Skip to content

Releases: fosrl/pangolin

1.15.0

23 Jan 19:48
@oschwartz10612 oschwartz10612
1.15.0
40f2262
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.15.0 Latest
Latest

Read the Announcement

Read the full announcement with discussion of new features: Pangolin 1.15: iOS and Android apps, device approvals and posture, 1 year anniversary, stability, and more

What's Changed

  • Add store user device fingerprint information (OS, serial number, hostname, etc)
  • Add store user device posture information (auto updates, encryption, biometrics, etc) (EE)
  • Add user device approvals for admins; explicitly approve a user’s device before it can connect to resources (EE)
  • Add support for organization only scoped identity providers for true multi-tenancy (EE)
  • Add block user device and machine
  • Add archive user device and machine client
  • Add show Site and Client install commands on credentials tab
  • Add option to set rule priorities in blueprints
  • Add Russian, Bulgarian, and Czech languages
  • Add apply blueprint through the cli
  • Fix tab key not working to navigation between host and port inputs on resource target forms
  • Fix logo URL optional in custom org branding (EE)
  • Fix confirm delete button working without confirm text
  • General UI improvements
  • Various other bug fixes

New Contributors

Full Changelog: https://github.com/fosrl/pangolin/compare/1.14.1...1.15.0

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Contributors

JackMyers001, JanGrosse, and 2 other contributors
Assets 4
Loading

1.15.0-rc.0

21 Jan 23:54
@oschwartz10612 oschwartz10612
1.15.0-rc.0
49001f6
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.15.0-rc.0 Pre-release
Pre-release

RC

A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.

  • Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
  • Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
  • Backup: Always back up data before installing an RC to allow rollback if problems arise.
  • Feedback: Provide feedback; it's vital for a robust final release.

What's Changed

Note

Some things like fingerprinting and posture info coming in new clients as they are released. Please update clients when released to test.

  • Add store user device fingerprint information (OS, serial number, hostname, etc)
  • Add store user device posture information (auto updates, encryption, biometrics, etc) (EE)
  • Add user device approvals for admins; explicitly approve a user’s device before it can connect to resources (EE)
  • Add support for organization only scoped identity providers for true multi-tenancy (EE)
  • Add block user device and machine
  • Add archive user device and machine client
  • Add show Site and Client install commands on credentials tab
  • Add option to set rule priorities in blueprints
  • Add Russian, Bulgarian, and Czech languages
  • Fix logo URL optional in custom org branding (EE)
  • Fix confirm delete button working without confirm text
  • General UI improvements
  • Various other bug fixes

New Contributors

Full Changelog: 1.14.1...1.15.0-rc.0

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Contributors

JackMyers001, JanGrosse, and 2 other contributors
Loading
0 Join discussion

1.14.1

24 Dec 21:33
@oschwartz10612 oschwartz10612
1.14.1
2ca400a

Choose a tag to compare

View all tags
1.14.1

What's Changed

  • Fix mobile header dissapearing after closing virtual keyboard
  • Add flags.disable_product_help_banners to disable product help banners
  • Fix machine client credentials page always showing the same ID
  • UI enhancements
  • Fix raw resources throwing a nextjs error
  • Fix blueprint not accepting ALL

Full Changelog: 1.14.0...1.14.1

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Loading

1.14.0

23 Dec 03:21
@miloschwartz miloschwartz
1.14.0
7e9f18b
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.14.0

What's Changed

New Contributors

Full Changelog: 1.13.1...1.14.0

Recommended Versions

Pangolin is backward compatible with older versions of its components. However, access to new features requires that all components be updated to their latest versions. We strongly recommend keeping everything up to date to ensure you benefit from the newest functionality, improvements, and fixes.

  • Pangolin 1.14.0+
  • Badger 1.3.1+
  • Gerbil 1.3.0+
  • Olm 1.3.0+
    • Note: If you're using a client for macOS, Windows, or Pangolin CLI, simply update to the latest versions.
  • Newt 1.8.0+

CROWDSEC USERS PLEASE READ

Due to an earlier misconfiguration of the health check for Crowdsec installs you may get rate limited due to Crowdsec's new policies. Please follow the info in this discussion to make the change to prevent rate limiting.

