github/pangolin
1
1
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-04-05 17:01:57 +02:00
Code Issues 85 Packages Projects Releases Wiki Activity

Inability to Forward Traffic on OpenWrt When Using --accept-clients #996

New Issue
Closed
opened 2026-04-05 18:05:35 +02:00 by MrUnknownDE · 0 comments
MrUnknownDE commented 2026-04-05 18:05:35 +02:00
Owner
Copy Link

Originally created by @burjuyz on 8/28/2025

I am trying to use newt on an OpenWrt router to provide access to my local LAN (192.168.10.0/24) for remote clients. This is often referred to as a "site-to-site" or "subnet router" configuration.

The newt client on the OpenWrt router is configured as a "site" (gateway) and runs with the --accept-clients flag. The local subnet is correctly configured as a "Resource" on the Pangolin server, associated with the OpenWrt client.

Remote clients (e.g., a Windows machine running newt) connect successfully. The remote client correctly receives the route for 192.168.10.0/24.

The Problem

While the tunnel is established, there is a fundamental issue with traffic forwarding:

  1. Pinging the Gateway's Virtual IP works: The remote client can successfully ping the virtual IP address of the OpenWrt newt instance (e.g., 100.90.128.1). This confirms that the tunnel itself is up and the newt process on the router is responsive.
  2. Pinging the LAN Fails: The remote client cannot ping any device on the local LAN (e.g., 192.168.10.200). The packets are lost.

Root Cause Analysis & Diagnostics

After extensive debugging, we have determined that the issue stems from the fact that newt operates entirely in userspace and does not create a kernel TUN/TAP interface.

This creates a disconnect between the newt process and the OpenWrt's kernel networking stack (which uses nftables).

Here’s what we've confirmed through diagnostics:

  • Encrypted traffic arrives: tcpdump on the router's WAN interface shows encrypted UDP packets arriving from the Pangolin server when the remote client sends a ping.
  • Decrypted packets never enter the kernel's forwarding path:
    • tcpdump on the br-lan interface (or any interface) never shows the decrypted ICMP packets.
    • Packet counters on the nftables FORWARD chain rules remain at zero.
    • This proves that the decrypted packet is never handed off from the newt process to the kernel for routing and firewall processing.
  • Kernel is correctly configured for forwarding: We have verified that net.ipv4.ip_forward = 1 and net.ipv4.conf.all.rp_filter = 0.
  • Firewall rules have no effect: We have tried multiple firewall configurations (both iptables-compat and native nftables via uci), including creating dedicated zones, masquerading (NAT), and explicit ACCEPT rules for the traffic. None of these rules are ever triggered because the packets never reach the firewall subsystem.

Conclusion

The core issue is a lack of integration between the userspace newt process and the kernel's routing and firewall engine. For traffic forwarding to work, the decrypted packets must be injected into the kernel's networking stack. The most standard and robust way to achieve this is by using a TUN virtual network interface.

Without the ability for newt to create or bind to a TUN interface, it appears impossible to use it as a proper subnet gateway on OpenWrt (and likely other Linux-based systems). The --accept-clients functionality seems to be broken for any scenario that requires kernel-level packet forwarding.

Suggested Solution / Feature Request

Please consider adding a feature to the newt client, possibly via a new command-line flag (e.g., --create-tun), that creates a TUN interface and forwards all site-to-site traffic through it. This would allow for seamless and standard integration with the host operating system's networking and firewall capabilities, making the subnet routing feature truly functional.

*Originally created by @burjuyz on 8/28/2025* I am trying to use `newt` on an OpenWrt router to provide access to my local LAN (`192.168.10.0/24`) for remote clients. This is often referred to as a "site-to-site" or "subnet router" configuration. The `newt` client on the OpenWrt router is configured as a "site" (gateway) and runs with the `--accept-clients` flag. The local subnet is correctly configured as a "Resource" on the Pangolin server, associated with the OpenWrt client. Remote clients (e.g., a Windows machine running `newt`) connect successfully. The remote client correctly receives the route for `192.168.10.0/24`. #### **The Problem** While the tunnel is established, there is a fundamental issue with traffic forwarding: 1. **Pinging the Gateway's Virtual IP works:** The remote client can successfully ping the virtual IP address of the OpenWrt `newt` instance (e.g., `100.90.128.1`). This confirms that the tunnel itself is up and the `newt` process on the router is responsive. 2. **Pinging the LAN Fails:** The remote client **cannot** ping any device on the local LAN (e.g., `192.168.10.200`). The packets are lost. #### **Root Cause Analysis & Diagnostics** After extensive debugging, we have determined that the issue stems from the fact that **`newt` operates entirely in userspace and does not create a kernel TUN/TAP interface.** This creates a disconnect between the `newt` process and the OpenWrt's kernel networking stack (which uses `nftables`). Here’s what we've confirmed through diagnostics: * **Encrypted traffic arrives:** `tcpdump` on the router's WAN interface shows encrypted UDP packets arriving from the Pangolin server when the remote client sends a ping. * **Decrypted packets never enter the kernel's forwarding path:** * `tcpdump` on the `br-lan` interface (or `any` interface) **never** shows the decrypted ICMP packets. * Packet counters on the `nftables` `FORWARD` chain rules remain at zero. * This proves that the decrypted packet is never handed off from the `newt` process to the kernel for routing and firewall processing. * **Kernel is correctly configured for forwarding:** We have verified that `net.ipv4.ip_forward = 1` and `net.ipv4.conf.all.rp_filter = 0`. * **Firewall rules have no effect:** We have tried multiple firewall configurations (both `iptables-compat` and native `nftables` via `uci`), including creating dedicated zones, masquerading (NAT), and explicit `ACCEPT` rules for the traffic. None of these rules are ever triggered because the packets never reach the firewall subsystem. #### **Conclusion** The core issue is a lack of integration between the userspace `newt` process and the kernel's routing and firewall engine. For traffic forwarding to work, the decrypted packets must be injected into the kernel's networking stack. The most standard and robust way to achieve this is by using a **TUN virtual network interface**. Without the ability for `newt` to create or bind to a TUN interface, it appears impossible to use it as a proper subnet gateway on OpenWrt (and likely other Linux-based systems). The `--accept-clients` functionality seems to be broken for any scenario that requires kernel-level packet forwarding. #### **Suggested Solution / Feature Request** Please consider adding a feature to the `newt` client, possibly via a new command-line flag (e.g., `--create-tun`), that creates a TUN interface and forwards all site-to-site traffic through it. This would allow for seamless and standard integration with the host operating system's networking and firewall capabilities, making the subnet routing feature truly functional.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Improvement
Improvement
Improvement
Improvement
Look Into
Security
Security
api
api
authentication
authentication
authentication
authentication
authentication
authentication
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
config
config
config
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
docker
docker
docker
docker
docker
documentation
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
go
go
go
go
go
go
go
go
go
go
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
networking
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
question
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
ui
ui
ui
ui
ui
ui
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
MrUnknownDE
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/pangolin#996
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?