How Olm Works
Registers with Pangolin
Using the Olm ID and a secret, the client will make HTTP requests to Pangolin to receive a session token. Using that token, it will connect to a websocket and maintain that connection. Control messages will be sent over the websocket.Establishes WireGuard Tunnel
When Olm receives WireGuard control messages, it will use the information encoded (endpoint, public key) to bring up a WireGuard tunnel using native system interfaces. It will ping over the tunnel to ensure the peer on the Gerbil side is brought up.Creates Virtual Network Interface
Olm creates a virtual network adapter on your computer just like a traditional VPN. This allows you to access resources on your private network as if you were physically connected to it.Configuration Arguments
Olm ID generated by Pangolin to identify the client.Example:
31frd0uzbjvp721A unique secret used to authenticate the client ID with the websocket.Example:
h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6Keep this secret private and secure. It’s used for authentication.
The endpoint where both Gerbil and Pangolin reside for websocket connections.Example:
https://pangolin.example.comMTU for the WireGuard interface.Default:
1280DNS server to use for resolving the endpoint.Default:
8.8.8.8The log level to use for Olm output.Options:
DEBUG, INFO, WARN, ERROR, FATALDefault: INFOInterval for pinging the server.Default:
3sTimeout for each ping.Default:
5sEnable NAT hole punching mode instead of relaying through the VPS.Default:
falseThis is EXPERIMENTAL. While functional, it does not always connect reliably and can fall back to relaying.
Path to a configuration file containing the same arguments as command line.Example:
/etc/olm/config.yamlConfiguration Examples
Basic Configuration
With Hole Punching
With Custom MTU and DNS
With Health Check
Environment Variables
All CLI arguments can be set using environment variables as an alternative to command line flags. Environment variables are particularly useful when running Olm in containerized environments.Endpoint of your Pangolin server (equivalent to
--endpoint)Olm ID generated by Pangolin (equivalent to
--id)Olm secret for authentication (equivalent to
--secret)MTU for the WireGuard interface (equivalent to
--mtu)Default: 1280DNS server to use for resolving the endpoint (equivalent to
--dns)Default: 8.8.8.8Log level (equivalent to
--log-level)Default: INFOInterval for pinging the server (equivalent to
--ping-interval)Default: 3sTimeout for each ping (equivalent to
--ping-timeout)Default: 5sEnable NAT hole punching mode (equivalent to
--holepunch)Default: falsePath to health file for connection monitoring (equivalent to
--health-file)Load the config from this file instead of command line arguments (equivalent to
--config-file)When both environment variables and CLI arguments are provided, CLI arguments take precedence.
Troubleshooting
Connection Issues
- Check credentials: Ensure the ID and secret are correct
- Verify endpoint: Make sure the endpoint URL is accessible
- Check firewall: Ensure port 21820 is open on your VPS
- Verify site configuration: Make sure your Newt site has
--accept-clientsenabled
Permission Issues
- Linux/macOS: Run with sudo or ensure proper capabilities
- Windows: Run as administrator or install as a service
- LXC containers: Configure tun device access
Performance Issues
- Try hole punching: Use
--holepunchfor better performance - Adjust MTU: Try different MTU values if experiencing packet loss
- Check network: Ensure stable internet connection
Security Considerations
- Keep your client secret secure and private
- Use HTTPS endpoints only
- Regularly rotate client credentials
- Monitor client connections in the dashboard
- Use firewall rules to restrict access to specific resources