Updating docs for 1.15.0

2026-02-08 05:56:45 +00:00 · 2026-01-22 16:13:34 -08:00
parent 795de4996f
commit 36254ae405
13 changed files with 153 additions and 217 deletions
--- a/docs.json
+++ b/docs.json
@@ -124,10 +124,8 @@
                                "group": "Remote Nodes",
                                "icon": "circle-nodes",
                                "pages": [
-                                    "manage/remote-node/ha",
+                                    "manage/remote-node/understanding-nodes",
                                    "manage/remote-node/nodes",
                                    "manage/remote-node/quick-install-remote",
                                    "manage/remote-node/convert-remote",
                                    "manage/remote-node/config-file"
                                ]
                            },
@@ -177,6 +175,7 @@
                                    "self-host/community-guides/geolite2automation"
                                ]
                            },
                            "self-host/ha",
                            "self-host/supporter-program",
                            "self-host/enterprise-edition"
                        ]
--- a/images/android_battery.png
+++ b/images/android_battery.png
--- a/images/mac-client-preferences.png
+++ b/images/mac-client-preferences.png
--- a/manage/blueprints.mdx
+++ b/manage/blueprints.mdx
@@ -29,12 +29,12 @@ Some features in this documentation are marked with **(EE)**, indicating they ar
 YAML config can be applied using Docker labels, API, from a Newt site, or in the UI. _Application through a CLI tool is planned._
-<Card title="Newt YAML">
+<Card title="CLI YAML">
-    Newt automatically discovers and applies blueprints defined in YAML format when passing the `--blueprint-file` argument. For example
+    You can apply blueprints directly through the Pangolin CLI.
 ```bash
-    newt --blueprint-file /path/to/blueprint.yaml <other-args>
+pangolin apply blueprint --file /path/to/blueprint.yaml
 ```
 </Card>
@@ -49,6 +49,16 @@ YAML config can be applied using Docker labels, API, from a Newt site, or in the
 </Card>
 <Card title="Newt YAML">
    Newt automatically discovers and applies blueprints defined in YAML format when passing the `--blueprint-file` argument. For example
    ```bash
    newt --blueprint-file /path/to/blueprint.yaml <other-args>
    ```
 </Card>
 <Card title="API YAML">
    You can also apply blueprints directly through the Pangolin API with an API key. [Take a look at the API documentation for more details.](https://api.pangolin.net/v1/docs/#/Organization/put_org__orgId__blueprint)
@@ -86,9 +96,15 @@ public-resources:
      - action: allow
        match: ip
        value: 1.1.1.1
        priority: 1
      - action: deny
        match: cidr
        value: 2.2.2.2/32
        priority: 2
      - action: allow
        match: asn
        value: AS13335
        priority: 3
      - action: pass
        match: path
        value: /admin
@@ -203,6 +219,9 @@ private-resources:
    mode: host
    destination: 192.168.1.100
    site: lively-yosemite-toad
    tcp-ports: "22,3389"
    udp-ports: "*"
    disable-icmp: false
    roles:
      - Developer
      - DevOps
@@ -216,6 +235,9 @@ private-resources:
    mode: cidr
    destination: 10.0.0.0/24
    site: lively-yosemite-toad
    tcp-ports: "80,443,8000-9000"
    udp-ports: "53,123"
    disable-icmp: true
    users:
      - admin@example.com
 ```
@@ -452,8 +474,9 @@ public-resources:
 | Property | Type | Required | Description | Constraints |
 |----------|------|----------|-------------|-------------|
 | `action` | string | Yes | Rule action (`allow`, `deny`, or `pass`) | - |
-| `match` | string | Yes | Match type (`cidr`, `path`, `ip`, or `country`) | - |
+| `match` | string | Yes | Match type (`cidr`, `path`, `ip`, `country`, or `asn`) | - |
-| `value` | string | Yes | Value to match against | Format depends on match type. For `country` match, use `ALL` to match all countries |
+| `value` | string | Yes | Value to match against | Format depends on match type. For `ip`: valid IPv4/IPv6 address. For `cidr`: valid CIDR notation. For `country`: 2-letter country code or `ALL`. For `asn`: `AS<number>` format or `ALL` |
 | `priority` | number | No | Rule priority for evaluation order | Integer value, lower numbers evaluated first |
 ### Private Resources
@@ -465,6 +488,9 @@ These are resources used with Pangolin clients (e.g., SSH, RDP).
