What Pangolin Does
Pangolin solves a problem that anyone who has self-hosted applications understands intimately: securely exposing services on private networks without the complexity of managing separate VPN and reverse proxy configurations. Built by brothers Owen and Milo Schwartz from their experience as founding engineers at a smart mobility startup, Pangolin merges these capabilities into one coherent platform with identity-aware access controls.
Architecture and Browser-Based Access
The architecture centers on lightweight software connectors called sites that establish secure WireGuard tunnels from remote networks back to a central Pangolin hub. These tunnels work through restrictive firewalls and NAT configurations without requiring public IP addresses or open ports on the remote network. Once connected, administrators define specific resources that users can access rather than granting blanket network access — true zero-trust networking rather than the traditional VPN approach of exposing entire subnets.
Browser-based reverse proxy access is the first mode of operation. Web applications are exposed through identity-aware tunneled proxies with automatic SSL certificate management, load balancing, and health checking. Users access applications through any web browser with authentication — no client software required. This makes it practical for providing external contractors, remote workers, or cross-team collaborators with access to specific internal tools.
Client Access and SSO Integration
Client-based private resource access extends coverage to any TCP/UDP service. Through native Pangolin clients on Windows, macOS, and Linux, users can reach SSH servers, databases, RDP sessions, and entire network ranges. DNS-over-tunnel support routes all resolution through the secure tunnel, preventing DNS leakage to local networks. DNS aliases provide friendly names for resources across all connected sites.
The SSO/OIDC integration enables enterprise authentication flows, connecting Pangolin to existing identity providers. Granular access controls let administrators define permissions per user, per resource, with policies that determine who can access what from where. The clean dashboard UI centralizes management for users, sites, resources, and access policies without requiring command-line expertise.
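The difference between per-resource grants and subnet-wide VPN access described above can be made concrete with a small default-deny policy check. This is an added example, not Pangolin's code or configuration format; the Resource and Grant model, the names and the addresses are all hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical data model, not Pangolin's schema or API.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Resource:
    name: str
    host: str   # address on the private network behind a site
    port: int

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str       # name of the resource this grant covers
    allowed_from: str   # CIDR the client must connect from

# Constructed sample inventory for one remote site (10.0.0.0/24).
RESOURCES = [
    Resource("wiki", "10.0.0.10", 443),
    Resource("db", "10.0.0.20", 5432),
    Resource("ssh-bastion", "10.0.0.30", 22),
]
GRANTS = [
    Grant("contractor", "wiki", "0.0.0.0/0"),
    Grant("dba", "db", "203.0.113.0/24"),
]

def is_allowed(user, host, port, source_ip, grants=GRANTS, resources=RESOURCES):
    """Default deny: allow only if a grant matches user, resource and source."""
    by_name = {r.name: r for r in resources}
    src = ip_address(source_ip)
    for g in grants:
        r = by_name.get(g.resource)
        if r is None or g.user != user:
            continue
        if (r.host, r.port) == (host, port) and src in ip_network(g.allowed_from):
            return True
    return False

def reachable(user, source_ip):
    """Resources a user can reach under per-resource grants."""
    return sorted(r.name for r in RESOURCES
                  if is_allowed(user, r.host, r.port, source_ip))

def reachable_subnet_vpn(subnet="10.0.0.0/24"):
    """Traditional VPN model: every service in the routed subnet is exposed."""
    net = ip_network(subnet)
    return sorted(r.name for r in RESOURCES if ip_address(r.host) in net)
```

Comparing `reachable("contractor", ...)` with `reachable_subnet_vpn()` shows the exposure gap: one named resource versus every service in the routed range.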
Deployment Options and Enterprise Edition
Deployment flexibility is a standout feature. DigitalOcean Marketplace and Docker-style deployment paths support straightforward self-hosted setup, while the current product surface also offers cloud-managed options. Check the deployment mode and licensing against the current pricing and license pages rather than relying on older AGPL-only or hybrid-plan assumptions.
The enterprise edition adds high availability, advanced analytics, and priority support under a commercial license that is free for businesses earning under $100K USD annually. This graduated pricing model is developer-friendly — hobbyists and small teams run the full platform for free, while growing businesses transition naturally to paid tiers.
Community Reception and Performance
Community reception has been overwhelmingly positive. XDA Developers called it a revelation in self-hosting simplicity. Lawrence Systems described it as a self-hosted Cloudflare Tunnels on your terms. The selfh.st community noted that Pangolin left janky WireGuard configurations and Cloudflare tunnels in its dust. This consistent praise from experienced self-hosting communities validates the developer experience claims.
Performance relies on WireGuard's efficient protocol implementation, which provides ultra-low-latency encrypted connections with automatic key rotation. The resource overhead of running Pangolin itself is minimal: it deploys comfortably on DigitalOcean's $6-per-month 1-vCPU droplet, making it accessible even for personal use cases.
The Bottom Line
Pangolin has earned its position as the go-to self-hosted remote access platform through genuine technical merit. The combination of zero-trust access controls, dual browser/client access modes, WireGuard performance, and a polished UI experience sets a new standard for what self-hosted infrastructure tools can deliver.