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Badger Supports Real IP with Cloudflare Proxy

Badger 1.3.0 supports pulling the real IP when behind the Cloudflare Proxy. Support for this is enabled by default. Read more in the Badger release notes.

Port Firewalling and ICMP Ping Support in Private Resources

Private resources now support more granular access controls for ports and protocols. For TCP and UDP traffic, you can choose to allow all ports, block all ports, or define a specific set of allowed ports and port ranges.

In addition, private resources now support ICMP ping. Previously, ICMP traffic was always blocked, preventing you from using tools like ping to test connectivity. With this update, ICMP ping is enabled by default and can also be disabled at any time through the resource’s firewall settings.

image

Wildcard Alias

Private resources now support wildcard DNS aliases. Instead of defining a single, explicit alias, you can now use a wildcard like *.vpn.internal, which will resolve all matching subdomains to the destination host.

This is useful, for example, when running a reverse proxy (such as Traefik) alongside the site connector (Newt). Multiple services can be routed by hostname and served over HTTPS with valid certificates, while remaining accessible only privately over the tunnel.

Use Private DNS Servers with Pangolin Clients

Pangolin clients on Windows, macOS, and Linux now support routing DNS queries through the secure tunnel. This allows you to configure a self-hosted or private DNS server that the client will use whenever it is connected.

When this feature is enabled, all DNS resolution is performed over the tunnel instead of the local network. As long as you have a private resource configured that grants the client access to the DNS server, queries will be securely resolved within your private infrastructure.

To use this feature, please update your client to the latest available versions.

Contributors

depado, oschwartz10612, and 8 other contributors
Loading

1.14.0-rc.0

22 Dec 02:49
@oschwartz10612 oschwartz10612
1.14.0-rc.0
972febf
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.14.0-rc.0 Pre-release
Pre-release

RC

A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.

  • Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
  • Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
  • Backup: Always back up data before installing an RC to allow rollback if problems arise.
  • Feedback: Provide feedback; it's vital for a robust final release.

What's Changed

New Contributors

Full Changelog: 1.13.1...1.14.0-rc.0

Recommended Versions

Pangolin is backward compatible with older versions of its components. However, access to new features requires that all components be updated to their latest versions. We strongly recommend keeping everything up to date to ensure you benefit from the newest functionality, improvements, and fixes.

  • Pangolin 1.14.0+
  • Badger 1.3.0+
  • Gerbil 1.3.0+
  • Olm 1.3.0+
  • Newt 1.8.0+

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Badger Supports Real IP with Cloudflare Proxy

Badger 1.3.0 supports pulling the real IP when behind the Cloudflare Proxy. Support for this is enabled by default. Read more in the Badger release notes.

Port Firewalling and ICMP Ping Support in Private Resources

Private resources now support more granular access controls for ports and protocols. For TCP and UDP traffic, you can choose to allow all ports, block all ports, or define a specific set of allowed ports and port ranges.

In addition, private resources now support ICMP ping. Previously, ICMP traffic was always blocked, preventing you from using tools like ping to test connectivity. With this update, ICMP ping is enabled by default and can also be disabled at any time through the resource’s firewall settings.

image

Use Private DNS Servers with Pangolin Clients

Pangolin clients on Windows, macOS, and Linux now support routing DNS queries through the secure tunnel. This allows you to configure a self-hosted or private DNS server that the client will use whenever it is connected.

When this feature is enabled, all DNS resolution is performed over the tunnel instead of the local network. As long as you have a private resource configured that grants the client access to the DNS server, queries will be securely resolved within your private infrastructure.

To use this feature, please update your client to the latest available versions.