 | `mode` | string | Yes | Resource mode (`host` or `cidr`) | - |
 | `destination` | string | Yes | Target IP address, hostname, or CIDR block | For `host` mode: IP address or domain. For `cidr` mode: valid CIDR notation |
 | `site` | string | Yes | Site identifier where the resource is located | - |
 | `tcp-ports` | string | No | TCP port ranges to allow | Port range string (e.g., `"80,443,8000-9000"`), defaults to `"*"` (all ports) |
 | `udp-ports` | string | No | UDP port ranges to allow | Port range string (e.g., `"53,123,5000-6000"`), defaults to `"*"` (all ports) |
 | `disable-icmp` | boolean | No | Disable ICMP (ping) for this resource | Defaults to `false` |
 | `alias` | string | No | Fully qualified domain name alias | Must be a valid FQDN (e.g., example.com). Required when destination is a domain in `host` mode |
 | `roles` | array | No | Allowed SSO roles | Cannot include "Admin" role |
 | `users` | array | No | Allowed user emails | Must be valid email addresses |
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -3,12 +3,23 @@ title: "Configure Clients"
 description: "Configure Olm for connecting to Pangolin clients"
 ---
-## Mac and Windows
+## GUI Clients (Mac, Windows, Android, iOS/iPadOS)
-Each respective client has a preferences window with all currently available configuration parameters like DNS override and preferred DNS servers. In your desktop client, click the menu bar or system tray icon, select More in the menu, and click Preferences.
+Each respective client has a preferences window with all currently available configuration parameters like DNS override and preferred DNS servers. In your desktop client, click the menu bar or system tray icon, select More in the menu, and click Preferences. In the mobile apps, navigate to the Setting screen.
-<Frame caption="Screenshot of how to access preferences window on Mac client. The steps are the same on Windows.">
+### Android Battery Optimization
-  <img src="/images/mac-client-preferences.png" centered/>
+
 To ensure Pangolin functions correctly in the background on Android devices, it's recommended to disable battery optimization for the app. This prevents the operating system from restricting its background activities, which could lead to disconnections.
 1. Open the **Settings** app on your Android device.
 2. Navigate to **Apps & notifications** (or simply **Apps** on some devices).
 3. Find and select the Pangolin app from the list of installed apps.
 4. Tap on **App battery usage**.
 5. Select **Allow background usage** and enable if disabled.
 6. From the options menu, choose **Unrestricted**.
 <Frame>
 	<img src="/images/android_battery.png" alt="Android Battery Optimization Settings"   style={{width: "250px", height: "auto"}} />
 </Frame>
 ## Pangolin CLI
--- a/manage/clients/install-client.mdx
+++ b/manage/clients/install-client.mdx
@@ -56,6 +56,57 @@ description: "Install native clients for Mac, Windows, and Linux"
   - Click the Pangolin icon in the menu bar and select Log in.
 ## iOS/iPadOS
 - [Pangolin on the App Store](https://apps.apple.com/us/app/pangolin-client/id6757407406) - This is the official page to download the latest Pangolin app for iOS and iPadOS.
 ### Installation Steps
 1. **Download and install the Pangolin app**
   Download and install the Pangolin app from the App Store using the link above.
 2. **Launch Pangolin**
   Open the Pangolin app from your home screen.
 3. **Install the VPN configuration**
   When prompted, allow Pangolin to add VPN configurations to your device.
   You may be asked to enter your device passcode or use Face ID/Touch ID to authorize the VPN configuration.
 4. **Log in with your Pangolin account**
   Log in on your Pangolin Cloud account or your self-hosted Pangolin instance.
 5. **Connect to Pangolin**
   Tap the Connect button to establish a VPN connection.
 ## Android
 - [Pangolin on Google Play](https://play.google.com/store/apps/details?id=net.pangolin.Pangolin) - This is the official page to download the latest Pangolin app for Android devices.
 - [All Versions](https://github.com/fosrl/android/releases) - The releases section of this repository contains release notes and download artifacts for the latest version and all older versions.
