Pangolin
Identity-aware VPN and proxy for remote access
Quick Take: Pangolin
Pangolin is the best self-hosted reverse proxy for developers and homelab operators who want authenticated remote access to local services without trusting third-party infrastructure. The combination of WireGuard tunneling, identity-aware access control, and custom domain support covers the full workflow. The setup is more involved than ngrok or Cloudflare Tunnel—you need a VPS, Docker, and DNS configuration—but the payoff is complete control over your traffic and authentication. For anyone running services at home or in a small office who wants secure remote access on their own terms, Pangolin is worth the setup investment.
Best For
- Homelab Operators Exposing Services Securely
- Developers Who Want Self-Hosted Alternatives to ngrok
- Small Teams Needing Authenticated Access to Internal Tools
What is Pangolin?
Pangolin is an open-source, self-hosted reverse proxy with identity-aware access control and WireGuard tunneling. It lets you expose services running on your home network, VPS, or office server to the internet with custom domains, HTTPS, and authentication—without opening ports on your router or configuring complex VPN setups.
The simplest way to understand Pangolin: you run a web service on your laptop (a development server, a home automation dashboard, a Plex instance). You want to access it from anywhere with a URL like myapp.example.com. Pangolin creates a WireGuard tunnel from your machine to a Pangolin server (which you host on a VPS), and the Pangolin server proxies incoming requests through the tunnel to your local service. The result: your service is accessible via a public URL with HTTPS, but no ports are opened on your home network.
What makes Pangolin different from ngrok, Cloudflare Tunnel, or Tailscale Funnel is the combination of self-hosting, identity-aware access, and zero-trust architecture. Pangolin is entirely self-hosted—you run both the server and the client. Your traffic doesn't pass through anyone else's infrastructure. The identity-aware proxy means you can require authentication before anyone reaches your service—SSO integration, email-based access lists, or OAuth2 providers. Zero-trust means no access is granted by default; every request is authenticated and authorized.
Pangolin is designed for developers and homelab enthusiasts who want to expose services securely without trusting a third-party proxy service. The trade-off: you maintain the infrastructure yourself. You need a VPS with a public IP (DigitalOcean, Hetzner, Linode—$5/month), a domain name, and comfort with terminal-based setup. The benefit: complete control over your traffic, authentication, and infrastructure.
The project provides a web dashboard for managing tunnels, domains, and access rules. You add a service, configure its domain, set access policies (public, authenticated users only, specific email addresses), and Pangolin handles TLS certificates (via Let's Encrypt), DNS, and WireGuard tunneling automatically.
Install with Homebrew
brew install --cask pangolin
Deep Dive: Self-Hosted Tunneling in the Zero-Trust Era
Why self-hosted reverse proxies are gaining popularity and where Pangolin fits in.
History & Background
The need to expose local services started with developers sharing localhost during development (ngrok, 2013). It expanded to homelab operators wanting remote access without VPNs, and now extends to small teams who need zero-trust access to internal tools. Traditional approaches (port forwarding, VPNs) have downsides: port forwarding exposes your network, VPNs require client software on every device. Reverse proxy tunnels (ngrok, Cloudflare Tunnel, Pangolin) solve this by proxying through a server—but managed services mean trusting third-party infrastructure. Pangolin's self-hosted approach appeals to users who want the convenience of tunneling without the trust dependency.
How It Works
Pangolin consists of a server component (runs on a VPS) and a client component (runs on your local machine). The server is a reverse proxy built on top of Caddy or similar, with WireGuard for tunneling and an authentication middleware for identity-aware access. The client creates a WireGuard tunnel to the server and registers local services. Incoming HTTPS requests hit the server, pass through authentication, and are forwarded through the WireGuard tunnel to the client's local port. TLS termination happens at the server using automatically provisioned Let's Encrypt certificates.
Ecosystem & Integrations
The tunneling ecosystem includes managed services (ngrok, Cloudflare Tunnel, Tailscale Funnel, Loophole, Expose) and self-hosted solutions (Pangolin, FRP, rathole, bore, Traefik with tunneling). Pangolin differentiates through its identity-aware proxy—most self-hosted tunnels provide basic proxying without authentication. The combination of WireGuard, identity-aware access, and a web dashboard positions Pangolin as a 'Cloudflare Zero Trust but self-hosted' solution.
Future Development
The project is actively developing features including multi-server support (geographic distribution), API-first management (Terraform provider, CLI automation), metrics and logging integrations (Prometheus, Loki), and mobile-friendly access flows. As zero-trust security models gain adoption in small organizations, tools like Pangolin that make zero-trust accessible without enterprise budgets are likely to grow.
Key Features
WireGuard Tunneling
Pangolin uses WireGuard for the tunnel connection between your local machine and the Pangolin server. WireGuard is the fastest, most modern VPN protocol—lower latency and higher throughput than OpenVPN or SSH tunneling. The tunnel is encrypted, authenticated, and efficient. Your local service connects to the Pangolin server through WireGuard, and the server proxies HTTP/HTTPS requests to your service through the tunnel. No ports need to be opened on your local network.
Identity-Aware Proxy
Every request to your exposed service passes through Pangolin's authentication layer. Configure access policies per service: public (no auth), authenticated (require login via OAuth2, SAML, or email verification), or restricted (specific email addresses or groups). Supported identity providers include Google, GitHub, Microsoft, and generic OIDC providers. This turns Pangolin into a zero-trust access gateway—no one reaches your service without proving their identity.
Custom Domains & TLS
Map any custom domain to your exposed service. Point your domain's DNS to the Pangolin server, and Pangolin automatically provisions and renews TLS certificates via Let's Encrypt. Your service is accessible at https://myapp.example.com with a valid certificate. Multiple services can use subdomains of the same domain (app1.example.com, app2.example.com), each with their own access policies.
Web Dashboard
A browser-based management interface for configuring tunnels, services, domains, and access policies. Add a new service, set its domain, configure authentication requirements, and monitor active connections. The dashboard shows tunnel status (connected/disconnected), request counts, and access logs. For homelab operators managing multiple services, the dashboard provides a single control plane.
Multi-Service Support
Expose multiple services through a single Pangolin installation. A home server running Plex, Home Assistant, a wiki, and a development environment can expose each service on its own subdomain with different access policies—Plex is public, Home Assistant requires authentication, the wiki allows team access, and the dev server is restricted to the developer's email only.
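The per-service policy model described under Identity-Aware Proxy and Multi-Service Support, sketched as an added example; this is not Pangolin's code. The hostnames, the `Service` and `Identity` types and the `decide` function are hypothetical, and the sketch assumes the identity provider reports a verified-email flag and group membership.

```python
from dataclasses import dataclass
from typing import Optional

# The three policy levels this page names.
PUBLIC, AUTHENTICATED, RESTRICTED = "public", "authenticated", "restricted"

@dataclass(frozen=True)
class Service:
    policy: str
    allowed_emails: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()

@dataclass(frozen=True)
class Identity:  # what the identity provider asserted (assumed shape)
    email: str
    email_verified: bool
    groups: frozenset = frozenset()

# Constructed sample mirroring the home-server scenario above; hostnames are made up.
SERVICES = {
    "plex.example.com": Service(PUBLIC),
    "ha.example.com": Service(AUTHENTICATED),
    "wiki.example.com": Service(RESTRICTED, allowed_groups=frozenset({"team"})),
    "dev.example.com": Service(RESTRICTED, allowed_emails=frozenset({"dev@example.com"})),
}

def normalize_host(host_header: str) -> str:
    # Lowercase, drop the port and any trailing dot so lookups cannot be dodged by spelling.
    host = host_header.strip().lower()
    return host.rsplit(":", 1)[0].rstrip(".")

def decide(services: dict, host_header: str, identity: Optional[Identity]) -> str:
    """Return 'allow', 'login' (redirect to the identity provider) or 'deny'."""
    svc = services.get(normalize_host(host_header))
    if svc is None:
        return "deny"    # unknown host: nothing is reachable by default
    if svc.policy == PUBLIC:
        return "allow"
    if identity is None:
        return "login"   # protected service, no session yet
    if not identity.email_verified:
        return "deny"    # an unverified email claim proves nothing
    if svc.policy == AUTHENTICATED:
        return "allow"
    if svc.policy == RESTRICTED:
        email = identity.email.strip().lower()
        if email in svc.allowed_emails or identity.groups & svc.allowed_groups:
            return "allow"
    return "deny"        # restricted miss, or a policy string we do not recognise
```

Every path that is not an explicit match ends in `deny`, so a typo in a policy name or a subdomain missing from the table fails closed.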
Self-Hosted & Open Source
Pangolin is entirely self-hosted. You run the server on your VPS and the client on your local machine. Your traffic passes through your infrastructure only—no third-party proxy service involved. The source code is open (available on GitHub), auditable, and modifiable. For privacy-conscious users and organizations with data sovereignty requirements, self-hosting eliminates trust in third-party services.
Who Should Use Pangolin?
1. Homelab Operator
A homelab enthusiast runs Plex, Home Assistant, Nextcloud, and Grafana on a home server. They want remote access without opening ports on their router (ISP uses CGNAT anyway). They set up a Pangolin server on a $5/month VPS, create WireGuard tunnels to their home server, and expose each service on a subdomain. Plex is public (share with friends), Home Assistant requires Google OAuth login, Nextcloud allows family members only, and Grafana is restricted to their own email.
2. Developer Sharing Local Work
A developer working on a web app needs to share their localhost with a client for review. Instead of deploying to a staging server, they create a Pangolin tunnel: myapp.projectname.dev points to localhost:3000. They set access to 'anyone with this link' or restrict to the client's email. The client reviews the live development server over HTTPS. When the review is done, the developer removes the tunnel.
3. Small Team with Internal Tools
A startup team of 8 people uses internal tools (admin dashboard, internal wiki, monitoring) running on a single server. They expose all tools through Pangolin with GitHub OAuth—only team members with GitHub accounts in the organization can access internal services. New team members are added by joining the GitHub org. Departed team members lose access automatically. No VPN client installation needed on team devices.
How to Install Pangolin on Mac (Client)
Pangolin has two components: the server (on your VPS) and the client (on your Mac). The Mac client creates the WireGuard tunnel.
Set Up the Pangolin Server
On your VPS (Ubuntu, Debian, or similar), install Pangolin server using Docker: `docker compose up -d` with the provided docker-compose.yml. Configure your domain's DNS to point to the VPS's public IP. The server handles reverse proxying, TLS, and authentication.
Install the Client on Mac
Run `brew install pangolin` or download the client from the project's website. The client creates and manages WireGuard tunnels to your Pangolin server.
Connect to Your Server
Run `pangolin connect <server-url>` and authenticate. The client establishes a WireGuard tunnel to your Pangolin server. Services defined in the server's dashboard are now accessible via your custom domains.
Add Services
In the Pangolin web dashboard, add your local services: specify the local port (e.g., localhost:3000), assign a domain (app.example.com), and set access policies. Pangolin routes incoming requests through the WireGuard tunnel to your local port.
Pro Tips
- Start with a $5/month VPS (DigitalOcean, Hetzner, Linode) for the server. The VPS needs a public IPv4 address and Docker installed.
- Use separate subdomains for each service—easier to manage access policies and TLS certificates.
- Test with a simple HTTP server first (`python3 -m http.server 8080`) to verify the tunnel works before exposing real services.
Configuration Tips
Set Up OAuth for Internal Services
Connect Pangolin to your GitHub organization or Google Workspace. This way, anyone in your team can access internal services by logging in with their work account—no VPN client needed, no separate credentials. When someone leaves the team, revoking their GitHub/Google access revokes Pangolin access automatically.
Use Separate Subdomains Per Service
Instead of exposing services on ports (server.example.com:8080), use subdomains (grafana.example.com, wiki.example.com). Each subdomain gets its own TLS certificate and access policy. This is cleaner, more professional, and easier to share with others.
Alternatives to Pangolin
Tunneling and reverse proxy services range from managed to self-hosted.
ngrok
ngrok is the most popular tunneling service. Type `ngrok http 3000` and you get a public URL pointing to your local port. It's incredibly easy. The trade-off: your traffic passes through ngrok's servers, the free tier has limitations (random URLs, session limits), and paid plans start at $8/month. ngrok is better for quick, temporary tunnels. Pangolin is better for permanent, self-hosted access with authentication.
Cloudflare Tunnel
Cloudflare Tunnel (free with a Cloudflare account) creates tunnels from your local machine to Cloudflare's edge network. It's free for most use cases and benefits from Cloudflare's CDN and DDoS protection. The trade-off: your traffic passes through Cloudflare's infrastructure, you're dependent on Cloudflare's service availability, and the access control features require Cloudflare Zero Trust (which has its own complexity). Pangolin gives you full control but requires more setup.
Tailscale Funnel
Tailscale Funnel exposes local services through Tailscale's mesh VPN. It's simple if you're already using Tailscale. The limitation: Funnel URLs are on Tailscale's domain (not custom domains in all tiers), and you depend on Tailscale's infrastructure. Pangolin provides custom domains and complete self-hosting.
Pricing
Pangolin is free and open-source. The only cost is the VPS you host the server on ($5-10/month from major cloud providers). No per-tunnel fees, no bandwidth limits, no premium tier.
Pros
- ✓ Completely self-hosted — your traffic never touches third-party infrastructure
- ✓ Identity-aware proxy with OAuth2, SAML, and email-based access control
- ✓ WireGuard tunneling is fast, modern, and efficient
- ✓ Automatic TLS certificates via Let's Encrypt
- ✓ Multi-service support with per-service access policies
- ✓ Open-source and auditable
- ✓ Web dashboard for managing tunnels and access
Cons
- ✗ Requires a VPS with a public IP ($5-10/month ongoing cost)
- ✗ More complex setup than ngrok or Cloudflare Tunnel
- ✗ You're responsible for server maintenance and updates
- ✗ Smaller community and ecosystem than established alternatives
- ✗ No managed option — self-hosting is the only deployment model
- ✗ Initial setup requires comfort with Docker, DNS, and terminal
Community & Support
Pangolin is an open-source project hosted on GitHub with an active community. Issues and feature requests are tracked through GitHub Issues. The project has a Discord server where users share configurations, troubleshoot setup issues, and discuss use cases. The homelab community on Reddit (r/selfhosted, r/homelab) discusses Pangolin alongside other reverse proxy and tunneling solutions. Documentation includes setup guides, configuration references, and example deployments.
Sources & References
Fact-Checked. Last verified: Feb 23, 2026