Hello,
I have a question regarding CrowdSec Manager, which I would like to install on a Pangolin instance.
I understand that CrowdSec reads the Traefik files from the local Pangolin server.
How can CrowdSec read files from an AdGuard Home instance, for example, which would be on another server, in order to retrieve them from this CrowdSec Manager instance?
AdGuard Home would be behind Pangolin and protected by it.
There is surely a connection between CrowdSec installed on my AdGuard Home machine and CrowdSec installed on my Pangolin machine, but I don’t see how to establish this connection securely, if it exists.
Thank you
Best approach: Install a lightweight CrowdSec Agent on your AdGuard Home server and connect it to the CrowdSec Manager (LAPI) on Pangolin.
This is the cleanest, most secure, and officially recommended way for multi-server setups.
Recommended Architecture
- Pangolin server → Runs the full CrowdSec (LAPI + Manager + bouncer for Traefik).
- AdGuard Home server → Runs only the CrowdSec Agent (parses logs locally) and forwards alerts/decisions to Pangolin’s LAPI.
Step-by-Step Setup
-
On Pangolin Server (Manager/LAPI)
-
On AdGuard Home Server (Install Agent)
- Install CrowdSec (agent-only is fine):
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
- Register the agent to your Pangolin LAPI:
Edit /etc/crowdsec/local_api_credentials.yaml:url: http://<PANGOLIN_INTERNAL_IP_OR_TUNNEL_HOSTNAME>:8080
login: adguard-agent
password: <the_token_you_generated>
- Restart CrowdSec:
sudo systemctl restart crowdsec
-
Configure AdGuard Home Log Acquisition
Install the AdGuard Home parser/collection:
sudo cscli parsers install LePresidente/adguardhome-logs
sudo cscli collections install LePresidente/adguardhome
Then create /etc/crowdsec/acquis.d/adguardhome.yaml:
filenames:
- /path/to/adguardhome/logs/query.log # or wherever your logs are (often /var/log/adguardhome/ or /opt/adguardhome/data/)
- /path/to/adguardhome/logs/*.log
labels:
type: adguardhome
Restart CrowdSec on AdGuard server.
-
Secure Communication
Since AdGuard Home is behind Pangolin (via Newt tunnel), use the internal tunnel hostname/IP for the LAPI URL. This keeps everything encrypted over the WireGuard-based tunnel — no need to expose port 8080 publicly.
Alternative Options (Less Ideal)
- Log Centralization: Forward AdGuard logs via rsyslog/journald to Pangolin, then read them centrally. More complex and higher latency.
- NFS/SMB Mount: Mount the log directory from AdGuard to Pangolin. Works but not great for real-time and adds complexity.
Why Agent + Central LAPI is Best
- Logs are parsed close to the source (low latency, respects local paths).
- Decisions are centralized (one source of truth for bans).
- Secure (uses the existing Pangolin tunnel).
- Scalable if you add more services later.
would you like me to give you the exact commands to your OS (Docker? Linux distro?) or help the current setup on Pangolin first?
also, feel free to join the Discord mentioned if you want live 1:1 help — but I’m happy to walk you through it here too, sorry for delayed response, was away from desk.
Thanks for this tutorial 
- On crowdsec-manager, you can’t see the connected machines, only bouncer.
Perhaps I’m mistaken, but if so, this feature should be added to crowdsec-manager.
It would also be helpful to be able to see which machine banned the IP address and to sort the logs by machine.
- Another thing, the IP address that CrowdSec sees is that of Newt on Pangolin in my configuration.
Indeed, I created a public resource by filtering the IP addresses of my servers, and it’s redirecting to CrowdSec 8080. Is there a way to get the server’s IP address directly instead of the Newt IP address on Pangolin in the list of machines?
Thanks