←back to thread

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

(github.com)
478 points miloschwartz | 2 comments | 10 Jul 25 21:50 UTC | HN request time: 0.471s | source

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access
A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
Show context
djlameche ◴[11 Jul 25 07:24 UTC] No.44529267[source]
Sorry if this is a noobish question, but would this allow me to access services on a VPS, that I do not want publicly accessible on the internet?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

replies(5): >>44529454 #>>44529537 #>>44529585 #>>44529862 #>>44534385 #
dizhn ◴[11 Jul 25 08:57 UTC] No.44529862[source]
Don't you use Keycloak for SSO? The ports needed for that needs to be accessible so services can talk to it. If there's a dedicated port for management you can still use it with software like pangolin. Run the management service on only a local port and access using this software or wireguad.

I use authentik and as far as I know the management is on the same web port so I have to allow some paths to be accessible to the world.

replies(1): >>44529948 #
1. djlameche ◴[11 Jul 25 09:09 UTC] No.44529948[source]
I'm not using anything YET. I am thinking about hosting a pepper variety database I am developing on a VPS for public use. I want to use Keycloak for authentication and also some other services alongside (eg. a headless CMS for writing some of the content).

The thing is, I don't have any prior experience with hosting at all. So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

replies(1): >>44530297 #
2. dizhn ◴[11 Jul 25 09:53 UTC] No.44530297[source]
> So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...

The answer to this is YES. Of course there are a variety of ways to implement. In your case I would start simple with something like wireguard. Keycloak won't be easy to install and configure as a beginner. If your needs are simple, check out https://github.com/lldap/lldap for authentication (and user management).