Show HN: Pangolin – Open source alternative to Cloudflare Tunnels (github.com)
Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.
We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.
GitHub: https://github.com/fosrl/pangolin
Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install
Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723
Some use cases:
- Grant users access to your apps from anywhere using just a web-browser
- Proxy behind CGNAT
- One application load balancer across multiple clouds and on-premises
- Easily expose services on IoT and edge devices for field monitoring
- Bring localhost online for easy access
A few key features: - No port forwarding and hide your public IP for self-hosting
- Create proxies to multiple different private networks
- OAuth2/OIDC identity providers
- Role-based access control
- Raw TCP and UDP support
- Resource-specific pin codes, passwords, email OTP
- Self-destructing shareable links
- API for automation
- WAF with CrowdSec and Geoblocking
57 comments
[ 0.33 ms ] story [ 69.8 ms ] threadPangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!
Traefik is awesome, and one of the biggest reasons is it's extensibility and robustness.
It absolutely does not get enough attention!
https://github.com/traefik/traefik/releases/expanded_assets/...
Thanks for building this. I’ll be trying it out when I get home tonight.
I love working with CF Tunnels but I got frustrated with their lackluster web admin ux that I recently decided to have Claude whip up a quick terminal interface for it
so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?
Can Pangolin also provide public access (currently I'm using Caddy as a reverse proxy)?
But pangolin seems to be similar to that setup with a good UI, and more control. Definitely trying it out.
Quick question: Can it handle multiple domain names? I point multiple domain to the vps hosting my npm it proxy's them from there. Does Pangolin, also support multiple domains pointing to it?
In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?
can you give more details, would this be adapted to IoT devices running on MCUs like ESP32 etc?
Btw I like your short and clear CLA! Did you check the wording of the cla with a lawyer? In my project I wanted to replace the perpetual license granted by contributors by 'a license granted as long as the software is also proposed under the agpl', but that might make it too complicated to still keep it succinct and legally clear.
We have not had any concern about the CLA that we are aware of. It was important that we found a way to allow businesses to pay for something to fund the project while keeping it free for individual homelabbers so this was one effort in that regard.
Could you make a Dokploy template to let people deploy it easily?
https://github.com/netbirdio/netbird
https://aazar.me/posts/reincarnating-a-raspberry-pi
That being said, I believe Pangolin is one of the better and polished ones.
I have set up something similar just recently with an OPNSense box running DNS, the WireGuard instance and getting a wildcard Let's Encrypt cert that it pushes to my Synology reverse proxy (Nginx). So from my clients I can enable the WG tunnel only on my internal IP range, setting the internal DNS, so I don't have to have my public cert pointing to my IP. It works once setup for my home net. But for multi-site, Pangolin looks very polished and probably easier to set up.
Is Newt a custom implementation of a WireGuard server? Has it been security audited in some way?
As the project grows and we have more resources to spend we will try to work with some professional service to take a look for sure.