CLI basics and installation
9 answersLearn what PandaVPN CLI is, how it differs from the desktop app, and how to install it.
Q What is Panda CLI?
Panda CLI is Panda’s command-line client and supports the following through the terminal:
- Login and account management
- Node refresh and node connection
- Switching between PandaVPN / Proxy / WireGuard / Auto modes
- System proxy configuration
- Split rules
- Split DNS configuration
- Kill-switch protection
- Auto-connect
- Logs and diagnostics
It is suitable for internal beta users, developers, advanced users, and testing scenarios that require scripted operations.
Q What is the difference between Panda CLI and the desktop client?
Panda CLI is operated through the command line and is better suited for:
- Automated testing
- Remote troubleshooting
- Scripted connections
- Viewing detailed diagnostic information
- Validating low-level behaviors such as Kill-switch, DNS, routing, and system proxy
The desktop client is better suited for everyday graphical operations by regular users.
Note: The legacy Qt desktop client and CLI are not recommended to manage VPN / system proxy at the same time, to avoid overwriting each other’s configuration.
Q Why does Panda CLI need a daemon / service?
Some capabilities require system-level permissions, such as:
- Creating TUN / WireGuard network interfaces
- Modifying DNS
- Setting the system proxy
- Applying the Kill-switch
- Repairing routes
- Managing the packet VPN runtime
Therefore, the CLI performs these operations through the platform-specific daemon / service.
Daemon forms on different platforms:
| Platform | Daemon form |
|---|---|
| macOS | LaunchDaemon / privileged helper |
| Linux | systemd service |
| Windows | Windows Service |
Q What are the differences between the installation methods for Windows / macOS / Linux?
The key difference is: On Windows and macOS, the service is usually installed automatically through the installer, while on Linux users usually need to manually run sudo panda service install.
| Platform | Recommended installation method | Need to manually install service? |
|---|---|---|
| Windows | Installer | Usually no; the installer will elevate privileges and register Windows Service |
| macOS | .pkg installer | Usually no; the installer will install LaunchDaemon / helper |
| Linux | binary + systemd service | Requires running sudo panda service install |
On Windows, you only need to run the following in an administrator PowerShell if you are not using the installer and are placing the binary manually:
panda service install windows
On macOS, this is only needed for development and debugging, when not using the .pkg installer, or when the daemon does not start automatically:
sudo panda start
On Linux, we recommend:
sudo panda service install
panda service status
Q Are the installation steps for Windows ARM64 and AMD64 / x64 the same?
Yes. The main difference is the architecture of the installation package you download.
| Architecture | Applicable devices |
|---|---|
| Windows x64 / AMD64 | Most Intel / AMD Windows computers |
| Windows ARM64 | Windows on ARM devices |
The installation steps, commands, and service management method are the same. The installer will automatically elevate privileges and register the Windows Service.
Connection modes and routing
10 answersUnderstand CLI connection modes, routing options, smart connect, nodes, and current status.
Q What modes does Panda CLI support?
Mainly supports:
| Mode | Description |
|---|---|
auto |
Default mode. Recommends a runtime based on API / node metadata, and falls back to PandaVPN global if it fails |
proxy |
Local SOCKS5 / HTTP / PAC proxy |
pandavpn |
PandaVPN packet VPN / TUN runtime |
wireguard |
WireGuard packet VPN |
Common settings:
panda mode auto
panda mode pandavpn global
panda mode proxy global
panda mode wireguard
openvpn is currently not recommended as a mainline mode in user documentation.
Q How should you choose between auto, proxy, pandavpn, and wireguard?
Recommendation:
| Scenario | Recommended mode |
|---|---|
| New users / everyday connections | auto |
| Want to always use global VPN | pandavpn global |
| Only want the browser or system proxy to go through Panda | proxy |
| Need Kill-switch | auto, pandavpn, or wireguard |
| The node provides WireGuard metadata | auto or wireguard |
| Need deep validation of Split rules / Split DNS | pandavpn |
Note: mode proxy and Kill-switch are mutually exclusive.
Q What is mode auto?
mode auto is the new default mode.
