Skip to main content

Flags

id
string
required
Newt ID generated by Pangolin to identify the client.Example: 31frd0uzbjvp721
secret
string
required
A unique secret used to authenticate the client ID with the websocket.Example: h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
Keep this secret private and secure. It’s used for authentication.
endpoint
string
required
The endpoint where both Gerbil and Pangolin reside for websocket connections.Example: https://pangolin.example.com
port
integer
Port for the peers to connect to Newt on. This can be used to keep a static port open in firewalls instead of default random ports.Example: 34534
mtu
integer
MTU for the internal WireGuard interface.Default: 1280
dns
string
DNS server to use for resolving the endpoint.Default: 9.9.9.9
log-level
string
The log level to use for Newt output.Options: DEBUG, INFO, WARN, ERROR, FATALDefault: INFO
ping-interval
string
Interval for pinging the server.Default: 3s
ping-timeout
string
Timeout for each ping.Default: 5s
docker-socket
string
Set the Docker socket path for container discovery integration.Example: /var/run/docker.sock
docker-enforce-network-validation
boolean
Validate the container target is on the same network as the Newt process.Default: false
health-file
string
Check if connection to WireGuard server (Pangolin) is ok. Creates a file if ok, removes it if not ok. Can be used with Docker healthcheck to restart Newt.Example: /tmp/healthy
updown
string
Script to be called when targets are added or removed.Example: /path/to/updown.sh
blueprint-file
string
Path to blueprint file to define Pangolin resources and configurations.Example: /path/to/blueprint.yaml
no-cloud
boolean
Don’t fail over to the cloud when using managed nodes in Pangolin Cloud.Default: false
disable-clients
boolean
Disable clients on the WireGuard interface.Default: false (clients enabled)
interface
string
Name of the WireGuard interface.Default: newt
metrics
boolean
Enable Prometheus /metrics exporter.Default: true
otlp
boolean
Enable OTLP exporters (metrics/traces) to OTEL_EXPORTER_OTLP_ENDPOINT.Default: false
metrics-admin-addr
string
Admin/metrics bind address.Default: 127.0.0.1:2112
metrics-async-bytes
boolean
Enable async bytes counting (background flush; lower hot path overhead).Default: false
region
string
Optional region resource attribute for telemetry and metrics.Example: us-west-2
enforce-hc-cert
boolean
Enforce certificate validation for health checks.Default: false (accepts any cert)
tls-client-cert-file
string
Path to client certificate file (PEM/DER format) for mTLS.Example: /path/to/client.crt
tls-client-key
string
Path to client private key file (PEM/DER format) for mTLS.Example: /path/to/client.key
tls-client-ca
string
Path to CA certificate file for validating remote certificates (can be specified multiple times).Example: /path/to/ca.crt
tls-client-cert
string
Path to client certificate (PKCS12 format) - DEPRECATED: use --tls-client-cert-file and --tls-client-key instead.Example: /path/to/client.p12
prefer-endpoint
string
Prefer this endpoint for the connection (if set, will override the endpoint from the server).Example: https://preferred.endpoint.com