Contributors

depado, oschwartz10612, and 8 other contributors
Loading
2 Join discussion

1.13.1

13 Dec 18:00
@oschwartz10612 oschwartz10612
1.13.1
f2d4c2f
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.13.1

What's Changed

Full Changelog: 1.13.0...1.13.1

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Loading

1.13.0

11 Dec 23:19
@oschwartz10612 oschwartz10612
1.13.0
5d6ee45
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.13.0

What's Changed

  • Rename Clients to Machine Clients
  • Rename Client Resources to Private Resources
  • Rename Proxy Resources to Public Resources
  • Add user-device clients that allow users to connect to private resources like a VPN
  • Add Host and CIDR option to Private Resources
  • Add “magic DNS” alias to Private Resources
  • Add manage user devices modal to user profile dropdown
  • Add ability to regenerate/rotate credentials on Sites, Clients, and Remote Nodes (EE)
  • Add Request Analytics page with basic request statistics, request map, and graphs
  • Add optional new version available notification to sidebar
  • Add optional new features notification to sidebar
  • Add support for Private Resources, Machine Clients, and User Devices in Blueprints
  • Add SNI input field to health check form
  • Add generate password reset code to users table in Server Admin page
  • Add contact admin warning in forgot password page when SMTP not set up
  • Add role to Badger passthrough header
  • Add new access/audit log retention policy: keep until end of next year
  • Add option to edit animal-themed identifier (niceId) on Sites, Resources, and Clients
  • Fix broken inputs in edit health check form
  • Fix custom branding login/signup page subtitle not displaying
  • Fix empty path strip preventing create resource
  • Fix custom healthy HTTP codes not respected
  • Fix save resource overwrite custom headers input
  • Fix various blueprint inconsistencies and annoyances
  • Fix display of setup token after CrowdSec installation
  • Improve speed of request logging by removing blocking db operations
  • General UI enhancements

Breaking

Warning

This requires an update to Gerbil, Newt, Olm, and Pangolin.

Minimum Versions:

  • Pangolin 1.13.0+
  • Gerbil 1.3.0+
  • Newt 1.7.0+
  • Olm 1.2.0+
  • Remove remote subnets from sites in favor of Private Resources
  • Remove site:port proxy on Client Resources in favor of Private Resources
  • Remove client to site associations in favor of Private Resources
  • Remove --accept-clients flag from Newt; clients are on by default now with option to disable with --disable-clients
  • Remove flag.enable_clients from Pangolin config
  • Remove branding.favicon_path from private Pangolin config
    • To customize the icon, mount your favicon to /app/public/favicon.ico in the container
  • Remove branding.login.title_text and branding.signup.title_text from private Pangolin config
    • Only subtitle customization is supported (there is no longer a title on these pages)

Note

We've done our best to migrate Client Resources and Clients to the new Private Resources and Machine Clients. All pre-existing clients are now Machine Clients, and all Client Resources are now Private Resources. We've also attempted to migrate all pre-existing site associations to Private Resource access controls, and remote subnets to CIDR Private Resources. However, please review your configuration after updating to ensure everything has been migrated correctly.

Full Changelog: 1.12.3...1.13.0

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Private Resources, User Devices, and Machine Clients

Note

This is still in beta. We will work towards getting out of beta by early 2026.

This release introduces a major evolution of Pangolin’s networking model enabling private remote access via user clients. This update transforms it into a fully self‑hosted, open‑source alternative to Twingate using WireGuard under the hood. You can now access resources privately on the local network running Newt when connected and logged in to a Pangolin Client (available on Windows, Mac, and Linux).

Overview

  • Newt still acts as your Site Connector, establishing a secure control and data plane over WireGuard.
  • Private Resources define what’s accessible, like specific hosts on local networks or the entire local networks.
  • Clients (human or machine) connect securely to the private network and gain access to defined resources using their familiar LAN‑style addresses.

This effectively “flattens” your internal topology: once connected, resources across all sites are accessible without manually connecting to each individual site.

dashboard

User Devices

User Devices bring private network access directly to end users. Users can download Pangolin Client for their system and log in to their familiar Pangolin account. These authenticated clients connect securely through Pangolin and gain access to permitted Private Resources.