Its behavior is:
- API node / smart connect prioritizes the runtime based on
meta.protocol; - If WireGuard is recommended, it will try WireGuard first;
- If WireGuard metadata, address allocation, runtime startup, handshake, or connectivity probing fails, it falls back to PandaVPN global compiled from the SS payload;
SS,OPENVPN, unknown, or missing protocols use PandaVPN global as the fallback;mode autodoes not accept a policy parameter, and the resolved runtime is always global.
Recommended for new users:
panda mode auto
panda connect
Q What is the difference between global, gfwlist, direct-region, and proxy-region?
| Policy | Meaning |
|---|---|
global | Everything goes through the proxy / tunnel |
gfwlist | default direct; GFWList matches go through the proxy / tunnel |
direct-region in | default proxy / tunnel; matches for the two-letter country code in go direct |
proxy-region us | default direct; matches for the two-letter country code us go through the proxy / tunnel |
direct-region is the recommended syntax; bypass-region / bypass are compatibility aliases.
For example:
panda mode pandavpn direct-region in
Equivalent to the compatibility alias:
panda mode pandavpn bypass-region in
Q What is PandaVPN’s explicit split long command?
The new version supports a more complete split profile syntax:
panda mode pandavpn split default direct proxy-region <cc>
panda mode pandavpn split default proxy direct-region <cc>
Common tokens:
| Token | Meaning |
|---|---|
default direct |
Default to direct connection when no rule matches |
default proxy |
Default to tunnel when no rule matches |
proxy-region <cc> |
Route the specified region through the tunnel |
direct-region <cc> |
Use direct connection for the specified region |
gfwlist |
Enable GFWList source |
direct-lan |
Direct connection for LAN |
proxy-lan |
Route LAN through the tunnel as well |
custom-rules |
Enable custom split rules |
exclude-custom-rules |
Do not load custom split rules |
Examples:
panda mode pandavpn split default direct proxy-region us custom-rules
panda mode pandavpn split default proxy direct-region in direct-lan custom-rules
Long commands are not recommended for beginner documentation. They are better suited for advanced split routing documentation.
Diagnostics and logs
9 answersUse these questions for doctor, repair, logs, system proxy, Split rules, Split DNS, and Kill-switch behavior.
Q What does panda doctor do?
doctor is a read-only diagnostic command used to view the current key status of Panda CLI.
panda doctor
panda doctor --json
Short form:
panda do
Focus on:
runtime
kill_switch
selected_node
vpn_dns
dns_lockdown
split_policy
system_proxy_state
vpn_routes
last_error
Q What is panda trace?
trace is used to see which rule, DNS action, and route a target will use.
panda trace example.com:443
panda trace 8.8.8.8:53 --json
Note: full trace capability requires an active PandaVPN packet runtime. Without a compatible runtime, only limited validation is available, or it falls back to legacy trace.
Q Why are two Panda daemons competing for routes?
This usually happens because the official service / LaunchDaemon is installed, and you also manually ran:
sudo panda start
sudo panda start starts an unmanaged daemon, which may manage the following at the same time as the official daemon:
- VPN routes
- DNS
- TUN
- system proxy
- Kill-switch
The rule is: keep only one daemon.
Common handling on macOS / Linux:
panda disconnect
panda kill-switch off
sudo panda stop
panda repair
panda doctor
On Linux, if you use systemd service, restart the official service afterwards:
sudo panda service restart
panda doctor
On macOS, if installed with .pkg, usually let LaunchDaemon / helper manage the daemon, and do not use sudo panda start long-term as your daily startup method.
Q How do I exit Panda daemon?
If you only want to disconnect the VPN, you do not need to exit the daemon:
panda disconnect
panda kill-switch off
If you really want to stop the daemon:
sudo panda stop
Confirm:
panda status
If it shows panda daemon unavailable, it means the main daemon has stopped.
Note: The LaunchDaemon / helper installed by the macOS .pkg may be managed by the system. Regular users are not advised to manually stop the service frequently.
