←back to thread

Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

(github.com)
478 points miloschwartz | 2 comments | 10 Jul 25 21:50 UTC | HN request time: 0.441s | source

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web-browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access
A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
Show context
noduerme ◴[11 Jul 25 02:29 UTC] No.44527896[source]
This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

replies(4): >>44527967 #>>44528323 #>>44529595 #>>44530525 #
fossorialowen ◴[11 Jul 25 02:45 UTC] No.44527967[source]
Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than a ssh tunnel - and more to get public users into your application. Meaning if you had a internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser this could be a good tool to use. Does that make sense?

replies(3): >>44528438 #>>44529607 #>>44538561 #
1. wredcoll ◴[12 Jul 25 01:37 UTC] No.44538561[source]
If you have an internal app or homelab app or whatever, why don't you just... route to it? Configure your firewall to let traffic in and out?

I get there's a tunnel provided by this sort of software, I just don't understand how so many people actually need one.

replies(1): >>44539486 #
2. zerd ◴[12 Jul 25 05:11 UTC] No.44539486[source]
My ISP blocks port 25, 80 and 443, so need to tunnel those. Some don't want to expose their IP directly. If you have dynamic IP you don't have to update the IP in DNS (since the "application" connects to the tunnel endpoint).