
478 points | miloschwartz | 3 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
aborsy No.44528588
If you use this, it makes sense to run it at home. If you run it on a VPS, traffic is decrypted on the VPS, the same privacy issue as with Cloudflare tunnels. You have to trust the VPS provider.
1. fossorialowen No.44528617
This is true! But you have a little more control over who you might choose to trust. For example - you might trust AWS not to snoop in your VM more than you might trust CF to not collect valuable usage data about you when they decrypt your traffic.
2. scottgg No.44529829
Agreed - there’s a big difference between “I actively asked CF to terminate my TLS” and “I suspect my provider is scraping unencrypted data out of my running VM”
3. aborsy No.44531622
I doubt there is less monitoring at a VPS than CF. Many VPS companies are less known and smaller, and may not have professional audit and access processes in place.