[HN Gopher] Show HN: Pangolin - Open source alternative to Cloud...
       ___________________________________________________________________
        
       Show HN: Pangolin - Open source alternative to Cloudflare Tunnels
        
       Pangolin is an open source self-hosted tunneled reverse proxy
       management server with identity and access control, designed to
       securely expose private resources through encrypted WireGuard
       tunnels running in user space. We made Pangolin so you retain full
       control over your infrastructure while providing a user-friendly
       and feature-rich solution for managing proxies, authentication, and
       access, all with a clean and simple dashboard web UI.

       GitHub: https://github.com/fosrl/pangolin

       Deployment takes about 5 minutes on a VPS:
       https://docs.fossorial.io/Getting%20Started/quick-install

       Demo by Lawrence Systems (YouTube):
       https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

       Some use cases:

       - Grant users access to your apps from anywhere using just a
         web-browser
       - Proxy behind CGNAT
       - One application load balancer across multiple clouds and
         on-premises
       - Easily expose services on IoT and edge devices for field
         monitoring
       - Bring localhost online for easy access

       A few key features:

       - No port forwarding and hide your public IP for self-hosting
       - Create proxies to multiple different private networks
       - OAuth2/OIDC identity providers
       - Role-based access control
       - Raw TCP and UDP support
       - Resource-specific pin codes, passwords, email OTP
       - Self-destructing shareable links
       - API for automation
       - WAF with CrowdSec and Geoblocking
        
       Author : miloschwartz
       Score  : 439 points
       Date   : 2025-07-10 21:50 UTC (1 days ago)
        
        
       | fossorialowen wrote:
       | Hello Everyone, this is the other maintainer here. Just wanted to
       | add some more detail about the other components of this system:
       | 
       | Pangolin uses Traefik under the hood to do the actual HTTP
       | proxying. A plugin, Badger, provides a way to authenticate every
       | request with Pangolin. A second service, Gerbil, provides a
       | WireGuard management server that Pangolin can use to create peers
       | for connectivity. And finally, there is Newt, a CLI tool and
       | Docker container that connects back to Gerbil with WireGuard
       | fully in user space and proxies your local resources. This means
       | that you do not need to run a privileged process or container in
       | order to expose your services!
        
         | PeterStuer wrote:
         | Been using this for a few months for serving from home with a
         | tiny VPS at Hetzner tunneling the traffic to Newt behind my
         | home firewall.
         | 
         | My experience went very smooth and stable. The one issue I
         | thought I had turned out to be not related to Pangolin at all.
         | 
         | https://github.com/orgs/fosrl/discussions/950
        
           | v5v3 wrote:
           | What's Newt?
        
             | PeterStuer wrote:
             | Newt ( https://github.com/fosrl/newt ) is a custom
             | userspace Wireguard client that you run on the 'edge
             | server' side (typically behind your home firewall) that is
             | part of the Pangolin system. It reaches out to your
             | Pangolin server (typically hosted on a small VPS with a
             | static IP) and will take care of negotiating the Wireguard
             | tunnel and managing dispatch to the different services you
             | exposed and mapped on your LAN. Easiest way to understand
             | the full stack is to have a look at
             | https://docs.fossorial.io/Getting%20Started/overview which
             | includes a nice System Overview Diagram.
        
         | oulipo wrote:
         | Would be nice if there were a mini-tutorial in the doc for each
         | of the use-cases you mention here, so we could quickly test it
         | and see if it helps
        
           | fossorialowen wrote:
           | Coming soon! We are going to do a docs revamp!
        
         | hardwaresofton wrote:
         | > Pangolin uses Traefik under the hood to do the actual HTTP
         | proxying.
         | 
         | Traefik is awesome, and one of the biggest reasons is it's
         | extensibility and robustness.
         | 
         | It absolutely does not get enough attention!
        
           | jtbaker wrote:
           | I'm using it as my ingress controller on my K3S homelab and
           | it has definitely been a nice DX so far.
           | 
           | The one thing I haven't been able to figure out how to do
           | with it is do compression (gzip/br/zstd) there, so I'm
           | handling it in the application layer, which feels suboptimal.
           | 
           | Any tips? Seems like a table stakes sort of feature in the
           | space that shouldn't be too hard to implement.
        
             | hardwaresofton wrote:
             | Did the compress middleware not work for you?
             | 
             | https://doc.traefik.io/traefik/middlewares/http/compress/
             | 
             | Are you trying to compress the request that has already
             | come in to your cluster? I'm not sure there's a _ton_ of
             | value to be extracted there, since the requests have
             | already made their way across the internet uncompressed to
             | your ingress point.
             | 
             | If there's a "long way" to go after hitting your ingress
             | controller then maybe there's something to be gained...
        
         | 1vuio0pswjnm7 wrote:
         | The official traefik v3.4.4 amd64 binary from Github is only
         | 207MB.
         | 
         | https://github.com/traefik/traefik/releases/expanded_assets/...
        
           | FuriouslyAdrift wrote:
           | An entire docker image for HAProxy is only 41 MB... deb is
           | 1.6 MB
        
             | sgarland wrote:
             | Welcome to modern development, where no one gives a shit
             | about binary size. It's awful.
        
             | 1vuio0pswjnm7 wrote:
             | I compile static-pie HAproxy binaries using different TLS
             | libraries. Size varies a little based on the versions and
             | compile-time options for those libraries
             | 
             | For example, max sizes for the largest and smallest TLS
             | libraries I have tried
             | 
             | OpenSSL 9.0MB
             | 
             | WolfSSL 4.6MB
             | 
             | OpenSSL bloat is unfortunate
             | 
             | Does Traefik allow any TLS libraries other than OpenSSL
        
       | tday1 wrote:
       | This is exactly what I have been looking for!
       | 
       | Thanks for building this. I'll be trying it out when I get home
       | tonight.
        
       | jz10 wrote:
       | I wish I'd found this project sooner. UI looks quite sleek!
       | 
       | I love working with CF Tunnels but I got frustrated with their
       | lackluster web admin ux that I recently decided to have Claude
       | whip up a quick terminal interface for it
        
         | hammyhavoc wrote:
         | What do you find lacking in the web interface?
        
           | jz10 wrote:
           | Sounds a bit nitpicky now that I put it into words but most
           | of my usage is just on the public hostnames panel which is
           | about 3-4 levels deep from the dashboard. There is also a UI
           | disconnect between this and the DNS records screen
           | 
           | I do this flow a number of times and the TUI I made solved
           | this specific problem for me
           | https://github.com/justingosan/tunnelman?tab=readme-ov-
           | file#...
        
             | jallmann wrote:
             | Yes, this exactly - I wouldn't call it nitpicky, it is
             | really buried in there. I understand Cloudflare has a ton
             | of other products and features, but the discoverability for
             | CF Tunnels really could be better.
             | 
             | Just checked and it's:
             | 
             | Dashboard home > Zero Trust > Networks > Tunnels > [tunnel]
             | > Public Hostname
             | 
             | And if it ends up provisioning a new DNS record, I always
             | have to remember to go back to the domain's DNS screen and
             | label it with the tunnel.
             | 
             | In general I use a tiny sliver of Cloudflare's
             | capabilities; it would be nice if the primary dashboard
             | could bubble up the parts that I do use.
        
         | mekster wrote:
         | You found it early enough. I guess it's not even 1 year old.
        
       | noduerme wrote:
       | This seems really interesting for managing a lot of remote dev
       | boxes or something like that...
       | 
       | so, kind of an uneducated question (from someone who isn't
       | heavily involved in actual infrastructure)... I haven't used CF
       | tunnels, and the extent of my proxying private services has
       | pretty much been either reverse proxy tunnels over SSH, or
       | Tailscale. Where pretty much any service I want to test privately
       | is located on some particular device, like, a single EC2
       | instance, or my laptop that's at home while I'm out on my phone.
       | Could you explain in layman's terms what this solves that e.g.
       | tailscale doesn't?
        
         | fossorialowen wrote:
         | Thanks!
         | 
         | I think what you are using (SSH, Tailscale) is great for your
         | use case! We see this as more of a static and permanent tunnel
         | to a service - less ephemeral than a ssh tunnel - and more to
         | get public users into your application. Meaning if you had an
         | internal app for your business or some homelab application like
         | Immich or Grafana at home/work that you want to expose to your
         | family in their browser this could be a good tool to use. Does
         | that make sense?
        
           | barbazoo wrote:
           | I'm using an nginxproxymanager as reverse proxy and ssl
           | terminus for exactly that, Immich, home assistant, etc. What
           | would I gain from your solution?
        
             | fossorialowen wrote:
             | I think if that works for you then stick with it! Pangolin
             | would mostly do the same thing. I think if you wanted more
             | auth control like users and pin codes and OIDC and roles
             | you might not get that with NPM out of the box but could
             | add on.
             | 
             | Pangolin has a tunnel component to it so if you were
             | challenged on the ISP front you can put this on the VPS and
             | it just makes configuring the connection back to the
             | network easier so you don't need to set up WG back etc...
             | It wraps it all up nicely in a UI and simple install
             | script. It can also all be automated with the API if you
             | are into that kind of thing.
        
           | noduerme wrote:
           | That makes a ton of sense actually! I'm excited to give it a
           | try!
        
         | mbesto wrote:
         | I use CF tunnels pretty extensively with my home unraid server.
         | 
         | The TL;DR is this - there are certain apps I host that I want
         | to be public and don't want to onboard a Tailscale node (for
         | example my sister uses my Plex server). So, instead of setting
         | up a reverse proxy, I simply create a subdomain in DNS (via CF)
         | and then route that subdomain to the CF tunnel.
         | 
         | It's like 3 form entries to do all of this for one site/service
         | and automatically creates an SSL cert for me. I love it.
        
           | jonotime wrote:
           | Out of curiosity why not give your sister restricted access
           | to your tailnet instead? Then nothing is public.
        
             | omnimus wrote:
             | My guess is that teaching and convincing someone to install
             | tailscale on every device they need access is a lot harder
             | than sending a link.
             | 
             | That's why I use pangolin.
        
             | noduerme wrote:
             | Tailscale and Plex do _not_ play nicely, particularly since
             | Plex implemented a bunch of shit to try to charge users for
             | accessing their own files outside what _it_ considers a
             | local network. Switching to Jellyfin is on my maintenance
             | list. It's very understandable that if you had given a
             | family member access to your Plex server before this year
             | and it "just worked" you might look now at Tailscale as a
             | way to put them on your LAN and then decide that the
             | complexity isn't worth it, given the hoops that Plex had
             | apparently gone through to make that a non-viable option.
             | 
             | Fuck Plex, by the way. Good on them for building up and
             | turning themselves into a streaming service of sorts. Add
             | value and I'll pay for it. But suddenly one day your free
             | mobile viewer app updates and requires payment to stream
             | your own mp4 files? Seriously, they can go to hell. No one
             | streaming movie files to their family is doing so because
             | they love paying middle-men, by the way. And no core
             | function of Plex can't be done freely.
        
               | subscribed wrote:
               | To me, another huge no-no is the apparent lack of option
               | to stop Plex from sending all the filenames to the
               | mothership.
        
               | jonotime wrote:
               | Ah ok. Admittedly I don't host a media server so it sounds
               | like Plex brings new challenges.
               | 
               | I would just prefer to not have to public expose a
               | service for a single user. In my case when sharing an
               | image server to family it has been easy enough to walk
               | them through installing tailscale on their windows
               | desktop that they use. I love adding friends and fam to
               | my tailnet. It then also makes it easier to log in and
               | troubleshoot their issues later too.
               | 
               | It looks like CFs solution for restricted public access
               | is CF access control, but that's still publicly exposed.
               | Their non-public option is WARP, but that requires
               | installation on the client machine. At that point your
               | user setup is even harder than tailscale.
        
           | hexfish wrote:
           | Are you aware that serving media streams over the tunnel
           | might be against the ToS? This is what kept me from using it
           | tbh.
        
         | j45 wrote:
         | Tailscale (and headscale) is great for internal access to
         | something that might not have public internet access. Others
         | have mentioned an example of keeping a NAS off the public
         | internet.
         | 
         | Cloudflare tunnels help expose a service to the internet with a
         | bit more protection.
         | 
         | I have seen folks use both tailscale to access the backend and
         | the public side is only Cloudflare tunnels.
         | 
         | It's not unreasonable to point Cloudflare tunnels to a central
         | and internal nginx proxy manager.
         | 
         | Tailscale can route the public internet into your services too
         | can do this too but the protections in Cloudflare are likely a
         | little more robust.
         | 
         | Pangolin looks interesting enough to try out, it could run
         | behind Cloudflare tunnels while testing and then be moved out.
        
       | nodesocket wrote:
       | This looks awesome. I am using Twingate (hosted and paid)
       | currently in my production AWS VPC. AWS instance are in private
       | subnets, no public ips attached, using a NAT instance for
       | outbound internet, but very curious to try running Pangolin.
       | 
       | Can Pangolin also provide public access (currently I'm using
       | Caddy as a reverse proxy)?
        
         | fossorialowen wrote:
         | Yes! That's where it excels I think. If you want public
         | authenticated access for your users and / or need that
         | tunneling component to get into your network or a set of
         | distributed networks then Pangolin is your animal!
        
       | nicolas_ wrote:
       | Everyone on /r/homelab has been talking about it over the last
       | few months. I bought a VPS and later realized a cheap tiny PC
       | would be better for my use case combined with Proxmox. The next
       | step is configuring a few more services and installing Pangolin
       | on the VPS for easy reverse proxy management. I haven't used it
       | yet but all in all it looks awesome and the reviews I've seen are
       | overwhelmingly positive. Thank you for building it!
        
         | fossorialowen wrote:
         | Thanks!
        
       | heavyset_go wrote:
       | Does this work well behind Docker Swarm or is it not designed for
       | that?
        
         | fossorialowen wrote:
         | Yes I think so. I know it works quite well in compose but as
         | you scale to swarm I am not sure if there would be pains. You
         | can just pop the connector into your compose stack and it will
         | connect to anything in the docker network which we personally
         | do to host some of our basic infrastructure.
        
       | aborsy wrote:
       | If you use this, it makes sense to run it at home. If you run it
       | on a VPS, traffic is decrypted on VPS, the same privacy issue
       | with Cloudflare tunnels. You have to trust the VPS provider.
        
         | fossorialowen wrote:
         | This is true! But you have a little more control over who you
         | might choose to trust. For example - you might trust AWS not to
         | snoop in your VM more than you might trust CF to not collect
         | valuable usage data about you when they decrypt your traffic.
        
           | scottgg wrote:
           | Agreed - there's a big difference between "I actively asked
           | CF to terminate my TLS" and "I suspect my provider is
           | scraping unencrypted data out of my running VM"
        
             | aborsy wrote:
             | I doubt there is less monitoring at a VPS than CF. Many VPS
             | companies are less known and smaller, and may not have
             | professional audit and access processes in place.
        
         | mekster wrote:
         | What can you even do if you can't trust a VPS provider?
        
           | aborsy wrote:
           | TLS pass through. You simply route encrypted traffic to your
           | home. The keys to the castle are all in home!
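One way to get the TLS pass-through described above on the VPS, as an added example that is not Pangolin's own configuration: Traefik (the proxy Pangolin uses under the hood) can route a TCP connection by its SNI without terminating TLS, so the certificate and private key never leave the home side. The entrypoint name `websecure`, the hostname `app.example.com` and the tunnel-side address `10.0.0.2:443` are assumptions for illustration.

```yaml
# Traefik dynamic configuration (file provider), constructed example.
# The VPS only sees ciphertext: it reads the ClientHello SNI, picks a
# backend, and forwards the raw TLS stream through the WireGuard tunnel.
tcp:
  routers:
    home-passthrough:
      entryPoints:
        - websecure                      # assumed entrypoint on :443
      rule: "HostSNI(`app.example.com`)" # assumed public hostname
      service: home-tls
      tls:
        passthrough: true                # do NOT terminate TLS here
  services:
    home-tls:
      loadBalancer:
        servers:
          - address: "10.0.0.2:443"      # assumed address reachable via the tunnel;
                                         # the home reverse proxy holds the cert+key
```

The trade-off is the one the thread implies: because the VPS never decrypts the traffic, it also cannot apply per-request identity checks (the Badger-style auth the maintainers describe), so any authentication has to happen on the home side.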
        
       | PoKeRGT wrote:
       | I have been using pangolin for a few months already and it's
       | awesome. Installed in a small VPS (static IP) as an entry point
       | for all the services I want to expose to friends and family from
       | my homelab (dynamic IP), completely secure and very easy to
       | manage.
        
         | fossorialowen wrote:
         | Great good to hear!
        
       | coderhs wrote:
       | Amazing project. I have been using tail scale connected to an
       | nginx proxy manager hosted on a VPS, to make my application
       | public. Wrote about it here: https://hsps.in/post/how-i-host-
       | public-apps-using-tailscale/
       | 
       | But pangolin seems to be similar to that setup with a good UI,
       | and more control. Definitely trying it out.
       | 
       | Quick question: Can it handle multiple domain names? I point
       | multiple domains to the vps hosting my npm and it proxies them from
       | there. Does Pangolin, also support multiple domains pointing to
       | it?
        
         | fossorialowen wrote:
         | Yes it can! You can point them all to the VPS as you say then
         | just add them to the config file domains list. You can add as
         | many as you need.
         | https://docs.fossorial.io/Pangolin/Configuration/config#doma...
        
       | djlameche wrote:
       | Sorry if this is a noobish question, but would this allow me to
       | access services on a VPS, that I do not want publicly accessible
       | on the internet?
       | 
       | In other words: Let's say I have a VPS with eg. Keycloak running
       | on it. I want to be able to access it for management purposes but
       | don't want it exposed to other people on the internet. Would
       | Pangolin be a way for me to do this?
        
         | TheTxT wrote:
         | Did you already consider using ssh port forwarding? That way
         | you can temporarily forward the local port that keycloak is
         | running on to your machine
        
           | djlameche wrote:
           | I did not consider it yet, I will look into it. I am thinking
           | about hosting a pepper variety database that I am developing,
           | but I have 0 experience with hosting software, so I am a bit
           | wary about what I will be exposing...
        
         | zakki wrote:
         | I guess you have to use firewall as well. So basically you
         | block any access from internet except VPN service. And you can
         | have rule which IP allowed to access your VPN service.
        
         | jychang wrote:
         | You want Tailscale for that.
        
         | dizhn wrote:
         | Don't you use Keycloak for SSO? The ports needed for that need
         | to be accessible so services can talk to it. If there's a
         | dedicated port for management you can still use it with
         | software like pangolin. Run the management service on only a
         | local port and access using this software or wireguard.
         | 
         | I use authentik and as far as I know the management is on the
         | same web port so I have to allow some paths to be accessible to
         | the world.
        
           | djlameche wrote:
           | I'm not using anything YET. I am thinking about hosting a
           | pepper variety database I am developing on a VPS for public
           | use. I want to use Keycloak for authentication and also some
           | other services alongside (eg. a headless CMS for writing some
           | of the content).
           | 
           | The thing is, I don't have any prior experience with hosting
           | at all. So I am wondering if I can reduce attack surface by
           | making "management" services (Keycloak admin console, the
           | headless CMS admin interface etc.) accessible only to me...
        
             | dizhn wrote:
             | > So I am wondering if I can reduce attack surface by
             | making "management" services (Keycloak admin console, the
             | headless CMS admin interface etc.) accessible only to me...
             | 
             | The answer to this is YES. Of course there are a variety of
             | ways to implement. In your case I would start simple with
             | something like wireguard. Keycloak won't be easy to install
             | and configure as a beginner. If your needs are simple,
             | check out https://github.com/lldap/lldap for authentication
             | (and user management).
        
         | fossorialowen wrote:
         | Good advice in this thread. If it's just you then ssh tunnels or
         | tailscale or netbird or pure wireguard are all fine. You
         | _could_ use Pangolin for this and put auth in front of the web
         | page of Keycloak using a local Pangolin site and that would be
         | fine too. It depends on how important the security is to you
         | and who else might want access.
        
       | oulipo wrote:
       | "Easily expose services on IoT and edge devices for field
       | monitoring"
       | 
       | can you give more details, would this be adapted to IoT devices
       | running on MCUs like ESP32 etc?
        
         | fossorialowen wrote:
         | It might be a bit too heavy for a MCU like ESPs. IoT we are
         | thinking more like cellular modems, UPSs, cameras - devices
         | that need remote access in the field at remote places that you
         | typically would need a more convoluted VPN setup for.
        
       | raphinou wrote:
       | Did you get outside contributions yet? I'm asking because it is
       | dual licensed agpl and commercial (just like a recent project I'm
       | working on), and am wondering how contributors react to the cla.
       | 
       | Btw I like your short and clear CLA! Did you check the wording of
       | the cla with a lawyer? In my project I wanted to replace the
       | perpetual license granted by contributors by 'a license granted
       | as long as the software is also proposed under the agpl', but
       | that might make it too complicated to still keep it succinct and
       | legally clear.
        
         | fossorialowen wrote:
         | Yes we have had some PRs and some active ones that we need to
         | merge soon haha.
         | 
         | We have not had any concern about the CLA that we are aware of.
         | It was important that we found a way to allow businesses to pay
         | for something to fund the project while keeping it free for
         | individual homelabbers so this was one effort in that regard.
        
       | oulipo wrote:
       | Would Pangolin "integrate naturally" with something like Dokploy?
       | Or is more meant to "replace" it?
       | 
       | Could you make a Dokploy template to let people deploy it easily?
        
         | fossorialowen wrote:
         | From the little I understand about it I think you _may_ be able
         | to deploy Pangolin on it. Would need to do some research. But
         | you could also use Pangolin to provide access to a self hosted
         | Dokploy application I think.
        
       | LucidLynx wrote:
       | What is the difference between Pangolin and NetBird, which is
       | also a self-hosted and fully open-source solution?
       | 
       | https://github.com/netbirdio/netbird
        
         | resiros wrote:
         | Would love to understand it better too. It looks like the use
         | cases are similar but the tech is different. NetBird is an
         | alternative to Tailscale that uses Wireguard under the hood
         | while these seem to use Traefik under the hood.
         | 
         | I am personally a user of NetBird and love it.
         | 
         | The design of the UI is very similar though :)
        
           | rb666 wrote:
           | Pangolin also uses WireGuard and does not lock features
           | behind a paywall.
        
             | dizhn wrote:
             | for now anyway
        
           | fossorialowen wrote:
           | Pangolin is "public ingress to private networks" and not a
           | mesh VPN/network builder. As you say I think NetBird is an
           | alternative to Tailscale and we are an alternative to
           | Cloudflare tunnels, Ngrok, or Zscaler. It is more about
           | exposing things publicly with authentication in the browser
           | for people to access than about building a network for
           | disparate devices to communicate.
        
             | ghoshbishakh wrote:
             | It is correct that pangolin is something like pinggy.io or
             | cf tunnels as you mention. But those do not give such fine
             | grained access control it seems - like a firewall checking
             | identity and all.
             | 
             | But definitely it is not a vpn or mesh network it seems.
        
         | dizhn wrote:
         | I believe netbird does not have all the features in the open
         | source version. The one thing that was a show stopper for me
         | was the SSO tax.
        
       | 44za12 wrote:
       | This is super exciting! The "Cloudflare Tunnel" lock-in has
       | always bugged me, so seeing an open source option is genuinely
       | refreshing. I'm especially curious how Pangolin handles the
       | gritty stuff--flaky networks, authentication headaches, scaling
       | up when things get real. If anyone's kicked the tires on this in
       | the wild, how does it compare to the "it just works" magic of
       | Cloudflare? Bonus points if you've wrangled it into playing nice
       | with self-hosted stuff on a home connection. For context, I've
       | got a Raspberry Pi running my blog and a bunch of other hobby
       | projects from home, so real-world stories would be gold.
        
         | 44za12 wrote:
         | More on it here, for those interested:
         | 
         | https://aazar.me/posts/reincarnating-a-raspberry-pi
        
       | PhilippGille wrote:
       | There are dozens of open source alternatives to Cloudflare
       | Tunnels: https://github.com/anderspitman/awesome-tunneling
       | 
       | That being said, I believe Pangolin is one of the better and
       | polished ones.
        
         | mekster wrote:
         | Which one is as feature packed as Pangolin with a working web
         | UI?
        
       | gsck wrote:
       | Thought this was Pangolin the laser control software, got excited
       | there :(
        
       | paffdragon wrote:
       | This looks really nice.
       | 
       | I have set up something similar just recently with an OPNSense
       | box running DNS, the WireGuard instance and getting a wildcard
       | Let's Encrypt cert that it pushes to my Synology reverse proxy
       | (Nginx). So from my clients I can enable the WG tunnel only on my
       | internal IP range, setting the internal DNS, so I don't have to
       | have my public cert pointing to my IP. It works once setup for my
       | home net. But for multi-site, Pangolin looks very polished and
       | probably easier to set up.
       | 
       | Is Newt a custom implementation of a WireGuard server? Has it
       | been security audited in some way?
        
         | paffdragon wrote:
         | EDIT: Sorry, I misread, Newt is the WireGuard client and is
         | based on wireguard-go if I'm correct.
        
           | fossorialowen wrote:
           | Yep that's correct. All based on wireguard-go. It is growing
           | in what it can do now but at its core it's just a Wireguard
           | wrapper that coordinates with Pangolin to get the tunnel up.
           | It also runs in netstack user space so it does not need
           | kernel permissions to open a port and its only egress is
           | proxied out with TCP/UDP reverse proxies built in to access
           | what is needed on the network.
        
       | noname120 wrote:
       | Also interested in knowing whether a professional security audit
       | was done and if there is a public security pentesting program.
       | This is especially important given the blast radius of an
       | authentication service.
        
         | lionkor wrote:
          | I'm sure if there was an audit, it would say so.
        
         | fossorialowen wrote:
         | We are always looking for security experts to review the code
         | and to pen test the application. Please hammer it and let us
         | know at privacy@fossorial.io if there are any issues!
         | 
         | As the project grows and we have more resources to spend we
         | will try to work with some professional service to take a look
         | for sure.
        
       | SaultyCracker wrote:
        | Cloudflare tunnels do not work in certain countries (e.g. Russia),
        | Pangolin does.
        
       | d0100 wrote:
       | How does this compare to other OSS like zrok?
        
         | fossorialowen wrote:
          | It looks like there might be some overlap. There are a bunch of
          | solutions in this space! It looks like they do provide public
          | access to resources which is what Pangolin does. We might have
          | a bit more of authentication options but don't hold me to that.
         | 
         | We are working on some "client" based solutions as well similar
         | maybe to what Zrok is doing which we may release in Beta in the
         | next couple of weeks!
        
       | snickmy wrote:
        | Genuine, security-newbie question. What's the worst case
        | scenario that can happen on using this type of solution from a
        | security standpoint? I do get that the authentication would be
        | compromised. Probably some internal ports would be exposed
        | publicly too... what else?
        
         | fossorialowen wrote:
          | Good question. I think absolute worst case scenario the tunnel
          | and VPS is compromised and someone is able to gain access to
          | the private network. We advise people in the docs to always
          | consider this a possibility and secure Newt and what it has
          | access to. A slightly worse case is there is a bypass in the
          | forward auth and someone can get access to the webpage of a
          | private service without passing the user/pass auth etc.
         | 
         | We are always looking for security experts to review the code
         | and to pen test the application. Please hammer it and let us
         | know at security@fossorial.io if there are any issues!
        
       | nickspacek wrote:
        | My homelab has a setup like this, but all done somewhat manually.
        | HTTPS for my Docker images running in the homelab via a certbot
        | image. A WireGuard setup to connect the homelab to a small
        | Hetzner VPS, and a proxy there to allow certain traffic through.
        | 
        | I've been wanting to add some authentication lately so that I can
        | manage access to the homelab resources. I currently prohibit all
        | traffic and only allow the WireGuard subnet, but this means any
        | clients have to be provisioned in WireGuard, which is a nuisance
        | to set up manually. It does seem to work well enough though.
       | 
       | Pangolin seems like it would be a one-stop replacement and
       | simplify the setup, especially once I look at adding user
       | management to the mix.
        
       | pancsta wrote:
       | Reverse proxy in nodejs? How about no?
        
         | fossorialowen wrote:
          | Haha, valid concern. We are actually using Traefik to do the
          | reverse proxying, which is a pretty standard reverse proxy
          | written in Go! Our tunnel client Newt is also written in Go.
          | The Pangolin UI and control plane are TypeScript though.
        
       | meteyor wrote:
        | Let's say my server is running on a VPN and gets a new IP once in
        | a while. Would Pangolin be an option to publicly expose my
       | services? Because I have this challenge now where I am currently
       | "forced" to expose my public IP to share some services. I use
       | firewall rules to allow incoming traffic to my server and Traefik
       | to route the user to the right service. I just don't like the
       | feeling of being exposed publicly like this.
        
         | c0wb0yc0d3r wrote:
         | You need a publicly routable address in the mix. You would need
         | a way of knowing that address.
         | 
          | I have that same feeling with the self hosting I do. To
          | alleviate the small amount of stress it would bring me I rent a
          | VPS that's public on the internet. I configure a persistent
          | keepalive on the client I run locally to keep a connection to
          | the server open; no port forwarding needed.
        
         | fossorialowen wrote:
          | Yes! Most people, I think, rent a VPS (some can be had for like
          | $1 a month) and install this. Because it tunnels back to your
          | network, your network can be anywhere behind anything and it
          | should hole punch to it. And because the public is visiting the
          | public address of the VPS, your network is hidden behind that!
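The VPS-plus-keepalive pattern discussed in this exchange (and the restricted-AllowedIPs idea from paffdragon's OPNsense setup above), as an added example that is not from the thread or the Pangolin project: a plain wg-quick config pair for a home-side peer behind NAT/CGNAT and a public VPS that reverse-proxies into it. All keys, addresses and the hostname are placeholders.

```ini
# Added example, not Pangolin/Newt code. Keys, addresses and host are placeholders.
# ---- /etc/wireguard/wg0.conf on the HOME side (behind NAT/CGNAT) ----
[Interface]
PrivateKey = <HOME_PRIVATE_KEY>
Address = 10.200.0.2/32
# No ListenPort and no port forwarding: this peer only dials out.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
# The VPS is the only publicly routable address in the mix.
Endpoint = vps.example.com:51820
# Only the VPS tunnel address is routed here (not 0.0.0.0/0), so the
# tunnel cannot be used to reach anything else on the home LAN from the VPS.
AllowedIPs = 10.200.0.1/32
# Keepalive every 25 s keeps the NAT/CGNAT mapping open so the VPS can
# send traffic inward even though nothing is forwarded.
PersistentKeepalive = 25

# ---- /etc/wireguard/wg0.conf on the VPS side (public) ----
[Interface]
PrivateKey = <VPS_PRIVATE_KEY>
Address = 10.200.0.1/32
ListenPort = 51820

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
# No Endpoint: the home peer's address changes and is learned from its
# keepalives, which is what survives the IP changes complained about above.
# AllowedIPs is the cryptokey routing table: keep it to the peer's own
# tunnel address so the home side cannot source traffic as anything else.
AllowedIPs = 10.200.0.2/32
# The reverse proxy on the VPS then targets 10.200.0.2:<port>; the public
# only ever sees the VPS address. Check liveness with:
#   wg show wg0 latest-handshakes
```

If the handshake timestamp stops advancing after a home IP change, the keepalive interval is too long for that NAT; 25 seconds is the usual value for consumer NATs.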
        
       | Dowwie wrote:
        | Cloudflare tunnels is such a poorly built product. The bar for
        | quality is very low in this category. I struggled to make it work
        | on a Dell laptop running Ubuntu, over wifi. It worked when I set
        | it up at my home and then failed when it was deployed in the
        | field. I literally had the experience of "well, it worked at my
        | home, let's ship it!". I couldn't recover from the errors,
        | either.
       | 
       | So, if you built something that is resilient enough to handle
       | change in IP addresses, you've beaten CF tunnels.
        
         | fossorialowen wrote:
         | We are coming for them!
        
       | lucyv wrote:
        | Is it called Pangolin because pangolins have scaly tails?
        
         | fossorialowen wrote:
         | Yes and they are a "Fossorial" animal. A fossorial animal is
         | one that is adapted to digging and which lives primarily (but
         | not solely) underground. It was kind of a fun name to call out
         | the tunneling. Fossorial is our company name.
        
       | iAm25626 wrote:
        | I still use Cloudflare Tunnel (cap) but anything new is going to
        | OpenZiti/Zrok (grow). OpenZiti/Zrok are amazing.
        
       | kbumsik wrote:
        | How does it compare to frp, one of the most popular open source
        | Cloudflare Tunnel alternatives?
       | 
       | https://github.com/fatedier/frp
        
       ___________________________________________________________________
       (page generated 2025-07-11 23:00 UTC)