
Open-source alternatives guide

Pangolin: Self-Hosted Cloudflare Tunnel + Access Alternative 2026

Pangolin packages WireGuard, Traefik, and identity-aware access into one self-hosted bundle. A practical 2026 review of when to choose it over Cloudflare Tunnels, frp, or Tailscale Funnel.

OSSAlt Team

TL;DR

Pangolin is the open source bundle that finally treats "expose a private service to the internet" the way Cloudflare Tunnels + Cloudflare Access treat it — with identity-aware proxy, per-resource access policies, and a clean dashboard — but on a VPS you control. Under the hood it's WireGuard for the tunnel, Traefik for routing, and a custom identity layer for SSO and one-time access codes. If you've outgrown raw frp/rathole configs but don't want to send traffic through Cloudflare, Pangolin is the most polished 2026 option.

Key Takeaways

  • Pangolin = WireGuard tunnel + Traefik reverse proxy + identity-aware access, all in one Docker Compose stack
  • AGPL-3.0 licensed, ~10K+ GitHub stars in early 2026, weekly releases by Fossorial
  • Two pieces: a "Newt" client on the private network and a "Pangolin" server on a public VPS
  • Per-resource auth: TOTP, email PIN, SSO (OIDC), or fully public — chosen per service
  • Comparison summary: Pangolin replaces Cloudflare Tunnel and Cloudflare Access; frp/rathole replace only the tunnel; Tailscale Funnel is simpler but Tailscale-account-bound
  • Resource budget: a $5–7/month 1 vCPU / 1 GB VPS comfortably runs the public side
  • Best fit: home labs and SMBs that want the Cloudflare experience without Cloudflare

Why Pangolin Exists

Self-hosters have had tunnel software for years — ngrok, frp, rathole, Chisel, inlets, plus the WireGuard DIY route. They all solve the "punch through CGNAT or a closed firewall" half of the problem. None of them, on their own, solve the second half: who is allowed to reach the exposed service, and how do they prove it? Cloudflare bundled both with Tunnels + Access, and for a long time that was the easiest path.

Pangolin's contribution is bundling the same two layers in a single self-hosted package. The result feels familiar to anyone who has used Cloudflare Access — you publish a "resource" (your Plex, your internal Grafana, your dev environment), choose an authentication method, and Pangolin's reverse proxy enforces it on every request.

Architecture in 60 Seconds

  • Pangolin server runs on a small public VPS. It hosts Traefik, the admin UI, the identity database, and a WireGuard endpoint.
  • Newt client runs inside your private network as a Docker container. It dials out and establishes a WireGuard tunnel to Pangolin.
  • Resources are HTTP(S) services on the private side. You register them in the Pangolin UI, attach an auth policy, and Traefik routes the matching hostname over the tunnel.
  • Users authenticate through Pangolin's own identity layer (local users, magic links, TOTP) or a connected OIDC provider.

Because the inbound socket lives on the VPS and the tunnel is outbound from your LAN, you do not need a public IP, port forwarding, or even a static residential address.


Pangolin vs the Field

Capability                    | Pangolin                       | Cloudflare Tunnel + Access    | frp / rathole        | Tailscale Funnel
Self-hosted                   | ✅                             | ❌ (SaaS)                     | ✅                   | ⚠️ (control plane is SaaS; Headscale optional)
Identity-aware proxy          | ✅ (built in)                  | ✅ (Access)                   | ❌                   | ⚠️ (per-tailnet ACLs only)
Per-resource auth method      | ✅                             | ✅                            | ❌                   | ❌
Public sharing of one service | ✅                             | ✅                            | ✅                   | ✅
OIDC / SSO                    | ✅                             | ✅                            | ❌                   | Workspace SSO only
Web admin UI                  | ✅                             | ✅                            | ❌ (config files)    | ✅ (limited)
Works behind CGNAT            | ✅                             | ✅                            | ✅                   | ✅
TLS termination               | ✅ (Let's Encrypt via Traefik) | ✅                            | Manual               | ✅
Cost                          | VPS only (~$5–7/mo)            | Free tier + paid Access seats | VPS only             | Free–$6/user/mo
Best for                      | Home lab + SMB self-hosters    | Teams already on Cloudflare   | Pure tunneling needs | Tailscale-first orgs

Two takeaways:

  1. Pangolin and Cloudflare overlap the most. They are the only options that include identity-aware access and the tunnel and a UI in one package.
  2. frp/rathole are not direct competitors — they're the lower-level building block. Pangolin ships its own WireGuard layer instead of building on frp.

For a wider survey of the tunneling landscape, see Open Source Alternatives to Cloudflare Tunnels.


Authentication Methods

Per-resource policies are Pangolin's most useful feature in practice. For each registered service you can choose:

  • Public — no auth, just a clean public URL with TLS. Useful for marketing pages or webhook endpoints.
  • PIN code — share a numeric code; Pangolin gates the request with it. Good for one-off shares.
  • Email one-time code — magic-link style, no account required.
  • Local user — username + password, optionally with TOTP enforced.
  • OIDC SSO — federate to Authentik, Keycloak, Logto, Google Workspace, or anything OpenID-compatible.

You can layer these — for example, a Grafana dashboard could require both SSO and TOTP, while a public status page sits on the same Pangolin instance with no auth at all.
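To make the policy menu concrete, here is an added example (not Pangolin's code) that models per-resource policies and layering on a small identity-aware proxy; the TOTP factor is computed per RFC 6238, and the resource table, hostnames, PIN and user secret are constructed sample data.

```python
# Added illustration of per-resource access policies; not Pangolin's implementation.
import hashlib
import hmac
import struct
import time


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed: hostname -> factors every request must satisfy.
# An empty list is the Public policy; several entries form a layered policy.
RESOURCES = {
    "status.example.test": [],                 # Public status page
    "plex.example.test": ["pin"],              # one-off PIN share
    "wiki.example.test": ["email_otp"],        # magic-link style code
    "grafana.example.test": ["sso", "totp"],   # OIDC SSO layered with TOTP
}
PIN_CODES = {"plex.example.test": "482913"}          # constructed
TOTP_SECRETS = {"alice": b"12345678901234567890"}    # RFC 6238 reference secret


def factor_satisfied(factor, host, claims, now):
    """Check one factor against what the request has already proven."""
    if factor == "pin":
        expected = PIN_CODES.get(host)
        return expected is not None and hmac.compare_digest(claims.get("pin", ""), expected)
    if factor == "email_otp":
        return bool(claims.get("email_verified"))      # OTP already redeemed this session
    if factor == "sso":
        return bool(claims.get("oidc_subject"))        # IdP-issued subject present
    if factor == "totp":
        secret = TOTP_SECRETS.get(claims.get("user"))
        return secret is not None and hmac.compare_digest(claims.get("totp", ""), totp(secret, now))
    return False                                       # unknown factor: fail closed


def authorize(host, claims, now=None):
    """Allow only a registered hostname whose every layered factor holds."""
    if host not in RESOURCES:
        return False                                   # unregistered hostname: never proxied
    now = int(time.time()) if now is None else now
    return all(factor_satisfied(f, host, claims, now) for f in RESOURCES[host])
```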

For wiring SSO into the OIDC step, Authentik vs Keycloak vs Authelia covers the trade-offs of each provider.


Setup at a Glance

A typical install on a fresh Ubuntu 24.04 VPS:

mkdir pangolin && cd pangolin
curl -fsSL https://docs.fossorial.io/install.sh -o install.sh
bash install.sh    # run the interactive installer (prompts described below)
docker compose up -d

The installer prompts for the public domain, an admin email, and the SMTP credentials Pangolin uses for magic links. Within ten minutes you have:

  • A signed TLS cert for *.your-domain (DNS-01 via Let's Encrypt)
  • The admin dashboard at pangolin.your-domain
  • A WireGuard listener ready to accept the Newt client

On the LAN side, the Newt container is a single docker run with the join token Pangolin printed during setup. After that, exposing a service is three fields in the UI: hostname, internal target, auth policy.
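Once resources are published, a quick way to confirm the gate really applies is to probe each hostname with no credentials and compare the answer with the policy you picked. This is an added check, not part of Pangolin or its installer; the hostnames and policies in PUBLISHED are constructed placeholders.

```python
# Added example: anonymous probe of published resources; not part of Pangolin.
import urllib.error
import urllib.request

# Constructed: hostname -> auth policy selected for that resource in the UI.
PUBLISHED = {
    "status.example.test": "public",
    "plex.example.test": "pin",
    "grafana.example.test": "sso+totp",
}

# Statuses that mean the proxy refused or bounced an anonymous request.
REFUSED = {301, 302, 303, 307, 308, 401, 403}


def gate_verdict(policy, status):
    """'ok' when an unauthenticated status fits the policy, else 'MISMATCH'."""
    if policy == "public":
        return "ok" if status == 200 else "MISMATCH"
    return "ok" if status in REFUSED else "MISMATCH"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the login redirect so its status is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(hostname, timeout=10):
    """Return the HTTP status of an anonymous GET to https://hostname/."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(f"https://{hostname}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 3xx/4xx land here because redirects are not followed


def audit(published=PUBLISHED):
    """Probe every resource and return {hostname: (status, verdict)}."""
    return {h: (s, gate_verdict(p, s)) for h, p in published.items() for s in [probe(h)]}


if __name__ == "__main__":
    for host, (status, verdict) in audit().items():
        print(f"{verdict:9} {status} {host}")
```

A gated resource that renders its login page with a 200 instead of redirecting needs a body check on top of the status; DNS or TLS failures are left to raise so a missing certificate shows up as an error rather than a silent pass.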


When Pangolin Is the Right Call

Choose Pangolin if:

  • You want Cloudflare Tunnel + Access ergonomics without sending traffic through Cloudflare
  • You run more than two or three internal services and per-resource access policies matter
  • You have an OIDC IdP already (Authentik, Keycloak, Logto) and want to plug it in
  • You are comfortable maintaining a small VPS and a Docker stack

Stay with Cloudflare if:

  • You are already paying for Cloudflare and the free Access seats cover your team
  • You need the WAF, bot management, and DDoS scrubbing that come with Cloudflare's edge
  • You explicitly want to offload TLS and request inspection to a third party

Stay with raw frp / rathole if:

  • You only need to expose one or two services and you're fine handling auth inside each app
  • You have very tight resource budgets where every megabyte counts

Use Tailscale Funnel if:

  • Your organization already lives inside a tailnet and you only need occasional public sharing

Operational Notes

  • Backups. The Pangolin SQLite database lives in a single volume. A nightly restic snapshot of the data directory plus the Traefik certs is enough to recover. The restic + rclone backup guide maps cleanly onto Pangolin's data dir.
  • Updates. docker compose pull && docker compose up -d. Pangolin ships frequently — pin to a minor version in production and watch the changelog before upgrading majors.
  • High availability. Pangolin is designed as a single instance. If you need HA, front it with a second VPS and DNS failover; this is rare for the home-lab and SMB use cases the tool targets.
  • Audit log. The dashboard exposes per-resource access logs. Ship them to Loki if you want longer retention; see Grafana + Prometheus + Loki.

Verdict

Pangolin is the first self-hosted option that genuinely competes with Cloudflare Tunnel + Access on ergonomics, not just on tunneling. If you're a home-lab operator tired of writing Traefik labels by hand, or an SMB that needs identity-aware exposure without a Cloudflare bill, Pangolin earns a place in the stack. It is not a Tailscale replacement and it is not a CDN — but it is the cleanest "publish a private service safely" experience the open source ecosystem has shipped to date.


Related reading: WireGuard vs OpenVPN · Traefik vs Caddy vs Nginx · Open source alternatives to Cloudflare Tunnels.
