Install Guide | Full Documentation

Tunneled Mesh Reverse Proxy Server with Access Control

Your own self-hosted zero trust tunnel.

Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.

Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected to the central server.

Key Features

Reverse Proxy Through WireGuard Tunnel

• Expose private resources on your network without opening ports (firewall punching).
• Secure and easy to configure site-to-site connectivity via a custom user space WireGuard client, Newt.
• Built-in support for any WireGuard client.
• Automated SSL certificates (https) via LetsEncrypt.
• Support for HTTP/HTTPS and raw TCP/UDP services.
• Load balancing.

Identity & Access Management

• Centralized authentication system using platform SSO. Users will only have to manage one login.
• Define access control rules for IPs, IP ranges, and URL paths per resource.
• TOTP with backup codes for two-factor authentication.
• Create organizations, each with multiple sites, users, and roles.
• Role-based access control to manage resource access permissions.
• Additional authentication options include:
  • Email whitelisting with one-time passcodes.
  • Temporary, self-destructing share links.
  • Resource specific pin codes.
  • Resource specific passwords.

Simple Dashboard UI

• Manage sites, users, and roles with a clean and intuitive UI.
• Monitor site usage and connectivity.
• Light and dark mode options.
• Mobile friendly.

Easy Deployment

• Run on any cloud provider or on-premises.
• Docker Compose based setup for simplified deployment.
• Future-proof installation script for streamlined setup and feature additions.
• Use your preferred WireGuard client to connect, or use Newt, our custom user space client for the best experience.

Modular Design

• Extend functionality with existing Traefik plugins, such as Fail2Ban or CrowdSec.
• Attach as many sites to the central server as you wish.

Screenshots

Sites	Users	Share Link
Authentication	Connectivity

Deployment and Usage Example

1. Deploy the Central Server:

   • Deploy the Docker Compose stack onto a VPS hosted on a cloud platform like Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs.

2. Domain Configuration:

   • Point your domain name to the VPS and configure Pangolin with your preferred settings.

3. Connect Private Sites:

   • Install Newt or use another WireGuard client on private sites.
   • Automatically establish a connection from these sites to the central server.

4. Configure Users & Roles

   • Define organizations and invite users.
   • Implement user- or role-based permissions to control resource access.

Use Case Example - Bypassing Port Restrictions in Home Lab:
Imagine private sites where the ISP restricts port forwarding. By connecting these sites to Pangolin via WireGuard, you can securely expose HTTP and HTTPS resources on the private network without any networking complexity.

Use Case Example - IoT Networks:
IoT networks are often fragmented and difficult to manage. By deploying Pangolin on a central server, you can connect all your IoT sites via Newt or another WireGuard client. This creates a simple, secure, and centralized way to access IoT resources without the need for intricate networking setups.

Similar Projects and Inspirations

Cloudflare Tunnels:
A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.

Authentik and Authelia:
These projects inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management.

Project Development / Roadmap

Note

Pangolin is under heavy development. The roadmap is subject to change as we fix bugs, add new features, and make improvements.

View the project board for more detailed info.

Licensing

Pangolin is dual licensed under the AGPLv3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us.

Contributions

Please see CONTRIBUTING in the repository for guidelines and best practices.

Please post bug reports and other functional issues in the Issues section of the repository. For all feature requests, or other ideas, please use the Discussions section.