Pangolin: Secure Self-Hosted Tunneling for Home Services

Article Contents

Introduction

Pangolin is an open-source, self-hosted tunneling solution that lets you securely expose services running on your home or local network to the internet. Unlike third-party tunnel providers (e.g., Ngrok) or commercial VPNs, Pangolin gives you full control—no usage limits, no hidden costs, and complete privacy. Whether you’re a freelancer, blogger, or non-technical VPS user, Pangolin simplifies remote access without relying on cloud providers.

Use Case Examples

Freelancer accessing a NAS or self-hosted blog:
- Edit or upload files to your personal cloud storage from a coffee shop.
- Post updates to your WordPress blog hosted on a home server, securely.
Blogger managing local web apps:
- Tweak a local copy of your site’s staging environment from any device.
- Review analytics dashboards (e.g., Matomo) before publishing content.
Family accessing home surveillance:
- View live camera feeds over an encrypted tunnel on your smartphone.
- Manage motion-detection alerts from anywhere without exposing ports.

Feature Comparison

Feature	Pangolin	Ngrok	Tailscale	Zerotier
Privacy	Fully self-hosted, no logs	Logs on provider servers	Uses provider network	Uses provider network
Cost	Free (host your own VPS)	Free tier limited; paid	Free for basic; paid	Free for basic; paid
Open-Source	Yes	No	Partially (Tailscale CLI)	Partially (ZeroTier One)
Self-Hosting	✔️	❌	❌	❌
Ease of Use	Beginner-friendly installer	Very easy GUI/CLI	CLI-based	CLI-based
Speed	WireGuard-backed tunnel	Proprietary TCP/UDP mix	WireGuard	Proprietary protocol

How Pangolin Works (Simplified)

Public Server: You install the Pangolin server on a VPS with a static public IP.
Ingress Client (Newt): Inside your home network, you run a small client (called Newt) that establishes a WireGuard tunnel to the public server.
Reverse Proxy: Pangolin’s server terminates HTTPS, then forwards encrypted tunnel traffic into your LAN over WireGuard.
Subdomain Routing: Wildcard DNS (e.g., *.yourdomain.com) directs traffic to Pangolin, which routes each subdomain (e.g., jf.yourdomain.com) to the matching local service.

This design means your home router’s ports stay closed, all traffic is end-to-end encrypted, and you avoid ISP restrictions on inbound connections.

Step-by-Step Guide to Self-Hosting Pangolin

1. Prepare Your VPS

Choose a provider (DigitalOcean, Linode, RackNerd, etc.)
Deploy Ubuntu 24.04 (or Debian 12) on a small droplet (1 CPU, 1 GB RAM).
Update packages: bashCopyEditsudo apt update && sudo apt upgrade -y
Add a non-root sudo user: bashCopyEditadduser pangouser usermod -aG sudo pangouser

2. Configure DNS

Create two A records for your domain (replace yourdomain.com):

A   @      →  your.VPS.IP
A   *      →  your.VPS.IP

Add a specific subdomain for the dashboard (e.g., proxy.yourdomain.com → your.VPS.IP).

3. Install Pangolin Server

Run the official quick-install script (requires Docker):

curl -fsSL https://github.com/fossorial-io/pangolin/releases/latest/download/install.sh | sudo bash

When prompted, provide:

Base domain: yourdomain.com
Dashboard subdomain: proxy
Email for Let’s Encrypt
Admin user email/password
Enable Docker install (yes)

After a minute, the dashboard is live at https://proxy.yourdomain.com. Log in with your admin credentials.

4. Set Up an Ingress Point (Newt)

On a machine inside your LAN (can be a tiny VM or container)

Install dependencies & Newt client:

sudo apt update && sudo apt install -y curl wget ssh nano
wget https://github.com/fossorial-io/newt/releases/latest/download/newt-linux-amd64
chmod +x newt-linux-amd64 && mv newt-linux-amd64 newt

Create a systemd service: nano /etc/systemd/system/newt.service

[Unit]
Description=Newt VPN Client
After=network.target

[Service]
ExecStart=/usr/local/bin/newt --id YOUR_ID --secret YOUR_SECRET --endpoint https://proxy.yourdomain.com
Restart=always
User=root

[Install]
WantedBy=multi-user.target

Enable and start:

sudo mv newt /usr/local/bin/
sudo mv newt.service /etc/systemd/system/
sudo systemctl enable --now newt.service

5. Expose Local Services

In the Pangolin dashboard, go to Sites → Add Site → choose Newt Tunnel.
Name your site (e.g., home-ingress), select Linux/amd64, paste the copied newt credentials, and click Create Site.
In Resources → Add Resource, choose your site, pick HTTP Resource, and set a subdomain (e.g., jf).
Enter the local IP (e.g., 192.168.1.10) and port (e.g., 8096 for Jellyfin), then Add Target → Save.

Access your service at https://jf.yourdomain.com.

SSL Configuration

Pangolin auto-requests Let’s Encrypt certificates for each subdomain. Ensure ports 80/443 are open on your VPS and DNS has propagated.

Port-Forwarding Tips

No port-forwarding at home is needed—Newt initiates outbound WireGuard connections, bypassing NAT restrictions.

Security and Privacy Best Practices

Use strong, unique admin passwords and enable email verification.
Disable public sign-ups to prevent unauthorized users.
Set up access rules by IP range or time windows for sensitive resources.
Regularly update both your VPS and ingress node.
Monitor logs for unusual activity; consider lightweight intrusion detection (e.g., CrowdSec).

Common Issues and Fixes

DNS not propagated: Wait up to 5 minutes or flush local DNS cache.
Newt service failed: Check journalctl -u newt.service for errors in ID/secret or endpoint URL.
SSL errors: Confirm ports 80/443 to VPS are open and DNS A records point correctly.
Double authentication prompts: In Resource settings, disable Pangolin SSO if the service has its own login.

Conclusion

Pangolin offers a privacy-focused, open-source, and cost-effective way to tunnel into your home services. With a simple installer and intuitive dashboard, you can secure and manage multiple resources—no third-party limitations, no extra fees, and complete control over your data. Whether you’re a beginner or seasoned freelancer, Pangolin is the perfect self-hosted alternative to AnyDesk, Ngrok, and other cloud tunnels. Try it today and reclaim your network’s privacy and accessibility.