From 4ac01fecf948ea4070aa953f710ab123ac01f3ca Mon Sep 17 00:00:00 2001 From: Laurence Date: Wed, 18 Feb 2026 07:48:26 +0000 Subject: [PATCH 1/9] enhance: clarify Netcup DNS-01 UDP firewall workaround --- self-host/advanced/wild-card-domains.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/self-host/advanced/wild-card-domains.mdx b/self-host/advanced/wild-card-domains.mdx index 5a5b3b4..0d0dd47 100644 --- a/self-host/advanced/wild-card-domains.mdx +++ b/self-host/advanced/wild-card-domains.mdx @@ -255,6 +255,12 @@ Traefik supports most DNS providers. You can find a full list of supported provi - Check API token permissions and scope - Ensure DNS propagation has completed - Review provider-specific configuration + + + **Known issue with Netcup**: DNS-01 can fail on Netcup due to how their provider firewall handles UDP. DNS replies may be treated as inbound traffic **from source port `53`** and get dropped. + + **Workaround**: Allow **ingress UDP** with **source port `53`** (to your server's UDP ports, or `ANY`). Repeat this for other UDP-based services if needed. + @@ -262,4 +268,4 @@ Traefik supports most DNS providers. You can find a full list of supported provi **Solution**: Delete the `acme.json` file to force new certificate generation. - \ No newline at end of file + From fae58ba9fb0fc856c18b598f531101887f2ef757 Mon Sep 17 00:00:00 2001 From: Laurence Date: Wed, 18 Feb 2026 07:56:13 +0000 Subject: [PATCH 2/9] reword it to be generic instead of focusing on netcup --- self-host/advanced/wild-card-domains.mdx | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/self-host/advanced/wild-card-domains.mdx b/self-host/advanced/wild-card-domains.mdx index 0d0dd47..a3db599 100644 --- a/self-host/advanced/wild-card-domains.mdx +++ b/self-host/advanced/wild-card-domains.mdx 
@@ -255,12 +255,8 @@ Traefik supports most DNS providers. You can find a full list of supported provi - Check API token permissions and scope - Ensure DNS propagation has completed - Review provider-specific configuration + - If your DNS provider has a firewall in place, ensure it allows incoming DNS traffic (typically UDP on port **53**). Adding an ingress rule to permit such traffic may help resolve the issue, especially if the firewall is stateless. - - **Known issue with Netcup**: DNS-01 can fail on Netcup due to how their provider firewall handles UDP. DNS replies may be treated as inbound traffic **from source port `53`** and get dropped. - - **Workaround**: Allow **ingress UDP** with **source port `53`** (to your server's UDP ports, or `ANY`). Repeat this for other UDP-based services if needed. - From 2bcb4b2fecea52cecbf4cedfaa54309f6e07d58a Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Wed, 25 Feb 2026 16:53:04 -0800 Subject: [PATCH 3/9] update ssh doc and links to cloud --- docs.json | 1 + manage/access-control/approvals.mdx | 2 +- manage/access-control/login-page.mdx | 2 +- manage/clients/fingerprinting.mdx | 2 +- manage/domains.mdx | 4 ++-- manage/identity-providers/add-an-idp.mdx | 6 ++--- manage/identity-providers/azure.mdx | 2 +- manage/identity-providers/google.mdx | 2 +- manage/remote-node/understanding-nodes.mdx | 2 +- manage/ssh.mdx | 28 ++++++++++++++++++---- 10 files changed, 35 insertions(+), 16 deletions(-) diff --git a/docs.json b/docs.json index 41a213a..f0112d4 100644 --- a/docs.json +++ b/docs.json @@ -91,6 +91,7 @@ "manage/access-control/rules", "manage/access-control/forwarded-headers", "manage/access-control/login-page", + "manage/ssh", "manage/geoblocking", "manage/asnblocking", "manage/access-control/mfa", diff --git a/manage/access-control/approvals.mdx b/manage/access-control/approvals.mdx index 62cb70b..63425b1 100644 --- a/manage/access-control/approvals.mdx +++ b/manage/access-control/approvals.mdx 
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; - Only available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). + Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition). By default, any client configured with valid credentials can connect to an organization. To enhance security, you can enable device approvals, which require each new device to be manually approved by an administrator before it can connect. diff --git a/manage/access-control/login-page.mdx b/manage/access-control/login-page.mdx index 5e2995a..dc36958 100644 --- a/manage/access-control/login-page.mdx +++ b/manage/access-control/login-page.mdx @@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; -Custom auth pages are only available in Pangolin Cloud. +Custom auth pages are only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup). Custom organization authentication pages let you serve the login page at your own domain instead of the default `app.pangolin.net`. This provides better user experience and brand consistency. diff --git a/manage/clients/fingerprinting.mdx b/manage/clients/fingerprinting.mdx index e9a70cd..7b97e29 100644 --- a/manage/clients/fingerprinting.mdx +++ b/manage/clients/fingerprinting.mdx @@ -33,7 +33,7 @@ The following device attributes are collected on each device when available: ## Available Posture Checks - Posture checks are only collected on Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition). + Posture checks are only collected on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition). Posture checks are also collected on each platform; this is device state that diff --git a/manage/domains.mdx b/manage/domains.mdx index 3ba10bf..abbfb46 100644 --- a/manage/domains.mdx 
