At a Glance:
Pangolin is an open-source, identity-based remote access platform that combines reverse proxy and VPN capabilities with WireGuard, NAT traversal, and role-based access control to provide browser-based web app access and client-based private resource connectivity.
Overview:
Pangolin is an open-source remote access platform that merges reverse proxy and VPN functionality into a single identity-based system. It enables organizations to provide secure browser-based access to web applications and client-based access to private resources like SSH servers, databases, and RDP — all without exposing networks directly to the internet. The platform uses WireGuard tunnels with intelligent NAT traversal to reach resources behind restrictive firewalls without requiring public IPs or open ports. Pangolin supports both fully managed cloud deployment and self-hosted options (Community and Enterprise editions), with granular role-based access controls that grant users access to specific resources rather than entire networks.
Key Decision Points:
Deployment model: Available as fully managed cloud service or self-hosted (Community Edition under AGPL-3, Enterprise Edition under Fossorial Commercial License with free tier for businesses under $100K USD annual revenue)
Access methods: Supports both browser-based reverse proxy access to web applications and client-based access to private resources via native clients
Network connectivity: Uses outbound tunnels with NAT traversal to reach resources behind restrictive firewalls without public IPs or open ports
Access control model: Implements zero-trust RBAC where users only access explicitly defined resources, not entire networks — supports both built-in users and external identity providers
Client platforms: Native clients available for Mac, Windows, Linux, iOS, and Android
Site connectors: Deployable as binaries or containers on any platform to create gateways into private networks
Core Features:
Reverse proxy with identity-aware access: Exposes web applications through tunneled reverse proxies accessible via browser with authentication
Site connectors with NAT traversal: Deployable gateways that provide access to networked resources behind firewalls using outbound tunnels
Client-based private resource access: Native client connectivity to SSH, databases, RDP, and network ranges with DNS aliases across sites
Role-based access control: Grant users access to specific applications, services, and routes rather than full network access
Built-in or external identity providers: Use Pangolin's user management or integrate existing identity providers for authentication
Automatic SSL and routing: Handles certificate management, load balancing, and health checking without direct network exposure
Use Cases:
Remote access to internal web applications: Provide browser-based access to internal tools and dashboards without installing client software on user devices
Developer access to private infrastructure: Enable authenticated access to SSH servers, databases, and RDP sessions through NAT traversal without public IPs
Multi-site network connectivity: Bridge geographically distributed networks behind restrictive firewalls using site connectors and outbound tunnels
Restricted third-party access: Grant external collaborators access to specific resources with granular RBAC rather than broad VPN access
Open-Source Alternative Value:
Pangolin's Community Edition provides a self-hosted remote access platform under AGPL-3, combining reverse proxy and VPN functionality that would otherwise require separate commercial tools. Self-hosters can deploy site connectors as containers or binaries without relying on cloud-managed services, while the zero-trust RBAC model offers more granular access control than traditional VPN solutions. The dual licensing model means the core platform is available for self-hosted evaluation and community use, with Enterprise features reserved for larger commercial deployments.