  • Native GUI clients are available for macOS and Windows.
  • CLI clients are available for Linux and macOS, with Windows CLI support coming soon.
  • All clients support the full feature set including WireGuard‑based encryption, NAT traversal, DNS alias, and peer‑to‑peer connections when possible for direct networking.
  • Mobile apps for Android and iOS will be coming in 2026.
Windows Client Mac Client
windows mac

Private Resources

Private Resources represent network targets reachable through your site connectors. These can be defined at different granularities:

  • Host Resources: Point directly to an individual host (e.g., 192.168.1.210).
  • CIDR Resources: Expose an entire subnet or range (e.g., 192.168.1.0/24).

When a client connects to the Pangolin network, they can access these Private Resources using the same LAN addresses without any port forwarding, route table setup, DNS configuration, VPN configuration, or proxy redirection needed.

Each Private Resource also supports a “magic DNS” alias, allowing friendly hostnames like mynas.internal to resolve automatically when connected. This simplifies navigation and behaves naturally across operating systems and clients.

Fine‑grained access control allows admins to assign which users, roles, and machine clients can access each Private Resource.

Port and protocol based restrictions coming soon.

Machine Clients

All existing “Clients” have now been migrated and renamed to Machine Clients.
Machine Clients are designed for servers, services, and automated systems (like CICD runners, monitoring, or backups) that need ongoing access to Private Resources.

They authenticate using familiar ID and secret credentials, and retain full compatibility with pre‑existing integrations while benefiting from the unified Private Resource model.

Loading

1.13.0-rc.0

08 Dec 21:17
@miloschwartz miloschwartz
1.13.0-rc.0
b63a8fd
This commit was signed with the committer’s verified signature.
oschwartz10612 Owen Schwartz
GPG key ID: 8271FDFFD9E0CCBD
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.13.0-rc.0 Pre-release
Pre-release

RC

A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.

  • Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
  • Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
  • Backup: Always back up data before installing an RC to allow rollback if problems arise.
  • Feedback: Provide feedback; it's vital for a robust final release. Participate in the discussion linked at the bottom

Warning

MIGRATIONS MAY BREAK BETWEEN RC VERSIONS

What's Changed

  • Rename Clients to Machine Clients
  • Rename Client Resources to Private Resources
  • Rename Proxy Resources to Public Resources
  • Add user-device clients that allow users to connect to private resources like a VPN
  • Add Host and CIDR option to Private Resources
  • Add “magic DNS” alias to Private Resources
  • Add manage user devices modal to user profile dropdown
  • Add ability to regenerate/rotate credentials on Sites, Clients, and Remote Nodes (EE)
  • Add Request Analytics page with basic request statistics, request map, and graphs
  • Add optional new version available notification to sidebar
  • Add optional new features notification to sidebar
  • Add support for Private Resources, Machine Clients, and User Devices in Blueprints
  • Add SNI input field to health check form
  • Add generate password reset code to users table in Server Admin page
  • Add contact admin warning in forgot password page when SMTP not set up
  • Add role to Badger passthrough header
  • Add new access/audit log retention policy: keep until end of next year
  • Add option to edit animal-themed identifier (niceId) on Sites, Resources, and Clients
  • Fix broken inputs in edit health check form
  • Fix custom branding login/signup page subtitle not displaying
  • Fix empty path strip preventing create resource
  • Fix custom healthy HTTP codes not respected
  • Fix save resource overwrite custom headers input
  • Fix various blueprint inconsistencies and annoyances
  • Fix display of setup token after CrowdSec installation
  • General UI enhancements

Breaking

Warning

This requires an update to Gerbil, Newt, Olm, and Pangolin.

Minimum Versions:

  • Pangolin 1.13.0+
  • Gerbil 1.3.0+
  • Newt 1.7.0+
  • Olm 1.2.0+
  • Remove remote subnets from sites in favor of Private Resources
  • Remove site:port proxy on Client Resources in favor of Private Resources
  • Remove client to site associations in favor of Private Resources
  • Remove --accept-clients flag from Newt; clients are on by default now with option to disable with --disable-clients
  • Remove flag.enable_clients from Pangolin config
  • Remove branding.favicon_path from private Pangolin config
    • To customize the icon, mount your favicon to /app/public/favicon.ico in the container
  • Remove branding.login.title_text and branding.signup.title_text from private Pangolin config
    • Only subtitle customization is supported (there is no longer a title on these pages)

Note

We've done our best to migrate Client Resources and Clients to the new Private Resources and Machine Clients. All pre-existing clients are now Machine Clients, and all Client Resources are now Private Resources. We've also attempted to migrate all pre-existing site associations to Private Resource access controls, and remote subnets to CIDR Private Resources. However, please review your configuration after updating to ensure everything has been migrated correctly.

