Merge branch '1.14.0' into dev

2026-02-08 05:56:45 +00:00 · 2025-12-22 14:32:47 -05:00
parent 7c02b91650 c52b68395c
commit e251ad115c
4 changed files with 59 additions and 45 deletions
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -21,15 +21,15 @@ Refer to the [documentation in the official repository](https://github.com/fosrl

 <ResponseField name="id" type="string" required>
  Olm ID generated by Pangolin to identify the client.
-  
+
  **Example**: `31frd0uzbjvp721`
 </ResponseField>

 <ResponseField name="secret" type="string" required>
  A unique secret used to authenticate the client ID with the websocket.
-  
+
  **Example**: `h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6`
-  
+
  <Warning>
  Keep this secret private and secure. It's used for authentication.
  </Warning>
@@ -37,7 +37,7 @@ Refer to the [documentation in the official repository](https://github.com/fosrl

 <ResponseField name="endpoint" type="string" required>
  The endpoint where both Gerbil and Pangolin reside for websocket connections.
-  
+
  **Example**: `https://pangolin.example.com`
 </ResponseField>

@@ -51,81 +51,87 @@ Refer to the [documentation in the official repository](https://github.com/fosrl

 <ResponseField name="mtu" type="integer">
  MTU for the internal WireGuard interface.
-  
+
  **Default**: `1280`
 </ResponseField>

 <ResponseField name="dns" type="string">
  DNS server to use to resolve the endpoint.
-  
+
  **Default**: `8.8.8.8`
 </ResponseField>

 <ResponseField name="upstream-dns" type="string">
  Upstream DNS server(s), comma-separated.
-  
+
  **Default**: `8.8.8.8:53`
 </ResponseField>

 <ResponseField name="log-level" type="string">
  The log level to use for Olm output.
-  
+
  **Options**: `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`
-  
+
  **Default**: `INFO`
 </ResponseField>

 <ResponseField name="ping-interval" type="string">
  Interval for pinging the server.
-  
+
  **Default**: `3s`
 </ResponseField>

 <ResponseField name="ping-timeout" type="string">
  Timeout for each ping.
-  
+
  **Default**: `5s`
 </ResponseField>

 <ResponseField name="interface" type="string">
  Name of the WireGuard interface.
-  
+
  **Default**: `olm`
 </ResponseField>

 <ResponseField name="enable-api" type="boolean">
  Enable API server for receiving connection requests.
-  
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="http-addr" type="string">
  HTTP server address (e.g., ':9452').
-  
+
  **Default**: `:9452`
 </ResponseField>

 <ResponseField name="socket-path" type="string">
  Unix socket path (or named pipe on Windows).
-  
+
  **Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
 </ResponseField>

 <ResponseField name="disable-holepunch" type="boolean">
  Disable hole punching.
-  
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="override-dns" type="boolean">
  Override system DNS settings.
-  
+
+  **Default**: `false`
+</ResponseField>
+
+<ResponseField name="tunnel-dns" type="boolean">
+  Force connectivity to the upstream DNS server to go via the tunnel to a resource.
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="disable-relay" type="boolean">
  Disable relay connections.
-  
+
  **Default**: `false`
 </ResponseField>

@@ -159,87 +165,87 @@ When both environment variables and CLI arguments are provided, CLI arguments ta

 <ResponseField name="MTU" type="integer">
  MTU for the internal WireGuard interface (equivalent to `--mtu`)
-  
+
  **Default**: `1280`
 </ResponseField>

 <ResponseField name="DNS" type="string">
  DNS server to use to resolve the endpoint (equivalent to `--dns`)
-  
+
  **Default**: `8.8.8.8`
 </ResponseField>

 <ResponseField name="UPSTREAM_DNS" type="string">
  Upstream DNS server(s), comma-separated (equivalent to `--upstream-dns`)
-  
+
  **Default**: `8.8.8.8:53`
 </ResponseField>

 <ResponseField name="LOG_LEVEL" type="string">
  Log level (equivalent to `--log-level`)
-  
+
  **Default**: `INFO`
 </ResponseField>

 <ResponseField name="PING_INTERVAL" type="string">
  Interval for pinging the server (equivalent to `--ping-interval`)
-  
+
  **Default**: `3s`
 </ResponseField>

 <ResponseField name="PING_TIMEOUT" type="string">
  Timeout for each ping (equivalent to `--ping-timeout`)
-  
+
  **Default**: `5s`
 </ResponseField>

 <ResponseField name="INTERFACE" type="string">
  Name of the WireGuard interface (equivalent to `--interface`)
-  
+
  **Default**: `olm`
 </ResponseField>

 <ResponseField name="ENABLE_API" type="boolean">
  Enable API server for receiving connection requests (equivalent to `--enable-api`)
-  
+
  Set to "true" to enable
-  
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="HTTP_ADDR" type="string">
  HTTP server address (equivalent to `--http-addr`)
-  
+
  **Default**: `:9452`
 </ResponseField>

 <ResponseField name="SOCKET_PATH" type="string">
  Unix socket path or Windows named pipe (equivalent to `--socket-path`)
-  
+
  **Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
 </ResponseField>

 <ResponseField name="DISABLE_HOLEPUNCH" type="boolean">
  Disable hole punching (equivalent to `--disable-holepunch`)
-  
+
  Set to "true" to disable
-  
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="OVERRIDE_DNS" type="boolean">
  Override system DNS settings (equivalent to `--override-dns`)
-  
+
  Set to "true" to enable
-  
+
  **Default**: `false`
 </ResponseField>

 <ResponseField name="DISABLE_RELAY" type="boolean">
  Disable relay connections (equivalent to `--disable-relay`)
-  
+
  Set to "true" to disable
-  
+
  **Default**: `false`
 </ResponseField>

@@ -249,7 +255,7 @@ When both environment variables and CLI arguments are provided, CLI arguments ta

 ### Loading secrets from files

-You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs. 
+You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs.

 ```
 $ cat ~/.config/olm-client/config.json
@@ -276,9 +282,9 @@ $ cat ~/.config/olm-client/config.json
 }
 ```

-This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once! 
+This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once!