+++ b/manage/domains.mdx @@ -32,7 +32,7 @@ More about self-hosted DNS and networking can be found in the [DNS & Networking ### Domain Delegation (NS Records) -Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only +[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only Gives Pangolin full DNS control over your domain. @@ -44,7 +44,7 @@ Domain delegation is ideal when you want Pangolin to manage your entire domain a ### Single Domain (CNAME Records) -Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only +[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only Single domain is limited to the exact domain you specify. diff --git a/manage/identity-providers/add-an-idp.mdx b/manage/identity-providers/add-an-idp.mdx index 8c78a44..fc83fc7 100644 --- a/manage/identity-providers/add-an-idp.mdx +++ b/manage/identity-providers/add-an-idp.mdx @@ -39,7 +39,7 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin: Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs. - Available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`. + Available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`. ### Global Identity Providers 
@@ -64,7 +64,7 @@ This can be used to connect to any external identity provider that supports the ### Google -Google IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable. +Google IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable. Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services. @@ -72,7 +72,7 @@ Easily set up Google Workspace authentication for your organization. Users can s ### Azure Entra ID -Azure Entra ID IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable. +Azure Entra ID IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable. Integrate with Microsoft's enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem. diff --git a/manage/identity-providers/azure.mdx b/manage/identity-providers/azure.mdx index 0d4c613..35b974f 100644 --- a/manage/identity-providers/azure.mdx +++ b/manage/identity-providers/azure.mdx 
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; -Azure SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`. +Azure SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`. The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin. diff --git a/manage/identity-providers/google.mdx b/manage/identity-providers/google.mdx index feb135a..4d18beb 100644 --- a/manage/identity-providers/google.mdx +++ b/manage/identity-providers/google.mdx @@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; -Google SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`. +Google SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`. The following steps will integrate Google SSO using the built in Google identity provider in Pangolin. 
diff --git a/manage/remote-node/understanding-nodes.mdx b/manage/remote-node/understanding-nodes.mdx index 5ffb5ba..97f8af3 100644 --- a/manage/remote-node/understanding-nodes.mdx +++ b/manage/remote-node/understanding-nodes.mdx @@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; - Remote Nodes are available in Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition). + Remote Nodes are available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition). Remote nodes, you run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server and use your bandwidth. The difference is that management and monitoring are handled through our cloud or your central self-hosted [Enterprise Edition](/self-host/enterprise-edition) server. The node just handles terminating Wireguard tunnels, serving HTTP(S) traffic, and routing relayed client connections - it is essentially a remote networking hub. diff --git a/manage/ssh.mdx b/manage/ssh.mdx index a5a8820..a852fa5 100644 --- a/manage/ssh.mdx +++ b/manage/ssh.mdx 
