r/PangolinReverseProxy

Get Alerts When Devices and Network Resources Go Down

We put together a short video covering the new alerting feature introduced in Pangolin 1.18.

It lets you send alerts when things like sites, resources, or standalone health checks change status, so you can get notified when something goes offline instead of finding out from a user later.

We’re also curious what integrations people would find useful next.

Would you rather see Discord, Slack, or something else?

youtube.com
u/HugoDos — 6 hours ago

Hello everyone!

Pangolin 1.18 brings HTTPS support for private resources, multi-site high availability routing, uptime tracking, health checks, alert rules, wildcard resources, and more. Let's dig in!

GitHub: https://github.com/fosrl/pangolin

Pangolin is an open-source, identity-aware remote access platform. Use it to securely expose authenticated web applications and private VPN resources to anyone with peer-to-peer zero-trust networking.

https://preview.redd.it/yrj4fzbsqcyg1.png?width=3456&format=png&auto=webp&s=8deba1390d2be6ec6ea5efdb834284333d559703

HTTPS Private Resources

Private HTTP is a new resource type for web workloads. It behaves like a public resource with a domain name and valid TLS but nothing is exposed on the public internet. The hostname resolves to a reverse proxy running in the site connector (Newt) and only serves traffic when the user has an active Pangolin client connection.

https://preview.redd.it/mxs6483tqcyg1.png?width=1730&format=png&auto=webp&s=917528d2af7c82cae70812b07ee0bf64e95cc682

Multi-Site Routing and High Availability

Private resources now support multiple site connectors. Pangolin routes traffic through whichever path is best at the time and automatically fails over if a site goes offline.

https://preview.redd.it/wpvwjhqtqcyg1.png?width=1762&format=png&auto=webp&s=5677b90b3ca3271e4f767c478c51b925017352da

Wildcard Resources

Set the subdomain field to * on a public resource and Pangolin routes every hostname at that level through the same resource and tunnel. Access rules and auth apply across all matched hostnames, and the original Host header is preserved for downstream routing.

And More

1.18 also adds uptime tracking on sites and resources, standalone health checks (HTTP and TCP) that can watch anything on your network, alert rules with email, webhook, the ability to import an identity provider across organizations, and a handful of UI improvements and bug fixes.

https://preview.redd.it/740y4bfneeyg1.png?width=2030&format=png&auto=webp&s=ae0b7f7a9798d002ea2c7a27c4b0bf8169c5d6d1

Check out the full blog post for details on everything in this release: https://pangolin.net/news/1-18-release

As always, available for self-hosting via the Community or Enterprise editions or on Pangolin Cloud. The Enterprise edition is free for personal use.

If you haven't starred us on GitHub yet, it genuinely helps. Thank you!

u/MrUserAgreement — 13 days ago

Anyone using pangolin AND tailscale?

I am busy moving from a fully manual setup including traefik + TS to pangolin.

Is pangolin ready to fully replace TS?
I tried changing the default networks pangolin uses for gerbil and newt to a different range so it won't interfere with TS but am still hitting a few problems.

It looks like I can replace most of TS's functionality with pangolin but am not sure on a few key points. i.e. currently I use an adguardhome instance as my DNS for all clients and machines across TS. I basically enforce the DNS so not quite sure if this can be fully replicated with pangolin?

Any pointers are welcome.

P.S. The basic issue I have while running both is that with the TS enforced DNS, I can't seem to manage to connect to any private HTTPS resources as TS's DNS resolves to the external IP. I only get to see the "Private Placeholder Screen" even though pangolin on my client device is connected to the network but.

u/ovizii — 14 hours ago

High Availability for WireGuard VPN at the Edge

Continuing our coverage of Pangolin 1.18 features, next up is private HA resources!

We cover how to set it up, what it looks like, and what an actual failover looks like!

youtube.com
u/HugoDos — 1 day ago

CrowdSec Manager v2.4.0 - GeoIP-Enriched CrowdSec/Traefik Dashboards, Web UI, and Android App Exclusive Pangolin users

CrowdSec Manager v2.4.0 is out.

This release brings a major visibility upgrade with optional GeoIP enrichment for dashboard data. When configured, CrowdSec Manager enriches both CrowdSec and Traefik dashboard views with location and network context (country, ASN, etc.). Instead of just raw IPs, you get much better insight into where your traffic, alerts, bans, and repeat offenders are coming from.

Big focus in v2.4.0: GeoIP-enriched dashboards

  • Optional GeoIP enrichment for CrowdSec and Traefik analytics
  • Country + network context for alerts, decisions, and logs
  • Improved visibility into attack origins and suspicious traffic
  • More useful dashboard breakdowns and charts
  • Completely optional — works perfectly without GeoIP

Other new changes in v2.4.0

  • New CrowdSec and Traefik log analytics dashboards
  • Decision history analysis with charts and breakdowns
  • Bulk decision deletion
  • Improved decision reapply flows
  • Better alert and decision cache invalidation
  • Shared generated API types between backend, web UI, and mobile app
  • Manager update card in the UI
  • Refreshed Android app branding and navigation
  • Android app updated to v2.4.0 and now marked stable
  • More backend, web, and mobile test coverage

Docker Image
hhftechnology/crowdsec-manager:2.4.0

Recommended Setup: Pangolin VPN

Keep CrowdSec Manager private and access it securely over your Pangolin/WireGuard VPN (do not expose it directly to the internet).

Example Docker Compose (Pangolin + GeoIP):

services:
  crowdsec-manager:
    image: hhftechnology/crowdsec-manager:2.4.0
    container_name: crowdsec-manager
    restart: unless-stopped
    ports:
      - "<PANGOLIN_VPN_IP>:8080:8080"
    environment:
      - PORT=8080
      - ENVIRONMENT=production
      - TRAEFIK_DYNAMIC_CONFIG=/etc/traefik/dynamic_config.yml
      - TRAEFIK_CONTAINER_NAME=traefik
      - TRAEFIK_STATIC_CONFIG=/etc/traefik/traefik_config.yml
      - GEOIP_DATABASE_PATH=/app/geoip/GeoLite2-City.mmdb
      - CROWDSEC_METRICS_URL=http://crowdsec:6060/metrics
      - ALERT_LIST_LIMIT=5000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/config:/app/config
      - /root/docker-compose.yml:/app/docker-compose.yml
      - ./backups:/app/backups
      - ./data:/app/data
      - ./geoip/GeoLite2-City.mmdb:/app/geoip/GeoLite2-City.mmdb:ro
    networks:
      - pangolin

networks:
  pangolin:
    external: true

Alternative: Access via Tailscale

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale-crowdsec
    hostname: crowdsec-manager-ts
    environment:
      - TS_AUTHKEY=your_auth_key_here
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - tailscale-data:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    ports:
      - "127.0.0.1:8080:8080"
    networks:
      pangolin:
        aliases:
          - crowdsec-manager
    restart: unless-stopped

  crowdsec-manager:
    image: hhftechnology/crowdsec-manager:2.4.0
    container_name: crowdsec-manager
    network_mode: service:tailscale
    restart: unless-stopped
    environment:
      - PORT=8080
      - ENVIRONMENT=production
      - TRAEFIK_DYNAMIC_CONFIG=/etc/traefik/dynamic_config.yml
      - TRAEFIK_CONTAINER_NAME=traefik
      - TRAEFIK_STATIC_CONFIG=/etc/traefik/traefik_config.yml
      - GEOIP_DATABASE_PATH=/app/geoip/GeoLite2-City.mmdb
      - CROWDSEC_METRICS_URL=http://crowdsec:6060/metrics
      - ALERT_LIST_LIMIT=5000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/config:/app/config
      - /root/docker-compose.yml:/app/docker-compose.yml
      - ./backups:/app/backups
      - ./data:/app/data
      - ./geoip/GeoLite2-City.mmdb:/app/geoip/GeoLite2-City.mmdb:ro
    depends_on:
      tailscale:
        condition: service_started

networks:
  pangolin:
    external: true

volumes:
  tailscale-data:
    driver: local

GeoIP Setup
Download the free GeoLite2-City.mmdb from MaxMind and mount it as shown above.

Links
GitHub: https://github.com/hhftechnology/crowdsec_manager
Forums: https://forum.hhf.technology
Discord: https://discord.gg/HDCt9MjyMJ
Pangolin VPN Discussion: https://github.com/hhftechnology/crowdsec_manager/discussions/31

I’m looking for feedback, especially on the new GeoIP dashboards and the Android app. Bug reports and feature ideas are very welcome!

https://preview.redd.it/awzawmkuv40h1.png?width=1080&format=png&auto=webp&s=9c9372d48a3728639a7debf286b9132b99ead17b

https://preview.redd.it/pc8kinkuv40h1.jpg?width=640&format=pjpg&auto=webp&s=c46cafcccfc80778da318e8c6713e6f0c40c35fb

https://preview.redd.it/fe2hemkuv40h1.jpg?width=640&format=pjpg&auto=webp&s=0794cf18878878607144f1b03695f1b51641a15f

https://preview.redd.it/8jztjmkuv40h1.jpg?width=640&format=pjpg&auto=webp&s=c17eb7fd1e843b1af01bfcdd557a1c9ef0035bc7

https://preview.redd.it/oa8q4tkuv40h1.jpg?width=640&format=pjpg&auto=webp&s=17373f9fdcd1bc6fe3b7e6d32092362546fbabee

https://preview.redd.it/mj9j9nkuv40h1.jpg?width=640&format=pjpg&auto=webp&s=ff64886ee95b7a98004337939a2895029859b7b5

u/riverflow2025 — 4 days ago
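
Added example, not part of the post above or of CrowdSec Manager's own code: a small check for the advice to keep the manager off the public internet, classifying Compose short-syntax `ports` entries by the host address they bind. The function names, the `SAMPLE` data and the address 10.8.0.5 are assumptions constructed for this sketch.

```python
import ipaddress

def split_port_entry(entry):
    """Return (host_ip or None, published or None, target) for a short-syntax entry."""
    spec = entry.split("/", 1)[0]            # drop a trailing "/tcp" or "/udp"
    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6 host: [::1]:8080:8080
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:  # IPv4 host: ip:published:target
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        return host_ip, parts[0], parts[1]
    if len(parts) == 1:                      # target only: Docker picks the host port
        return host_ip, None, parts[0]
    raise ValueError(f"unrecognised ports entry: {entry!r}")

def classify_binding(entry):
    """Classify which host interfaces a ports entry publishes on."""
    host_ip, _published, _target = split_port_entry(entry)
    if host_ip is None:
        return "all-interfaces"              # no host IP: Docker binds 0.0.0.0 by default
    try:
        addr = ipaddress.ip_address(host_ip)
    except ValueError:
        return "placeholder"                 # e.g. <PANGOLIN_VPN_IP> was never filled in
    if addr.is_unspecified:
        return "all-interfaces"              # explicit 0.0.0.0 or ::
    if addr.is_loopback:
        return "loopback"
    return "specific-address"

def audit_ports(services):
    """Map service name -> [(entry, classification)] for entries needing attention."""
    findings = {}
    for name, entries in services.items():
        flagged = [(e, classify_binding(e)) for e in entries]
        flagged = [(e, c) for e, c in flagged if c in ("all-interfaces", "placeholder")]
        if flagged:
            findings[name] = flagged
    return findings

# Constructed sample: the ports lists of each service after loading a compose file.
SAMPLE = {
    "crowdsec-manager": ["<PANGOLIN_VPN_IP>:8080:8080"],   # template left unedited
    "tailscale": ["127.0.0.1:8080:8080"],                  # loopback only
    "vpn-bound": ["10.8.0.5:8080:8080"],                   # constructed VPN address
    "careless": ["8080:8080", "0.0.0.0:9090:9090/tcp", "[::]:9091:9091"],
}

if __name__ == "__main__":
    for service, items in audit_ports(SAMPLE).items():
        for entry, verdict in items:
            print(f"{service}: {entry} -> {verdict}")
```
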

Support for self hosted CA certificates

Hi all,

I’m running Pangolin as part of a self-hosted setup and would really like to use certificates issued by my own Smallstep CA for boundary services. I have a ... .home.arpa setup I cannot use letsencrypt for and would really like to certify my subdomains.

The goal is to keep services private, avoid exposing them publicly just for ACME/Let’s Encrypt flows, and still have clean HTTPS with certificates trusted by my own devices.

--

Use case:

Internal homelab services behind Pangolin

Private/internal DNS names

Smallstep CA issuing certificates

Pangolin using those certs for reverse proxy TLS

u/luckyvb — 1 day ago

Private HTTPS Resources with custom SNI and Host Header

Hi everyone,

I’m setting up private HTTPS resources using pangolin. Traffic is routed through newt container to my caddy container.

My Caddy instance currently only listens on TLS port 443 and uses virtual hosts, so it relies on correct SNI + Host header matching to route traffic properly.

For public resources, I can set the SNI and host header, but this seems to be missing for private HTTPS Resources?

Is it possible to explicitly set or override SNI and/or the Host header for private HTTPS resources in a similar way?

I got the setup working if I use HTTP Pangolin/Newt to Caddy, though with this setup I would need to maintain two vHosts per site (one for https traffic not coming from pangolin and one for http). Is there something I'm currently overlooking?

Thanks for your input and advice!

u/pxxbn — 4 days ago

Has anyone been able to get Mealie working successfully with Pangolin? I've had it proxied in the past with SWAG, and on my home network I can access it directly at IP:port.

I've got it proxied through Pangolin at the moment and the healthcheck appears OK, but whenever I try to access it, I get a 500 error.

u/shaftspanner — 7 days ago

We created a quick introduction video for private HTTP resources, how to configure them, and how the certificate generation works at a high level.

What feature should we highlight next from 1.18?

u/HugoDos — 9 days ago

GitOps for Pangolin: The CI/CD Blueprint Workflow with GitHub Actions

We released a video on how you can utilize a GitOps repo to make changes to Pangolin via the Integration API.

What other use cases should we cover next?

youtu.be
u/HugoDos — 6 days ago

I updated my Pangolin instance to v18.0 yesterday and then to v18.1 this AM. I noticed something new that I think may be causing trouble with accessing my self-hosted apps.

In the Public: Resources tab, there is a new icon that shows that the certificates for my subdomains are pending.

If I click on any of my resources to edit them, a new title bar appears indicating that the certificates are pending for that resource.

Can anyone help me understand what is going on? When I check the acme.json file, I can see it was updated today (reboot following Pangolin update).

It appears that this is impacting my ability to reach resources that are directly proxied by Pangolin, i.e., Pangolin-->Newt-->Nextcloud = Site can't be reached
This also occurs when proxying services locally on the same VPS as Pangolin.

However, most of my resources aren't affected (yet) because I run most of my resources behind SWAG internally, i.e., Pangolin-->Newt-->SWAG-->Vaultwarden = site reachable

Also, I have configured Pangolin/Traefik to use DNS challenge to pull domain/wildcard certificates.

Let me know if anyone has any ideas why my certs are pending.

Thanks!!!

u/Long-Package6393 — 13 days ago

Hi, I have an Ubuntu VM with newt and it works well, but the Pangolin dashboard shows downtime 100% despite being online and working.

https://preview.redd.it/cdqihiqrrvyg1.png?width=1694&format=png&auto=webp&s=0cb02949dbe790b1b4fd0514b781f3076ab83f4f

newt logs are fine too

[newt] 2026-05-03T07:31:39.x INFO: 2026/05/03 07:31:39 Newt version 1.12.3
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Server version: 1.18.1
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Websocket connected
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Connecting to endpoint: xx.xx.xx.xx
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Tunnel connection to server established successfully!
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Started tcp proxy to xx.xx.xx.xx
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Started tcp proxy to xx.xx.xx.xx
[newt] 2026-05-03T07:31:40.x INFO: 2026/05/03 07:31:40 Started tcp proxy to xx.xx.xx.xx
[newt] 2026-05-03T07:32:00.x INFO: 2026/05/03 07:32:00 SendMessageInterval timed out after 10 attempts for message type: newt/wg/get-config

Any ideas? thx

u/Kraizelburg — 11 days ago

At the moment I have a NPM on my hs, which can redirect me to local services and to vps services too through Tailscale. Now I'd like to use Pangolin for this, but I don't know how.

How I use Tailscale and NPM is the following: I have my admin.mydomain.com directed to my server's Tailscale IP. In the case of Dockge, NPM redirects to 172.17.0.1 for the local instance, and for the server's instance it redirects me to the Tailscale IP of the VPS. Now I'd like to change Tailscale to Pangolin, but I couldn't figure out how I could make the two PCs see each other like they do with Tailscale.

u/Guy_In_Between — 11 days ago

Hey guys,

my SMTP won't work and I don't know why, Claude also doesn't know.

This is my config, I'm using mailbox.org with an application password there:

# To see all available options, please visit the docs:
# https://docs.pangolin.net/

gerbil:
    start_port: 51820
    base_endpoint: "pangolin.domain.cloud"

app:
    dashboard_url: "https://pangolin.domain.cloud"
    log_level: "info"
    telemetry:
        anonymous_usage: true

domains:
    domain1:
        base_domain: "domain.cloud"

server:
    secret: "longsecret"
    cors:
        origins: ["https://pangolin.domain.cloud"]
        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
        allowed_headers: ["X-CSRF-Token", "Content-Type"]
        credentials: false
    maxmind_db_path: "./config/GeoLite2-Country.mmdb"

email:
  smtp_host: smtp.mailbox.org
  smtp_port: 587
  smtp_user: name@mailbox.org
  smtp_pass: "abcd-abcd-abcd-abcd"
  smtp_secure: false
  no_reply: name@domain.cloud

flags:
    require_email_verification: false
    disable_signup_without_invite: true
    disable_user_create_org: false
    allow_raw_resources: true

2026-05-03T19:09:39+00:00 [error]: Invalid login: 535 5.7.8 Error: authentication failed:
Stack: Error: Invalid login: 535 5.7.8 Error: authentication failed:
    at SMTPConnection._formatError (/app/node_modules/nodemailer/lib/smtp-connection/index.js:887:19)
    at SMTPConnection._actionAUTHComplete (/app/node_modules/nodemailer/lib/smtp-connection/index.js:1695:34)
    at SMTPConnection.<anonymous> (/app/node_modules/nodemailer/lib/smtp-connection/index.js:626:26)
    at SMTPConnection._processResponse (/app/node_modules/nodemailer/lib/smtp-connection/index.js:1072:20)
    at SMTPConnection._onData (/app/node_modules/nodemailer/lib/smtp-connection/index.js:847:14)
    at SMTPConnection._onSocketData (/app/node_modules/nodemailer/lib/smtp-connection/index.js:217:44)
    at TLSSocket.emit (node:events:509:28)
    at addChunk (node:internal/streams/readable:563:12)
    at readableAddChunkPushByteMode (node:internal/streams/readable:514:3)
    at Readable.push (node:internal/streams/readable:394:5) {"code":"EAUTH","response":"535 5.7.8 Error: authentication failed: ","responseCode":535,"command":"AUTH PLAIN"}
u/alienus333 — 10 days ago

as most of us are using VPS in a shared environment to host pangolin, what are your thoughts on this issue?

it is possible for someone on the shared server to reach root access, and with that access they may be able to access the files on your VPS.

due to this, for now i was planning to shutdown newt on my home machine to stop the pangolin service on my VPS until i know my provider (hetzner) has patched their systems.

u/wallacebrf — 13 days ago

Hello, I have a problem with all private resources. I have installed the Pangolin iOS client and connected. When I access any private resource, for example opnsense.domain.com, I get the login screen, I log in, and after that I get the Private Placeholder Screen: This domain is being used on a private resource. Please connect using the Pangolin client to access this resource.
It happens with all private resources

u/zkiprov — 12 days ago