-Default locations: 
+Default locations:

 - **macOS**: `~/Library/Application Support/olm-client/config.json`
 - **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
@@ -286,4 +292,4 @@ Default locations:

 ### API

-Olm can be started with a HTTP or socket API to configure and manage it. See the [API documentation](https://github.com/fosrl/olm/blob/main/API.md) for more details.
+Olm can be started with a HTTP or socket API to configure and manage it. See the [API documentation](https://github.com/fosrl/olm/blob/main/API.md) for more details.
--- a/manage/resources/private/alias.mdx
+++ b/manage/resources/private/alias.mdx
@@ -3,7 +3,7 @@ title: "Aliases"
 description: "Set a friendly alias hostname that resolves to a host"
 ---

-Aliases provide a secondary, user-friendly address for any of your Resources, allowing users to access the Resource using this alternate name in addition to the original address. 
+Aliases provide a secondary, user-friendly address for any of your Resources, allowing users to access the Resource using this alternate name in addition to the original address.

 For instance, a router with the address `10.0.0.1` could be assigned the alias `router.internal`, and users could connect using either. Aliases are accessible to anyone who has access to the Resource, and they are exclusively accessible when connected with a Pangolin client, meaning they function without requiring any external DNS record setup. Furthermore, aliases are protocol agnostic, which means they will work with any network protocol, essentially acting as a pseudo-A record for an address that is only functional within the Pangolin environment.

@@ -17,7 +17,9 @@ Since aliases cannot be single-label domains, you must avoid using domain names

 ## Custom Upstream DNS

-Aliases work by overriding the DNS of your computer running the client so that all DNS requests are sent to the Pangolin client for resolution. The dns server on your computer is typically `100.96.128.1` which will forward request to an upstream server. By default, we use `9.9.9.9`, but this upstream address can be configured using [the flag](/manage/clients/configure-client) in the CLI / Olm or in the client settings.
+Aliases work by overriding the DNS of your computer running the client so that all DNS requests are sent to the Pangolin client for resolution. The dns server on your computer is typically `100.96.128.1` (the first address inside of your utility subnet on the org) when connected to the tunnel which will forward request to an upstream server. By default, we use `9.9.9.9`, but this upstream address can be configured using [the flag](/manage/clients/configure-client) in the CLI / Olm or in the client settings.
+
+**If you are attempting to set an upstream DNS server that is only accessible via the tunnel, ensure that you create a resource and check the tunnel DNS option in the client configuration settings or use the --tunnel-dns flag.** Otherwise, connectivity to the server may fail when connected to the tunnel.

 ## Disable Aliases

--- a/manage/resources/private/destinations.mdx
+++ b/manage/resources/private/destinations.mdx
@@ -26,9 +26,9 @@ Pangolin smooths away overlapping networks and arbitrarily chooses a single site

 It is recommended that you create overlapping resources only if absolutely required. If you do, use [Aliases](/manage/resources/private/alias) to explicitly defined which host should be used for a given FQDN or IP address and use the alias to connect.

-## Why is ICMP Pinging Not Working?
+## ICMP End to End?

-Because Newt sites are proxying traffic out of the secure tunnel, ICMP needs to be handled specially just like UDP and TCP. Right now, ICMP **is not supported** through the Pangolin client. If you need to ping hosts on the remote network, consider using TCP or UDP-based tools like `hping3` or `nping` as alternatives. We plan to add ICMP support in a future release.
+Pangolin supports testing connectivity to Resources using ICMP ping requests. However, it's important to note that while the Pangolin client can send ICMP echo requests to the destination, the actual ping request is captured and replayed from the Newt binary to the actually destination. This means that requests are not end to end but are still an effective way to test connectivity to a resource.

 ## Unicast Only?

--- a/self-host/advanced/config-file.mdx
+++ b/self-host/advanced/config-file.mdx
@@ -429,7 +429,7 @@ This section contains the complete reference for all configuration options in `c
      **Default**: `false`

      <Note>
-        When enabled, uses file-based dynamic configuration instead of API-based updates. 
+        When enabled, uses file-based dynamic configuration instead of API-based updates.
      </Note>
    </ResponseField>

@@ -461,6 +461,12 @@ This section contains the complete reference for all configuration options in `c
      **Example**: `51820`
    </ResponseField>

+    <ResponseField name="clients_start_port" type="integer">
+      Starting port for client WireGuard relay and hole punch port.
+
+      **Example**: `21820`
+    </ResponseField>
+
    <ResponseField name="use_subdomain" type="boolean">
      Whether to assign unique subdomains to Gerbil exit nodes.

@@ -823,6 +829,6 @@ Some configuration values can be set using environment variables for enhanced se

 | Name | Variable | Config |
 |------|----------|--------|
-| Server Secret | `SERVER_SECRET` | `server.secret` | 
+| Server Secret | `SERVER_SECRET` | `server.secret` |
 | Email Password | `EMAIL_SMTP_PASS` | `email.smtp_pass` |
 | PostgreSQL Connection String | `POSTGRES_CONNECTION_STRING` | `postgres.connection_string` |