<!-- OSSAlt AI-readable guide source -->
<!-- Canonical: https://ossalt.com/guides/pangolin-self-hosted-tunnel-platform-2026 -->
<!-- Raw Markdown: https://ossalt.com/guides/pangolin-self-hosted-tunnel-platform-2026/raw.md -->
<!-- Source path: content/guides/pangolin-self-hosted-tunnel-platform-2026.mdx -->

---
og_image: "/images/guides/pangolin-self-hosted-tunnel-platform-2026.webp"
title: "Pangolin: Self-Hosted Cloudflare Tunnel + Access Alternative 2026"
description: "Pangolin bundles WireGuard, Traefik, and identity-aware access into one self-hosted stack. When to choose it over Cloudflare Tunnels or frp."
date: "2026-04-26"
author: "OSSAlt Team"
tags: ["pangolin", "cloudflare-tunnels", "self-hosting", "networking", "wireguard", "zero-trust", "reverse-proxy"]
featured_tool: "pangolin"
---

## TL;DR

**Pangolin** is the open source bundle that finally treats "expose a private service to the internet" the way Cloudflare Tunnels + Cloudflare Access treat it — with identity-aware proxy, per-resource access policies, and a clean dashboard — but on a VPS you control. Under the hood it's WireGuard for the tunnel, Traefik for routing, and a custom identity layer for SSO and one-time access codes. If you've outgrown raw `frp`/`rathole` configs but don't want to send traffic through Cloudflare, Pangolin is the most polished 2026 option.

## Key Takeaways

- **Pangolin = WireGuard tunnel + Traefik reverse proxy + identity-aware access**, all in one Docker Compose stack
- **AGPL-3.0 licensed**, roughly 10K GitHub stars in early 2026, weekly releases by Fossorial
- **Two pieces**: a "Newt" client on the private network and a "Pangolin" server on a public VPS
- **Per-resource auth**: PIN code, email one-time code, local users (optionally with TOTP), OIDC SSO, or fully public, chosen per service
- **Comparison summary**: Pangolin replaces Cloudflare Tunnel **and** Cloudflare Access; frp/rathole replace only the tunnel; Tailscale Funnel is simpler but Tailscale-account-bound
- **Resource budget**: a $5–7/month 1 vCPU / 1 GB VPS comfortably runs the public side
- **Best fit**: home labs and SMBs that want the Cloudflare experience without Cloudflare

---

## Why Pangolin Exists

Self-hosters have had tunnel software for years — `ngrok`, `frp`, `rathole`, `Chisel`, `inlets`, plus the WireGuard DIY route. They all solve the "punch through CGNAT or a closed firewall" half of the problem. None of them, on their own, solve the second half: **who is allowed to reach the exposed service, and how do they prove it?** Cloudflare bundled both with Tunnels + Access, and for a long time that was the easiest path.

Pangolin's contribution is bundling the same two layers in a single self-hosted package. The result feels familiar to anyone who has used Cloudflare Access — you publish a "resource" (your Plex, your internal Grafana, your dev environment), choose an authentication method, and Pangolin's reverse proxy enforces it on every request.

## Architecture in 60 Seconds

- **Pangolin server** runs on a small public VPS. It hosts Traefik, the admin UI, the identity database, and a WireGuard endpoint (the Gerbil component of the Compose stack).
- **Newt client** runs inside your private network as a Docker container. It dials out and establishes a WireGuard tunnel to Pangolin.
- **Resources** are HTTP(S) services on the private side. You register them in the Pangolin UI, attach an auth policy, and Traefik routes the matching hostname over the tunnel.
- **Users** authenticate through Pangolin's own identity layer (local users, magic links, TOTP) or a connected OIDC provider.

Because the inbound socket lives on the VPS and the tunnel is outbound from your LAN, you do not need a public IP, port forwarding, or even a static residential address. The flip side is that the VPS is now your entire internet-facing attack surface: the only things that should be listening there are Traefik on 80/443 and the WireGuard UDP port, and the LAN side never accepts a connection, it only dials out.

---

## Pangolin vs the Field

| Capability | Pangolin | Cloudflare Tunnel + Access | frp / rathole | Tailscale Funnel |
|------------|----------|---------------------------|---------------|------------------|
| Self-hosted | ✅ | ❌ (SaaS) | ✅ | ❌ (Funnel depends on Tailscale's hosted control plane and ingress; Headscale does not provide it) |
| Identity-aware proxy | ✅ (built in) | ✅ (Access) | ❌ | ❌ (Funnel traffic is anonymous public traffic; tailnet ACLs apply only inside the tailnet) |
| Per-resource auth method | ✅ | ✅ | ❌ | ❌ |
| Public sharing of one service | ✅ | ✅ | ✅ | ✅ |
| OIDC / SSO | ✅ | ✅ | ❌ | Workspace SSO only |
| Web admin UI | ✅ | ✅ | ❌ (config files) | ✅ (limited) |
| Works behind CGNAT | ✅ | ✅ | ✅ | ✅ |
| TLS termination | ✅ (Let's Encrypt via Traefik) | ✅ | Manual | ✅ |
| Cost | VPS only (~$5–7/mo) | Free tier + paid Access seats | VPS only | Free–$6/user/mo |
| Best for | Home lab + SMB self-hosters | Teams already on Cloudflare | Pure tunneling needs | Tailscale-first orgs |

Two takeaways:

1. **Pangolin and Cloudflare overlap the most.** They are the only options that include identity-aware access *and* the tunnel *and* a UI in one package.
2. **frp/rathole are not direct competitors** — they're the lower-level building block. Pangolin ships its own WireGuard layer instead of building on frp.

For a wider survey of the tunneling landscape, see [Open Source Alternatives to Cloudflare Tunnels](/guides/best-open-source-alternatives-cloudflare-tunnels-2026).

---

## Authentication Methods

Per-resource policies are Pangolin's most useful feature in practice. For each registered service you can choose:

- **Public** — no auth, just a clean public URL with TLS. Useful for marketing pages or webhook endpoints; for webhooks the receiving app must still verify the sender's signature, because Pangolin checks nothing on this path.
- **PIN code** — share a numeric code; Pangolin gates the request with it. Good for one-off shares; it is a single shared secret, so change it once the share is over.
- **Email one-time code** — magic-link style, no account required.
- **Local user** — username + password, optionally with TOTP enforced.
- **OIDC SSO** — federate to Authentik, Keycloak, Logto, Google Workspace, or anything OpenID-compatible.

Several methods can be enabled on the same resource, but they are alternatives rather than layers: a visitor who satisfies any one enabled method gets through, so adding a PIN code to an SSO-protected resource widens access instead of tightening it. A second factor comes from the account, not the resource: enforce TOTP on local users or at your OIDC provider, and an internal Grafana dashboard behind SSO gets it while a public status page on the same Pangolin instance stays open with no auth at all.

For wiring SSO into the OIDC step, [Authentik vs Keycloak vs Authelia](/guides/authentik-vs-keycloak-vs-authelia-2026) covers the trade-offs of each provider.

---

## Setup at a Glance

A typical install on a fresh Ubuntu 24.04 VPS:

```bash
mkdir pangolin && cd pangolin
# Save the installer to disk and read it before running it; never pipe a remote script straight into a shell
curl -fsSL https://docs.fossorial.io/install.sh -o install.sh
less install.sh
bash install.sh     # prompts for domain, admin email and SMTP, then writes the Compose stack
docker compose up -d
```

The installer prompts for the public domain, an admin email, and the SMTP credentials Pangolin uses for magic links. Within ten minutes you have:

- A Let's Encrypt certificate for the dashboard and each published hostname (a wildcard for `*.your-domain` needs the DNS-01 challenge, which means handing Traefik an API token for your DNS provider)
- The admin dashboard at `pangolin.your-domain`
- A WireGuard listener ready to accept the Newt client

On the LAN side, the Newt container is a single `docker run` using the site ID and secret the dashboard shows when you create a site. Treat that secret like a WireGuard private key: anyone holding it can attach a tunnel to your Pangolin. After that, exposing a service is three fields in the UI: hostname, internal target, auth policy.
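A post-install check worth running on the VPS itself, added here as an example and not anything Fossorial ships: it confirms that a protected resource refuses anonymous requests and that nothing beyond the expected ports is listening. The allow-list (SSH on 22, Traefik on 80/443, WireGuard on UDP 51820, which is Pangolin's shipped default) and the `RESOURCE_HOST` variable are assumptions rather than values from the guide, and the `ss` output samples are constructed.

```shell
#!/usr/bin/env bash
# Post-install checks for a Pangolin VPS. Added example, not Fossorial's tooling.
# Assumptions (not from the guide): SSH on 22, Traefik on 80/443, the WireGuard
# endpoint on UDP 51820, and RESOURCE_HOST naming a resource with a non-public policy.

# Takes the output of `ss -Hltun` (no header, one socket per line) and reports every
# listener bound to a non-loopback address that is not on the allow-list.
# Returns 0 when only the expected ports are exposed, 1 otherwise.
audit_listeners() {
    local allowed=" tcp:22 tcp:80 tcp:443 udp:51820 "
    local unexpected=0
    local proto state rq sq local_addr peer port
    while read -r proto state rq sq local_addr peer; do
        [ -z "$proto" ] && continue
        case "$local_addr" in
            127.*|\[::1\]*) continue ;;   # loopback-only services (internal APIs) are fine
        esac
        port=${local_addr##*:}
        case "$allowed" in
            *" $proto:$port "*) ;;
            *) echo "unexpected listener: $proto $local_addr"; unexpected=1 ;;
        esac
    done <<EOF
$1
EOF
    return $unexpected
}

# A protected resource must never answer 200 to an anonymous request. A redirect to
# the login page (302/303/307) or an explicit 401/403 is the expected answer; 000 means
# curl could not connect at all, which is also a failure.
gate_status_ok() {
    case "$1" in
        302|303|307|401|403) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed `ss -Hltun` samples: a clean install, then the same host with an internal
# service port published on every interface by a stray `ports:` entry.
SAMPLE_CLEAN='tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:3001 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
udp UNCONN 0 0 [::]:51820 [::]:*'
SAMPLE_LEAKY="$SAMPLE_CLEAN
tcp LISTEN 0 4096 0.0.0.0:3001 0.0.0.0:*"

# Live checks run only when RESOURCE_HOST is set, so the file can be sourced offline too.
if [ -n "${RESOURCE_HOST:-}" ]; then
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$RESOURCE_HOST/")
    if gate_status_ok "$code"; then
        echo "ok: $RESOURCE_HOST is gated (HTTP $code to an anonymous request)"
    else
        echo "FAIL: $RESOURCE_HOST returned HTTP $code without authentication"; exit 1
    fi
    audit_listeners "$(ss -Hltun)" && echo "ok: only the expected ports are listening"
fi
```

Run it as `RESOURCE_HOST=grafana.your-domain bash check.sh` after the first resource is published. If the gate check reports 200, the resource is set to Public or the auth policy did not save; if the listener audit names a port, a Compose service has a `ports:` mapping that should have been a loopback bind or an internal-only network.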

---

## When Pangolin Is the Right Call

**Choose Pangolin if:**

- You want Cloudflare Tunnel + Access ergonomics without sending traffic through Cloudflare
- You run more than two or three internal services and per-resource access policies matter
- You have an OIDC IdP already (Authentik, Keycloak, Logto) and want to plug it in
- You are comfortable maintaining a small VPS and a Docker stack

**Stay with Cloudflare if:**

- You are already paying for Cloudflare and the free Access seats cover your team
- You need the WAF, bot management, and DDoS scrubbing that come with Cloudflare's edge
- You explicitly *want* to offload TLS and request inspection to a third party

**Stay with raw frp / rathole if:**

- You only need to expose one or two services and you're fine handling auth inside each app
- You have very tight resource budgets where every megabyte counts

**Use Tailscale Funnel if:**

- Your organization already lives inside a tailnet and you only need occasional public sharing

---

## Operational Notes

- **Backups.** The Pangolin SQLite database lives in a single volume. A nightly `restic` snapshot of the data directory plus the Traefik certs is enough to recover. The [restic + rclone backup guide](/guides/automated-server-backups-restic-rclone-2026) maps cleanly onto Pangolin's data dir.
- **Updates.** `docker compose pull && docker compose up -d`. Pangolin ships frequently, and `pull` fetches whatever a tag currently points to, so pin every image to a minor version in production instead of `latest`, and read the changelog before upgrading majors.
- **High availability.** Pangolin is designed as a single instance. If you need HA, front it with a second VPS and DNS failover; this is rare for the home-lab and SMB use cases the tool targets.
- **Audit log.** The dashboard exposes per-resource access logs. Ship them to Loki if you want longer retention; see [Grafana + Prometheus + Loki](/guides/grafana-prometheus-loki-self-hosted-observability-stack-2026).
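The pin-before-pull habit from the Updates note, as an added shell guard that is not part of Pangolin: it reads the Compose file and refuses to continue when any `image:` lacks an explicit tag or digest, so an unpinned image cannot turn a routine pull into a surprise major upgrade. The image names, version tags and digest in the samples are constructed for the example.

```shell
#!/usr/bin/env bash
# Pre-upgrade guard for the Pangolin Compose stack. Added example, not part of Pangolin.
# Inspects only the standard Compose `image:` key. A digest (name@sha256:...) or an
# explicit version tag passes; `:latest` and tagless references fail.
check_pinned_images() {
    local bad=0 line image last
    while read -r line; do
        case "$line" in
            image:*) ;;
            *) continue ;;
        esac
        image=${line#image:}
        image=${image%%#*}                                   # drop a trailing YAML comment
        image=$(printf '%s' "$image" | tr -d "[:space:]'\"")   # drop whitespace and quotes
        last=${image##*/}   # last path segment, so a registry port (host:5000/...) is not taken for a tag
        case "$image" in
            *@sha256:*) continue ;;                          # digest pin: immutable, strongest form
        esac
        case "$last" in
            *:latest) echo "unpinned (latest): $image"; bad=1 ;;
            *:*)      ;;                                     # explicit version tag
            *)        echo "unpinned (no tag): $image"; bad=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
EOF
    return $bad
}

# Constructed Compose fragments. Tags and the digest are placeholders, not real releases.
SAMPLE_PINNED='services:
  pangolin:
    image: fosrl/pangolin:1.4.0       # minor-version pin
  gerbil:
    image: fosrl/gerbil@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
  traefik:
    image: "traefik:v3.3"'
SAMPLE_DRIFTING='services:
  pangolin:
    image: fosrl/pangolin:latest
  newt:
    image: registry.example.internal:5000/fosrl/newt'

# Live use: set COMPOSE_FILE to the stack's Compose file and the pull only happens when
# every image is pinned.
if [ -f "${COMPOSE_FILE:-}" ]; then
    check_pinned_images "$(cat "$COMPOSE_FILE")" && docker compose -f "$COMPOSE_FILE" pull
fi
```

A digest pin is the only form that survives a tag being re-pointed upstream; a version tag still trusts the registry not to move it, which is an acceptable trade for a home lab and worth tightening for an SMB that cannot watch every release.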

---

## Verdict

Pangolin is the first self-hosted option that genuinely competes with Cloudflare Tunnel + Access on ergonomics, not just on tunneling. If you're a home-lab operator tired of writing Traefik labels by hand, or an SMB that needs identity-aware exposure without a Cloudflare bill, Pangolin earns a place in the stack. It is not a Tailscale replacement and it is not a CDN — but it is the cleanest "publish a private service safely" experience the open source ecosystem has shipped to date.

---

*Related reading: [WireGuard vs OpenVPN](/guides/wireguard-vs-openvpn-self-hosted-vpn-2026) · [Traefik vs Caddy vs Nginx](/guides/traefik-vs-caddy-vs-nginx-reverse-proxy-self-hosting-2026) · [Open source alternatives to Cloudflare Tunnels](/guides/best-open-source-alternatives-cloudflare-tunnels-2026).*
