You've got a Proxmox box in the basement, a staging app on a private subnet, and a contractor who needs SSH access tomorrow. Opening port 22 to the internet is a non-starter. Tailscale works until your client won't install another agent on their locked-down laptop. Cloudflare Tunnel gets HTTP to the browser but won't help with Postgres on port 5432.
Pangolin sits in that gap. ~21k GitHub stars, WireGuard under the hood, and an identity layer on top — browser-based reverse proxy for web apps, client-based access for SSH, RDP, and databases, plus site connectors that punch through NAT without you forwarding ports on a home router. One platform instead of VPN plus nginx plus a tunnel broker.
What it actually does
Pangolin is remote access infrastructure, not a generic VPN you hand out and hope people don't scan your whole LAN.
Site connectors. Drop a connector binary or container on a remote network — homelab, client office, cloud VPC. It dials out to your Pangolin server through restrictive firewalls. No public IP on the remote side, no inbound port forwards. NAT traversal handles the ugly parts.
Browser reverse proxy. Publish internal web apps behind authentication. Users hit a URL in Chrome or Safari; Pangolin handles TLS, routing, health checks, and access control. No VPN client required for HTTP workloads — useful for contractors and clients on managed machines.
Client private resources. Install the Pangolin client on Mac, Windows, Linux, iOS, or Android for non-HTTP stuff — SSH, RDP, database ports, whole subnet routes. DNS aliases give friendly names instead of remembering which site connector reaches which VLAN.
Zero-trust RBAC. Built-in users or your own IdP (OIDC). Grant access to specific apps and routes, not "here's the whole 10.0.0.0/8 network, good luck." Closer to how you actually want contractors onboarded — staging dashboard yes, production database no.
Pangolin vs your existing VPN post
We already covered setup-ipsec-vpn — a one-script IPsec/IKEv2 server for "encrypt my laptop traffic through a Canadian VPS." That's the right tool when you want a traditional VPN exit node and native OS support without extra apps.
Pangolin is different:
- Per-resource access instead of full-tunnel network exposure
- Browser apps without installing a client
- Site connectors for reaching private networks behind NAT — IPsec VPN doesn't wire your basement lab into a central dashboard
- WireGuard instead of IKEv2 — faster handshakes, modern crypto, but you need Pangolin's client for the fancy bits
They're complementary. Some teams run IPsec for road-warrior laptop egress and Pangolin for zero-trust access to internal services. Many homelabbers only need one.
Why self-host?
Your identity store, your rules. User accounts, access policies, and audit trails live on infrastructure you operate — not a SaaS control plane whose data residency page you skimmed once.
Canadian exit for Canadian clients. Host the Pangolin server on a Montreal or Toronto VPS and remote access terminates in Canada. Relevant when clients ask where admin sessions and HTTP logs land — PIPEDA conversations get simpler than "it's all in a US cloud region."
No per-seat remote-access tax. Pangolin Cloud exists for teams that want zero ops. Self-hosted Community Edition (AGPL-3) shifts cost to a VPS and your time — sensible when you're connecting a dozen sites and don't want another subscription line item.
Outbound-only site connectors. Client networks that block inbound connections still work because connectors initiate the tunnel. You don't beg the client's IT department to forward port 443.
What running it takes
Official path is a Docker-based installer on a Linux VPS with a public IP and a domain pointed at it:
curl -fsSL https://static.pangolin.net/get-installer.sh | bash
sudo ./installer
Open firewall ports 80 and 443 (TCP), 51820 and 21820 (UDP for WireGuard clients). Ubuntu 20.04+ or Debian 11+ recommended. The installer pulls Pangolin, Gerbil (tunneling), and Traefik containers — plan 2–3 minutes for first image pull.
You'll configure a base domain, dashboard hostname (default pangolin.example.com), and Let's Encrypt email. Tunneling via Gerbil is optional — without it, Pangolin still works as a standard reverse proxy, but you lose the NAT-punching site connector magic.
After install, grab the setup token from container logs, hit /auth/initial-setup, create your admin account and first organization. Then add sites, resources, and users.
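A pre-flight check for the install steps above, as an added example that is not part of Pangolin or its installer: it reads the ufw rule list and the ss socket list and reports which of the four required ports (80/443 TCP, 51820/21820 UDP) lack an ALLOW rule or have nothing bound on them. It assumes ufw as the host firewall and iproute2's ss; the PANGOLIN_PREFLIGHT variable and the function names are my own.

```bash
#!/usr/bin/env bash
# Pre-flight check for a self-hosted Pangolin VPS. Added example for this post,
# not part of Pangolin or its installer. Assumes ufw as the host firewall and
# `ss` for socket listing; the port list is the one the installer needs.
set -euo pipefail

# proto:port pairs from the install notes: 80/443 TCP for Traefik, 51820/21820 UDP for WireGuard
PANGOLIN_PORTS="tcp:80 tcp:443 udp:51820 udp:21820"

# Read `ufw status` output on stdin; print the proto:port pairs that have no ALLOW rule.
missing_ufw_rules() {
  local status missing="" spec proto port
  status=$(cat)
  for spec in $PANGOLIN_PORTS; do
    proto=${spec%%:*}; port=${spec##*:}
    # rule lines look like "51820/udp   ALLOW   Anywhere"
    if ! grep -Eq "^${port}/${proto}[[:space:]]+ALLOW" <<<"$status"; then
      missing="$missing $spec"
    fi
  done
  printf '%s\n' "${missing# }"
}

# Read `ss -H -lntu` output on stdin; print required proto:port pairs nothing listens on.
# Catches the "firewall is open but the container never bound the port" case.
missing_listeners() {
  local sockets missing="" spec proto port
  sockets=$(cat)
  for spec in $PANGOLIN_PORTS; do
    proto=${spec%%:*}; port=${spec##*:}
    # socket lines look like "udp   UNCONN 0  0  0.0.0.0:51820  0.0.0.0:*"
    if ! grep -Eq "^${proto}[[:space:]].*[:.]${port}[[:space:]]" <<<"$sockets"; then
      missing="$missing $spec"
    fi
  done
  printf '%s\n' "${missing# }"
}

# Live run against this host; only executed when PANGOLIN_PREFLIGHT=1 so the
# functions above can also be sourced and exercised with captured output.
if [ "${PANGOLIN_PREFLIGHT:-0}" = "1" ]; then
  fw=$(sudo ufw status | missing_ufw_rules)
  ls=$(ss -H -lntu | missing_listeners)
  [ -z "$fw" ] && echo "ufw: all Pangolin ports allowed" || echo "ufw: missing ALLOW for $fw"
  [ -z "$ls" ] && echo "listeners: all Pangolin ports bound" || echo "listeners: nothing bound on $ls"
  [ -z "$fw$ls" ]   # non-zero exit if anything is missing
fi
```

Run it with PANGOLIN_PREFLIGHT=1 on the VPS once the installer finishes. Ports Docker publishes show up in ss only when Docker's userland proxy is enabled; otherwise confirm the mapping with docker ps.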
License note: Community Edition is AGPL-3. Enterprise Edition uses the Fossorial Commercial License — free for personal/hobby use and businesses under $100K gross annual revenue. Read the license before redistributing or embedding in a product.
Who it's for (and who should skip it)
Good fit: agencies managing client staging environments, homelabbers with services behind CGNAT, small teams replacing "VPN to the whole office" with per-app access, anyone tired of juggling Cloudflare Tunnel for HTTP and a separate WireGuard mesh for SSH.
Maybe skip it: you only need encrypted Wi-Fi egress on your phone — IPsec on a VPS is simpler. You have one public web app and Traefik already — Pangolin's identity layer might be overkill. You won't run Docker or maintain TLS on a domain — use Pangolin Cloud or a lighter tunnel tool.
Hosting it in Canada
Pangolin wants a stable VPS with UDP open and a real domain. We run self-hosted instances on Canadian Docker hosting — public IP, firewall rules for WireGuard, persistent volumes for config, and the dashboard on your subdomain with Let's Encrypt.
Tell us how many sites and users you're connecting — we'll size the box and help you avoid the "works in the lab, UDP blocked at the client firewall" surprise.