{"id":32114,"date":"2026-07-13T12:02:34","date_gmt":"2026-07-13T10:02:34","guid":{"rendered":"https:\/\/contabo.com\/blog\/?p=32114"},"modified":"2026-07-13T12:05:17","modified_gmt":"2026-07-13T10:05:17","slug":"what-is-pangolin","status":"publish","type":"post","link":"https:\/\/contabo.com\/blog\/what-is-pangolin\/","title":{"rendered":"What Is Pangolin? Self-Hosted Zero-Trust Remote Access Explained"},"content":{"rendered":"\n<p>Pangolin is an open-source, identity-aware remote access platform built on WireGuard. It combines a tunneled reverse proxy and zero-trust VPN into one self-hosted stack, running on a public VPS as a hub. Deploy Newt on any private network \u2014 a home lab behind NAT, an office server, a cloud VPC \u2014 and Pangolin tunnels authenticated access to both web applications and private resources like databases and SSH servers, without opening a single inbound port on the private network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-pangolin-does\">What Pangolin Does<\/h2>\n\n\n\n<p>Most remote access setups involve stitching together at least three separate tools: a reverse proxy (Traefik, Caddy, or Nginx), a tunnel provider (Cloudflare Tunnel, ngrok), and an identity\/auth layer (Authelia, Authentik, Keycloak). Pangolin replaces that entire stack with one deployable unit.<\/p>\n\n\n\n<p>It covers two distinct access modes in a single platform:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tunneled reverse proxy \u2014 expose web applications running on private networks to the public internet via HTTPS, with automatic Let&#8217;s Encrypt certificates and zero-trust access controls. No inbound firewall rules needed. This is what Cloudflare Tunnel does, but self-hosted.<\/li>\n\n\n\n<li>Private resource access (ZTNA) \u2014 connect directly to databases, SSH servers, RDP hosts, and entire network ranges through authenticated WireGuard tunnels. Think Tailscale&#8217;s device-access model, but with Pangolin controlling the control plane on your own VPS.<\/li>\n<\/ul>\n\n\n\n<p>The two modes are managed from a unified dashboard UI \u2014 the same identity layer, the same access control policies, the same audit logs \u2014 whether a team member is hitting a web app over HTTPS or SSH-ing into a production server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Pangolin Works: Architecture Overview<\/h2>\n\n\n\n<p>Pangolin deploys as four containers on your VPS hub, coordinated by Docker Compose:<\/p>\n\n\n\n<style>\n.table-responsive{overflow-x:auto;margin:1.5em 0;}\n.pangolin-table{width:100%;border-collapse:collapse;font-size:0.95em;font-family:inherit;}\n.pangolin-table th,.pangolin-table td{border:1px solid #ddd;padding:10px 14px;text-align:left;vertical-align:top;}\n.pangolin-table thead th{background-color:#003366;color:#fff;font-weight:600;}\n.pangolin-table tbody tr:nth-child(even){background-color:#f7f9fb;}\n.pangolin-table tbody td:first-child{white-space:nowrap;color:#0066CC;}\n<\/style>\n<div class=\"table-responsive\">\n<table class=\"pangolin-table\">\n  <thead>\n    <tr>\n      <th>Component<\/th>\n      <th>Where it runs<\/th>\n      <th>Role<\/th>\n      <th>Analogy<\/th>\n    <\/tr>\n  <\/thead>\n  <tbody>\n    <tr>\n      <td><strong>Pangolin<\/strong><\/td>\n      <td>Your public VPS<\/td>\n      <td>Control plane \u2014 dashboard, auth, routing config<\/td>\n      <td>The hub<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Gerbil<\/strong><\/td>\n      <td>Your public VPS (alongside Pangolin)<\/td>\n      <td>WireGuard interface manager \u2014 creates and maintains the tunnel<\/td>\n      <td>The tunnel engine<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Traefik<\/strong><\/td>\n      <td>Your public VPS (alongside Pangolin)<\/td>\n      <td>Reverse proxy \u2014 handles HTTPS, SSL certs, routes traffic to the right site<\/td>\n      <td>The traffic director<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Newt<\/strong><\/td>\n      <td>Each private network (client)<\/td>\n      <td>Lightweight WireGuard site connector \u2014 dials out to Gerbil, no inbound ports needed<\/td>\n      <td>The spoke<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<\/div>\n\n\n\n<p>The traffic flow for a web request looks like this: a browser sends HTTPS to port 443 on your Pangolin VPS. Gerbil&#8217;s SNI proxy reads the hostname and routes the request to Traefik, which holds the valid Let&#8217;s Encrypt certificate and handles SSL termination. Traefik then consults Pangolin&#8217;s routing config, determines which site (private network) owns this resource, and forwards the request through the WireGuard tunnel to the Newt client running on that private network. Newt delivers it to the backend service \u2014 a Gitea instance, a Prometheus dashboard, a Nextcloud server \u2014 which never needed a public IP or open port.