Overview:
Pangolin is an open-source, identity-based remote access platform built on WireGuard® that combines reverse proxy and VPN capabilities into a single platform. It enables secure, browser-based access to web applications and client-based access to private resources like SSH servers, databases, and entire network ranges. The platform provides granular access controls with a zero-trust model to ensure users can only reach explicitly defined resources. It is available as a fully managed cloud service or as a self-hosted Community Edition (AGPL-3) and Enterprise Edition.
Core Features:
Browser-based reverse proxy: Expose web applications through identity- and context-aware tunneled reverse proxies with authentication and granular access control, without installing a client.
Client-based private resource access: Access SSH servers, databases, RDP, and network ranges using Pangolin clients with intelligent NAT traversal.
Site connectors with NAT traversal: Connect remote networks using outbound tunnels and NAT traversal to access resources behind restrictive firewalls without public IPs or open ports.
Role-based access control (RBAC): Use built-in users or bring your own identity provider, and grant users access to specific resources rather than entire networks.
Use Cases:
Securely exposing web applications: Organizations can provide browser-based access to internal web applications for remote or external users without exposing the network directly to the internet.
Accessing private infrastructure remotely: Developers and system administrators can use Pangolin clients to reach SSH servers, databases, and RDP services behind restrictive firewalls.
Managing multi-network access with granular controls: Teams can connect multiple remote networks via site connectors and define specific user or role access to resources, supporting a zero-trust model.
Why It Matters:
Pangolin provides a single platform that integrates both reverse proxy and VPN access under identity-based controls. Its zero-trust model allows administrators to grant access to specific resources rather than full network segments, which is a departure from traditional VPN approaches. The self-hosted Community Edition under AGPL-3 allows organizations to maintain direct control over data and access, and the site connectors with NAT traversal eliminate the need for public IPs or open ports on remote networks.




