478 points | miloschwartz | 3 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking

1. meteyor No.44531555
Let’s say my server is running on a VPN and gets a new IP once in a while. Would Pangolin be an option to publicly expose my services? Because I have this challenge now where I am currently "forced" to expose my public IP to share some services. I use firewall rules to allow incoming traffic to my server and Traefik to route the user to the right service. I just don’t like the feeling of being exposed publicly like this.

2. c0wb0yc0d3r No.44531676
You need a publicly routable address in the mix. You would need a way of knowing that address.

I have that same feeling with the self-hosting I do. To alleviate the small amount of stress it would bring me, I rent a VPS that’s public on the internet. I configure a persistent keepalive on the client I run locally to keep a connection to the server open, no port forwarding needed.

3. fossorialowen No.44534302
Yes! Most people, I think, rent a VPS (some can be had for like $1 a month) and install this. Because it tunnels back to your network, your network can be anywhere behind anything and it should hole punch to it. And because the public is visiting the public address of the VPS, your network is hidden behind that!