Show HN: Pangolin – Open source alternative to Cloudflare Tunnels (opens in new tab)

This is super exciting! The “Cloudflare Tunnel” lock-in has always bugged me, so seeing an open source option is genuinely refreshing. I’m especially curious how Pangolin handles the gritty stuff—flaky networks, authentication headaches, scaling up when things get real. If anyone’s kicked the tires on this in the wild, how does it compare to the “it just works” magic of Cloudflare? Bonus points if you’ve wrangled it into playing nice with self-hosted stuff on a home connection. For context, I’ve got a Raspberry Pi running my blog and a bunch of other hobby projects from home, so real-world stories would be gold.

This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

Hello Eveyone, this is the other maintainer here. Just wanted to add some more detail about the other components of this system:

Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!

There are dozens of open source alternatives to Cloudflare Tunnels: https://github.com/anderspitman/awesome-tunneling

That being said, I believe Pangolin is one of the better and polished ones.

Sorry if this is a noobish question, but would this allow me to access services on a VPS, that I do not want publicly accessible on the internet?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

Amazing project. I have been using tail scale connected to an nginx proxy manager hosted on a VPS, to make my application public. Wrote about it here: https://hsps.in/post/how-i-host-public-apps-using-tailscale/

But pangolin seems to be similar to that setup with a good UI, and more control. Definitely trying it out.

Quick question: Can it handle multiple domain names? I point multiple domain to the vps hosting my npm it proxy's them from there. Does Pangolin, also support multiple domains pointing to it?

Great seeing Pangolin posted on Show HN. I just got pangolin installed and configured this afternoon on a VPS. With Newt running locally on a cheap mini-pc to establish wireguard tunnel. It was a fairly easy process. Watched couple of videos on YT and then went through the well documented procedure on their site. So far everything seems to be working. I currently only have couple of apps exposed. Plus a private relay for Rustdesk. All working great. Plan on exposing/moving stuff off CF in the coming days. Once I lock down my home network and isolate stuff on separate VLANs.

While CF tunnels were nice and solved my ISP imposed issue with exposing ports via their crappy fiber gateway for couple of years. But I wanted more control. Specifically control over what I can expose without worrying about violating cloudflare’s TOS and ambiguity around media streaming. (Jellyfin/Emby).

This sounds a bit like OpenZiti & Zrok, but still sounds interesting, I'll give it a try as I do use Cloudflare tunnels a fair bit.

My homelab has a setup like this, but all done somewhat-manually. HTTPS for my Docker images running in the homelab via a certbot image. A Wireguard setup to connect the homelab to a small Hetzner VPS, and a proxy there to allow certain traffic through.

I've been wanting to add some authentication lately so that I can manage access to the homelab resources. I currently prohibit all traffic and only allow the Wireguard subnet, but this means any clients have to be provisioned in Wireguard, which is a nuisance to setup manually. It does seem to work well enough though.

Pangolin seems like it would be a one-stop replacement and simplify the setup, especially once I look at adding user management to the mix.

What is the difference between Pangolin and NetBird, which is also a self-hosted and fully open-source solution?

https://github.com/netbirdio/netbird

This project sounds really interesting as an alternative to cloudflare and for decentralizating the internet, but for some low traffic home server what would I gain with using it instead of directly exposing a single port on my home server with nginx, I have static IP from my ISP, right now it is exposed as the server IP, what would I gain if I use a cheap vps as a proxy first?

Everyone on /r/homelab has been talking about it over the last few months. I bought a VPS and later realized a cheap tiny PC would be better for my use case combined with Proxmox. The next step is configuring a few more services and installing Pangolin on the VPS for easy reverse proxy management. I haven’t used it yet but all in all it looks awesome and the reviews I’ve seen are overwhelmingly positive. Thank you for building it!

This looks awesome. I am using Twingate (hosted and paid) currently in my production AWS VPC. AWS instance are in private subnets, no public ips attached, using a NAT instance for outbound internet, but very curious to try running Pangolin.

Can Pangolin also provide public access (currently I'm using Caddy as a reverse proxy)?

