newt` site and connect it successfully.

4. Install the iOS client and authenticate it successfully.

5. Confirm that with no private/internal site resource assigned, the client can connect but shows no internal site access.

6. Create a private site resource (tested with both host and CIDR modes), for example:
   - `192.168.1.254`
   - `192.168.1.254/32`
   - `192.168.1.200`
   and assign it to the user/role/client.

7. Reconnect the iOS client.

8. Observe that the client stops working correctly:
   - stays on `Registering` or
   - no longer gets usable internal access
   - removing the private resource restores base connectivity


### Expected Behavior

When a private site resource is assigned to the iOS client, the client should remain connected and be able to reach the internal destination through Pangolin.

In other words:
- client authentication succeeds
- OLM/VPN tunnel remains usable
- assigned private/internal site resources become reachable
- adding a private resource should not break the client connection state

Originally created by @Mathdbn on GitHub (Mar 31, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2749 ### Describe the Bug ## Summary I am self-hosting Pangolin in Docker with the standard Pangolin-style architecture: - `pangolin` - `gerbil` - `traefik` - `newt` Traefik runs with: - `network_mode: service:gerbil` The setup is hosted on Docker/Portainer on a single host. Public access works: - Pangolin dashboard works - OIDC login works - iOS client can authenticate - base VPN/client connection works when no private/internal site resource is assigned But as soon as I assign any private site resource to the iOS client, the client stops working correctly. ## Environment - Pangolin: `1.16.2` - Newt: `1.10.4` - Self-hosted with Docker / Docker Compose / Portainer - Reverse proxy: Traefik - Gerbil ports exposed on Docker host: - `80/tcp` - `443/tcp` - `51820/udp` - `21820/udp` - Public IPv4: full stack, not shared - Router: Freebox Pop - iPhone client tested on iOS app - Mobile operator tested: Bouygues ## Networking layout Docker host LAN IP: - `192.168.1.99` Example LAN resources tested: - `192.168.1.254` - `192.168.1.200` ## Expected behavior - iOS client connects - private site resource is pushed to client - client can access LAN/internal target through Pangolin ## Actual behavior If no private site resource is assigned: - iOS client can connect - VPN/client session appears OK - but no internal site is reachable (`No site connected`) If I assign one private site resource: - client starts failing - access to internal resources no longer works - the client may stay in `Registering` - removing the private resource makes the client work again This happens even after: - recreating the iPhone client - archiving/removing old iPhone clients - recreating the `newt` site entirely - testing with different internal destinations - testing both host mode and CIDR mode ## Important observation The problem is not tied to one single host. I first suspected `192.168.1.254`, but the same problem happens with another LAN target like `192.168.1.200`. So the pattern seems to be: - VPN base connectivity: OK - adding any private/internal site resource: KO ## Logs ### Pangolin I repeatedly get logs like: ```text Client last hole punch is too old and we have sites to send; skipping this register In some cases, after assigning private resources, I also saw: handleOlmServerPeerAddMessage: No endpoint found for client 2 Client behavior iOS app authenticates successfully device/session looks connected but internal routing never becomes usable once private resources are assigned Things already checked Docker stack is healthy Pangolin, Gerbil, Traefik, Newt are up gerbil listens on: 51820/udp 21820/udp router/NAT forwards these UDP ports correctly public IPv4 is full stack no CGNAT issue recreating the newt site did not solve it recreating iPhone client did not solve it issue persists with different private resources Question Is this a known limitation or bug of: iOS OLM clients with private site resources Docker self-host with pangolin + gerbil + traefik + newt or site resource routing/state handling in Pangolin? Is there a recommended way to make private/internal site resources work reliably for iOS clients in a Docker deployment like this? ### Environment OS Type & Version: Debian/Ubuntu-based Docker host on Portainer-managed MiniPC (host LAN IP 192.168.1.99) Si tu veux être exact, donne-moi le résultat de cat /etc/os-release sur le host et je te mets la valeur exacte. Pangolin Version: 1.16.2 Gerbil Version: latest Si tu veux l’exacte, je peux te la lire depuis l’image runtime. Traefik Version: 3.6.12 Newt Version: 1.10.4 Olm Version: iOS client app ### To Reproduce 1. Deploy Pangolin in Docker with: - `pangolin` - `gerbil` - `traefik` - `newt` - `traefik` using `network_mode: service:gerbil` 2. Expose the standard ports on `gerbil`: - `80/tcp` - `443/tcp` - `51820/udp` - `21820/udp` 3. Create a `newt` site and connect it successfully. 4. Install the iOS client and authenticate it successfully. 5. Confirm that with no private/internal site resource assigned, the client can connect but shows no internal site access. 6. Create a private site resource (tested with both host and CIDR modes), for example: - `192.168.1.254` - `192.168.1.254/32` - `192.168.1.200` and assign it to the user/role/client. 7. Reconnect the iOS client. 8. Observe that the client stops working correctly: - stays on `Registering` or - no longer gets usable internal access - removing the private resource restores base connectivity ### Expected Behavior When a private site resource is assigned to the iOS client, the client should remain connected and be able to reach the internal destination through Pangolin. In other words: - client authentication succeeds - OLM/VPN tunnel remains usable - assigned private/internal site resources become reachable - adding a private resource should not break the client connection state

GiteaMirror closed this issue 2026-04-30 05:11:13 -05:00

GiteaMirror commented 2026-04-30 05:11:14 -05:00

Author

Owner

Copy Link

@Mathdbn commented on GitHub (Mar 31, 2026):

The issue was not related to open ports, but to the internal subnet used by Gerbil.

