fosrl/pangolin 1.13.0-rc.0

on GitHub

RC

A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.

• Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
• Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
• Backup: Always back up data before installing an RC to allow rollback if problems arise.
• Feedback: Provide feedback; it's vital for a robust final release. Participate in the discussion linked at the bottom

What's Changed

• Rename Clients to Machine Clients
• Rename Client Resources to Private Resources
• Rename Proxy Resources to Public Resources
• Add user-device clients that allow users to connect to private resources like a VPN
• Add Host and CIDR option to Private Resources
• Add “magic DNS” alias to Private Resources
• Add manage user devices modal to user profile dropdown
• Add ability to regenerate/rotate credentials on Sites, Clients, and Remote Nodes (EE)
• Add Request Analytics page with basic request statistics, request map, and graphs
• Add optional new version available notification to sidebar
• Add optional new features notification to sidebar
• Add support for Private Resources, Machine Clients, and User Devices in Blueprints
• Add SNI input field to health check form
• Add generate password reset code to users table in Server Admin page
• Add contact admin warning in forgot password page when SMTP not set up
• Add role to Badger passthrough header
• Add new access/audit log retention policy: keep until end of next year
• Add option to edit animal-themed identifier (niceId) on Sites, Resources, and Clients
• Fix broken inputs in edit health check form
• Fix custom branding login/signup page subtitle not displaying
• Fix empty path strip preventing create resource
• Fix custom healthy HTTP codes not respected
• Fix save resource overwrite custom headers input
• Fix various blueprint inconsistencies and annoyances
• Fix display of setup token after CrowdSec installation
• General UI enhancements

Breaking

• Remove remote subnets from sites in favor of Private Resources
• Remove site:port proxy on Client Resources in favor of Private Resources
• Remove client to site associations in favor of Private Resources
• Remove --enable-clients flag from Newt; clients are on by default now with option to disable with --disable-clients
• Remove flag.enable_clients from Pangolin config
• Remove branding.favicon_path from private Pangolin config
  • To customize the icon, mount your favicon to /app/public/favicon.ico in the container
• Remove branding.login.title_text and branding.signup.title_text from private Pangolin config
  • Only subtitle customization is supported (there is no longer a title on these pages)

Full Changelog: 1.12.3...1.13.0-rc.0

How to Update

View documentation

Private Resources, User Devices, and Machine Clients

This release introduces a major evolution of Pangolin’s networking model enabling private remote access via user clients. This update transforms it into a fully self‑hosted, open‑source alternative to Twingate using WireGuard under the hood. You can now access resources privately on the local network running Newt when connected and logged in to a Pangolin Client (available on Windows, Mac, and Linux).

Overview

• Newt still acts as your Site Connector, establishing a secure control and data plane over WireGuard.
• Private Resources define what’s accessible, like specific hosts on local networks or the entire local networks.
• Clients (human or machine) connect securely to the private network and gain access to defined resources using their familiar LAN‑style addresses.

This effectively “flattens” your internal topology: once connected, resources across all sites are accessible without manually connecting to each individual site.

User Devices

User Devices bring private network access directly to end users. Users can download Pangolin Client for their system and log in to their familiar Pangolin account. These authenticated clients connect securely through Pangolin and gain access to permitted Private Resources.

• Native GUI clients are available for macOS and Windows.
• CLI clients are available for Linux and macOS, with Windows CLI support coming soon.
• All clients support the full feature set including WireGuard‑based encryption, NAT traversal, DNS alias, and peer‑to‑peer connections when possible for direct networking.
• Mobile apps for Android and iOS will be coming in 2026.

Windows Client	Mac Client

Private Resources

Private Resources represent network targets reachable through your site connectors. These can be defined at different granularities:

• Host Resources: Point directly to an individual host (e.g., 192.168.1.210).
• CIDR Resources: Expose an entire subnet or range (e.g., 192.168.1.0/24).

When a client connects to the Pangolin network, they can access these Private Resources using the same LAN addresses without any port forwarding, route table setup, DNS configuration, VPN configuration, or proxy redirection needed.

Each Private Resource also supports a “magic DNS” alias, allowing friendly hostnames like mynas.internal to resolve automatically when connected. This simplifies navigation and behaves naturally across operating systems and clients.

Fine‑grained access control allows admins to assign which users, roles, and machine clients can access each Private Resource.

Port and protocol based restrictions coming soon.

Machine Clients

All existing “Clients” have now been migrated and renamed to Machine Clients.
Machine Clients are designed for servers, services, and automated systems (like CICD runners, monitoring, or backups) that need ongoing access to Private Resources.

They authenticate using familiar ID and secret credentials, and retain full compatibility with pre‑existing integrations while benefiting from the unified Private Resource model.