Q How do I view logs?
panda log
panda log --lines 200
panda log --all
Clear logs:
panda log clear
Temporarily enable debug:
panda log level debug dns,tcp --ttl 10m
Restore default:
panda log level reset
Proxy and repair
5 answersUse these questions for doctor, repair, logs, system proxy, Split rules, Split DNS, and Kill-switch behavior.
Q What is the difference between panda repair and panda proxy repair?
panda repair is more comprehensive and may repair:
- VPN route
- DNS snapshot
- Kill-switch guard
- system proxy-related state
panda proxy repair mainly repairs system proxy drift for the current user.
panda repair
panda proxy repair
Q Is system proxy enabled by default?
On a Fresh install, the default is proxy system-proxy on.
If the user explicitly saved off, that configuration is preserved.
View or set:
panda proxy system-proxy on
panda proxy system-proxy off
panda proxy system-proxy lock-on
Note: under mode auto, pandavpn, and wireguard, the VPN runtime ignores the persisted system proxy preference; the VPN companion proxy remains available and uses scoped egress.
Q Why is the system proxy not taking effect on Windows?
Windows system proxy is the current user's HKCU WinINET setting and requires a per-user user-agent.
If you are in an SSH or non-interactive session, proxy repair may not always be able to start the user-agent automatically.
Recommended:
panda proxy status
panda proxy repair
panda doctor
If it still does not take effect, try again in a desktop login session.
Q Why does system proxy show as unsupported on Linux?
Linux Phase 1 mainly supports GNOME gsettings.
Environments such as KDE / XFCE may show as unsupported.
This does not necessarily affect the PandaVPN packet runtime, but it may affect the system proxy mode experience.
Q Why can’t Kill-switch be used with proxy mode?
The meaning of Kill-switch is to allow traffic only through TUN, while other normal traffic is blocked.
proxy mode is a standalone local proxy mode. It does not have packet VPN / TUN, nor does it provide equivalent DNS and routing protection. Therefore, Kill-switch does not support standalone proxy mode.
When you need Kill-switch, use:
panda mode auto
panda kill-switch on
Or:
panda mode pandavpn global
panda kill-switch on
Or:
panda mode wireguard
panda kill-switch on
Split rules and Kill-switch
11 answersUse these questions for doctor, repair, logs, system proxy, Split rules, Split DNS, and Kill-switch behavior.
Q Does Auto-connect mean automatic reconnection after a disconnect?
No.
Auto-connect mainly covers best-effort connect when the daemon / service starts, plus pending retry when the network is temporarily unavailable at startup.
Enable:
panda config auto-connect on
Disable:
panda config auto-connect off
It is not a general runtime automatic reconnection mechanism.
Q What are Split rules?
Split rules are used to specify that certain domains, keywords, regex, or IPs go through proxy, direct, or block.
Rule files:
split/rules/proxy.txt
split/rules/direct.txt
split/rules/block.txt
Common commands:
panda split rules list
panda split rules add proxy suffix:github.com
panda split rules add direct ip-cidr:10.0.0.0/8
panda split rules add block keyword:adservice
Q Will pending auto-connect be triggered automatically after login?
Current known limitation: after login, pending auto-connect waiting for retry will not be woken automatically.
After login, manually run:
panda connect
Q What syntax do Split rules support?
- Pattern
- Bare domain
- Example
example.com- Meaning
- Suffix match
- Pattern
domain:- Example
domain:api.example.com- Meaning
- Exact host
- Pattern
suffix:- Example
suffix:google.com- Meaning
- Suffix match
- Pattern
- Example
- Meaning
- google.com
- Suffix match
- Pattern
keyword:- Example
keyword:netflix- Meaning
- Substring match
- Pattern
regexp:- Example
regexp:.*\.cdn\.example\.com- Meaning
- Go regex
- Pattern
ip-cidr:- Example
ip-cidr:10.0.0.0/8- Meaning
- IP rule
Q Do I need to reconnect after changing Split DNS?
Usually no. Split DNS configuration changes are hot-loaded.
Common commands:
panda split dns status
panda split dns local set 223.5.5.5 114.114.114.114
panda split dns policy tunnel-only
panda split dns fake-ip on
If the platform does not support certain local DNS sources, doctor will show a warning.