Sync with newt and olm readme

2026-03-06 18:56:45 +00:00 · 2025-12-10 16:24:42 -05:00
parent c31b0cecde
commit 00b0150fea
4 changed files with 442 additions and 69 deletions
--- a/manage/clients/add-client.mdx
+++ b/manage/clients/add-client.mdx
@@ -63,7 +63,7 @@ Clients can relay traffic through a Pangolin server - through Gerbil specificall

 While functional, it does not always connect reliably and can fall back to relaying. We plan to work to improve the reliability over time by implementing more methods for those behind CGNAT or hard nats.

-Take a look at [these docs](https://tailscale.com/kb/1361/firewall) for some firewall changes you might be able to make to improve hole punch reliability and performance.
+Take a look at Tailscale's recommendations [these docs](https://tailscale.com/kb/1361/firewall) for some firewall changes you might be able to make to improve hole punch reliability and performance.

 This should help to:
 - Increase performance (speed/bandwidth)
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -41,18 +41,32 @@ Refer to the [documentation in the official repository](https://github.com/fosrl
  **Example**: `https://pangolin.example.com`
 </ResponseField>

+<ResponseField name="org" type="string">
+  Organization ID to connect to.
+</ResponseField>
+
+<ResponseField name="user-token" type="string">
+  User authentication token.
+</ResponseField>
+
 <ResponseField name="mtu" type="integer">
-  MTU for the WireGuard interface.
+  MTU for the internal WireGuard interface.
  
  **Default**: `1280`
 </ResponseField>

 <ResponseField name="dns" type="string">
-  DNS server to use for resolving the endpoint.
+  DNS server to use to resolve the endpoint.
  
  **Default**: `8.8.8.8`
 </ResponseField>

+<ResponseField name="upstream-dns" type="string">
+  Upstream DNS server(s), comma-separated.
+  
+  **Default**: `8.8.8.8:53`
+</ResponseField>
+
 <ResponseField name="log-level" type="string">
  The log level to use for Olm output.
  
@@ -73,16 +87,46 @@ Refer to the [documentation in the official repository](https://github.com/fosrl
  **Default**: `5s`
 </ResponseField>

-<ResponseField name="holepunch" type="boolean">
-  Enable NAT hole punching mode instead of relaying through the VPS.
+<ResponseField name="interface" type="string">
+  Name of the WireGuard interface.
+  
+  **Default**: `olm`
+</ResponseField>
+
+<ResponseField name="enable-api" type="boolean">
+  Enable API server for receiving connection requests.
  
  **Default**: `false`
 </ResponseField>

-<ResponseField name="config-file" type="string">
-  Path to a configuration file containing the same arguments as command line.
+<ResponseField name="http-addr" type="string">
+  HTTP server address (e.g., ':9452').
  
-  **Example**: `/etc/olm/config.yaml`
+  **Default**: `:9452`
+</ResponseField>
+
+<ResponseField name="socket-path" type="string">
+  Unix socket path (or named pipe on Windows).
+  
+  **Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
+</ResponseField>
+
+<ResponseField name="disable-holepunch" type="boolean">
+  Disable hole punching.
+  
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="override-dns" type="boolean">
+  Override system DNS settings.
+  
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="disable-relay" type="boolean">
+  Disable relay connections.
+  
+  **Default**: `false`
 </ResponseField>

 ### Environment Variables
@@ -105,46 +149,141 @@ When both environment variables and CLI arguments are provided, CLI arguments ta
  Olm secret for authentication (equivalent to `--secret`)
 </ResponseField>

-<ResponseField name="OLM_MTU" type="integer">
-  MTU for the WireGuard interface (equivalent to `--mtu`)
+<ResponseField name="ORG" type="string">
+  Organization ID to connect to (equivalent to `--org`)
+</ResponseField>
+
+<ResponseField name="USER_TOKEN" type="string">
+  User authentication token (equivalent to `--user-token`)
+</ResponseField>
+
+<ResponseField name="MTU" type="integer">
+  MTU for the internal WireGuard interface (equivalent to `--mtu`)
  
  **Default**: `1280`
 </ResponseField>

-<ResponseField name="OLM_DNS" type="string">
-  DNS server to use for resolving the endpoint (equivalent to `--dns`)
+<ResponseField name="DNS" type="string">
+  DNS server to use to resolve the endpoint (equivalent to `--dns`)
  
  **Default**: `8.8.8.8`
 </ResponseField>

-<ResponseField name="OLM_LOG_LEVEL" type="string">
+<ResponseField name="UPSTREAM_DNS" type="string">
+  Upstream DNS server(s), comma-separated (equivalent to `--upstream-dns`)
+  
+  **Default**: `8.8.8.8:53`
+</ResponseField>
+
+<ResponseField name="LOG_LEVEL" type="string">
  Log level (equivalent to `--log-level`)
  
  **Default**: `INFO`
 </ResponseField>

-<ResponseField name="OLM_PING_INTERVAL" type="string">
+<ResponseField name="PING_INTERVAL" type="string">
  Interval for pinging the server (equivalent to `--ping-interval`)
  
  **Default**: `3s`
 </ResponseField>

-<ResponseField name="OLM_PING_TIMEOUT" type="string">
+<ResponseField name="PING_TIMEOUT" type="string">
  Timeout for each ping (equivalent to `--ping-timeout`)
  
