Releases: fosrl/pangolin
1.15.4
843b13eWhat's Changed
- Use
fosrl/pangolin-clicontainer in Machine Client install commands - Fix newly created site not showing in private resource site dropdown
Full Changelog: 1.15.3...1.15.4
1.15.3
What's Changed
- Add use Pangolin CLI for machine clients install commands
- Add default org and role mapping when creating an identity provider
- Add
app.identity_provider_modefor toggling between global and org scoped identity providers (EE) - Add
flags.disable_enterprise_featuresto hide Enterprise Edition features in Community Edition - Fix machine clients being fingerprinted
- Fix machine clients name being overriden
- Various other small bug fixes and improvements
Full Changelog: 1.15.2...1.15.3
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
1.15.2
b4c0134What's Changed
- Add show user display name on user device
- Add
--network hostto Newt Docker Run install method - Other minor bug fixes and improvements
Full Changelog: 1.15.1...1.15.2
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
1.15.1
37c4a7bWhat's Changed
- Fix orphan device on archive (client fails to connect when archived from the user view)
- Fix logo url not saving
Full Changelog: 1.15.0...1.15.1
Warning
For the clients feature to work you need to have updated Gerbil to 1.3.0 and have UDP port 21820 open on the VPS firewall and in the docker compose file.
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
1.15.0
Read the Announcement
Read the full announcement with discussion of new features: Pangolin 1.15: iOS and Android apps, device approvals and posture, 1 year anniversary, stability, and more
What's Changed
- Add store user device fingerprint information (OS, serial number, hostname, etc)
- Add store user device posture information (auto updates, encryption, biometrics, etc) (EE)
- Add user device approvals for admins; explicitly approve a user’s device before it can connect to resources (EE)
- Add support for organization only scoped identity providers for true multi-tenancy (EE)
- Add block user device and machine
- Add archive user device and machine client
- Add show Site and Client install commands on credentials tab
- Add option to set rule priorities in blueprints
- Add Russian, Bulgarian, and Czech languages
- Add apply blueprint through the cli
- Fix tab key not working to navigation between host and port inputs on resource target forms
- Fix logo URL optional in custom org branding (EE)
- Fix confirm delete button working without confirm text
- General UI improvements
- Various other bug fixes
Warning
For the clients feature to work you need to have updated Gerbil to 1.3.0 and have UDP port 21820 open on the VPS firewall and in the docker compose file.
New Contributors
- @ruxenburg made their first contribution in #2172
- @JackMyers001 made their first contribution in #2204
- @K0lin made their first contribution in #2273
- @JanGrosse made their first contribution in #2209
Full Changelog: https://github.com/fosrl/pangolin/compare/1.14.1...1.15.0
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
Contributors
Assets 4
1.15.0-rc.0
49001f6RC
A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.
- Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
- Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
- Backup: Always back up data before installing an RC to allow rollback if problems arise.
- Feedback: Provide feedback; it's vital for a robust final release.
What's Changed
Note
Some things like fingerprinting and posture info coming in new clients as they are released. Please update clients when released to test.
- Add store user device fingerprint information (OS, serial number, hostname, etc)
- Add store user device posture information (auto updates, encryption, biometrics, etc) (EE)
- Add user device approvals for admins; explicitly approve a user’s device before it can connect to resources (EE)
- Add support for organization only scoped identity providers for true multi-tenancy (EE)
- Add block user device and machine
- Add archive user device and machine client
- Add show Site and Client install commands on credentials tab
- Add option to set rule priorities in blueprints
- Add Russian, Bulgarian, and Czech languages
- Fix logo URL optional in custom org branding (EE)
- Fix confirm delete button working without confirm text
- General UI improvements
- Various other bug fixes
New Contributors
- @ruxenburg made their first contribution in #2172
- @JackMyers001 made their first contribution in #2204
- @K0lin made their first contribution in #2273
- @JanGrosse made their first contribution in #2209
Full Changelog: 1.14.1...1.15.0-rc.0
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
Contributors
Assets 4
1.14.1
What's Changed
- Fix mobile header dissapearing after closing virtual keyboard
- Add flags.disable_product_help_banners to disable product help banners
- Fix machine client credentials page always showing the same ID
- UI enhancements
- Fix raw resources throwing a nextjs error
- Fix blueprint not accepting ALL
Full Changelog: 1.14.0...1.14.1
Warning
For the clients feature to work you need to have updated Gerbil to 1.3.0 and have UDP port 21820 open on the VPS firewall and in the docker compose file.
