Pangolin for Zero Trust Remote Access

Remote access is still one of the easiest places to accumulate risk. Teams start with a VPN, add exposed admin panels, create firewall exceptions, then spend years trying to remember which path protects which service. Pangolin treats private access as an identity and routing problem, not just a network tunnel problem.
What Is Pangolin?
Pangolin is an open-source, identity-based remote access platform built on WireGuard. It combines a tunneled reverse proxy for browser-based web apps with client-based access for SSH, databases, RDP, and internal network ranges.
The useful detail for operators is the outbound connector model. Pangolin sites create gateways into private networks using outbound tunnels and NAT traversal, so resources can stay behind restrictive firewalls without public IPs or broad inbound ports.
Key Features
- Tunneled reverse proxy: Publish internal web apps through authenticated browser access with SSL certificates, routing, and health checks.
- WireGuard-based private access: Reach SSH servers, databases, and private ranges through Pangolin clients with friendly DNS aliases.
- Granular RBAC: Use built-in users or an external identity provider, then grant access to specific resources rather than entire subnets.
- Self-hosted Community Edition: Run the AGPL-3 licensed edition yourself, or use Pangolin Cloud when you want a managed control plane.
- Redundant connectors: Route traffic through multiple connectors so private access does not depend on one gateway host.
Installation
The official quick install flow expects a Linux server with root access, a public IP, dashboard DNS, a Let's Encrypt email, and firewall access for 80/tcp, 443/tcp, 51820/udp, and 21820/udp.
Download and run the installer:
curl -fsSL https://static.pangolin.net/get-installer.sh | bash
sudo ./installer
During setup, choose the edition, enter your base domain, set the dashboard domain, provide a Let's Encrypt email, and decide whether to install Gerbil for tunneled connections.
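Before running the installer, it helps to confirm that nothing on the host already listens on the four ports listed in the prerequisites. The script below is an added example, not part of Pangolin or of the original article; the helper name busy_required_ports and the sample ss output are constructed, and it assumes the Pangolin stack needs to bind these ports itself.

```shell
#!/bin/sh
# Added example: report which of the ports the quick install needs
# (80/tcp, 443/tcp, 51820/udp, 21820/udp) are already bound on this host.
# busy_required_ports is a hypothetical helper name, not a Pangolin command.

REQUIRED_PORTS="80/tcp 443/tcp 51820/udp 21820/udp"

# Reads `ss -H -tuln` output on stdin and prints the required ports that
# already have a listener, space-separated, in the order they appear.
busy_required_ports() {
  awk -v need="$REQUIRED_PORTS" '
    BEGIN { n = split(need, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      port = $5
      sub(/.*:/, "", port)               # drop the address, keep the port
      key = port "/" $1
      if ((key in want) && !(key in seen)) {
        seen[key] = 1                    # IPv4 and IPv6 listeners count once
        out = (out == "" ? key : out " " key)
      }
    }
    END { print out }'
}

# Constructed sample of `ss -H -tuln` output (not from a real host):
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8443       0.0.0.0:*'

busy=$(printf '%s\n' "$SAMPLE_SS" | busy_required_ports)
if [ -n "$busy" ]; then
  echo "already in use: $busy"
else
  echo "required ports are free"
fi
# On a real server: ss -H -tuln | busy_required_ports
```

A listener on one of these ports usually means an existing web server or WireGuard interface that should be moved or stopped before setup; the check does not cover the upstream firewall or cloud security group, which still has to allow the same four ports.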
Usage Pattern
A good first production test is an internal runbook, Grafana, or admin service that should not sit directly on the internet. Put the connector near the private network, publish the web app through Pangolin, require authentication, then grant access to the operators who need it.
For non-web resources, use Pangolin clients and resource definitions instead of handing users a full VPN route. That keeps the blast radius smaller when a laptop or contractor account becomes risky.
Operational Tips
Treat Pangolin as part of your access-control plane. Back up its configuration, monitor connector health, and review grants alongside cloud IAM and Kubernetes RBAC.
Be strict with naming. Resource names, DNS aliases, and organization boundaries should show who owns a service and what environment it reaches.
Conclusion
Pangolin is worth testing if your team wants to replace scattered VPN rules, exposed admin panels, and one-off tunnels with a single identity-aware access layer. It keeps private services private while still making them reachable for the right people.