 ### Installation Steps
 1. **Download and install the Pangolin app**
   Download and install the Pangolin app from the Google Play Store using the link above.
 2. **Launch Pangolin**
   Open the Pangolin app from your app drawer or home screen.
 3. **Log in with your Pangolin account**
   Log in on your Pangolin Cloud account or your self-hosted Pangolin instance. 
 4. **Connect to Pangolin**
   Tap the Connect button to establish a VPN connection. On the first connection, you may be prompted to allow the VPN connection.
 ## Pangolin CLI (Linux)
 Pangolin CLI is the recommended way to run a client using a command line interface on Mac or Linux. Support for Windows is coming soon.
--- a/manage/remote-node/config-file.mdx
+++ b/manage/remote-node/config-file.mdx
@@ -37,10 +37,10 @@ managed:
  </Expandable>
 </ResponseField>
-### Managed Configuration
+### Remote Node Configuration
 <ResponseField name="managed" type="object">
-  Managed deployment configuration for connecting self-hosted instances to managed services.
+  Settings for connecting the remote node to the Pangolin head server.
  <Expandable title="Managed">
    {/* <ResponseField name="name" type="string">
--- a/manage/remote-node/convert-remote.mdx
+++ b/manage/remote-node/convert-remote.mdx
@@ -1,129 +0,0 @@
 ---
 title: "Convert to Remote Node"
 description: "Learn how to convert your Community or Enterprise Edition Pangolin instance to a remote node"
 ---
 ## Who is this for? 
 Use this guide if you have a self-hosted Pangolin instance and want to convert it to a remote node deployment. It's pretty easy!
 ## What will happen to my data? 
 <Warning>
 **Always backup your data before updating.** Copy your `config` directory to a safe location so you can roll back if needed.
 </Warning>
 Your existing Pangolin data will stay in the database, so feel free to try a remote node deployment without losing anything. If you want to go back, just reverse these steps.
 ## Migration
 <Steps>
 <Step title="Sign up">
    Create an account on [Pangolin Cloud](https://app.pangolin.net/auth/signup) if you don't have one already.
 </Step>
 <Step title="Generate credentials">
    In the Pangolin Cloud dashboard, navigate to the "Self-hosted" section and generate a new ID and secret for this node. Make sure to copy this config, as you'll need it later.
 </Step>
 <Step title="Prepare your instance">
  On your self-hosted Pangolin server:
  1. Stop the Pangolin service:
     ```bash
     docker-compose down
     ```
  2. Ensure you have a backup of your `config` directory.
  3. Make sure your instance is [up to date](/self-host/how-to-update) with the latest versions of Pangolin, Gerbil, and Traefik.
 </Step>
 <Step title="Paste in the credentials">
    Edit your `config/config.yml` and paste the generated ID and secret managed config at the bottom of the file:
    ```yaml
    managed:
        id: <your-generated-id>
        secret: <your-generated-secret>
    ```
    You can leave the rest of your config the same.
 </Step>
 <Step title="Update your docker-compose">
    We need to update your `docker-compose.yml` file to use the new managed configuration. Its a good idea to backup the old one.
    First change the gerbil port `443:443` to `443:8443`. This will send traffic to the Gerbil SNI proxy server before hitting Traefik downstream.
    ```
    gerbil:
        ports:
            - "443:8443" # <----- It should look like this now
    ```
    Second, add a volume to sync the certs and file based Traefik config between Pangolin and Traefik. At the bottom of the file:
    ```yaml
    volumes:
        pangolin-data:
    ```
    Then in Traefik:
    ```yaml
    traefik:
        volumes:
            - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
            - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
            - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
            # Shared volume for certificates and dynamic config in file mode
            - pangolin-data:/var/certificates:ro
            - pangolin-data:/var/dynamic:ro
    ```
    And in Pangolin
    ```yaml
    pangolin:
        volumes:
            - ./config:/app/config
            - pangolin-data:/var/certificates
            - pangolin-data:/var/dynamic
    ```
 </Step>
 <Step title="Change the repo and tag">
    Update the Pangolin repo to use the remote node image. In your `docker-compose.yml`, change the `pangolin` service to use the remote image:
    ```yaml
    pangolin:
        image: fosrl/pangolin-node:latest
    ```
 </Step>
 <Step title="Add ping to Traefik">
    Edit your `config/traefik/traefik_config.yml` file to add a ping endpoint for health checks. Add this to the bottom of the file:
    ```yaml
    ping:
        entryPoint: "web"
    ```
 </Step>
 <Step title="Bring up the stack">
    Start the updated stack with Docker Compose:
    ```bash
    docker-compose up -d
    ```
 </Step>
 <Step title="Configure your account">
    Pangolin is now controlled through the [Pangolin Cloud](https://app.pangolin.net/auth/signup) dashboard. Make sure to bring your domain and recreate your sites and resources.
