Skills · Apr 19, 2026 · 3 min read

Pangolin — Identity-Aware Reverse Proxy with Built-In Tunneling

Pangolin is a self-hosted reverse proxy and tunnel server that adds identity-aware access control to any service you expose, using WireGuard under the hood.

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan, and running the corresponding command.

  • Native · 98/100 · Policy: allow
  • Agent surface: Any MCP/CLI agent
  • Type: Skill
  • Installation: Single
  • Trust: Established
  • Entry: Pangolin Overview

Direct install command:

npx -y tokrepo@latest install 6c486f0a-3c2d-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan with a dry run.

Introduction

Pangolin combines a tunneled reverse proxy with identity-aware access control so you can expose internal services without opening firewall ports. It handles authentication, authorization, and encrypted transport in a single self-hosted binary.

What Pangolin Does

  • Tunnels traffic from your private network to the public internet over WireGuard
  • Enforces per-service access policies based on user identity and groups
  • Provides OIDC and SSO integration for centralized login
  • Generates TLS certificates automatically via ACME
  • Offers a web dashboard for managing sites, users, and tunnel configurations

Architecture Overview

Pangolin runs as a control server that orchestrates WireGuard tunnels between edge nodes (called Newt agents) and the central proxy. Incoming requests hit the proxy, which checks the identity session against configured policies before forwarding traffic through the encrypted tunnel to the origin service.

Self-Hosting & Configuration

  • Deploy with Docker Compose using the provided template
  • Configure OIDC provider settings for SSO in the environment file
  • Set WireGuard keys and endpoint addresses for tunnel nodes
  • Define access policies per site through the web dashboard
  • Supports custom domains with automatic TLS provisioning

Key Features

  • Zero-trust access model with per-resource identity checks
  • No need to open inbound ports on your private network
  • Built on WireGuard for high-performance encrypted tunnels
  • Web UI for managing sites, users, and access rules
  • Single binary deployment with minimal dependencies

Comparison with Similar Tools

  • Cloudflare Tunnel — managed service with vendor lock-in; Pangolin is fully self-hosted
  • Tailscale Funnel — simpler but lacks per-resource identity policies
  • Nginx Proxy Manager — no built-in tunneling or identity-aware access control
  • Authentik + Traefik — similar outcome but requires assembling multiple components
  • Rathole — fast tunneling but no identity layer or web management UI

FAQ

Q: Does Pangolin replace my existing reverse proxy? A: Yes, it acts as both the reverse proxy and the tunnel endpoint, so you do not need a separate Nginx or Traefik instance.

Q: Can I use Pangolin without the tunneling feature? A: Yes, you can run it as a standard identity-aware reverse proxy for services already reachable on the same network.

Q: What authentication providers does it support? A: Any OIDC-compliant provider including Keycloak, Authentik, Google Workspace, and Azure AD.

Q: Is WireGuard required on client devices? A: No, WireGuard runs between the Pangolin server and the Newt agent on your private network. End users access services through a normal browser.
