←back to thread

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

(github.com)
478 points miloschwartz | 1 comments | 10 Jul 25 21:50 UTC | HN request time: 0.701s | source

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access
A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
Show context
fossorialowen ◴[10 Jul 25 21:53 UTC] No.44526044[source]
Hello Eveyone, this is the other maintainer here. Just wanted to add some more detail about the other components of this system:

Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!

replies(4): >>44528933 #>>44529332 #>>44531036 #>>44535120 #
hardwaresofton ◴[11 Jul 25 11:45 UTC] No.44531036[source]
> Pangolin uses Traefik under the hood to do the actual HTTP proxying.

Traefik is awesome, and one of the biggest reasons is it's extensibility and robustness.

It absolutely does not get enough attention!

replies(1): >>44531252 #
jtbaker ◴[11 Jul 25 12:13 UTC] No.44531252[source]
I’m using it as my ingress controller on my K3S homelab and it has definitely been a nice DX so far.

The one thing I haven’t been able to figure out how to do with it is do compression (gzip/br/zstd) there, so I’m handling it in the application layer, which feels suboptimal.

Any tips? Seems like a table stakes sort of feature in the space that shouldn’t be too hard to implement.

replies(1): >>44531323 #
1. hardwaresofton ◴[11 Jul 25 12:23 UTC] No.44531323[source]
Did the compress middleware not work for you?

https://doc.traefik.io/traefik/middlewares/http/compress/

Are you trying to compress the request that has already come in to your cluster? I'm not sure there's a ton of value to be extracted there, since the requests have already made their way across the internet uncompressed to your ingress point.

If there's a "long way" to go after hitting your ingress controller then maybe there's something to be gained...