Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!

Thanks for building this. I’ll be trying it out when I get home tonight.

I love working with CF Tunnels but I got frustrated with their lackluster web admin ux that I recently decided to have Claude whip up a quick terminal interface for it

so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?

Can Pangolin also provide public access (currently I'm using Caddy as a reverse proxy)?

But pangolin seems to be similar to that setup with a good UI, and more control. Definitely trying it out.

Quick question: Can it handle multiple domain names? I point multiple domain to the vps hosting my npm it proxy's them from there. Does Pangolin, also support multiple domains pointing to it?

In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?

can you give more details, would this be adapted to IoT devices running on MCUs like ESP32 etc?

Btw I like your short and clear CLA! Did you check the wording of the cla with a lawyer? In my project I wanted to replace the perpetual license granted by contributors by 'a license granted as long as the software is also proposed under the agpl', but that might make it too complicated to still keep it succinct and legally clear.

Could you make a Dokploy template to let people deploy it easily?

https://github.com/netbirdio/netbird

That being said, I believe Pangolin is one of the better and polished ones.

I have set up something similar just recently with an OPNSense box running DNS, the WireGuard instance and getting a wildcard Let's Encrypt cert that it pushes to my Synology reverse proxy (Nginx). So from my clients I can enable the WG tunnel only on my internal IP range, setting the internal DNS, so I don't have to have my public cert pointing to my IP. It works once setup for my home net. But for multi-site, Pangolin looks very polished and probably easier to set up.

Is Newt a custom implementation of a WireGuard server? Has it been security audited in some way?

I've been wanting to add some authentication lately so that I can manage access to the homelab resources. I currently prohibit all traffic and only allow the Wireguard subnet, but this means any clients have to be provisioned in Wireguard, which is a nuisance to setup manually. It does seem to work well enough though.

Pangolin seems like it would be a one-stop replacement and simplify the setup, especially once I look at adding user management to the mix.

So, if you built something that is resilient enough to handle change in IP addresses, you've beaten CF tunnels.

https://github.com/fatedier/frp

While CF tunnels were nice and solved my ISP imposed issue with exposing ports via their crappy fiber gateway for couple of years. But I wanted more control. Specifically control over what I can expose without worrying about violating cloudflare’s TOS and ambiguity around media streaming. (Jellyfin/Emby).