    <Tip>
    If you move your whole domain away from your VPS to Pangolin Cloud, make sure to update your `base_endpoint` under the `gerbil:` section of your `config.yml` to be the IP address of your instance otherwise we cant resolve your instance in DNS.
    </Tip>
    In the future, we plan to allow importing config!
 </Step>
 </Steps>
--- a/manage/remote-node/nodes.mdx
+++ b/manage/remote-node/nodes.mdx
@@ -1,44 +0,0 @@
 ---
 title: "Remote Nodes"
 description: "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles"
 ---
 **Remote Nodes** are a option designed for people who want simplicity and extra reliability while still keeping their data private and self-hosted.
 With this option, you still run your own Pangolin node — your tunnels, SSL termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of significant benefits.
 <Tip>
    You can deploy a remote Pangolin node in seconds [using the installer](/manage/remote-node/quick-install-remote). 
 </Tip>
 ## How It Works
 The remote node approach gives you the best of both worlds:
 - **You Host the Node**: You maintain complete control over your infrastructure and where your data flows. Your tunnels, SSL termination, and all traffic processing happen on your servers.
 - **We Handle Coordination**: Pangolin Cloud manages the control plane, DNS, certificate management, database, and backups through our cloud dashboard.
 - **Seamless Failover**: Deploy multiple nodes with automatic failover between them. If your nodes become unavailable, traffic can optionally fail over to our cloud infrastructure until you restore service.
 <Frame>
  <img src="/images/ha.svg" width="400" centered/>
 </Frame>
 ## Key Benefits
 ### Simpler Operations
 No need to run your own mail server or set up complex alerting. You'll get health checks and downtime alerts out of the box, making it much easier to monitor your infrastructure without additional complexity.
 ### Automatic Updates
 The cloud dashboard evolves quickly, so you get new features and bug fixes without having to manually pull new containers every time. Your self-hosted node stays current automatically.
 ### Less Maintenance
 No database migrations, backups, or extra infrastructure to manage. We handle that in the cloud, so you can focus on what matters most to your business.
 ### Cloud Failover
 If your node goes down, your tunnels can temporarily fail over to our cloud points of presence until you bring it back online. This ensures continuous availability even during maintenance windows.
 ### High Availability (PoPs)
 You can also attach multiple nodes to your account for redundancy and better performance. Deploy nodes across different regions or providers for maximum reliability.
 ### Future Enhancements
 We're planning to add more analytics, alerting, and management tools to make your deployment even more robust. You'll automatically benefit from these improvements as they're released.
--- a/manage/remote-node/understanding-nodes.mdx
+++ b/manage/remote-node/understanding-nodes.mdx
@@ -0,0 +1,38 @@
 ---
 title: "Remote Nodes"
 description: "Control your own Pangolin node with cloud management"
 ---
 <Note>
 	Remote Nodes are available in Pangolin Enterprise and Pangolin Cloud.
 </Note>
 Remote nodes, you run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server and use your bandwidth. The difference is that management and monitoring are handled through our cloud or your central Pangolin Enterprise server. The node just handles terminating Wireguard tunnels, serving HTTP(S) traffic, and routing relayed client connections - it is essentially a remote networking hub.
 Think of different nodes as the "front doors" to your applications - users connect to the closest one, and it securely routes their requests to your backend services.
 <Tip>
    You can deploy a remote Pangolin node [using the installer](/manage/remote-node/quick-install-remote). 
 </Tip>
 ## How It Works
 - **Host the Node**: Run Gerbil, Traefik, and a light weight agent on your server that communicates with the central Pangolin control plane with a websocket connection.
 - **Delegate the DNS**: Your domain and DNS config is still controlled by the Pangolin control plane and the central DNS server routes to the right node when connecting.
