
478 points by miloschwartz | 3 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking

1. snickmy (No.44530798)
Genuine security-newbie question: what's the worst-case scenario that can happen when using this type of solution from a security standpoint? I do get that the authentication would be compromised. Probably some internal ports would be exposed publicly too... what else?
replies(1): >>44534845

2. fossorialowen (No.44534845)
Good question. I think the absolute worst-case scenario is that the tunnel and VPS are compromised and someone is able to gain access to the private network. We advise people in the docs to always consider this a possibility and secure Newt and what it has access to. A slightly worse case is that there is a bypass in the forward auth and someone can get access to the webpage of a private service without passing the user/pass auth, etc.

We are always looking for security experts to review the code and to pen test the application. Please hammer it and let us know at security@fossorial.io if there are any issues!

replies(1): >>44539147

3. pakue (No.44539147)
I've been running Pangolin for a couple of months now, and instead of Newt I use my router's WireGuard client in a VLAN. Any "wanted" traffic is then routed via DNAT/firewall to my home server.
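The two comments above describe the same mitigation from two angles: fossorialowen's advice to limit what the tunnel endpoint can reach if the VPS is ever compromised, and pakue's router-side setup where the WireGuard peer sits in its own VLAN and only DNAT'd traffic crosses into the home LAN. The ruleset below is an added example of that router-side policy, written for nftables; it is not part of the thread, the Pangolin project or its docs. The interface names (`wg0`, `lan0`), the tunnel addresses (router 10.9.0.2, VPS peer 10.9.0.1), the home server address 192.168.50.10 and the single exposed port 443/tcp are all constructed assumptions to be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread or from Pangolin). Assumed, constructed values:
#   wg0            WireGuard interface to the VPS, kept in its own VLAN
#   lan0           interface toward the home LAN
#   10.9.0.2       this router's tunnel address; the VPS peer is 10.9.0.1
#   192.168.50.10  home server; only 443/tcp should be reachable from the tunnel
flush ruleset

table inet tunnel_edge {
    # Rewrite the destination of the one permitted inbound flow to the home server.
    # Anything arriving on the tunnel that does not match stays addressed to the
    # router and is handled by the input chain below.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wg0" ip daddr 10.9.0.2 tcp dport 443 dnat ip to 192.168.50.10:443
    }

    # Default-deny for forwarded traffic: a compromised VPS can only reach what is
    # listed here, regardless of what else lives on the LAN.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the DNAT'd flow may cross from the tunnel VLAN into the LAN.
        iifname "wg0" oifname "lan0" ip daddr 192.168.50.10 tcp dport 443 ct status dnat accept
        # Log (rate-limited) whatever else the tunnel peer tries; the chain policy drops it.
        iifname "wg0" limit rate 5/minute log prefix "tunnel-drop: "
    }

    # Decrypted packets addressed to the router itself (its tunnel IP) are not
    # needed for the proxy, so refuse them. The encrypted WireGuard UDP traffic
    # arrives on the WAN interface, not on wg0, and is unaffected by this rule.
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        iifname "wg0" drop
    }
}
```

Load it with `nft -f` on the router and pair it with a WireGuard peer entry whose `AllowedIPs` is only the VPS's tunnel address (10.9.0.1/32 in this example), so the router neither routes LAN traffic toward the VPS nor accepts tunnel packets claiming other source addresses. The `tunnel-drop:` log lines are the signal that the VPS side is probing beyond the one service you meant to expose, which is the detection that fossorialowen's "assume the VPS can be compromised" advice calls for.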