GitHub

Pangolin Project Description

What is the project about?

Pangolin is a self-hosted, tunneled reverse proxy server with integrated identity and access control. It's designed to securely expose private resources on distributed networks, acting as a central hub to connect isolated networks (even those behind firewalls) through encrypted tunnels. Think of it as a self-hosted alternative to services like Cloudflare Tunnels, with a strong focus on zero-trust principles.

What problem does it solve?

Pangolin solves the problem of securely accessing and exposing services on private networks without the need for complex network configurations like port forwarding or VPNs. It simplifies the process of making internal resources available remotely, especially in scenarios where:

  • Port forwarding is restricted: ISPs or network policies may prevent opening ports.
  • Networks are isolated: Connecting multiple, geographically separated networks can be challenging.
  • Fine-grained access control is needed: Pangolin allows for detailed control over who can access what resources.
  • Centralized management is desired: It provides a single point of control for managing access to multiple sites and services.
  • Zero-trust security is required: Pangolin helps implement a zero-trust model by verifying every access request.

What are the features of the project?

  • Reverse Proxy through WireGuard Tunnel:

    • Exposes private resources without opening ports (firewall punching).
    • Secure site-to-site connectivity using a custom WireGuard client (Newt) or any standard WireGuard client.
    • Automated SSL certificates (HTTPS) via Let's Encrypt.
    • Supports HTTP/HTTPS and raw TCP/UDP services.
    • Load balancing capabilities.

  • Identity & Access Management:

    • Centralized authentication using platform SSO (Single Sign-On).
    • Access control rules based on IP addresses, IP ranges, and URL paths.
    • Two-factor authentication (TOTP with backup codes).
    • Organization, site, user, and role management.
    • Role-Based Access Control (RBAC).
    • Additional authentication options:
      • Email whitelisting with one-time passcodes.
      • Temporary, self-destructing share links.
      • Resource-specific PIN codes and passwords.

  • Simple Dashboard UI:

    • Clean and intuitive interface for managing sites, users, and roles.
    • Site usage and connectivity monitoring.
    • Light and dark mode options.
    • Mobile-friendly design.

  • Easy Deployment:

    • Deployable on any cloud provider or on-premises.
    • Docker Compose-based setup for simplified deployment.
    • Installation script for streamlined setup.
    • Compatibility with standard WireGuard clients or the custom Newt client.

  • Modular Design:

    • Extensible with Traefik plugins (e.g., Fail2Ban, CrowdSec).
    • Supports connecting multiple sites to the central server.

What are the technologies used in the project?

  • WireGuard: The core tunneling technology for secure connections.
  • Newt: A custom user-space WireGuard client developed by the Pangolin team.
  • Let's Encrypt: For automated SSL certificate management.
  • Traefik: Used as the underlying reverse proxy, allowing for plugin integration.
  • Docker Compose: For simplified deployment and management.
  • (Implied) Some form of database: For storing user, site, and configuration data.
  • (Implied) A web framework/language: For building the dashboard and API.

What are the benefits of the project?

  • Enhanced Security: Securely exposes resources without opening ports, reducing attack surface.
  • Simplified Networking: Eliminates the need for complex network configurations.
  • Centralized Management: Provides a single point of control for access and configuration.
  • Fine-Grained Access Control: Offers granular control over who can access what resources.
  • Self-Hosted: Gives users full control over their infrastructure and data.
  • Cost-Effective: Can be deployed on inexpensive VPS hosting.
  • Extensible: Modular design allows for adding functionality through plugins.
  • Zero-Trust Ready: Facilitates the implementation of a zero-trust security model.

What are the use cases of the project?

  • Home Labs: Exposing services running on a home network without port forwarding.
  • IoT Networks: Securely connecting and managing fragmented IoT devices.
  • Small Businesses: Providing remote access to internal applications and resources.
  • Remote Development: Accessing development environments from anywhere.
  • Site-to-Site Connectivity: Connecting multiple offices or locations securely.
  • Bypassing ISP Restrictions: Accessing services even when port forwarding is blocked.
  • Any scenario requiring secure, controlled access to private network resources.
pangolin screenshot