Full Changelog: 1.12.3...1.13.0-rc.0

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Private Resources, User Devices, and Machine Clients

Note

This is still in beta. We will work towards getting out of beta by early 2026.

This release introduces a major evolution of Pangolin’s networking model enabling private remote access via user clients. This update transforms it into a fully self‑hosted, open‑source alternative to Twingate using WireGuard under the hood. You can now access resources privately on the local network running Newt when connected and logged in to a Pangolin Client (available on Windows, Mac, and Linux).

Overview

  • Newt still acts as your Site Connector, establishing a secure control and data plane over WireGuard.
  • Private Resources define what’s accessible, like specific hosts on local networks or the entire local networks.
  • Clients (human or machine) connect securely to the private network and gain access to defined resources using their familiar LAN‑style addresses.

This effectively “flattens” your internal topology: once connected, resources across all sites are accessible without manually connecting to each individual site.

dashboard

User Devices

User Devices bring private network access directly to end users. Users can download Pangolin Client for their system and log in to their familiar Pangolin account. These authenticated clients connect securely through Pangolin and gain access to permitted Private Resources.

  • Native GUI clients are available for macOS and Windows.
  • CLI clients are available for Linux and macOS, with Windows CLI support coming soon.
  • All clients support the full feature set including WireGuard‑based encryption, NAT traversal, DNS alias, and peer‑to‑peer connections when possible for direct networking.
  • Mobile apps for Android and iOS will be coming in 2026.
Windows Client Mac Client
windows mac

Private Resources

Private Resources represent network targets reachable through your site connectors. These can be defined at different granularities:

  • Host Resources: Point directly to an individual host (e.g., 192.168.1.210).
  • CIDR Resources: Expose an entire subnet or range (e.g., 192.168.1.0/24).

When a client connects to the Pangolin network, they can access these Private Resources using the same LAN addresses without any port forwarding, route table setup, DNS configuration, VPN configuration, or proxy redirection needed.

Each Private Resource also supports a “magic DNS” alias, allowing friendly hostnames like mynas.internal to resolve automatically when connected. This simplifies navigation and behaves naturally across operating systems and clients.

Fine‑grained access control allows admins to assign which users, roles, and machine clients can access each Private Resource.

Port and protocol based restrictions coming soon.

Machine Clients

All existing “Clients” have now been migrated and renamed to Machine Clients.
Machine Clients are designed for servers, services, and automated systems (like CICD runners, monitoring, or backups) that need ongoing access to Private Resources.

They authenticate using familiar ID and secret credentials, and retain full compatibility with pre‑existing integrations while benefiting from the unified Private Resource model.

Loading
12 Join discussion

1.12.3

04 Dec 23:18
@oschwartz10612 oschwartz10612
1.12.3
6e6fa77
This commit was signed with the committer’s verified signature.
miloschwartz Milo Schwartz
SSH Key Fingerprint: eIWugdg0kXi+A2Swxha3ZhdxemYNNll7cs1RQdqsWzU
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.12.3

What's Changed

Full Changelog: 1.12.2...1.12.3

Loading

1.12.2

09 Nov 01:30
@oschwartz10612 oschwartz10612
1.12.2
b0ff50a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.12.2

What's Changed

  • Update German translations for client and blueprint terms by @clemone210 in #1809
  • Enhancement #906/Resources Dashboard: Targets Column, Customizable Columns & Status Indicators by @Pallavikumarimdb in #1328
  • Fix typo in shareSeeOnce message by @robtec in #1824
  • Update resourceRawSettingsDescription with details by @hetlelid in #1830
  • Small Bug Fixes

New Contributors

Full Changelog: 1.12.1...1.12.2

Contributors

hetlelid, robtec, and 2 other contributors
Loading