  **Default**: `5s`
 </ResponseField>

-<ResponseField name="OLM_HOLEPUNCH" type="boolean">
-  Enable NAT hole punching mode (equivalent to `--holepunch`)
+<ResponseField name="INTERFACE" type="string">
+  Name of the WireGuard interface (equivalent to `--interface`)
+  
+  **Default**: `olm`
+</ResponseField>
+
+<ResponseField name="ENABLE_API" type="boolean">
+  Enable API server for receiving connection requests (equivalent to `--enable-api`)
+  
+  Set to "true" to enable
  
  **Default**: `false`
 </ResponseField>

-<ResponseField name="OLM_HEALTH_FILE" type="string">
-  Path to health file for connection monitoring (equivalent to `--health-file`)
+<ResponseField name="HTTP_ADDR" type="string">
+  HTTP server address (equivalent to `--http-addr`)
+  
+  **Default**: `:9452`
 </ResponseField>

-<ResponseField name="OLM_CONFIG_FILE" type="string">
-  Load the config from this file instead of command line arguments (equivalent to `--config-file`)
+<ResponseField name="SOCKET_PATH" type="string">
+  Unix socket path or Windows named pipe (equivalent to `--socket-path`)
+  
+  **Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
 </ResponseField>
+
+<ResponseField name="DISABLE_HOLEPUNCH" type="boolean">
+  Disable hole punching (equivalent to `--disable-holepunch`)
+  
+  Set to "true" to disable
+  
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="OVERRIDE_DNS" type="boolean">
+  Override system DNS settings (equivalent to `--override-dns`)
+  
+  Set to "true" to enable
+  
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="DISABLE_RELAY" type="boolean">
+  Disable relay connections (equivalent to `--disable-relay`)
+  
+  Set to "true" to disable
+  
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="CONFIG_FILE" type="string">
+  Set to the location of a JSON file to load secret values
+</ResponseField>
+
+### Loading secrets from files
+
+You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
+
+```
+$ cat ~/.config/olm-client/config.json
+{
+  "id": "spmzu8rbpzj1qq6",
+  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
+  "endpoint": "https://app.pangolin.net",
+  "org": "",
+  "userToken": "",
+  "mtu": 1280,
+  "dns": "8.8.8.8",
+  "upstreamDNS": ["8.8.8.8:53"],
+  "interface": "olm",
+  "logLevel": "INFO",
+  "enableApi": false,
+  "httpAddr": "",
+  "socketPath": "/var/run/olm.sock",
+  "pingInterval": "3s",
+  "pingTimeout": "5s",
+  "disableHolepunch": false,
+  "overrideDNS": false,
+  "disableRelay": false,
+  "tlsClientCert": ""
+}
+```
+
+This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once! 
+
+Default locations: 
+
+- **macOS**: `~/Library/Application Support/olm-client/config.json`
+- **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
+- **Linux/Others**: `~/.config/olm-client/config.json`
+
+### API
+
+Olm can be started with a HTTP or socket API to configure and manage it. See the [API documentation](https://github.com/fosrl/olm/blob/main/API.md) for more details.
--- a/manage/clients/install-client.mdx
+++ b/manage/clients/install-client.mdx
@@ -49,7 +49,7 @@ If you're looking for a CLI interface for a client, we recommend using Pangolin

 Olm CLI is mainly only used for machine clients. Though the Pangolin CLI can also be used for machine clients, use Pangolin CLI if you expect to log in as a user.

-### Binary Installation
+### Binary Installation (Linux)

 #### Quick Install (Recommended)

@@ -118,6 +118,47 @@ WantedBy=multi-user.target
 Make sure to move the binary to `/usr/local/bin/olm` before creating the service!
 </Warning>

+### Docker
+
+You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        environment:
+            - PANGOLIN_ENDPOINT=https://example.com
+            - OLM_ID=31frd0uzbjvp721
+            - OLM_SECRET=h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+```
+
+You can also pass the CLI args to the container:
+
+```yaml
+services:
+    olm:
+        image: fosrl/olm
+        container_name: olm
+        restart: unless-stopped
+        network_mode: host
+        devices:
+            - /dev/net/tun:/dev/net/tun
+        command:
+            - --id 31frd0uzbjvp721
+            - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
+            - --endpoint https://example.com
+```
+
+**Docker Configuration Notes:**
+
+- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
+- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
+
 ### Windows Service

 On Windows, olm has to be installed and run as a Windows service. When running it with the cli args, it will attempt to install and run the service to function like a cli tool. You can also run the following:
@@ -175,6 +216,16 @@ Get-EventLog -LogName Application -Source "OlmWireguardService" -Newest 10
 Olm creates a native tun interface. This usually requires sudo / admin permissions. Some notes:

 - **Windows**: Olm will run as a service. You can use the commands described [Configure Client](/manage/clients/configure-client) to manage it. You can use this to run it in the background if needed!
- **LXC containers**: Need to be configured to allow tun access. See [Tailscale's guide](https://tailscale.com/kb/1130/lxc-unprivileged).
+- **LXC containers**: Need to be configured to allow tun access. See below.
 - **Linux**: May require root privileges or specific capabilities to create tun interfaces.
 - **macOS**: May require additional permissions for network interface creation.
+
+#### LXC Container Configuration
+
+1. Create your LXC container.
+2. Go to the Resources tab of the container.
+3. Select Add. Then select Device Passthrough.
+4. On the Add Device prompt, enter dev/net/tun in the Device Path field and select Add.
+5. If the container is running, shut it down and start it up again.
+
+Once /dev/net/tun is available, the olm can run within the LXC.