@@ -7,14 +7,24 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; + +Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition). + + ## Overview Pangolin includes a built-in SSH client so you can connect to remote servers and manage them directly from the terminal. You use your existing Pangolin identity—no separate SSH keys to create or copy. Pangolin generates and signs temporary access keys, pushes them to the remote server, and creates or updates your user account there. All of this happens automatically when you start a connection. You can SSH into any Pangolin site or private resource. Two components handle SSH on the server side: -- **Newt (site connector)** — Runs as a daemon and handles SSH for the host it runs on. -- **Auth daemon** — Handles SSH for other servers on the same network. It can run inside Newt or as a separate process on another machine (for example, a bastion Newt plus auth daemons on other hosts). + + + Runs as a daemon and handles SSH for the host it runs on. Use this when the machine you want to SSH into is the same server running Newt. + + + Handles SSH for other servers on the same network. Run the auth daemon on each target host; Newt on a bastion proxies connections to them. + + You connect using the Pangolin CLI as the SSH client. The tunnel can be provided by the CLI or by another Pangolin client (e.g. the macOS app); you can run the GUI for the tunnel and use the CLI only for SSH if you prefer. @@ -175,6 +185,8 @@ On every host that should accept Pangolin SSH (and is not running Newt), run the sudo pangolin auth-daemon --pre-shared-key ``` +To use a non-default port, add `--port ` and set the same port in the resource’s SSH settings in the dashboard. + #### Run as a systemd service Create a systemd unit so the auth daemon runs on boot: 
@@ -193,7 +205,7 @@ User=root WantedBy=multi-user.target ``` -Replace `` with the same value used on Newt. Then: +Replace `` with the same value used on Newt. If you use a custom port (set in the resource’s SSH settings), add `--port ` to `ExecStart`. Then: ```bash sudo systemctl daemon-reload @@ -212,9 +224,13 @@ On each of these hosts, configure the SSH server as in [Configure the SSH server ### Step 4: Ensure network connectivity -- **Newt → auth daemon:** Newt must be able to reach **TCP port 22123** on each server running the auth daemon (used for HTTPS between Newt and the auth daemon). +- **Newt → auth daemon:** Newt must be able to reach the auth daemon port on each target server (default **TCP 22123**; configurable in the resource’s SSH settings and via the auth daemon’s `--port` flag). - **Clients → SSH:** Port **22** must be open for SSH to each target server (from wherever your users connect—often only within your private network). + +To change the auth daemon port from the default 22123, configure the port in the resource’s SSH settings in Pangolin and pass the same port with `--port` when starting the auth daemon. + + These ports do not need to be exposed to the public internet. They only need to be reachable within the network where Newt and the target servers live. 
@@ -280,4 +296,6 @@ Pangolin derives the remote username from your Pangolin identity (the part befor ### How does Newt communicate with the external auth daemon? -Newt talks to the auth daemon over **HTTPS** on **TCP 22123**. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet. +Newt talks to the auth daemon over **HTTPS**. **TCP 22123** is used by default. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet. + +To use a different port, set the port in the resource’s SSH settings in the Pangolin dashboard and pass the same port to the auth daemon with the `--port` flag (e.g. `pangolin auth-daemon --pre-shared-key --port 22124`). Newt and the auth daemon must use the same port. From e09772c1128d561368c708c8ccaa5b8d4adfdb41 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Wed, 25 Feb 2026 17:07:13 -0800 Subject: [PATCH 4/9] add windows cli and generate org ca to pangctl --- manage/clients/install-client.mdx | 14 ++++++++++---- self-host/advanced/container-cli-tool.mdx | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/manage/clients/install-client.mdx b/manage/clients/install-client.mdx index 8bec90d..d589e18 100644 --- a/manage/clients/install-client.mdx +++ b/manage/clients/install-client.mdx 
@@ -113,23 +113,29 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; Tap the Connect button to establish a VPN connection. On the first connection, you may be prompted to allow the VPN connection. -## Pangolin CLI (Linux) +## Pangolin CLI (Linux, macOS, Windows) -Pangolin CLI is the recommended way to run a client using a command line interface on Mac or Linux. Support for Windows is coming soon. +Pangolin CLI is the recommended way to run a client using a command line interface on Mac and Linux. + +Pangolin CLI can run on Windows, but the CLI VPN functionality is not supported. You can still use Pangolin CLI on Windows for SSH alongside the Windows GUI client. Pangolin CLI supports running as user device with authentication or a machine client. -### Quick Install (Recommended) + +### Quick Install (Recommended) — Linux and macOS Use this command to automatically install Pangolin CLI. It detects your system architecture