<\/p>\n\n\n\n<p>The flow for private resource access (SSH, database, RDP) follows the same WireGuard tunnel path but routes through Pangolin&#8217;s native client rather than the browser, giving you a proper network-layer connection rather than an HTTP proxy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pangolin vs Cloudflare Tunnel: Key Differences<\/h2>\n\n\n\n<p>Cloudflare Tunnel is the obvious comparison \u2014 both tools expose private services to the internet without opening ports. The architectural difference is fundamental: Cloudflare Tunnel routes your traffic through Cloudflare&#8217;s global edge, where Cloudflare terminates TLS and sees your application traffic in plaintext before forwarding it. Pangolin keeps all of that on infrastructure you own.<\/p>\n\n\n\n<style>\n.table-responsive{overflow-x:auto;margin:1.5em 0;}\n.pangolin-compare-table{width:100%;border-collapse:collapse;font-size:0.95em;font-family:inherit;}\n.pangolin-compare-table th,.pangolin-compare-table td{border:1px solid #ddd;padding:10px 14px;text-align:left;vertical-align:top;}\n.pangolin-compare-table thead th{background-color:#003366;color:#fff;font-weight:600;}\n.pangolin-compare-table tbody tr:nth-child(even){background-color:#f7f9fb;}\n.pangolin-compare-table tbody td:first-child{white-space:nowrap;font-weight:600;color:#0066CC;}\n<\/style>\n<div class=\"table-responsive\">\n<table class=\"pangolin-compare-table\">\n  <thead>\n    <tr>\n      <th>Dimension<\/th>\n      <th>Pangolin (self-hosted)<\/th>\n      <th>Cloudflare Tunnel (managed)<\/th>\n    <\/tr>\n  <\/thead>\n  <tbody>\n    <tr>\n      <td><strong>Hosting<\/strong><\/td>\n      <td>Self-hosted on your VPS \u2014 you own the infrastructure<\/td>\n      <td>Managed by Cloudflare \u2014 traffic routes through Cloudflare&#8217;s edge<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>TLS termination<\/strong><\/td>\n      <td>Your Traefik instance handles TLS \u2014 Pangolin never sees plaintext on a third-party server<\/td>\n      <td>Cloudflare terminates TLS \u2014 traffic is decrypted at Cloudflare&#8217;s edge<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Upload limits<\/strong><\/td>\n      <td>None (limited only by your VPS bandwidth)<\/td>\n      <td>100 MB per request on free tier<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Cost<\/strong><\/td>\n      <td>VPS cost (from ~\u20ac8.75\/mo on Contabo Cloud VPS Plus 4)<\/td>\n      <td>Free tier available; paid plans for advanced features<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Control<\/strong><\/td>\n      <td>Full \u2014 you configure routing, access rules, rate limits<\/td>\n      <td>Limited to what Cloudflare exposes in the dashboard<\/td>\n    <\/tr>\n    <tr>\n      <td><strong>Video streaming<\/strong><\/td>\n      <td>No ToS restrictions<\/td>\n      <td>Restricted under Cloudflare&#8217;s ToS on the free plan<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<\/div>\n\n\n\n<p>For teams running GDPR-sensitive applications, healthcare tooling, or internal services where data must not transit a third-party network, Pangolin&#8217;s self-hosted model is not just a preference \u2014 it is a compliance requirement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pangolin vs Tailscale: Where Each Fits<\/h2>\n\n\n\n<p>Pangolin and Tailscale serve overlapping but distinct use cases. Tailscale is mesh-VPN-first: it creates encrypted point-to-point connections between devices using WireGuard, with no public IP required on any node. Its strength is device-to-device access \u2014 connecting a laptop directly to a home server, or giving a remote team member access to internal tooling. Tailscale&#8217;s free tier is generous and requires no infrastructure to manage.