Secure management of private resources in distributed networks has historically been a challenge, especially in environments where firewall restrictions limit service exposure. Pangolin, a mesh reverse proxy server with encrypted tunnels, offers an effective solution by enabling secure remote access without the need to open ports. This open-source project presents itself as a self-hosted alternative to solutions like Cloudflare Tunnels, providing administrators with greater control over their infrastructure and security.
Secure Connectivity through WireGuard
Pangolin uses WireGuard-based encrypted tunnels to connect private sites to a central server. Thanks to its integration with Newt, a user-space WireGuard client, this system enables secure exposure of internal resources without the need to modify firewall settings. Its main features include:
✔ Secure reverse proxy for HTTP/HTTPS and TCP/UDP resources.
✔ Automated SSL certificate management through Let’s Encrypt.
✔ Load balancing for efficient traffic distribution.
✔ Compatibility with any WireGuard client, with optimized integration via Newt.
This approach significantly reduces security risks associated with opening ports, making Pangolin an ideal option for home labs, IoT, and enterprise environments with network restrictions.
Advanced Identity Management and Access Control
One of the standout features of Pangolin is its centralized authentication and access control system, which allows for granular permission management. Key functionalities include:
✅ Single sign-on (SSO) with integration into authentication platforms.
✅ Role-based access control to define permissions by user, IP, or URL.
✅ Support for multifactor authentication (TOTP) with backup codes.
✅ Additional authentication methods, such as temporary access links and resource-specific passwords.
These options ensure that only authorized users can access the services exposed through Pangolin, enhancing security without compromising usability.
Intuitive and Customizable Administration Interface
The system features a web-based control panel, designed to facilitate the management of sites, users, and resources. Notable features include:
🖥 Real-time monitoring of tunnel status and connectivity.
🌙 Dark and light mode for a better user experience.
📱 Mobile device compatibility for management anytime, anywhere.

This intuitive approach allows administrators to efficiently configure and manage their tunnels without requiring advanced networking knowledge.
Flexible Deployment in the Cloud or on Local Servers
Pangolin is designed to be highly portable and easy to deploy, whether on a cloud provider or on local infrastructure. Its Docker Compose-based configuration allows for quick and easy installation.
Example Deployment with Docker Compose:
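services:
  pangolin:
    # Pin a specific release tag instead of "latest" for reproducible deployments
    image: fosrl/pangolin:latest
    container_name: pangolin
    restart: unless-stopped
    ports:
      # Only HTTPS is published on the host
      - "443:443"
    volumes:
      # Named volume that keeps Pangolin data across container restarts
      - pangolin_data:/data

# Declare the named volume referenced by the service above
volumes:
  pangolin_data: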
Thanks to its modular design, users can connect multiple sites to a central server, ensuring unified resource management in distributed environments.
Pangolin Use Cases
Pangolin is ideal for a variety of scenarios where secure access to private resources is required without modifying network configurations. Examples include:
🔹 Home labs without the ability to open ports: Allows secure access to internal servers without complicated NAT or firewall configurations.
🔹 Distributed IoT infrastructure: Facilitates secure connection of IoT devices to a central server without compromising security.
🔹 Secure remote access to corporate networks: Enables companies to manage access for authorized users without relying on external solutions.
Self-Hosted Alternative to Cloudflare Tunnels
While Cloudflare Tunnels is a popular option for the secure exposure of resources, Pangolin offers a self-managed alternative, eliminating dependence on external services and providing greater control over infrastructure.
Additionally, Pangolin is inspired by solutions like Authentik and Authelia, adopting a robust approach to identity management and authentication, making it an attractive option for those seeking privacy and security without compromises.
Project Status and Future Updates
Currently, Pangolin has exited its beta phase and has reached version 1.0.0, incorporating key improvements such as:
📌 Support for multiple domains, allowing management of various resources from a single server.
📌 Advanced access rules, allowing permission definitions based on IPs, CIDR ranges, and specific routes.
📌 Integration with CrowdSec, with automated installation for increased security against attacks.
The development team continues to work on new features, including:
🔹 Support for LDAP and Google authentication.
🔹 VPN capabilities with NAT hole-punching.
🔹 Increased granularity in access and proxy rules.
Conclusion
Pangolin stands out as a powerful and flexible solution for secure remote access management, offering a self-hosted alternative to Cloudflare Tunnels without sacrificing ease of use or performance.
With a focus on security, centralized authentication, and ease of deployment, Pangolin is an excellent choice for system administrators, businesses, and tech enthusiasts seeking complete control over their private resources without relying on third parties.
For more information and downloads, the project is available on GitHub.