automatically and always pulls the latest version, adding `pangolin` to your PATH: ```bash curl -fsSL https://static.pangolin.net/get-cli.sh | bash ``` +### Windows + +Go to [GitHub releases](https://github.com/fosrl/cli/releases) and download the latest **MSI installer** or **EXE** for Windows. ### Manual Download -Binaries for Linux and macOS are available in the [GitHub releases](https://github.com/fosrl/cli/releases) for ARM and AMD64 (x86_64) architectures. +Binaries for all platforms are available in the [GitHub releases](https://github.com/fosrl/cli/releases) for ARM and AMD64 (x86_64) architectures. Download and install manually: diff --git a/self-host/advanced/container-cli-tool.mdx b/self-host/advanced/container-cli-tool.mdx index 22ef980..e4fb681 100644 --- a/self-host/advanced/container-cli-tool.mdx +++ b/self-host/advanced/container-cli-tool.mdx 
@@ -124,3 +124,21 @@ This command permanently deletes the client and its associated data: This action cannot be undone. Ensure you have backups if needed. + +## Generate Org CA Keys + +Generate an SSH CA public/private key pair for an organization and store them in the database. The private key is encrypted with the server secret. + +```bash +docker exec -it pangolin pangctl generate-org-ca-keys --orgId "org-123" +``` + +### Options + +- `--orgId` (required): The organization ID +- `--secret` (optional): Server secret used to encrypt the CA private key. If omitted, the secret is read from the config file (`config.yml` or `config.yaml` in the config directory). +- `--force` (optional, default: `false`): Overwrite existing CA keys for the organization if they already exist + + +If the organization already has CA keys, the command fails unless you pass `--force`. Using `--force` overwrites the existing keys; ensure you have a backup or understand the impact before overwriting. + From 2ea66562029205f55af3bf4eab7e9e97a3014352 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Wed, 25 Feb 2026 17:42:00 -0800 Subject: [PATCH 5/9] fix ref --- manage/ssh.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage/ssh.mdx b/manage/ssh.mdx index a852fa5..876c8f8 100644 --- a/manage/ssh.mdx +++ b/manage/ssh.mdx @@ -21,7 +21,7 @@ You can SSH into any Pangolin site or private resource. Two components handle SS Runs as a daemon and handles SSH for the host it runs on. Use this when the machine you want to SSH into is the same server running Newt. - + Handles SSH for other servers on the same network. Run the auth daemon on each target host; Newt on a bastion proxies connections to them. From ded2274b6280cc6d2a1eb55360a7881daa71b509 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Thu, 26 Feb 2026 22:09:39 -0800 Subject: [PATCH 6/9] add windows config --- manage/clients/configure-client.mdx | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) 
diff --git a/manage/clients/configure-client.mdx b/manage/clients/configure-client.mdx
index 0c8db10..1ee8e71 100644
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -47,6 +47,32 @@ This is the DNS server that will be used if Override DNS is enabled or DNS Over This is a fallback DNS server that the system can use if the primary server is unavailable. Ordering and priority of the server is not guaranteed, but it provides redundancy for DNS resolution. Not used when override DNS (aliases) are disabled. +## Windows Client (Advanced) + +On Windows, you can preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in. This file uses the following fields: + +- **DNSOverride** / **DNSTunnel**: Match the **Enable Aliases (Override DNS)** and **DNS Over Tunnel** preferences, controlling whether the client takes over DNS and whether DNS goes through the tunnel. +- **PrimaryDNS** / **SecondaryDNS**: Set the upstream DNS servers used when override/tunnel DNS is enabled. +- **DefaultServerURL**: When set, skips the deployment option screen; all login flows start directly with this server URL. +- **AuthPath**: Optional path appended to the server URL for authentication, for example `/auth/org/my-org` to always send users to a specific organization or branded login page. Most deployments should leave this unset. +- **UserSettingsDisabled**: Disables the settings form in the GUI so users cannot change these values themselves. + +As a system administrator, you can script placing this file into `%LOCALAPPDATA%\Pangolin\pangolin.json` to preconfigure user installations and automate rollouts. + + + For enterprise customers, contact us if you need a custom MSI installer with baked-in configuration; we can maintain custom installers as an add-on to your enterprise license. + + +### Windows client log level + +To configure the log level for the Windows client system-wide, edit `%ProgramData%\Pangolin\pangolin.json`. For example: + +```json +{ "logLevel": "debug" } +``` + +The default log level is `info`. 
