Show HN: Pangolin – Open source alternative to Cloudflare Tunnels

122 points, posted 7 hours ago
by miloschwartz

21 Comments

aborsy

8 minutes ago

If you use this, it makes sense to run it at home. If you run it on a VPS, traffic is decrypted on the VPS, the same privacy issue as with Cloudflare tunnels.

fossorialowen

2 minutes ago

This is true! But you have a little more control over who you might choose to trust. For example - you might trust AWS not to snoop in your VM more than you might trust CF to not collect valuable usage data about you when they decrypt your traffic.

fossorialowen

7 hours ago

Hello everyone, this is the other maintainer here. Just wanted to add some more detail about the other components of this system:

Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!
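A minimal forward-auth check of the kind the Badger plugin performs, written here as an added illustration in Go; it is not Pangolin's or Badger's code, and the /verify endpoint path, the "session" cookie name and the X-Auth-User / X-Seen-User headers are assumptions made for the example:

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// verifyWithAuthServer asks the auth endpoint whether the request may pass; only the session cookie and target host/path go across, never the body, and any error fails closed.
func verifyWithAuthServer(authURL string, r *http.Request) (user string, ok bool) {
	req, err := http.NewRequest(http.MethodGet, authURL, nil)
	if err != nil { return "", false }
	if c, err := r.Cookie("session"); err == nil { req.AddCookie(c) }
	req.Header.Set("X-Forwarded-Host", r.Host)
	req.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return "", false }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return "", false }
	return resp.Header.Get("X-Auth-User"), true
}

// Guard checks every request before the upstream sees it; the verified identity header is trustworthy only because clients cannot reach the upstream directly.
func Guard(authURL string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := verifyWithAuthServer(authURL, r)
		if !ok { http.Error(w, "unauthorized", http.StatusUnauthorized); return }
		r.Header.Set("X-Auth-User", user) // overwrites anything the client sent
		upstream.ServeHTTP(w, r)
	})
}

// Fetch sends one request through Guard. Auth server and upstream are constructed stand-ins: only session "valid-session" is accepted (as "alice"); the upstream echoes the identity it received.
func Fetch(session string) (int, string) {
	auth := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err != nil || c.Value != "valid-session" { w.WriteHeader(http.StatusUnauthorized); return }
		w.Header().Set("X-Auth-User", "alice")
	}))
	defer auth.Close()
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-User", r.Header.Get("X-Auth-User"))
	})
	proxy := httptest.NewServer(Guard(auth.URL+"/verify", upstream))
	defer proxy.Close()
	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/app", nil)
	if session != "" { req.AddCookie(&http.Cookie{Name: "session", Value: session}) }
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return 0, "" }
	resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("X-Seen-User")
}
func main() { fmt.Println(Fetch("valid-session")) }
```

Note that a client-supplied X-Auth-User header is discarded by the guard, so the upstream only ever sees the identity the auth server vouched for.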

noduerme

3 hours ago

This seems really interesting for managing a lot of remote dev boxes or something like that...

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

fossorialowen

3 hours ago

Thanks!

I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than an SSH tunnel - and more to get public users into your application. Meaning if you had an internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser, this could be a good tool to use. Does that make sense?

barbazoo

40 minutes ago

I’m using nginxproxymanager as a reverse proxy and SSL terminus for exactly that, Immich, home assistant, etc. What would I gain from your solution?

fossorialowen

32 minutes ago

I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.

Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.

mbesto

an hour ago

I use CF tunnels pretty extensively with my home unraid server.

The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.

It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.

jonotime

9 minutes ago

Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.

nicolas_

2 hours ago

Everyone on /r/homelab has been talking about it over the last few months. I bought a VPS and later realized a cheap tiny PC would be better for my use case combined with Proxmox. The next step is configuring a few more services and installing Pangolin on the VPS for easy reverse proxy management. I haven’t used it yet but all in all it looks awesome and the reviews I’ve seen are overwhelmingly positive. Thank you for building it!

heavyset_go

an hour ago

Does this work well behind Docker Swarm or is it not designed for that?

fossorialowen

an hour ago

Yes, I think so. I know it works quite well in compose but as you scale to swarm I am not sure if there would be pains. You can just pop the connector into your compose stack and it will connect to anything in the docker network, which we personally do to host some of our basic infrastructure.

nodesocket

2 hours ago

This looks awesome. I am using Twingate (hosted and paid) currently in my production AWS VPC. AWS instances are in private subnets, no public IPs attached, using a NAT instance for outbound internet, but very curious to try running Pangolin.

Can Pangolin also provide public access (currently I'm using Caddy as a reverse proxy)?

fossorialowen

31 minutes ago

Yes! That's where it excels I think. If you want public authenticated access for your users and/or need that tunneling component to get into your network or a set of distributed networks then Pangolin is your animal!

jz10

3 hours ago

I wish I'd found this project sooner. UI looks quite sleek!

I love working with CF Tunnels but I got so frustrated with their lackluster web admin UX that I recently decided to have Claude whip up a quick terminal interface for it.

hammyhavoc

3 hours ago

What do you find lacking in the web interface?

jz10

2 hours ago

Sounds a bit nitpicky now that I put it into words, but most of my usage is just on the public hostnames panel, which is about 3-4 levels deep from the dashboard. There is also a UI disconnect between this and the DNS records screen.

I do this flow a number of times and the TUI I made solved this specific problem for me https://github.com/justingosan/tunnelman?tab=readme-ov-file#...

jallmann

an hour ago

Yes, this exactly - I wouldn't call it nitpicky, it is really buried in there. I understand Cloudflare has a ton of other products and features, but the discoverability for CF Tunnels really could be better.

Just checked and it's:

Dashboard home > Zero Trust > Networks > Tunnels > [tunnel] > Public Hostname

And if it ends up provisioning a new DNS record, I always have to remember to go back to the domain's DNS screen and label it with the tunnel.

In general I use a tiny sliver of Cloudflare's capabilities; it would be nice if the primary dashboard could bubble up the parts that I do use.

tday1

3 hours ago

This is exactly what I have been looking for!

Thanks for building this. I’ll be trying it out when I get home tonight.