Pangolin

Pangolin is a self‑hosted, tunnel‑enabled reverse proxy that consolidates routing, access control, and service discovery into a single platform. At its core, it opens encrypted WireGuard tunnels from remote nodes to a central control plane and forwards inbound HTTP(S) traffic through those tunnels, eliminating the need for port forwarding or VPNs. The system automatically negotiates TLS certificates (via Let’s Encrypt) and enforces fine‑grained identity‑based policies, making it ideal for exposing internal services to the public internet with minimal configuration.

Key Features

• Identity‑Aware Routing – Every request is authenticated against a central user store, allowing per‑user or per‑group access rules.
• Zero‑Configuration Tunnels – Remote nodes automatically establish WireGuard connections to the control plane; no manual firewall changes required.
• Unified Dashboard – A web UI aggregates metrics, logs, and configuration for all connected sites, streamlining operational visibility.
• Dynamic TLS Management – Let’s Encrypt integration handles certificate issuance and renewal automatically for every exposed domain.
• API & Webhooks – A RESTful API exposes CRUD operations on sites, tunnels, and policies; webhooks notify external services of status changes.

Technical Stack

The Go runtime ensures low memory footprint and fast startup, while the WireGuard integration is performed through the wireguard-go library, allowing both native and user‑space tunneling. The React frontend communicates with the backend via a secure WebSocket channel for live event streaming.

Deployment & Infrastructure

Pangolin is designed to run on any Linux host with Docker or directly via binary. The community edition is AGPL‑3 licensed, whereas the enterprise edition offers a commercial license with additional features such as SSO integration and advanced logging. For production, the recommended approach is to deploy a control plane instance behind an HTTPS load balancer (e.g., Nginx or HAProxy) and run one or more remote nodes in each network segment. The system automatically scales: adding a new node simply registers itself, and the control plane redistributes routing rules accordingly. High availability can be achieved by running multiple control planes in a PostgreSQL‑replicated cluster and using a shared WireGuard key store.

Integration & Extensibility

Developers can extend Pangolin in several ways:

• Plugin Hooks – The API supports custom middleware for authentication or request transformation.
• Webhooks & SDKs – Trigger CI/CD pipelines or external monitoring when tunnels go up/down.
• Custom DNS Providers – Integrate with Route53, Cloudflare, or any ACME‑compatible provider for automated DNS challenge resolution.
• SAML/OIDC Providers – Plug in corporate identity providers for single sign‑on.

The open API also allows automated site provisioning via scripts or Terraform modules, making it a natural fit for GitOps workflows.

Developer Experience

Pangolin ships with comprehensive documentation on its website, a live API reference, and example Terraform modules. The community is active on Discord and Slack, providing quick support for API quirks or deployment issues. Configuration is declarative: a single YAML file per site defines hostnames, upstream services, and access policies. The system’s logging is structured (JSON) and can be shipped to ELK or Loki stacks for deep inspection.

Use Cases

• Remote Development Environments – Expose local IDEs or dashboards without opening ports on a corporate network.
• Multi‑Tenant SaaS – Host dozens of internal services behind a single reverse proxy, each with its own auth rules.
• Edge Computing – Deploy nodes on IoT devices or edge servers; Pangolin routes traffic back to a central control plane securely.
• Hybrid Cloud – Connect on‑premise services with cloud workloads, all accessible through a unified domain space.

Advantages Over Alternatives

Developers choose Pangolin when they need a robust, programmable entry point that can expose services across isolated networks without the operational overhead of VPNs or complex firewall rules. Its lightweight Go implementation, combined with a modern React UI and extensive API surface, makes it straightforward to integrate into existing DevOps pipelines while maintaining strict security controls.