478 points miloschwartz | 9 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking

1. djlameche No.44529267
Sorry if this is a noobish question, but would this allow me to access services on a VPS, that I do not want publicly accessible on the internet?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

replies(5): >>44529454 #>>44529537 #>>44529585 #>>44529862 #>>44534385 #
2. TheTxT No.44529454
Did you already consider using ssh port forwarding? That way you can temporarily forward the local port that keycloak is running on to your machine.
replies(1): >>44529606 #
3. zakki No.44529537
I guess you have to use a firewall as well. So basically you block any access from the internet except the VPN service. And you can have a rule for which IPs are allowed to access your VPN service.
4. jychang No.44529585
You want Tailscale for that.
5. djlameche No.44529606
I did not consider it yet, I will look into it. I am thinking about hosting a pepper variety database that I am developing, but I have 0 experience with hosting software, so I am a bit wary about what I will be exposing...
6. dizhn No.44529862
Don't you use Keycloak for SSO? The ports needed for that need to be accessible so services can talk to it. If there's a dedicated port for management you can still use it with software like pangolin. Run the management service on only a local port and access it using this software or wireguard.

I use authentik and as far as I know the management is on the same web port so I have to allow some paths to be accessible to the world.

replies(1): >>44529948 #
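As an added example (not code from the thread, from Pangolin, or from any commenter), here is the defender-side check that ties together TheTxT's ssh port-forwarding suggestion (comment 2) and dizhn's advice to run the management service on a local port only (comment 6): audit which listening TCP sockets on the VPS are bound to loopback versus reachable from any interface, then build the ssh local-forward command for reaching a loopback-only admin port. It assumes the input is Linux `ss -Hltn` output (local address:port in the fourth column); the socket lines below are constructed sample data, and `user@vps.example` is a placeholder host. ssh itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the thread or from Pangolin: audit listening sockets
# on a VPS and show how a loopback-only management port would be reached over
# an SSH local forward. Input format assumed: `ss -Hltn` (Linux), one socket
# per line, local address:port in column 4.

# Constructed sample of `ss -Hltn` output on a hypothetical VPS: sshd on all
# interfaces, Keycloak (8080) and Postgres (5432) on loopback only, and a
# headless CMS (1337) mistakenly bound to all interfaces. WireGuard is UDP
# and therefore does not appear in a TCP listing.
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:1337 0.0.0.0:*
LISTEN 0 4096 [::1]:5432 [::]:*'

# Read ss-style lines on stdin; print "port state" per listener, where state
# is "loopback" for 127.0.0.0/8 or [::1] and "exposed" for anything else
# (0.0.0.0, [::], *, or a specific public address).
classify_listeners() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")          # the port is always the last field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]")
            print port, "loopback"
        else
            print port, "exposed"
    }'
}

# Ports (one per line) that are reachable from a non-loopback interface.
exposed_ports() {
    classify_listeners | awk '$2 == "exposed" { print $1 }'
}

# Exit 0 if PORT ($1) is listening and every listener for it is on loopback,
# 1 otherwise (not listening at all also counts as a failure).
loopback_only() {
    port="$1"
    classify_listeners | awk -v p="$port" '
        $1 == p { seen = 1 }
        $1 == p && $2 == "exposed" { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Build (do not run) the ssh command that maps local port $2 to the VPS
# loopback port $1, so the admin console is only reachable through the SSH
# session. $3 is the ssh destination; the default is a placeholder.
ssh_forward_cmd() {
    remote_port="$1"; local_port="$2"; host="${3:-user@vps.example}"
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$local_port" "$remote_port" "$host"
}

# Usage on a real host would be `ss -Hltn | classify_listeners`; here the
# constructed sample stands in for the live listing.
printf '%s\n' "$SAMPLE_SOCKETS" | classify_listeners
```

On the sample, port 1337 shows up as exposed, which is exactly the misconfiguration the thread warns about: an admin interface that should have been bound to 127.0.0.1 and reached through the tunnel instead. The host-side firewall rule from comment 3 (drop everything inbound except ssh and the VPN port) is the second layer, in case a service later gets rebound to all interfaces.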
7. djlameche No.44529948
I'm not using anything YET. I am thinking about hosting a pepper variety database I am developing on a VPS for public use. I want to use Keycloak for authentication and also some other services alongside (eg. a headless CMS for writing some of the content).

The thing is, I don't have any prior experience with hosting at all. So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

replies(1): >>44530297 #
8. dizhn No.44530297
> So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

The answer to this is YES. Of course there are a variety of ways to implement. In your case I would start simple with something like wireguard. Keycloak won't be easy to install and configure as a beginner. If your needs are simple, check out https://github.com/lldap/lldap for authentication (and user management).

9. fossorialowen No.44534385
Good advice in this thread. If it's just you then ssh tunnels or tailscale or netbird or pure wireguard are all fine. You could use Pangolin for this and put auth in front of the web page of Keycloak using a local Pangolin site and that would be fine too. It depends on how important the security is to you and who else might want access.