
Pangolin VPN: Secure Your Internal Services with Zero Open Ports


Good morning and welcome, everyone! I’m Dimitri Bellini, and you’re here again with me on Quadrata, my channel dedicated to the world of open source and IT. This week, we’re diving into something new and exciting: a truly noteworthy tool that can help you in very specific situations.

We’re going to talk about Pangolin VPN, and its promise is right in the name: “Zero Open Ports.” While the concept of a secure tunnel isn’t new, Pangolin offers a unique, simplified approach. It’s an open-source, self-hosted solution that lets you create a reverse tunnel to your internal servers, all managed through a centralized, user-friendly platform. Let’s explore what makes it so special.

What is Pangolin VPN?

At its core, Pangolin is an open-source solution that allows you to install a complete secure access platform on your own machines. It’s built on top of WireGuard, but it’s not a classic VPN. Instead of manually configuring clients and punching holes in your firewalls, Pangolin centralizes everything. It acts as a secure gateway, protecting your internal web services and applications from direct exposure to the internet.

You essentially need two things to start:

  1. A machine with a public IP address (like a cheap VPS) to act as the central concentrator.
  2. A domain name to point to that machine.

From there, Pangolin handles the rest, creating a secure, elegant bridge to your private network without you having to mess with complex NAT or firewall rules.

Key Features That Make Pangolin Stand Out

Pangolin simplifies secure access by bundling several powerful features into one platform. Here are the most important ones:

  • Enhanced Security with Zero Exposure: This is the headline feature. You don’t expose any ports for your internal services (like Zabbix, Proxmox, or a custom web app) to the public internet. Everything is hidden behind the Pangolin platform and accessed securely over HTTPS.
  • Centralized Authentication and Permissions: Pangolin provides a robust system for managing user access. You can use simple password authentication, enable two-factor authentication (2FA), or integrate with an external Identity Provider (IDP) for Single Sign-On (SSO) with services like Google, Azure, and more.
  • Role-Based Access Control (RBAC): You have granular control over who can see what. Based on user roles, which can be pulled directly from your IDP, you can define policies to ensure users only have access to the specific applications they need.
  • Simplified Networking: Forget about complex firewall configurations. You simply install a lightweight agent on a machine inside your network, and it establishes a secure outbound connection to your public Pangolin server. That’s it.
  • Clientless Access for Users: For accessing web-based applications, your users don’t need to install any client software. All they need is a web browser. Pangolin acts as a reverse proxy, authenticates the user, and seamlessly connects them to the internal resource.
  • Full Control and Privacy: Since you host it yourself, you have complete control over your data and infrastructure. No third-party dependencies or data passing through external services.

How It Works: The Architecture

Pangolin is a suite of open-source tools working in harmony. The entire platform is packaged with Docker, making deployment a breeze. Here are the core components:

  • Pangolin: The central management console where you configure sites, resources, users, and policies.
  • Gerbil: A WireGuard management server developed by the Pangolin team to handle the underlying secure connections.
  • Traefik: A modern and powerful reverse proxy that handles incoming requests and routes them to the correct internal service.
  • Newt: A user-space WireGuard client. This is the agent you install on your internal network. The beauty of Newt is that it doesn’t require root privileges or kernel modules, and it runs on Linux, Windows, macOS, and more.

The workflow is simple: a user accesses a specific URL in their browser. The request hits your public Pangolin server, which uses Traefik to handle it. Pangolin checks the user’s authentication and permissions. If authorized, it routes the request through the secure WireGuard tunnel established by the Newt client to the correct service on your private network.

Getting Started: A Quick Installation Guide

Installing Pangolin is surprisingly straightforward. Here’s what you’ll need first.

Prerequisites

  • A host with Docker or Podman installed and a public IP address.
  • A domain name (e.g., yourdomain.com).
  • DNS records configured to point your domain and a wildcard subdomain (e.g., *.yourdomain.com) to your public host’s IP.
  • An email address for Let’s Encrypt SSL certificate generation.
  • The following ports open on your public host’s firewall: TCP 80, TCP 443, and the necessary UDP ports for WireGuard.
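To verify that the public host really listens only on those ports, here is an added example (not from the original post or the Pangolin project) that parses `ss -tulnH` output and reports every non-loopback listener that is not on the allow-list; the WireGuard UDP port 51820 is an assumed default, so substitute whatever your install configured.

```python
from typing import Iterable, List, Set, Tuple

# Constructed example, not Pangolin's code: check that a public Pangolin host
# only listens on the ports the prerequisites call for. The WireGuard UDP
# port below is an assumed value; use the one your installation actually uses.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 51820)}

def is_loopback(addr: str) -> bool:
    """Sockets bound here are only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def parse_ss(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Parse `ss -tulnH` style rows into (proto, bind_address, port)."""
    rows = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]       # Netid and Local Address:Port
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue                              # malformed or wildcard port
        rows.append((proto, addr, int(port)))
    return rows

def unexpected_exposures(lines: Iterable[str],
                         allowed: Set[Tuple[str, int]] = ALLOWED) -> List[Tuple[str, int]]:
    """Return (proto, port) pairs bound to a non-loopback address and not allowed."""
    bad = set()
    for proto, addr, port in parse_ss(lines):
        if is_loopback(addr):
            continue
        if (proto, port) not in allowed:
            bad.add((proto, port))
    return sorted(bad)

# Constructed `ss -tulnH` output: Traefik on 80/443, WireGuard on 51820,
# an internal dashboard wrongly published on 0.0.0.0:3001, and a
# loopback-only socket that is fine.
SAMPLE = """\
tcp   LISTEN 0 4096       0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 4096          [::]:443        [::]:*
udp   UNCONN 0 0          0.0.0.0:51820   0.0.0.0:*
tcp   LISTEN 0 4096       0.0.0.0:3001    0.0.0.0:*
tcp   LISTEN 0 128      127.0.0.1:8080    0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    for proto, port in unexpected_exposures(SAMPLE):
        print(f"unexpected listener: {proto}/{port}")
```

Run it against real output with `ss -tulnH | python3 check_exposure.py`-style piping once you replace `SAMPLE` with `sys.stdin`; anything it prints is a service that should be reachable only through Pangolin.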

Installation Steps

The installation is handled by a simple script. Just run these commands on your public server:

curl -fsSL https://digpangolin.com/get-installer.sh | bash
sudo bash ./install.sh

The script will ask you a few questions:

  1. Your main domain: (e.g., quadrata.dev)
  2. The subdomain for the Pangolin service: It will suggest one (e.g., pg.quadrata.dev).
  3. Your email for Let’s Encrypt.
  4. Whether to use Gerbil to manage connections (say yes).
  5. A few other simple questions about email notifications and IPv6.

Once you answer, it will pull the necessary Docker containers and set everything up. At the end of the process, it will give you a registration token. Use this token to create your first admin user and password.

Configuring Your First Services

Once you’re logged into the Pangolin dashboard, the process is logical.

1. Create a “Site”

A “Site” in Pangolin represents your internal network. You’ll give it a name, and Pangolin will provide you with the command to deploy the Newt client agent inside that network. You can easily copy the docker run or Docker Compose configuration and deploy it on a machine within your LAN (I used my container management tool, Comodo, for this). Once the agent is running, it will connect to your Pangolin server, and the site will show as active.

2. Create a “Resource”

Next, you define the services you want to expose. Click on “Add Resource” and select “HTTPS Resource.”

  • Give it a name (e.g., “Ollama”). This will also become its subdomain (e.g., ollama.pg.quadrata.dev).
  • Select the “Site” you just created.
  • Enter the internal IP address and port of the service (e.g., 192.168.1.50:3000).

3. Assign Permissions

After creating the resource, you must define who can access it. In the resource’s “Authentication” tab, you can assign it to specific roles (like “Member”) or individual users. You can also enforce SSO for that specific application. Save your changes, and you’re done!

Now, when an authorized user navigates to ollama.pg.quadrata.dev, they will be prompted to log in via Pangolin and will then be seamlessly redirected to your internal Ollama service. It’s that simple!
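The site, resource and permission steps above, together with the request flow from the architecture section, can be modelled in a few lines. This is an added example written for this post, not Pangolin's own code: the `Site`, `Resource`, `Session` and `Gateway` names and the decision order (resource lookup, login, SSO check, role/user check, tunnel state) are assumptions that mirror what the dashboard asks you to configure.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed model of the flow described above: host -> resource (Traefik),
# session -> allow/deny (Pangolin), resource -> site tunnel -> internal ip:port.
# Names and structures are assumptions, not Pangolin's own code.

@dataclass
class Site:                      # one internal network with a Newt agent
    name: str
    connected: bool = False      # True once the agent has dialed out

@dataclass
class Resource:                  # an "HTTPS Resource" on a subdomain
    name: str
    host: str                    # e.g. ollama.pg.quadrata.dev
    site: str
    target: str                  # internal ip:port, e.g. 192.168.1.50:3000
    roles: frozenset = frozenset()   # roles allowed, e.g. {"Member"}
    users: frozenset = frozenset()   # individually allowed users
    sso_required: bool = False

@dataclass
class Session:                   # what a Pangolin login leaves behind
    user: Optional[str] = None
    roles: frozenset = frozenset()   # roles as pulled from the IdP
    via_sso: bool = False

class Gateway:
    def __init__(self):
        self.sites = {}          # name -> Site
        self.resources = {}      # host -> Resource
    def add_site(self, site: Site):
        self.sites[site.name] = site
    def add_resource(self, res: Resource):
        self.resources[res.host] = res

    def handle(self, host: str, session: Session) -> Tuple[str, str]:
        res = self.resources.get(host)               # Traefik: which resource?
        if res is None:
            return ("404", "")                        # unknown subdomain
        if session.user is None:
            return ("302", "login")                   # redirect to Pangolin login
        if res.sso_required and not session.via_sso:
            return ("302", "sso")                     # SSO enforced for this app
        if session.user not in res.users and not (res.roles & session.roles):
            return ("403", "")                        # logged in, but no access
        site = self.sites[res.site]
        if not site.connected:
            return ("502", "site offline")            # no Newt tunnel to route over
        return ("200", f"{site.name}->{res.target}")  # proxied through the tunnel
```

The point to notice is that the internal target is only ever consulted after authentication and authorization succeed, which is why the service itself needs no public port.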

What About a Full VPN?

Pangolin has recently introduced a beta feature for a more traditional VPN experience. You can create a “Client” in the dashboard, which is similar to creating a “Site.” This provides a configuration to run the Newt client directly on your laptop. Once connected, your machine becomes part of the secure network, allowing you to access any resource (not just web services) based on the permissions you define. You can even create “Client Resources” to open specific TCP/UDP ports for SSH, RDP, or other protocols, giving you fine-grained control.

Conclusion

Pangolin VPN is a fantastic and incredibly interesting product. It’s not trying to be a replacement for every VPN use case, but it excels at simplifying secure access to self-hosted web services. The combination of zero-exposure security, centralized SSO authentication, and role-based access control makes it a powerful tool for small businesses, homelab enthusiasts, and anyone looking to share internal applications without the headache of complex network configurations.

It’s a project that simplifies life in many circumstances, and I highly recommend giving it a try. The fact that it’s open source and self-hostable gives you the ultimate control and privacy.

Have you tried Pangolin or a similar tool? Let me know your thoughts and experiences in the comments below! I’d love to hear your opinion.


For more content on open-source and IT, make sure to subscribe to my channel!

➡️ YouTube Channel: Quadrata

➡️ Join the conversation on Telegram: Zabbix Italia Community

Thanks for reading, and see you next week. A greeting from Dimitri!
