Good question. I think absolute worse case scenario the tunnel and VPS is compromised and someone is able to gain access to the private network. We advise people in the docs to always consider this a possibility and secure Newt and what is has access to. A slightly worse case is there is a bypass in the forward auth and someone can get access to the webpage of a private service without passing the user/pass auth etc.

We are always looking for security experts to review the code and to pen test the application. Please hammer it and let us know at security@fossorial.io if there are any issues!

I’m running pangolin for a couple months now and instead of newt I use my router WireGuard Client in a VLAN. Any „wanted“ traffic is then routed via DNAT/firewall to my home server.