Pangolin VPN: Secure Your Internal Services with Zero Open Ports

Good morning and welcome, everyone! I'm Dimitri Bellini, and you're here again with me on Quadrata, my channel dedicated to the world of open source and IT. This week, we're diving into something new and exciting: a truly noteworthy tool that can help you in very specific situations.

We're going to talk about Pangolin VPN, and its promise is right in the name: "Zero Open Ports." While the concept of a secure tunnel isn't new, Pangolin offers a unique, simplified approach. It's an open-source, self-hosted solution that lets you create a reverse tunnel to your internal servers, all managed through a centralized, user-friendly platform. Let's explore what makes it so special.

What is Pangolin VPN?

At its core, Pangolin is an open-source solution that allows you to install a complete secure access platform on your own machines. It’s built on top of WireGuard, but it’s not a classic VPN. Instead of manually configuring clients and punching holes in your firewalls, Pangolin centralizes everything. It acts as a secure gateway, protecting your internal web services and applications from direct exposure to the internet.

You essentially need two things to start:

  1. A machine with a public IP address (like a cheap VPS) to act as the central concentrator.

  2. A domain name to point to that machine.

From there, Pangolin handles the rest, creating a secure, elegant bridge to your private network without you having to mess with complex NAT or firewall rules.

Key Features That Make Pangolin Stand Out

Pangolin simplifies secure access by bundling several powerful features into one platform. Here are the most important ones:



How It Works: The Architecture

Pangolin is a suite of open-source tools working in harmony. The entire platform is packaged with Docker, making deployment a breeze. Here are the core components:


The workflow is simple: a user accesses a specific URL in their browser. The request hits your public Pangolin server, which uses Traefik to handle it. Pangolin checks the user's authentication and permissions. If authorized, it routes the request through the secure WireGuard tunnel established by the Newt client to the correct service on your private network.

Getting Started: A Quick Installation Guide

Installing Pangolin is surprisingly straightforward. Here’s what you’ll need first.

Prerequisites

Installation Steps

The installation is handled by a simple script. Just run these commands on your public server:

curl -fsSL https://digpangolin.com/get-installer.sh | bash
sudo bash ./install.sh

The script will ask you a few questions:

  1. Your main domain: (e.g., quadrata.dev)

  2. The subdomain for the Pangolin service: It will suggest one (e.g., pg.quadrata.dev).

  3. Your email for Let's Encrypt.

  4. Whether to use Gerbil to manage connections (say yes).

  5. A few other simple questions about email notifications and IPv6.

Once you answer, it will pull the necessary Docker containers and set everything up. At the end of the process, it will give you a registration token. Use this token to create your first admin user and password.

Configuring Your First Services

Once you're logged into the Pangolin dashboard, the process is logical.

1. Create a "Site"

A "Site" in Pangolin represents your internal network. You'll give it a name, and Pangolin will provide you with the command to deploy the Newt client agent inside that network. You can easily copy the docker run or Docker Compose configuration and deploy it on a machine within your LAN (I used my container management tool, Comodo, for this). Once the agent is running, it will connect to your Pangolin server, and the site will show as active.
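A practical way to confirm the "Zero Open Ports" promise on the LAN machine that runs the Newt agent is to audit which sockets are listening on a wildcard address: Newt only dials out (WireGuard over UDP to your concentrator), so nothing new should appear bound to 0.0.0.0 or [::], and your internal services only need to be reachable by the agent, not by the internet. The script below is an added example, not code from the video or from the Pangolin project. It assumes the iproute2 ss tool is available and parses its "ss -tuln" column layout; the sample output, the 192.168.1.20 address and the 8080 listener are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Pangolin's own code): audit the LAN host running the
# Newt agent for sockets that listen on a wildcard address.
# Assumptions: iproute2 `ss` is installed and `ss -tuln` prints the columns
# "Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port".

# Print "proto address port" for every listener bound to a wildcard address
# (0.0.0.0, [::] or *). Reads ss output from stdin so the same function works
# on a captured sample and on live output.
wildcard_listeners() {
    awk 'NR > 1 {
        proto = $1; laddr = $5
        # split "addr:port" at the last colon so IPv6 "[::]:22" also works
        n = match(laddr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(laddr, 1, n - 1); port = substr(laddr, n + 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print proto, addr, port
    }'
}

# Compare the wildcard listeners read from stdin against an allow-list given
# as $1 (space-separated "proto/port" tokens, e.g. "tcp/22 udp/51820").
# Returns 0 when nothing unexpected is listening, 1 otherwise.
check_exposure() {
    allow=" $1 "
    unexpected=0
    while read -r proto addr port; do
        case "$allow" in
            *" $proto/$port "*) ;;
            *) echo "UNEXPECTED wildcard listener: $proto $addr:$port" >&2
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    [ "$unexpected" -eq 0 ]
}

# Constructed sample of `ss -tuln` output for a LAN host: a local resolver on
# loopback, SSH on all interfaces (expected for LAN administration), Ollama
# bound to the LAN address 192.168.1.20 only, and a stray web service on [::]:8080.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   192.168.1.20:11434  0.0.0.0:*
tcp   LISTEN 0      4096   [::]:8080           [::]:*'

# Audit the constructed sample, allowing only SSH; fails because of [::]:8080.
audit_sample() {
    printf '%s\n' "$SAMPLE" | wildcard_listeners | check_exposure "tcp/22"
}

# Audit the real host; $1 is the allow-list, e.g. "tcp/22".
audit_live() {
    ss -tuln | wildcard_listeners | check_exposure "$1"
}

# Stand-alone use: `sh newt_host_audit.sh` audits the constructed sample,
# `sh newt_host_audit.sh live "tcp/22"` audits the host you run it on.
if [ "${1:-}" = "live" ]; then
    audit_live "${2:-}"
else
    audit_sample || echo "sample audit: unexpected listeners found (expected for this sample)"
fi
```

Run it on the Newt host before and after deploying the agent: the listener list should be identical, because the tunnel is established outbound. Anything that does show up on a wildcard address is a service you are exposing on the LAN (and, if the host is ever port-forwarded, on the internet) independently of Pangolin's authentication.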

2. Create a "Resource"

Next, you define the services you want to expose. Click on "Add Resource" and select "HTTPS Resource."


3. Assign Permissions

After creating the resource, you must define who can access it. In the resource's "Authentication" tab, you can assign it to specific roles (like "Member") or individual users. You can also enforce SSO for that specific application. Save your changes, and you're done!

Now, when an authorized user navigates to ollama.pg.quadrata.dev, they will be prompted to log in via Pangolin and will then be seamlessly redirected to your internal Ollama service. It's that simple!

What About a Full VPN?

Pangolin has recently introduced a beta feature for a more traditional VPN experience. You can create a "Client" in the dashboard, which is similar to creating a "Site." This provides a configuration to run the Newt client directly on your laptop. Once connected, your machine becomes part of the secure network, allowing you to access any resource (not just web services) based on the permissions you define. You can even create "Client Resources" to open specific TCP/UDP ports for SSH, RDP, or other protocols, giving you fine-grained control.

Conclusion

Pangolin VPN is a fantastic and incredibly interesting product. It's not trying to be a replacement for every VPN use case, but it excels at simplifying secure access to self-hosted web services. The combination of zero-exposure security, centralized SSO authentication, and role-based access control makes it a powerful tool for small businesses, homelab enthusiasts, and anyone looking to share internal applications without the headache of complex network configurations.

It's a project that simplifies life in many circumstances, and I highly recommend giving it a try. The fact that it's open source and self-hostable gives you the ultimate control and privacy.

Have you tried Pangolin or a similar tool? Let me know your thoughts and experiences in the comments below! I'd love to hear your opinion.

For more content on open-source and IT, make sure to subscribe to my channel!

➡️ YouTube Channel: Quadrata

➡️ Join the conversation on Telegram: Zabbix Italia Community

Thanks for reading, and see you next week. A greeting from Dimitri!