By default, Pangolin uses the subnet 100.89.137.0/20, which belongs to the CGNAT address space. While this range is intended to avoid conflicts with common private networks (192.168.x.x, 10.x.x.x, etc.), the documentation also states that you should change it if it conflicts with your network environment.

In my case, the VPN worked fine over Wi-Fi but failed on 4G/5G. This strongly suggests a routing conflict with the mobile network, which also relies on CGNAT. Since the ports (51820/udp and 21820/udp) were correctly opened and reachable, the issue was not network exposure but the internal tunnel addressing.

The fix was to update the Pangolin configuration (config.yml) in the gerbil section, replacing: subnet_group: "100.89.137.0/20"

with a non-conflicting private range: subnet_group: "10.250.0.0/16"

Final working configuration:
gerbil:
start_port: 51820
clients_start_port: 21820
base_endpoint: "xx.xx.comr"
subnet_group: "10.250.0.0/16"
block_size: 24
site_block_size: 30

Summary:
• The problem was caused by a subnet conflict in Pangolin’s internal VPN network.
• The fix is to change subnet_group in config.yml to a range that does not overlap with your environment.
• This resolves issues where the VPN works on Wi-Fi but fails on mobile networks.

<!-- gh-comment-id:4164793101 --> @Mathdbn commented on GitHub (Mar 31, 2026): The issue was not related to open ports, but to the internal subnet used by Gerbil. By default, Pangolin uses the subnet 100.89.137.0/20, which belongs to the CGNAT address space. While this range is intended to avoid conflicts with common private networks (192.168.x.x, 10.x.x.x, etc.), the documentation also states that you should change it if it conflicts with your network environment. In my case, the VPN worked fine over Wi-Fi but failed on 4G/5G. This strongly suggests a routing conflict with the mobile network, which also relies on CGNAT. Since the ports (51820/udp and 21820/udp) were correctly opened and reachable, the issue was not network exposure but the internal tunnel addressing. The fix was to update the Pangolin configuration (config.yml) in the gerbil section, replacing: subnet_group: "100.89.137.0/20" with a non-conflicting private range: subnet_group: "10.250.0.0/16" Final working configuration: gerbil: start_port: 51820 clients_start_port: 21820 base_endpoint: "xx.xx.comr" subnet_group: "10.250.0.0/16" block_size: 24 site_block_size: 30 Summary: • The problem was caused by a subnet conflict in Pangolin’s internal VPN network. • The fix is to change subnet_group in config.yml to a range that does not overlap with your environment. • This resolves issues where the VPN works on Wi-Fi but fails on mobile networks.

GiteaMirror commented 2026-04-30 05:11:14 -05:00

Author

Owner

Copy Link

@latiche commented on GitHub (Apr 14, 2026):

I have the same issue (client stuck on "Registering" when adding private resource)
I thought it would be a similar cause since I am also testing on LTE network with CGNAT so I updated the gerbil section as you did
Unfortunately, that was not enough to solve the issue for me

edit : I am having this issue : https://github.com/fosrl/olm/issues/108

For reference, if you change the subnet, you either have to recreate all sites / resources, or update database

here is what I did (docker) :

cd /opt/pangolin
docker compose down
cd /opt/pangolin/config/db
cp db.sqlite db.sqlite.backup
apt install sqllite3
sqlite3
UPDATE sites SET subnet = REPLACE(subnet, '100.89', '10.250') WHERE subnet LIKE '100.89%'; UPDATE sites SET address = REPLACE(address, '100.90', '10.251') WHERE address LIKE '100.90%';
UPDATE orgs SET subnet = REPLACE(subnet, '100.90', '10.251') WHERE subnet LIKE '100.90%';
UPDATE orgs SET utilitySubnet = REPLACE(utilitySubnet, '100.96', '10.252') WHERE utilitySubnet LIKE '100.96%';
UPDATE exitNodes SET address = REPLACE(address, '100.89', '10.250') WHERE address LIKE '100.89%';
UPDATE clients SET subnet = REPLACE(subnet, '100.90', '10.251') WHERE subnet LIKE '100.90%';
SELECT * FROM clients;
SELECT * FROM sites;
SELECT * FROM orgs;
SELECT * FROM exitNodes;
docker compose down && docker compose up -d

<!-- gh-comment-id:4242622736 --> @latiche commented on GitHub (Apr 14, 2026): I have the same issue (client stuck on "Registering" when adding private resource) I thought it would be a similar cause since I am also testing on LTE network with CGNAT so I updated the gerbil section as you did Unfortunately, that was not enough to solve the issue for me edit : I am having this issue : https://github.com/fosrl/olm/issues/108 For reference, if you change the subnet, you either have to recreate all sites / resources, or update database here is what I did (docker) : ``` cd /opt/pangolin docker compose down cd /opt/pangolin/config/db cp db.sqlite db.sqlite.backup apt install sqllite3 sqlite3 UPDATE sites SET subnet = REPLACE(subnet, '100.89', '10.250') WHERE subnet LIKE '100.89%'; UPDATE sites SET address = REPLACE(address, '100.90', '10.251') WHERE address LIKE '100.90%'; UPDATE orgs SET subnet = REPLACE(subnet, '100.90', '10.251') WHERE subnet LIKE '100.90%'; UPDATE orgs SET utilitySubnet = REPLACE(utilitySubnet, '100.96', '10.252') WHERE utilitySubnet LIKE '100.96%'; UPDATE exitNodes SET address = REPLACE(address, '100.89', '10.250') WHERE address LIKE '100.89%'; UPDATE clients SET subnet = REPLACE(subnet, '100.90', '10.251') WHERE subnet LIKE '100.90%'; SELECT * FROM clients; SELECT * FROM sites; SELECT * FROM orgs; SELECT * FROM exitNodes; docker compose down && docker compose up -d ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#8995