Environment Variables

All CLI arguments can be set using environment variables as an alternative to command line flags. Environment variables are particularly useful when running Newt in containerized environments.
When both environment variables and CLI arguments are provided, CLI arguments take precedence.
PANGOLIN_ENDPOINT
string
Endpoint of your Pangolin server (equivalent to --endpoint)
NEWT_ID
string
Newt ID generated by Pangolin (equivalent to --id)
NEWT_SECRET
string
Newt secret for authentication (equivalent to --secret)
PORT
integer
Port for the peers to connect to Newt on (equivalent to --port)
MTU
integer
MTU for the internal WireGuard interface (equivalent to --mtu)Default: 1280
DNS
string
DNS server to use for resolving the endpoint (equivalent to --dns)Default: 9.9.9.9
CONFIG_FILE
string
Load the config JSON from this file instead of in the home folder.
BLUEPRINT_FILE
string
Path to blueprint file to define Pangolin resources and configurations (equivalent to --blueprint-file).
NO_CLOUD
boolean
Don’t fail over to the cloud when using managed nodes in Pangolin Cloud (equivalent to --no-cloud).Default: false
LOG_LEVEL
string
Log level (equivalent to --log-level)Default: INFO
DOCKER_SOCKET
string
Path to Docker socket for container discovery (equivalent to --docker-socket)
PING_INTERVAL
string
Interval for pinging the server (equivalent to --ping-interval)Default: 3s
PING_TIMEOUT
string
Timeout for each ping (equivalent to --ping-timeout)Default: 5s
UPDOWN_SCRIPT
string
Path to updown script for target add/remove events (equivalent to --updown)
DOCKER_ENFORCE_NETWORK_VALIDATION
boolean
Validate container targets are on same network (equivalent to --docker-enforce-network-validation)Default: false
HEALTH_FILE
string
Path to health file for connection monitoring (equivalent to --health-file)
DISABLE_CLIENTS
boolean
Disable clients on the WireGuard interface (equivalent to --disable-clients).Default: false
INTERFACE
string
Name of the WireGuard interface (equivalent to --interface)Default: newt
NEWT_METRICS_PROMETHEUS_ENABLED
boolean
Enable Prometheus /metrics exporter (equivalent to --metrics).Default: true
NEWT_METRICS_OTLP_ENABLED
boolean
Enable OTLP exporters (metrics/traces) to OTEL_EXPORTER_OTLP_ENDPOINT (equivalent to --otlp).Default: false
NEWT_ADMIN_ADDR
string
Admin/metrics bind address (equivalent to --metrics-admin-addr).Default: 127.0.0.1:2112
NEWT_METRICS_ASYNC_BYTES
boolean
Enable async bytes counting (background flush; lower hot path overhead, equivalent to --metrics-async-bytes).Default: false
NEWT_REGION
string
Optional region resource attribute for telemetry and metrics (equivalent to --region).
ENFORCE_HC_CERT
boolean
Enforce certificate validation for health checks (equivalent to --enforce-hc-cert).Default: false
TLS_CLIENT_CERT
string
Path to client certificate file (PEM/DER format) for mTLS (equivalent to --tls-client-cert-file)
TLS_CLIENT_KEY
string
Path to client private key file (PEM/DER format) for mTLS (equivalent to --tls-client-key)
TLS_CLIENT_CAS
string
Comma-separated list of CA certificate file paths for validating remote certificates (equivalent to multiple --tls-client-ca flags)
TLS_CLIENT_CERT_PKCS12
string
Path to client certificate (PKCS12 format) - DEPRECATED: use TLS_CLIENT_CERT and TLS_CLIENT_KEY instead

Loading secrets from files

You can use CONFIG_FILE to define a location of a config file to store the credentials between runs. 
$ cat ~/.config/newt-client/config.json
{
  "id": "spmzu8rbpzj1qq6",
  "secret": "f6v61mjutwme2kkydbw3fjo227zl60a2tsf5psw9r25hgae3",
  "endpoint": "https://app.pangolin.net",
  "tlsClientCert": ""
}
This file is also written to when newt first starts up. So you do not need to run every time with —id and secret if you have run it once! Default locations:
  • macOS: ~/Library/Application Support/newt-client/config.json
  • Windows: %PROGRAMDATA%\newt\newt-client\config.json
  • Linux/Others: ~/.config/newt-client/config.json

