Pangolin: Secure Self-Hosted Tunneling for Home Services

Introduction

Pangolin is an open-source, self-hosted tunneling solution that lets you securely expose services running on your home or local network to the internet. Unlike third-party tunnel providers (e.g., Ngrok) or commercial VPNs, Pangolin gives you full control—no usage limits, no hidden costs, and complete privacy. Whether you’re a freelancer, blogger, or non-technical VPS user, Pangolin simplifies remote access without relying on cloud providers.

Use Case Examples

  • Freelancer accessing a NAS or self-hosted blog:
    • Edit or upload files to your personal cloud storage from a coffee shop.
    • Post updates to your WordPress blog hosted on a home server, securely.
  • Blogger managing local web apps:
    • Tweak a local copy of your site’s staging environment from any device.
    • Review analytics dashboards (e.g., Matomo) before publishing content.
  • Family accessing home surveillance:
    • View live camera feeds over an encrypted tunnel on your smartphone.
    • Manage motion-detection alerts from anywhere without exposing ports.

Feature Comparison

Feature | Pangolin | Ngrok | Tailscale | Zerotier
Privacy | Fully self-hosted, no logs | Logs on provider servers | Uses provider network | Uses provider network
Cost | Free (host your own VPS) | Free tier limited; paid | Free for basic; paid | Free for basic; paid
Open-Source | Yes | No | Partially (Tailscale CLI) | Partially (ZeroTier One)
Self-Hosting | ✔️ | | |
Ease of Use | Beginner-friendly installer | Very easy GUI/CLI | CLI-based | CLI-based
Speed | WireGuard-backed tunnel | Proprietary TCP/UDP mix | WireGuard | Proprietary protocol

How Pangolin Works (Simplified)

  1. Public Server: You install the Pangolin server on a VPS with a static public IP.
  2. Ingress Client (Newt): Inside your home network, you run a small client (called Newt) that establishes a WireGuard tunnel to the public server.
  3. Reverse Proxy: Pangolin’s server terminates HTTPS, then forwards encrypted tunnel traffic into your LAN over WireGuard.
  4. Subdomain Routing: Wildcard DNS (e.g., *.yourdomain.com) directs traffic to Pangolin, which routes each subdomain (e.g., jf.yourdomain.com) to the matching local service.

This design means your home router’s ports stay closed, traffic is encrypted on both legs (HTTPS to the VPS, WireGuard from the VPS into your LAN), and you avoid ISP restrictions on inbound connections.

Step-by-Step Guide to Self-Hosting Pangolin

1. Prepare Your VPS

  • Choose a provider (DigitalOcean, Linode, RackNerd, etc.)
  • Deploy Ubuntu 24.04 (or Debian 12) on a small droplet (1 CPU, 1 GB RAM).
  • Update packages:
sudo apt update && sudo apt upgrade -y
  • Add a non-root sudo user:
adduser pangouser
usermod -aG sudo pangouser

2. Configure DNS

  • Create two A records for your domain (replace yourdomain.com):
A   @      →  your.VPS.IP
A   *      →  your.VPS.IP
  • Add a specific subdomain for the dashboard (e.g., proxy.yourdomain.com → your.VPS.IP).

3. Install Pangolin Server

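Run the official quick-install script (requires Docker). The command pipes a remote script straight into a root shell, so download it to a file and read it first if you want to review what it does before it runs: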

curl -fsSL https://github.com/fossorial-io/pangolin/releases/latest/download/install.sh | sudo bash

When prompted, provide:

  • Base domain: yourdomain.com
  • Dashboard subdomain: proxy
  • Email for Let’s Encrypt
  • Admin user email/password
  • Enable Docker install (yes)

After a minute, the dashboard is live at https://proxy.yourdomain.com. Log in with your admin credentials.

4. Set Up an Ingress Point (Newt)

On a machine inside your LAN (can be a tiny VM or container):

  • Install dependencies & Newt client:
sudo apt update && sudo apt install -y curl wget ssh nano
wget https://github.com/fossorial-io/newt/releases/latest/download/newt-linux-amd64
chmod +x newt-linux-amd64 && mv newt-linux-amd64 newt
  • Create a systemd service (sudo nano /etc/systemd/system/newt.service) with the following contents:
[Unit]
Description=Newt VPN Client
After=network.target

[Service]
ExecStart=/usr/local/bin/newt --id YOUR_ID --secret YOUR_SECRET --endpoint https://proxy.yourdomain.com
Restart=always
User=root

[Install]
WantedBy=multi-user.target
  • Enable and start:
sudo mv newt /usr/local/bin/
sudo systemctl daemon-reload
sudo systemctl enable --now newt.service
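
A tighter variant of the unit above, as an added example that is not from the original post or the Pangolin project: it keeps the ID and secret out of the world-readable unit file by loading them from a root-only environment file, and runs Newt as a sandboxed, unprivileged dynamic user instead of root. It assumes Newt works without root privileges and without device access; the function name, the NEWT_ID/NEWT_SECRET/NEWT_ENDPOINT variable names and the /etc/newt path are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: generate a hardened newt.service plus a root-only credentials file.
# write_newt_unit ROOT ID SECRET ENDPOINT
#   ROOT is a staging prefix ("" or "/" for the live system); the other three
#   are the values the Pangolin dashboard shows for the site.
write_newt_unit() {
    local root="${1%/}" id="$2" secret="$3" endpoint="$4"
    local envfile="$root/etc/newt/newt.env"
    local unit="$root/etc/systemd/system/newt.service"

    mkdir -p "$root/etc/newt" "$root/etc/systemd/system"

    # Create the credentials file with mode 0600 before the secret is written.
    ( umask 077; : > "$envfile" )
    chmod 600 "$envfile"
    printf 'NEWT_ID=%s\nNEWT_SECRET=%s\nNEWT_ENDPOINT=%s\n' \
        "$id" "$secret" "$endpoint" > "$envfile"

    # The unit references variables only, so it can stay world-readable.
    # The secret is still in the process argv; this protects it at rest.
    cat > "$unit" <<'EOF'
[Unit]
Description=Newt tunnel client
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=/etc/newt/newt.env
ExecStart=/usr/local/bin/newt --id ${NEWT_ID} --secret ${NEWT_SECRET} --endpoint ${NEWT_ENDPOINT}
Restart=always
RestartSec=5
# Assumption: Newt needs no root privileges, so run it as a throwaway user.
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
EOF
    chmod 644 "$unit"
}
```

Call it as root with an empty ROOT on the ingress machine, then reload systemd and enable newt.service as in the step above.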

5. Expose Local Services

  1. In the Pangolin dashboard, go to Sites → Add Site → choose Newt Tunnel.
  2. Name your site (e.g., home-ingress), select Linux/amd64, paste the copied newt credentials, and click Create Site.
  3. In Resources → Add Resource, choose your site, pick HTTP Resource, and set a subdomain (e.g., jf).
  4. Enter the local IP (e.g., 192.168.1.10) and port (e.g., 8096 for Jellyfin), then Add Target → Save.

Access your service at https://jf.yourdomain.com.

SSL Configuration

Pangolin auto-requests Let’s Encrypt certificates for each subdomain. Ensure ports 80/443 are open on your VPS and DNS has propagated.

Port-Forwarding Tips

No port-forwarding at home is needed—Newt initiates outbound WireGuard connections, bypassing NAT restrictions.

Security and Privacy Best Practices

  • Use strong, unique admin passwords and enable email verification.
  • Disable public sign-ups to prevent unauthorized users.
  • Set up access rules by IP range or time windows for sensitive resources.
  • Regularly update both your VPS and ingress node.
  • Monitor logs for unusual activity; consider lightweight intrusion detection (e.g., CrowdSec).

Common Issues and Fixes

  • DNS not propagated: Wait up to 5 minutes or flush local DNS cache.
  • Newt service failed: Check journalctl -u newt.service for errors in ID/secret or endpoint URL.
  • SSL errors: Confirm ports 80/443 to VPS are open and DNS A records point correctly.
  • Double authentication prompts: In Resource settings, disable Pangolin SSO if the service has its own login.

Conclusion

Pangolin offers a privacy-focused, open-source, and cost-effective way to tunnel into your home services. With a simple installer and intuitive dashboard, you can secure and manage multiple resources—no third-party limitations, no extra fees, and complete control over your data. Whether you’re a beginner or seasoned freelancer, Pangolin is the perfect self-hosted alternative to AnyDesk, Ngrok, and other cloud tunnels. Try it today and reclaim your network’s privacy and accessibility.

kash
