478 points miloschwartz | 3 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking

1. paffdragon No.44530384
This looks really nice.

I have set up something similar just recently with an OPNSense box running DNS, the WireGuard instance and getting a wildcard Let's Encrypt cert that it pushes to my Synology reverse proxy (Nginx). So from my clients I can enable the WG tunnel only on my internal IP range, setting the internal DNS, so I don't have to have my public cert pointing to my IP. It works once set up for my home net. But for multi-site, Pangolin looks very polished and probably easier to set up.

Is Newt a custom implementation of a WireGuard server? Has it been security audited in some way?

replies(1): >>44531765 #
2. paffdragon No.44531765
EDIT: Sorry, I misread, Newt is the WireGuard client and is based on wireguard-go if I'm correct.
replies(1): >>44534423 #
3. fossorialowen No.44534423
Yep, that's correct. All based on wireguard-go. It is growing in what it can do now, but at its core it's just a WireGuard wrapper that coordinates with Pangolin to get the tunnel up. It also runs in netstack user space so it does not need kernel permissions to open a port and its only egress is proxied out with TCP/UDP reverse proxies built in to access what is needed on the network.