I have been using pangolin for a few months already and it's awesome. Installed in a small VPS (static IP) as an entry point for all the services I want to expose to friends and family from my homelab (dynamic IP), completely secure and very easy to manage.

This looks really nice.

I have set up something similar just recently with an OPNSense box running DNS, the WireGuard instance and getting a wildcard Let's Encrypt cert that it pushes to my Synology reverse proxy (Nginx). So from my clients I can enable the WG tunnel only on my internal IP range, setting the internal DNS, so I don't have to have my public cert pointing to my IP. It works once setup for my home net. But for multi-site, Pangolin looks very polished and probably easier to set up.

Is Newt a custom implementation of a WireGuard server? Has it been security audited in some way?

Also interested in knowing whether a professional security audit was done and if there is a public security pentesting program. This is especially important given the blast radius of an authentication service.

Did you get outside contributions yet? I'm asking because it is dual licensed agpl and commercial (just like a recent project I'm working on), and am wondering how contributors react to the cla.

Btw I like your short and clear CLA! Did you check the wording of the cla with a lawyer? In my project I wanted to replace the perpetual license granted by contributors by 'a license granted as long as the software is also proposed under the agpl', but that might make it too complicated to still keep it succinct and legally clear.

If you use this, it makes sense to run it at home. If you run it on a VPS, traffic is decrypted on VPS, the same privacy issue with Cloudflare tunnels. You have to trust the VPS provider.

Let’s say my server is running on a VPN and gets new IP once in a while. Would Pangolin be an option to publicly expose my services? Because I have this challenge now where I am currently ”forced” to expose my public IP to share some services. I use firewall rules to allow incoming traffic to my server and Traefik to route the user to the right service. I just don’t like the feeling of being exposed publicly like this.

I've been trying to get something like this working with frp and now sish but I'm not there yet. My use case is a little weird, I need to run the tunnel behind a traefik instance in k8s, with that traefik doing TLS termination, and I haven't been able to get anything working correctly yet. Maybe I'll give pangolin a try.

Hi! I'm using traefik as reverse proxy for my homelab. Would it be possible to combine Pangolin with it while preserving already defined routes and services? Or do I need to run separate instance of traefik for Pangolin behind already existing one?

Cloudflare tunnels do not work in certain countries (e.g.Russia), Pangolin does.

How does it compare to frp, one of the most popular Open Source Cloudflare Tunnel alternative?

https://github.com/fatedier/frp

Would Pangolin "integrate naturally" with something like Dokploy? Or is more meant to "replace" it?

Could you make a Dokploy template to let people deploy it easily?

"Easily expose services on IoT and edge devices for field monitoring"

can you give more details, would this be adapted to IoT devices running on MCUs like ESP32 etc?

Cloudflare tunnels is such a poorly built product. The bar for quality is very low in this category. I struggled to make it work on an dell laptop running ubuntu, over wifi. It worked when I set it up at my home and then failed when it was deployed in the field. I literally had the experience of "well, it worked at my home, let's ship it!". I couldn't recover from the errors, either.

So, if you built something that is resilient enough to handle change in IP addresses, you've beaten CF tunnels.

I still use Cloudflare Tunnel(cap) but anything new is going to OpenZiti/Zrok (grow). Openziti/Zrok are amazing.

Don't you also need a server? The point of cloudflare is that they give you use of their server, for free.

genuine, security newbie, question. What's the worst case scenario that can happen on using this type of solution from a security standpoint? I do get it the authentication would be compromised. Probably some internal ports would be exposed publicly too.. what else?

Thought this was Pangolin the laser control software, got excited there :(

Does this work well behind Docker Swarm or is it not designed for that?

Is it called Pangolin because pangolin's have scale-y tails?

How does this compare to other OSS like zrok?

How does this play on kubernetes?

This looks awesome!

I heckin love porn!

Reverse proxy in nodejs? How about no?

I wish I'd found this project sooner. UI looks quite sleek!

I love working with CF Tunnels but I got frustrated with their lackluster web admin ux that I recently decided to have Claude whip up a quick terminal interface for it

This is exactly what I have been looking for!

Thanks for building this. I’ll be trying it out when I get home tonight.