<\/p>\n\n\n\n<p>Pangolin is reverse-proxy-first: it needs a VPS with a public IP as the hub, and its primary use case is exposing web applications via HTTPS with identity-aware access controls. Where Pangolin has a clear edge over Tailscale is browser-accessible public-facing resources \u2014 you get a proper HTTPS URL, Let&#8217;s Encrypt certificate, and per-resource access policies without requiring every user to install a VPN client.<\/p>\n\n\n\n<p>As of mid-2026, Pangolin is also expanding its native client capabilities (Android, Windows, CLI), moving further into Tailscale territory for device-level VPN access. Headscale \u2014 the open-source, self-hosted Tailscale control plane \u2014 is the closer comparison for pure mesh-VPN without vendor dependency. The practical answer: use Pangolin when you need authenticated HTTPS access to web apps; Tailscale or Headscale when you need device-to-device mesh access without a public IP hub.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What You Need to Run Pangolin<\/h2>\n\n\n\n<p>Pangolin&#8217;s requirements are minimal by infrastructure standards:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A VPS with a public IP address (required for the hub role \u2014 Pangolin cannot run purely behind NAT)<\/li>\n\n\n\n<li>Docker and Docker Compose installed on the VPS<\/li>\n\n\n\n<li>A domain or subdomain you control (for HTTPS \u2014 Traefik handles Let&#8217;s Encrypt automatically)<\/li>\n\n\n\n<li>Ports 80 and 443 open on the VPS (HTTP challenge for cert issuance, HTTPS traffic)<\/li>\n\n\n\n<li>Port 51820\/UDP open (WireGuard tunnel traffic from Newt clients)<\/li>\n<\/ul>\n\n\n\n<p>The official installer script handles all container orchestration \u2014 Pangolin, Gerbil, and Traefik are configured and started with a single interactive command. Newt installs on each private network as a single binary or Docker container requiring three environment variables: the Pangolin endpoint, a site ID, and a secret token.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Run Pangolin on a Contabo VPS<\/h2>\n\n\n\n<p>Pangolin architecturally requires a public-IP VPS as the hub \u2014 and the hub&#8217;s main jobs are running four containers (Pangolin, Gerbil, Traefik, and the control plane API), managing WireGuard sessions, and handling HTTPS routing. That workload is well within the reach of a modest VPS.<\/p>\n\n\n\n<p>Contabo Cloud VPS Plus 4 \u2014 4 cores, 8 GB RAM, 150 GB NVMe, at \u20ac8.75\/month \u2014 covers the hub role comfortably for most homelab-to-small-business deployments. The NVMe storage matters for Traefik&#8217;s certificate state and active tunnel configuration. With Contabo&#8217;s RAM-per-Euro positioning, the Plus 4 gives you meaningful headroom to run Pangolin alongside other self-hosted services on the same VPS rather than dedicating a server purely to the tunnel hub.<\/p>\n\n\n\n<p>For larger deployments with tens of concurrent tunnel sessions, the Cloud VPS Plus 6 (12 GB RAM, \u20ac13.50\/month) adds comfortable overhead. EU VPS locations also satisfy data-residency requirements for teams routing sensitive traffic through Pangolin.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-075829fe\"><h2 class=\"uagb-heading-text\">FAQ: Pangolin<\/h2><\/div>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1783936744526\"><strong class=\"schema-faq-question\">What is Pangolin used for?<\/strong> <p class=\"schema-faq-answer\">Pangolin is used to expose private services \u2014 home lab dashboards, internal web applications, databases, SSH servers \u2014 to the internet or a team, securely, without opening inbound firewall ports on the private network. It replaces the combination of Cloudflare Tunnel (for web exposure) and Tailscale (for device access) with one self-hosted stack that keeps all traffic on infrastructure you control.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1783936756571\"><strong class=\"schema-faq-question\">Does Pangolin replace Cloudflare Tunnel?<\/strong> <p class=\"schema-faq-answer\">For teams that need full data sovereignty \u2014 traffic that must not transit Cloudflare&#8217;s edge \u2014 Pangolin is the direct replacement. It replicates Cloudflare Tunnel&#8217;s core function (expose private web services via HTTPS without opening ports) on self-hosted infrastructure. The trade-off: you manage the VPS hub. If you have no data-residency requirements and want zero infrastructure to manage, Cloudflare Tunnel&#8217;s free tier is still easier to operate.