 - **Certificates and Config**: The control plane pushes down WireGuard configs, SSL certificates, and routing rules to your node as you create resources and sites.
 - **Failover**: If you have multiple nodes, the control plane will failover between them. If one node becomes unavailable, traffic can optionally fail over to our cloud infrastructure or other nodes until you restore service.
 <Frame>
  <img src="/images/ha.svg" width="400" centered/>
 </Frame>
 ## Some Benefits
 ### Automatic Updates and Less Maintenance
 The cloud dashboard evolves quickly, so you get new features and bug fixes without having to manually pull new containers every time. Because the remote node is just handling the networking you do not need to do database migrations, or backups.
 ### Cloud Failover
 If your nodes goes down, your tunnels can temporarily fail over to our cloud points of presence or another node until you bring it back online. This ensures continuous availability. 
 ### High Availability (PoPs)
 You can attach multiple nodes to your account for redundancy and better performance. For example, deploy nodes across different regions or providers for decreased latency.
--- a/manage/resources/private/authentication.mdx
+++ b/manage/resources/private/authentication.mdx
@@ -16,3 +16,11 @@ When removing access to a resource, the client will automatically tear down the
    <Frame>
        <img src="/images/private_access_controls.png" centered/>
    </Frame>
 ### Port Restrictions
 By default, when access to a Resource is granted, all ports on that Resource are accessible. However, you can restrict access to specific ports on a Resource by defining port restrictions. When port restrictions are defined, only the specified ports will be accessible to users, roles, or machines that have access to the Resource. To specify specific ports, enter either a single port (e.g., `80`), a comma-separated list of ports (e.g., `80,443,8080`), or a port range using a hyphen (e.g., `8000-8100`).
 ### ICMP Access
 By default, ICMP (ping) access to Resources is enabled. To disable ICMP access, you can uncheck the "ICMP" option when configuring access to a Resource. This will prevent users, roles, or machines with access to the Resource to send ICMP echo requests (ping) to the Resource's destination.
--- a/manage/resources/private/destinations.mdx
+++ b/manage/resources/private/destinations.mdx
@@ -26,10 +26,10 @@ Pangolin smooths away overlapping networks and arbitrarily chooses a single site
 It is recommended that you create overlapping resources only if absolutely required. If you do, use [Aliases](/manage/resources/private/alias) to explicitly defined which host should be used for a given FQDN or IP address and use the alias to connect.
-## ICMP End to End?
+### ICMP End to End?
 Pangolin supports testing connectivity to Resources using ICMP ping requests. However, it's important to note that while the Pangolin client can send ICMP echo requests to the destination, **the actual ping request is captured and replayed from the Newt binary to the actually destination**. This means that requests are not end to end but are still an effective way to test connectivity to a resource.
-## Unicast Only?
+### Unicast Only?
 Right now unicast TCP and UDP traffic is supported through the Pangolin client. Multicast and broadcast traffic is not supported at this time.
--- a/manage/remote-node/ha.mdx
+++ b/manage/remote-node/ha.mdx
@@ -1,34 +1,10 @@
 ---
 title: "Highly Available Nodes"
-description: "Learn about Pangolin's network of nodes and how they provide highly available, low-latency access to your applications"
+description: "How Pangolin can be deployed in a cluster for high availability"
 ---
 Pangolin's nodes are an ability to put strategically located servers around the world that serve as entry points for user traffic to your applications. They form the foundation of Pangolin's distributed architecture, providing high availability and optimal performance.
 ## What Are Nodes?
 <CardGroup cols={2}>
 <Card title="Entry Points" icon="door-open">
  Handle incoming user requests before routing them to your applications.
 </Card>
 <Card title="Global Coverage" icon="globe">
  Located regionally to minimize latency for users in different regions.
 </Card>
 <Card title="High Availability" icon="shield-check">
  Multiple locations ensure your applications remain accessible even if individual locations fail.
 </Card>
 <Card title="Authentication" icon="key">
  Verify user identity and enforce access policies before allowing access.
 </Card>
 </CardGroup>
 <Info>
 Think of different nodes as the "front doors" to your applications - users connect to the closest one, and it securely routes their requests to your backend services.
 </Info>
 ## How Nodes Work
 <Steps>