+ ## Android Battery Optimization To ensure Pangolin functions correctly in the background on Android devices, it's recommended to disable battery optimization for the app. This prevents the operating system from restricting its background activities, which could lead to disconnections. From d970bf3de8c48d7314865bcf712c08e56653ec86 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Thu, 26 Feb 2026 22:26:06 -0800 Subject: [PATCH 7/9] update windows client config formatting --- manage/clients/configure-client.mdx | 40 ++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/manage/clients/configure-client.mdx b/manage/clients/configure-client.mdx index 1ee8e71..538e1f6 100644 --- a/manage/clients/configure-client.mdx +++ b/manage/clients/configure-client.mdx 
@@ -49,13 +49,41 @@ This is a fallback DNS server that the system can use if the primary server is u ## Windows Client (Advanced) -On Windows, you can preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in. This file uses the following fields: +On Windows, you can preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in (for example, `C:\Users\USER\AppData\Local\Pangolin\pangolin.json`). -- **DNSOverride** / **DNSTunnel**: Match the **Enable Aliases (Override DNS)** and **DNS Over Tunnel** preferences, controlling whether the client takes over DNS and whether DNS goes through the tunnel. -- **PrimaryDNS** / **SecondaryDNS**: Set the upstream DNS servers used when override/tunnel DNS is enabled. -- **DefaultServerURL**: When set, skips the deployment option screen; all login flows start directly with this server URL. -- **AuthPath**: Optional path appended to the server URL for authentication, for example `/auth/org/my-org` to always send users to a specific organization or branded login page. Most deployments should leave this unset. -- **UserSettingsDisabled**: Disables the settings form in the GUI so users cannot change these values themselves. + + JSON configuration for the Windows Pangolin client stored in `pangolin.json`. + + + + When true, matches the **Enable Aliases (Override DNS)** preference and lets the client take over DNS resolution for Pangolin resources. + + + + When true, matches the **DNS Over Tunnel** preference and sends DNS queries through the Pangolin tunnel. + + + + Primary upstream DNS server used when override/tunnel DNS is enabled. + + + + Optional secondary upstream DNS server used as a fallback when the primary is unavailable. + + + + When set, skips the deployment option screen during login; all login flows start directly with this server URL. 
+ + + + Optional path appended to the server URL for authentication, for example `/auth/org/my-org` to always send users to a specific organization or branded login page. Most deployments should leave this unset. + + + + When true, hides and disables the settings form in the GUI so users cannot change these values themselves. + + + As a system administrator, you can script placing this file into `%LOCALAPPDATA%\Pangolin\pangolin.json` to preconfigure user installations and automate rollouts. From 1e400e81bb4e5c52bad2a02230d5c2f4703107d2 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Thu, 26 Feb 2026 22:33:54 -0800 Subject: [PATCH 8/9] update docs --- manage/clients/configure-client.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage/clients/configure-client.mdx b/manage/clients/configure-client.mdx index 538e1f6..fc2a864 100644 --- a/manage/clients/configure-client.mdx +++ b/manage/clients/configure-client.mdx @@ -49,7 +49,7 @@ This is a fallback DNS server that the system can use if the primary server is u ## Windows Client (Advanced) -On Windows, you can preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in (for example, `C:\Users\USER\AppData\Local\Pangolin\pangolin.json`). +On Windows, you can centrally preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in (for example, `C:\Users\USER\AppData\Local\Pangolin\pangolin.json`). This is useful for system administrators who want to enforce consistent DNS behavior and login flows across many machines without relying on end users to choose the right options. In particular, `defaultServerURL` and `authPath` let you direct users straight to the correct server and, if needed, a specific organization-branded login page on every launch. JSON configuration for the Windows Pangolin client stored in `pangolin.json`. 
From 3d215693b18a6e1c312bc155ed1cd739d632f061 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Fri, 27 Feb 2026 12:08:12 -0800 Subject: [PATCH 9/9] add note to integration api --- manage/integration-api.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage/integration-api.mdx b/manage/integration-api.mdx index 1baf62a..fe923cb 100644 --- a/manage/integration-api.mdx +++ b/manage/integration-api.mdx @@ -54,7 +54,7 @@ Organization API keys are created by organization admins and have limited scope ### Root API Keys -Root API keys have some extra permissions and can execute operations across orgs. They are only available in the Community Edition of Pangolin: +Root API keys have some extra permissions and can execute operations across orgs. They are only available in the fully self-hosted editions of Pangolin: Root API keys have elevated permissions and should be used carefully. Only create them when you need server-wide access.