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1783936768841\"><strong class=\"schema-faq-question\">Does Pangolin replace Tailscale?<\/strong> <p class=\"schema-faq-answer\">Partially. For browser-based access to web applications with per-resource identity controls, Pangolin is the stronger tool. For pure mesh device-to-device access \u2014 connecting a laptop directly to a home server without a public-IP hub \u2014 Tailscale&#8217;s architecture is simpler and requires no VPS. As Pangolin&#8217;s native client (Android, Windows, CLI) matures, the gap narrows, but Tailscale or Headscale remain better suited for the pure mesh-VPN workload as of mid-2026.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1783936780354\"><strong class=\"schema-faq-question\">What VPS does Pangolin need?<\/strong> <p class=\"schema-faq-answer\">Any Linux VPS with a public IP, Docker, and ports 443 and 51820\/UDP open works. For a hub running a typical homelab or small-team setup, 2\u20134 GB RAM and 2 vCPUs is sufficient. Contabo Cloud VPS Plus 4 (4 cores, 8 GB RAM, \u20ac8.75\/month) gives comfortable headroom to co-host Pangolin alongside other services. Larger deployments with many concurrent tunnel sessions benefit from the Plus 6 (12 GB RAM, \u20ac13.50\/month).<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1783936798165\"><strong class=\"schema-faq-question\">Is Pangolin free?<\/strong> <p class=\"schema-faq-answer\">The Community Edition is free and open source under AGPL-3.0. It covers the full self-hosted deployment with no user or site limits beyond what your VPS can handle. An Enterprise Edition adds commercial licensing for organisations with revenue above $100k\/year. A managed Pangolin Cloud is also available for teams who want the feature set without the infrastructure overhead, with a free tier for up to 5 users and 5 sites.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Pangolin is an open-source, identity-aware remote access platform built on WireGuard. It combines a tunneled reverse proxy and zero-trust VPN into one self-hosted stack, running on a public VPS as a hub. Deploy Newt on any private network \u2014 a home lab behind NAT, an office server, a cloud VPC \u2014 and Pangolin tunnels authenticated [&hellip;]<\/p>\n","protected":false},"author":78,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":"","_members_access_role":[],"_members_access_error":""},"categories":[4706],"tags":[],"ppma_author":[4285],"class_list":["post-32114","post","type-post","status-publish","format-standard","hentry","category-explainer"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"Jie Guo","author_link":"https:\/\/contabo.com\/blog\/author\/jieguo\/"},"uagb_comment_info":0,"uagb_excerpt":"Pangolin is an open-source, identity-aware remote access platform built on WireGuard. It combines a tunneled reverse proxy and zero-trust VPN into one self-hosted stack, running on a public VPS as a hub. Deploy Newt on any private network \u2014 a home lab behind NAT, an office server, a cloud VPC \u2014 and Pangolin tunnels authenticated&hellip;","authors":[{"term_id":4285,"user_id":78,"is_guest":0,"slug":"jieguo","display_name":"Jie Guo","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/4e0d981b06988d6d456834e9d55bc9e713e918fa8444325543d14f448154106b?s=96&d=mm&r=g","author_category":"","user_url":"","last_name":"Guo","first_name":"Jie","job_title":"","description":""}],"_links":{"self":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/32114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/users\/78"}],"replies":[{"embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/comments?post=32114"}],"version-history":[{"count":1,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/32114\/revisions"}],"predecessor-version":[{"id":32115,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/posts\/32114\/revisions\/32115"}],"wp:attachment":[{"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/media?parent=32114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/categories?post=32114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/tags?post=32114"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/contabo.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=32114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}