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
1.14.0
7e9f18bWhat's Changed
- Add port firewalling for Private Resources by @oschwartz10612 in #2087
- Add option to disable icmp packets over private resources by @oschwartz10612 in #2097
- Add option to pull client relay port from config by @oschwartz10612 in #2098
- Add option to make the 21820 port configurable by @oschwartz10612 in #2102
- Add wildcard alias resources by @oschwartz10612 in #2103
- Add OIDC authentication error response support by @buggystick in #2033
- Add login page customization (EE) by @Fredkiss3 in #1846
- Allow changing site on private resources by @oschwartz10612 in #2112
- Add ASN-based resource rule matching by @WildeTechSolutions in #2095
- Fix: filter dates evaluated at module load time by @depado in #2116
- Refactor: save button positionning by @Fredkiss3 in #1989
- Fix: Adding the blueprints list/get access via API by @huzky-v in #2104
- Refactor: Update
<DomainPicker />to accept default values by @Fredkiss3 in #2034 - Fix: Extend Basic Auth compatibility with browsers #1698 by @jln-brtn in #1951
- Add maintenance screen support (EE) by @oschwartz10612 in #2128
- Fix: Prevent cache memory leak with maxKeys limit and conditional caching by @djcrafts in #2133
- Fix: Support public-resources and private-resources in Docker blueprint labels by @djcrafts in #2132
- Fix: Add missing gnupg utility during Docker installation by @mgruszkiewicz in #2068
- ci: parallelize test workflow by @water-sucks in #2084
- feat(setup): allow declaring a server setup token through env variable by @water-sucks in #2080
- Small UI Improvements
New Contributors
- @mgruszkiewicz made their first contribution in #2068
- @buggystick made their first contribution in #2033
- @depado made their first contribution in #2116
- @huzky-v made their first contribution in #2104
- @WildeTechSolutions made their first contribution in #2095
- @djcrafts made their first contribution in #2133
Full Changelog: 1.13.1...1.14.0
Recommended Versions
Pangolin is backward compatible with older versions of its components. However, access to new features requires that all components be updated to their latest versions. We strongly recommend keeping everything up to date to ensure you benefit from the newest functionality, improvements, and fixes.
- Pangolin 1.14.0+
- Badger 1.3.1+
- Gerbil 1.3.0+
- Olm 1.3.0+
- Note: If you're using a client for macOS, Windows, or Pangolin CLI, simply update to the latest versions.
- Newt 1.8.0+
Warning
For the clients feature to work you need to have updated Gerbil to 1.3.0 and have UDP port 21820 open on the VPS firewall and in the docker compose file.
CROWDSEC USERS PLEASE READ
Due to an earlier misconfiguration of the health check for Crowdsec installs you may get rate limited due to Crowdsec's new policies. Please follow the info in this discussion to make the change to prevent rate limiting.
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
Badger Supports Real IP with Cloudflare Proxy
Badger 1.3.0 supports pulling the real IP when behind the Cloudflare Proxy. Support for this is enabled by default. Read more in the Badger release notes.
Port Firewalling and ICMP Ping Support in Private Resources
Private resources now support more granular access controls for ports and protocols. For TCP and UDP traffic, you can choose to allow all ports, block all ports, or define a specific set of allowed ports and port ranges.
In addition, private resources now support ICMP ping. Previously, ICMP traffic was always blocked, preventing you from using tools like ping to test connectivity. With this update, ICMP ping is enabled by default and can also be disabled at any time through the resource’s firewall settings.
Wildcard Alias
Private resources now support wildcard DNS aliases. Instead of defining a single, explicit alias, you can now use a wildcard like *.vpn.internal, which will resolve all matching subdomains to the destination host.
This is useful, for example, when running a reverse proxy (such as Traefik) alongside the site connector (Newt). Multiple services can be routed by hostname and served over HTTPS with valid certificates, while remaining accessible only privately over the tunnel.
Use Private DNS Servers with Pangolin Clients
Pangolin clients on Windows, macOS, and Linux now support routing DNS queries through the secure tunnel. This allows you to configure a self-hosted or private DNS server that the client will use whenever it is connected.
When this feature is enabled, all DNS resolution is performed over the tunnel instead of the local network. As long as you have a private resource configured that grants the client access to the DNS server, queries will be securely resolved within your private infrastructure.
