Pangolin
Identity-aware VPN and proxy for remote access
Quick Take: Pangolin
Pangolin is an excellent choice for developers and teams who want full control over their remote access infrastructure. Its identity-aware proxy model is more sophisticated than simple VPN solutions, though it requires more setup effort.
Best For
- Self-hosters who want full control
- Teams needing per-service access controls
- Developers accessing homelab services remotely
Install with Homebrew
`brew install --cask pangolin`
What is Pangolin?
Pangolin is an identity-aware reverse proxy and VPN solution designed for secure remote access to self-hosted services. It provides an alternative to traditional VPN setups by combining WireGuard tunneling with identity-based access controls, allowing developers and teams to expose internal services to authorized users without opening ports on their firewall. It functions as a self-hosted alternative to services like Cloudflare Tunnel or Tailscale, with a focus on granular access policies.
Key Features
Identity-Aware Proxy
Route traffic through encrypted tunnels with per-user and per-service access policies, ensuring only authenticated users can reach specific internal resources.
WireGuard Tunneling
Uses the WireGuard protocol for fast, low-latency encrypted connections between clients and your infrastructure.
Web Dashboard
A clean web interface for managing tunnels, users, access policies, and monitoring connection status across your infrastructure.
Multi-Service Support
Expose multiple internal services (web apps, databases, SSH, etc.) through a single Pangolin installation with individual access controls.
Self-Hosted & Open Source
Run entirely on your own infrastructure with full control over your data and access policies. No third-party cloud dependency.
Who Should Use Pangolin?
1. Homelab Enthusiast
A developer running Jellyfin, Nextcloud, and Home Assistant on a home server uses Pangolin to securely access all services from anywhere without exposing ports or using a traditional VPN.
2. Small Team Lead
A startup CTO uses Pangolin to give team members secure access to staging environments and internal dashboards, with granular per-user permissions and audit logging.
3. Remote Developer
A freelancer working with multiple clients uses Pangolin to connect to different client development environments securely, with each connection isolated and access-controlled.
Install Pangolin on Mac
Pangolin's client component is available as a Homebrew cask for macOS. The server component runs on your infrastructure.
Install Homebrew
If you don't have Homebrew, open your terminal and run: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"`
Install Pangolin Client
Run `brew install --cask pangolin` in your terminal.
Connect to Server
Configure the client with your Pangolin server URL and authentication credentials to establish the encrypted tunnel.
Pro Tips
- Deploy the Pangolin server on your infrastructure before setting up clients.
- WireGuard kernel support provides the best performance on Linux servers.
Configuration Tips
Define Access Policies Early
Set up per-service access policies before inviting team members. This prevents accidental over-provisioning of access.
Use SSO Integration
Connect Pangolin to your identity provider (Google, GitHub, SAML) for seamless authentication without managing separate credentials.
Alternatives to Pangolin
The secure remote access space has several strong options depending on your needs.
Tailscale
Tailscale provides a simpler, cloud-coordinated mesh VPN. It's easier to set up but requires trusting Tailscale's coordination servers. Pangolin is fully self-hosted.
Cloudflare Tunnel
Cloudflare Tunnel proxies traffic through Cloudflare's network. It's free and reliable but ties you to Cloudflare's ecosystem. Pangolin keeps everything on your infrastructure.
ZeroTier
ZeroTier creates virtual networks similar to Tailscale. Pangolin differs with its identity-aware proxy model, which provides more granular per-service access control.
Pricing
Pangolin is free and open-source. You pay only for the infrastructure you run it on.
Pros
- ✓ Fully self-hosted with no cloud dependency
- ✓ Identity-aware access controls per service
- ✓ WireGuard-based for excellent performance
- ✓ Clean web dashboard for management
- ✓ Open source and actively maintained
Cons
- ✗ Requires server infrastructure to deploy
- ✗ More complex setup than cloud-hosted alternatives
- ✗ Smaller community than Tailscale or Cloudflare
Community & Support
Pangolin has an active open-source community on GitHub and Discord. Documentation is comprehensive, covering both server deployment and client configuration.
Expert Tips for Pangolin
Deploy Pangolin behind a reverse proxy like Caddy or Nginx for automatic HTTPS certificate management.
Use Docker Compose with Pangolin for the easiest server-side deployment. The official compose file handles all dependencies.