Pangolin tunnels your services to the internet so you can access anything from anywhere.
Website | Quick Install Guide | Contact Us | Slack | Discord
Start testing Pangolin at pangolin.fossorial.io
Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.
- Expose private resources on your network without opening ports (firewall punching).
- Secure and easy to configure private connectivity via a custom user space WireGuard client, Newt.
- Built-in support for any WireGuard client.
- Automated SSL certificates (https) via LetsEncrypt.
- Support for HTTP/HTTPS and raw TCP/UDP services.
- Load balancing.
- Extend functionality with existing Traefik plugins, such as CrowdSec and Geoblock.
- Automatically install and configure Crowdsec via Pangolin's installer script.
 
- Attach as many sites to the central server as you wish.
- Centralized authentication system using platform SSO. Users will only have to manage one login.
- Define access control rules for IPs, IP ranges, and URL paths per resource.
- TOTP with backup codes for two-factor authentication.
- Create organizations, each with multiple sites, users, and roles.
- Role-based access control to manage resource access permissions.
- Additional authentication options include:
- Email whitelisting with one-time passcodes.
- Temporary, self-destructing share links.
- Resource specific pin codes.
- Resource specific passwords.
- Passkeys
 
- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others.
- Auto-provision users and roles from your IdP.
 
- Grant users access to your apps from anywhere using just a web browser. No client software required.
- Expose and test internal tools and dashboards like Grafana. Bring localhost or private IPs online for easy access.
- One application load balancer across multiple clouds and on-premises.
- Easily expose IoT devices, edge servers, or Raspberry Pi to the internet for field equipment monitoring.
Host the full application on your own server or on the cloud with a VPS. Take a look at the documentation to get started.
Many of our users have had a great experience with RackNerd. Depending on promotions, you can get a VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year. That's a great deal!
Easy to use with simple pay as you go pricing. Check it out here.
- Everything you get with self hosted Pangolin, but fully managed for you.
Managed control plane, your infrastructure
- We manage database and control plane.
- You self-host lightweight exit-node.
- Traffic flows through your infra.
- We coordinate failover between your nodes or to Cloud when things go bad.
Try it out using Pangolin Cloud
Contact us for a full distributed and enterprise deployments on your infrastructure controlled by your team.
We want to hear your feature requests! Add them to the discussion board.
Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us at [email protected].
Looking for something to contribute? Take a look at issues marked with help wanted. Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
Please see CONTRIBUTING in the repository for guidelines and best practices.
Please post bug reports and other functional issues in the Issues section of the repository.