To use this feature, please update your client to the latest available versions.
Contributors
Assets 4
1.14.0-rc.0
972febfRC
A Release Candidate (RC) is a near-final software version, stable but undergoing last tests before official release. It has all features and no known bugs.
- Users: Use cautiously due to potential undiscovered bugs. Not for critical systems unless prepared for issues. Report bugs.
- Developers/Testers: Perform crucial final validation and thorough testing, especially of recent changes, to catch last-minute major issues.
- Backup: Always back up data before installing an RC to allow rollback if problems arise.
- Feedback: Provide feedback; it's vital for a robust final release.
What's Changed
- Add port firewalling for Private Resources by @oschwartz10612 in #2087
- Add option to disable icmp packets over private resources by @oschwartz10612 in #2097
- Add option to pull client relay port from config by @oschwartz10612 in #2098
- Add option to make the 21820 port configurable by @oschwartz10612 in #2102
- Add wildcard alias resources by @oschwartz10612 in #2103
- Add OIDC authentication error response support by @buggystick in #2033
- Add login page customization by @Fredkiss3 in #1846
- Allow changing site on private resources by @oschwartz10612 in #2112
- Add ASN-based resource rule matching by @WildeTechSolutions in #2095
- Fix: filter dates evaluated at module load time by @depado in #2116
- Refactor: save button positionning by @Fredkiss3 in #1989
- Fix: Adding the blueprints list/get access via API by @huzky-v in #2104
- Refactor: Update
<DomainPicker />to accept default values by @Fredkiss3 in #2034 - Fix: Extend Basic Auth compatibility with browsers #1698 by @jln-brtn in #1951
- Add maintenance screen support by @oschwartz10612 in #2128
- Fix: Prevent cache memory leak with maxKeys limit and conditional caching by @djcrafts in #2133
- Fix: Support public-resources and private-resources in Docker blueprint labels by @djcrafts in #2132
- Fix: Add missing gnupg utility during Docker installation by @mgruszkiewicz in #2068
- ci: parallelize test workflow by @water-sucks in #2084
- feat(setup): allow declaring a server setup token through env variable by @water-sucks in #2080
- Small UI Improvements
New Contributors
- @mgruszkiewicz made their first contribution in #2068
- @buggystick made their first contribution in #2033
- @depado made their first contribution in #2116
- @huzky-v made their first contribution in #2104
- @WildeTechSolutions made their first contribution in #2095
- @djcrafts made their first contribution in #2133
Full Changelog: 1.13.1...1.14.0-rc.0
Recommended Versions
Pangolin is backward compatible with older versions of its components. However, access to new features requires that all components be updated to their latest versions. We strongly recommend keeping everything up to date to ensure you benefit from the newest functionality, improvements, and fixes.
- Pangolin 1.14.0+
- Badger 1.3.0+
- Gerbil 1.3.0+
- Olm 1.3.0+
- Newt 1.8.0+
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.
Badger Supports Real IP with Cloudflare Proxy
Badger 1.3.0 supports pulling the real IP when behind the Cloudflare Proxy. Support for this is enabled by default. Read more in the Badger release notes.
Port Firewalling and ICMP Ping Support in Private Resources
Private resources now support more granular access controls for ports and protocols. For TCP and UDP traffic, you can choose to allow all ports, block all ports, or define a specific set of allowed ports and port ranges.
In addition, private resources now support ICMP ping. Previously, ICMP traffic was always blocked, preventing you from using tools like ping to test connectivity. With this update, ICMP ping is enabled by default and can also be disabled at any time through the resource’s firewall settings.
Use Private DNS Servers with Pangolin Clients
Pangolin clients on Windows, macOS, and Linux now support routing DNS queries through the secure tunnel. This allows you to configure a self-hosted or private DNS server that the client will use whenever it is connected.
When this feature is enabled, all DNS resolution is performed over the tunnel instead of the local network. As long as you have a private resource configured that grants the client access to the DNS server, queries will be securely resolved within your private infrastructure.
To use this feature, please update your client to the latest available versions.
Contributors
Assets 4
1.13.1
f2d4c2fWhat's Changed
- Fix newt proxies not getting created when creating new users
- Fix pagination issues
- Fix resource priority
- Minor UI improvements
- Update react CVE-2025-55184, CVE-2025-67779 & CVE-2025-55183
Full Changelog: 1.13.0...1.13.1
How to Update
Important
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.