
Pangolin Review: The Self-Hosted Zero-Trust Platform Replacing Cloudflare Tunnels

Pangolin is an open-source, identity-based remote access platform built on WireGuard that combines reverse proxy and VPN capabilities into a self-hosted or cloud-managed stack. It provides browser-based access to web applications and client-based access to private resources with zero-trust controls. Current public sources show 21K+ GitHub stars, version 1.19.2, and client/platform coverage across macOS, iOS, Windows, Linux, and Android.

Reviewed by Raşit Akyol on April 2, 2026

Overall: 90
Speed: 92
Privacy: 95
Dev Experience: 88

What Pangolin Does

Pangolin solves a problem that anyone who has self-hosted applications understands intimately: securely exposing services on private networks without the complexity of managing separate VPN and reverse proxy configurations. Built by brothers Owen and Milo Schwartz from their experience as founding engineers at a smart mobility startup, Pangolin merges these capabilities into one coherent platform with identity-aware access controls.

Architecture and Browser-Based Access

The architecture centers on lightweight software connectors called sites that establish secure WireGuard tunnels from remote networks back to a central Pangolin hub. These tunnels work through restrictive firewalls and NAT configurations without requiring public IP addresses or open ports on the remote network. Once connected, administrators define specific resources that users can access rather than granting blanket network access — true zero-trust networking rather than the traditional VPN approach of exposing entire subnets.

Browser-based reverse proxy access is the first mode of operation. Web applications are exposed through identity-aware tunneled proxies with automatic SSL certificate management, load balancing, and health checking. Users access applications through any web browser with authentication — no client software required. This makes it practical for providing external contractors, remote workers, or cross-team collaborators with access to specific internal tools.

Client Access and SSO Integration

Client-based private resource access extends coverage to any TCP/UDP service. Through native Pangolin clients on Windows, macOS, and Linux, users can reach SSH servers, databases, RDP sessions, and entire network ranges. DNS-over-tunnel support routes all resolution through the secure tunnel, preventing DNS leakage to local networks. DNS aliases provide friendly names for resources across all connected sites.

The SSO/OIDC integration enables enterprise authentication flows, connecting Pangolin to existing identity providers. Granular access controls let administrators define permissions per user, per resource, with policies that determine who can access what from where. The clean dashboard UI centralizes management for users, sites, resources, and access policies without requiring command-line expertise.

Deployment Options and Enterprise Edition

Deployment flexibility is a standout feature. DigitalOcean Marketplace and Docker-style deployment paths support straightforward self-hosted setup, while the current product surface also offers cloud-managed options. Deployment mode and licensing should be reviewed against the current pricing and license pages before relying on older AGPL-only or hybrid-plan assumptions.

The enterprise edition adds high availability, advanced analytics, and priority support under a commercial license that is free for businesses earning under $100K USD annually. This graduated pricing model is developer-friendly — hobbyists and small teams run the full platform for free, while growing businesses transition naturally to paid tiers.

Community Reception and Performance

Community reception has been overwhelmingly positive. XDA Developers called it a revelation in self-hosting simplicity. Lawrence Systems described it as a self-hosted Cloudflare Tunnels on your terms. The selfh.st community noted that Pangolin left janky WireGuard configurations and Cloudflare tunnels in its dust. This consistent praise from experienced self-hosting communities validates the developer experience claims.

Performance relies on WireGuard's efficient protocol implementation, which provides ultra-low latency cryptographic connections with automatic key rotation. The resource overhead of running Pangolin itself is minimal — it deploys comfortably on DigitalOcean's $6 per month 1-vCPU droplet, making it accessible even for personal use cases.

The Bottom Line

Pangolin has earned its position as the go-to self-hosted remote access platform through genuine technical merit. The combination of zero-trust access controls, dual browser/client access modes, WireGuard performance, and a polished UI experience sets a new standard for what self-hosted infrastructure tools can deliver.

Pros

  • Combines VPN and reverse proxy into one platform with unified identity-aware access controls
  • WireGuard-based tunnels provide ultra-low latency with automatic key rotation and NAT traversal
  • Browser-based access requires no client software for web applications with automatic SSL
  • DigitalOcean one-click deployment and Docker Compose for straightforward self-hosted setup
  • Current pricing includes Basic Free, Team $4/user/mo, Business $9/user/mo, and Enterprise custom options
  • DNS-over-tunnel prevents DNS leakage and provides friendly names across all connected sites
  • SSO/OIDC integration connects to existing enterprise identity providers for centralized auth

Cons

  • Requires a public VPS as a central hub, unlike pure mesh VPN solutions such as Tailscale or ZeroTier
  • Mobile platforms now appear in the public platform list, but teams should validate exact iOS and Android client capabilities before rollout
  • Repository license metadata is NOASSERTION and raw license text includes commercial-license language, so redistribution and enterprise terms need review
  • Advanced analytics and high availability features are reserved for the commercial enterprise tier
  • Documentation could be more extensive for complex multi-site enterprise deployment scenarios

Verdict

Pangolin is a compelling remote-access option for teams that want a WireGuard-based alternative to stitching together separate VPN and reverse-proxy tools. Its zero-trust model, browser-based access for web apps, client-based access for private resources, and current cloud/self-host pricing make it accessible for small teams while still leaving room for enterprise controls. Buyers should verify license terms and deployment mode carefully because the repository now reports NOASSERTION and its raw license text includes commercial-license language rather than a simple AGPL-only story.
