Apr 19, 2026 · 3 min read

Pangolin — Identity-Aware Reverse Proxy with Built-In Tunneling

Pangolin is a self-hosted reverse proxy and tunnel server that adds identity-aware access control to any service you expose, using WireGuard under the hood.

Script Depot · Community
Quick Use

Use it first, then decide how deep to go

This block tells both the user and the agent what to copy, install, and apply first.

git clone https://github.com/fosrl/pangolin.git
cd pangolin
docker compose up -d

Introduction

Pangolin combines a tunneled reverse proxy with identity-aware access control so you can expose internal services without opening firewall ports. It handles authentication, authorization, and encrypted transport in a single self-hosted binary.

What Pangolin Does

  • Tunnels traffic from your private network to the public internet over WireGuard
  • Enforces per-service access policies based on user identity and groups
  • Provides OIDC and SSO integration for centralized login
  • Generates TLS certificates automatically via ACME
  • Offers a web dashboard for managing sites, users, and tunnel configurations

Architecture Overview

Pangolin runs as a control server that orchestrates WireGuard tunnels between edge nodes (called Newt agents) and the central proxy. Incoming requests hit the proxy, which checks the identity session against configured policies before forwarding traffic through the encrypted tunnel to the origin service.
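The policy check described above, as an added example that is not Pangolin's own code: a simplified, fail-closed evaluator that decides per resource whether to redirect to login, refuse, or forward through the tunnel to the origin. The hostnames, users, groups, site name and origin addresses are constructed sample values, and the session/policy shapes are a model of the concept, not Pangolin's data structures.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """Identity session the proxy obtained from OIDC/SSO login (constructed model)."""
    user: str
    groups: frozenset


@dataclass
class ResourcePolicy:
    """Per-resource allow rules: a user passes if listed directly or via a group."""
    allowed_users: frozenset = field(default_factory=frozenset)
    allowed_groups: frozenset = field(default_factory=frozenset)


# Constructed sample policies keyed by the public hostname of each exposed service.
POLICIES = {
    "grafana.example.test": ResourcePolicy(allowed_groups=frozenset({"ops"})),
    "wiki.example.test": ResourcePolicy(allowed_users=frozenset({"alice@example.test"}),
                                        allowed_groups=frozenset({"staff"})),
}

# Constructed mapping from public hostname to (Newt site, origin URL behind the tunnel).
ORIGINS = {
    "grafana.example.test": ("homelab", "http://10.0.0.5:3000"),
    "wiki.example.test": ("homelab", "http://10.0.0.6:8080"),
}


def authorize(session, host, policies=POLICIES):
    """Return (decision, reason). Fails closed: unknown hosts and missing sessions never pass."""
    policy = policies.get(host)
    if policy is None:
        return ("deny", "no policy for resource")   # unknown resource: refuse, don't even prompt
    if session is None:
        return ("login", "no identity session")     # send the browser to the SSO login
    if session.user in policy.allowed_users:
        return ("allow", "user rule")
    if session.groups & policy.allowed_groups:
        return ("allow", "group rule")
    return ("deny", "no matching rule")


def handle_request(session, host):
    """Proxy front door: run the policy check first, then redirect, refuse, or forward."""
    decision, reason = authorize(session, host)
    if decision == "login":
        return {"status": 302, "location": "/auth/login", "reason": reason}
    if decision == "deny":
        return {"status": 403, "reason": reason}
    site, origin = ORIGINS[host]   # only reached after an explicit allow
    return {"status": 200, "forward_via_site": site, "upstream": origin, "reason": reason}
```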

Self-Hosting & Configuration

  • Deploy with Docker Compose using the provided template
  • Configure OIDC provider settings for SSO in the environment file
  • Set WireGuard keys and endpoint addresses for tunnel nodes
  • Define access policies per site through the web dashboard
  • Use custom domains with automatic TLS provisioning

Key Features

  • Zero-trust access model with per-resource identity checks
  • No need to open inbound ports on your private network
  • Built on WireGuard for high-performance encrypted tunnels
  • Web UI for managing sites, users, and access rules
  • Single binary deployment with minimal dependencies

Comparison with Similar Tools

  • Cloudflare Tunnel — managed service with vendor lock-in; Pangolin is fully self-hosted
  • Tailscale Funnel — simpler but lacks per-resource identity policies
  • Nginx Proxy Manager — no built-in tunneling or identity-aware access control
  • Authentik + Traefik — similar outcome but requires assembling multiple components
  • Rathole — fast tunneling but no identity layer or web management UI

FAQ

Q: Does Pangolin replace my existing reverse proxy?
A: Yes, it acts as both the reverse proxy and the tunnel endpoint, so you do not need a separate Nginx or Traefik instance.

Q: Can I use Pangolin without the tunneling feature?
A: Yes, you can run it as a standard identity-aware reverse proxy for services already reachable on the same network.

Q: What authentication providers does it support?
A: Any OIDC-compliant provider, including Keycloak, Authentik, Google Workspace, and Azure AD.

Q: Is WireGuard required on client devices?
A: No. WireGuard runs between the Pangolin server and the Newt agent on your private network. End users access services through a normal browser.