Docker Socket Integration

Newt can integrate with the Docker socket to provide remote inspection of Docker containers. This allows Pangolin to query and retrieve detailed information about containers running on the Newt client, including metadata, network configuration, port mappings, and more. Configuration: You can specify the Docker socket path using the --docker-socket CLI argument or by setting the DOCKER_SOCKET environment variable. If the Docker socket is not available or accessible, Newt will gracefully disable Docker integration and continue normal operation. Supported values include:
  • Local UNIX socket (default):
    You must mount the socket file into the container using a volume, so Newt can access it.
    unix:///var/run/docker.sock
  • TCP socket (e.g., via Docker Socket Proxy): tcp://localhost:2375
  • HTTP/HTTPS endpoints (e.g., remote Docker APIs): http://your-host:2375
  • SSH connections (experimental, requires SSH setup): ssh://user@host 
services:
    newt:
        image: fosrl/newt
        container_name: newt
        restart: unless-stopped
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
            - PANGOLIN_ENDPOINT=https://example.com
            - NEWT_ID=2ix2t8xk22ubpfy
            - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2
            - DOCKER_SOCKET=unix:///var/run/docker.sock
If the Docker socket is not available or accessible, Newt will gracefully disable Docker integration and continue normal operation.
Hostnames vs IPs When the Docker Socket Integration is used, depending on the network which Newt is run with, either the hostname (generally considered the container name) or the IP address of the container will be sent to Pangolin:
  • Running in Network Mode ‘host’: IP addresses will be used
  • Running in Network Mode ‘bridge’: IP addresses will be used
  • Running in docker-compose without a network specification: Docker compose creates a network for the compose by default, hostnames will be used
  • Running on docker-compose with defined network: Hostnames will be used
Docker Enforce Network Validation When run as a Docker container, Newt can validate that the target being provided is on the same network as the Newt container and only return containers directly accessible by Newt. Validation will be carried out against either the hostname/IP Address and the Port number to ensure the running container is exposing the ports to Newt. Validation is false by default. It can be enabled via setting the --docker-enforce-network-validation CLI argument or by setting the DOCKER_ENFORCE_NETWORK_VALIDATION environment variable.
If the Newt container is run with a network mode of host, this feature will not work. Running in host mode causes the container to share its resources with the host machine, making it impossible to retrieve specific host container information for network validation.

Updown Scripts

You can pass in an updown script for Newt to call when it is adding or removing a target: 
--updown "python3 test.py"
The script will be called with arguments when a target is added or removed: 
python3 test.py add tcp localhost:8556
python3 test.py remove tcp localhost:8556
Returning a string from the script in the format of a target (ip:dst so 10.0.0.1:8080) will override the target and use this value instead to proxy.
You can look at updown.py as a reference script to get started!

mTLS Authentication

Newt supports mutual TLS (mTLS) authentication if the server is configured to request a client certificate. You can use either a PKCS12 (.p12/.pfx) file or split PEM files for the client cert, private key, and CA.

Option 1: PKCS12 (Legacy)

This is the original method and still supported.
Requirements:
  • File must contain:
    • Client private key
    • Public certificate
    • CA certificate
  • Encrypted .p12 files are not supported
Example: 
newt \
--id 31frd0uzbjvp721 \
--secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
--endpoint https://example.com \
--tls-client-cert ./client.p12

Option 2: Split PEM Files (Preferred)

You can now provide separate files for:
  • --tls-client-cert-file: client certificate (.crt or .pem)
  • --tls-client-key: client private key (.key or .pem)
  • --tls-client-ca: CA cert to verify the server (can be specified multiple times)
Example: 
newt \
--id 31frd0uzbjvp721 \
--secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
--endpoint https://example.com \
--tls-client-cert-file ./client.crt \
--tls-client-key ./client.key \
--tls-client-ca ./ca.crt

NAT Traversal Tweaks

Newt supports NAT traversal to allow clients to connect directly to Newt sites without relaying through the Pangolin server, improving performance and reducing latency. In some environment depending on the NAT type and firewall, you may need to tweak some settings to get optimal connectivity in the firewall itself. Take a look at these docs for some firewall changes you might be able to make. Another option is to keep newt listening for client connections on a static port. This allows you to open a specific port in your firewall for Newt client connections instead of random high ports. You can do this by setting the --port flag or PORT environment variable and then opening this port in the your firewall to DNAT to Newt.