Pangolin solves a problem that anyone who has self-hosted applications understands intimately: securely exposing services on private networks without the complexity of managing separate VPN and reverse proxy configurations. Built by brothers Owen and Milo Schwartz from their experience as founding engineers at a smart mobility startup, Pangolin merges these capabilities into one coherent platform with identity-aware access controls.
The architecture centers on lightweight software connectors called sites that establish secure WireGuard tunnels from remote networks back to a central Pangolin hub. These tunnels work through restrictive firewalls and NAT configurations without requiring public IP addresses or open ports on the remote network. Once connected, administrators define specific resources that users can access rather than granting blanket network access — true zero-trust networking rather than the traditional VPN approach of exposing entire subnets.
Browser-based reverse proxy access is the first mode of operation. Web applications are exposed through identity-aware tunneled proxies with automatic SSL certificate management, load balancing, and health checking. Users access applications through any web browser with authentication — no client software required. This makes it practical for providing external contractors, remote workers, or cross-team collaborators with access to specific internal tools.
Client-based private resource access extends coverage to any TCP/UDP service. Through native Pangolin clients on Windows, macOS, and Linux, users can reach SSH servers, databases, RDP sessions, and entire network ranges. DNS-over-tunnel support routes all resolution through the secure tunnel, preventing DNS leakage to local networks. DNS aliases provide friendly names for resources across all connected sites.
The SSO/OIDC integration enables enterprise authentication flows, connecting Pangolin to existing identity providers. Granular access controls let administrators define permissions per user, per resource, with policies that determine who can access what from where. The clean dashboard UI centralizes management for users, sites, resources, and access policies without requiring command-line expertise.
Deployment flexibility is a standout feature. DigitalOcean Marketplace offers one-click installation on a Droplet. Docker Compose handles standard self-hosted deployment. Three operational modes accommodate different organizational needs: fully self-hosted under AGPL-3.0, hybrid with cloud-managed failover coordination, or fully managed cloud service.
The enterprise edition adds high availability, advanced analytics, and priority support under a commercial license that is free for businesses earning under $100K USD annually. This graduated pricing model is developer-friendly — hobbyists and small teams run the full platform for free, while growing businesses transition naturally to paid tiers.
Community reception has been overwhelmingly positive. XDA Developers called it a revelation in self-hosting simplicity. Lawrence Systems described it as self-hosted Cloudflare Tunnels on your terms. The selfh.st community noted that Pangolin left janky WireGuard configurations and Cloudflare Tunnels in its dust. This consistent praise from experienced self-hosting communities validates the developer experience claims.