Pangolin: Secure Self-Hosted Tunneling for Home Services

Introduction

Pangolin is an open-source, self-hosted tunneling solution that lets you securely expose services running on your home or local network to the internet. Unlike third-party tunnel providers (e.g., Ngrok) or commercial VPNs, Pangolin gives you full control—no usage limits, no hidden costs, and complete privacy. Whether you’re a freelancer, blogger, or non-technical VPS user, Pangolin simplifies remote access without relying on cloud providers.

Use Case Examples

• Freelancer accessing a NAS or self-hosted blog:
  • Edit or upload files to your personal cloud storage from a coffee shop.
  • Post updates to your WordPress blog hosted on a home server, securely.
• Blogger managing local web apps:
  • Tweak a local copy of your site’s staging environment from any device.
  • Review analytics dashboards (e.g., Matomo) before publishing content.
• Family accessing home surveillance:
  • View live camera feeds over an encrypted tunnel on your smartphone.
  • Manage motion-detection alerts from anywhere without exposing ports.

Feature Comparison

Feature	Pangolin	Ngrok	Tailscale	Zerotier
Privacy	Fully self-hosted, no logs	Logs on provider servers	Uses provider network	Uses provider network
Cost	Free (host your own VPS)	Free tier limited; paid	Free for basic; paid	Free for basic; paid
Open-Source	Yes	No	Partially (Tailscale CLI)	Partially (ZeroTier One)
Self-Hosting	✔️	❌	❌	❌
Ease of Use	Beginner-friendly installer	Very easy GUI/CLI	CLI-based	CLI-based
Speed	WireGuard-backed tunnel	Proprietary TCP/UDP mix	WireGuard	Proprietary protocol

How Pangolin Works (Simplified)

1. Public Server: You install the Pangolin server on a VPS with a static public IP.
2. Ingress Client (Newt): Inside your home network, you run a small client (called Newt) that establishes a WireGuard tunnel to the public server.
3. Reverse Proxy: Pangolin’s server terminates HTTPS, then forwards encrypted tunnel traffic into your LAN over WireGuard.
4. Subdomain Routing: Wildcard DNS (e.g., *.yourdomain.com) directs traffic to Pangolin, which routes each subdomain (e.g., jf.yourdomain.com) to the matching local service.

This design means your home router’s ports stay closed, all traffic is end-to-end encrypted, and you avoid ISP restrictions on inbound connections.

Step-by-Step Guide to Self-Hosting Pangolin

1. Prepare Your VPS

• Choose a provider (DigitalOcean, Linode, RackNerd, etc.)
• Deploy Ubuntu 24.04 (or Debian 12) on a small droplet (1 CPU, 1 GB RAM).
• Update packages: bashCopyEditsudo apt update && sudo apt upgrade -y
• Add a non-root sudo user: bashCopyEditadduser pangouser usermod -aG sudo pangouser

2. Configure DNS

• Create two A records for your domain (replace yourdomain.com):

A   @      →  your.VPS.IP
A   *      →  your.VPS.IP

• Add a specific subdomain for the dashboard (e.g., proxy.yourdomain.com → your.VPS.IP).

3. Install Pangolin Server

Run the official quick-install script (requires Docker):

curl -fsSL https://github.com/fossorial-io/pangolin/releases/latest/download/install.sh | sudo bash

When prompted, provide:

• Base domain: yourdomain.com
• Dashboard subdomain: proxy
• Email for Let’s Encrypt
• Admin user email/password
• Enable Docker install (yes)

After a minute, the dashboard is live at https://proxy.yourdomain.com. Log in with your admin credentials.

4. Set Up an Ingress Point (Newt)

On a machine inside your LAN (can be a tiny VM or container)

• Install dependencies & Newt client:

sudo apt update && sudo apt install -y curl wget ssh nano
wget https://github.com/fossorial-io/newt/releases/latest/download/newt-linux-amd64
chmod +x newt-linux-amd64 && mv newt-linux-amd64 newt

• Create a systemd service: nano /etc/systemd/system/newt.service

[Unit]
Description=Newt VPN Client
After=network.target

[Service]
ExecStart=/usr/local/bin/newt --id YOUR_ID --secret YOUR_SECRET --endpoint https://proxy.yourdomain.com
Restart=always
User=root

[Install]
WantedBy=multi-user.target

• Enable and start:

sudo mv newt /usr/local/bin/
sudo mv newt.service /etc/systemd/system/
sudo systemctl enable --now newt.service

5. Expose Local Services

1. In the Pangolin dashboard, go to Sites → Add Site → choose Newt Tunnel.
2. Name your site (e.g., home-ingress), select Linux/amd64, paste the copied newt credentials, and click Create Site.
3. In Resources → Add Resource, choose your site, pick HTTP Resource, and set a subdomain (e.g., jf).
4. Enter the local IP (e.g., 192.168.1.10) and port (e.g., 8096 for Jellyfin), then Add Target → Save.

Access your service at https://jf.yourdomain.com.

SSL Configuration

Pangolin auto-requests Let’s Encrypt certificates for each subdomain. Ensure ports 80/443 are open on your VPS and DNS has propagated.

Port-Forwarding Tips

No port-forwarding at home is needed—Newt initiates outbound WireGuard connections, bypassing NAT restrictions.

Security and Privacy Best Practices

• Use strong, unique admin passwords and enable email verification.
• Disable public sign-ups to prevent unauthorized users.
• Set up access rules by IP range or time windows for sensitive resources.
• Regularly update both your VPS and ingress node.
• Monitor logs for unusual activity; consider lightweight intrusion detection (e.g., CrowdSec).

Common Issues and Fixes

• DNS not propagated: Wait up to 5 minutes or flush local DNS cache.
• Newt service failed: Check journalctl -u newt.service for errors in ID/secret or endpoint URL.
• SSL errors: Confirm ports 80/443 to VPS are open and DNS A records point correctly.
• Double authentication prompts: In Resource settings, disable Pangolin SSO if the service has its own login.

Conclusion

Pangolin offers a privacy-focused, open-source, and cost-effective way to tunnel into your home services. With a simple installer and intuitive dashboard, you can secure and manage multiple resources—no third-party limitations, no extra fees, and complete control over your data. Whether you’re a beginner or seasoned freelancer, Pangolin is the perfect self-hosted alternative to AnyDesk, Ngrok, and other cloud tunnels. Try it today and reclaim your network’s privacy and accessibility.