←back to thread

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

(github.com)
478 points miloschwartz | 2 comments | 10 Jul 25 21:50 UTC | HN request time: 0s | source

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access
A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
Show context
noduerme ◴[11 Jul 25 02:29 UTC] No.44527896[source]
This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

replies(4): >>44527967 #>>44528323 #>>44529595 #>>44530525 #
fossorialowen ◴[11 Jul 25 02:45 UTC] No.44527967[source]
Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than a ssh tunnel - and more to get public users into your application. Meaning if you had a internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser this could be a good tool to use. Does that make sense?

replies(3): >>44528438 #>>44529607 #>>44538561 #
1. barbazoo ◴[11 Jul 25 04:37 UTC] No.44528438[source]
I’m using an nginxproxymanager as reverse proxy and ssl terminus for exactly that, Immich, home assistant, etc. What would I gain from your solution?
replies(1): >>44528482 #
2. fossorialowen ◴[11 Jul 25 04:46 UTC] No.44528482[source]
I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.

Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.