Web Defense with Pangolin and CrowdSec

Pangolin: A Self-Hosted Alternative to Cloudflare Tunnels

Pangolin is a self-hosted, tunneled reverse proxy that serves as a strong alternative to closed solutions like Cloudflare Tunnels and Ngrok. Pangolin empowers users with ownership of their infrastructure and network traffic, while also providing a suite of additional features like SSO, RBAC, multi-tenancy, resource passcodes, and more.

The typical Pangolin deployment involves setting up the central server on a VPS, which acts as a public-facing gateway that obscures your actual home or office IP address from the internet. Then, you attach remote sites to the Pangolin server by installing its tunnel client, Newt, on your private networks. When someone accesses your services, their requests first hit the VPS before Pangolin routes traffic through encrypted Newt tunnels back to your remote sites. This architecture allows you to bypass common ISP restrictions like CGNAT and eliminates the need to open ports on your router.

Common Use Cases

  • Secure remote access to internal applications: Enable employees or team members to access private applications securely using identity-based authentication, using just a web browser and not requiring client-side software.
  • API gateway for IoT devices: Provide secure, low-latency, and globally accessible API endpoints for IoT devices and monitor field equipment.
  • Cloud-agnostic proxy for multi-cloud and on-premises environments: Simplify access to services across multiple cloud providers and on-premises infrastructure through a unified, centralized proxy.
  • Front applications deployed on customer networks: Securely expose and manage access to applications hosted on external customer networks without requiring direct control or public IP exposure.

Why Pangolin and CrowdSec Are a Perfect Match

When you deploy Pangolin on a VPS, you’re creating a single ingress point for all your services. This deployment model means your VPS becomes a critical component of your security boundary. Therefore, the security of your VPS directly impacts the security of your entire infrastructure. This is where CrowdSec enhances the equation.

CrowdSec is an open source, collaborative intrusion prevention system that detects suspicious activity by analyzing logs in real time. When an IP is identified as malicious, it’s not just blocked locally but also shared with the broader CrowdSec network, a constantly updated, community-powered threat intelligence database.

The integration of Pangolin and CrowdSec represents a philosophy that aligns with the self-hosting and open-source ethos that Pangolin champions. With CrowdSec, everyone has access to enterprise-grade threat intelligence that would otherwise be too cost-prohibitive for individual users or small organizations.

How the Integration Provides Better Web Defense

Under the hood, Pangolin uses Traefik to route packets to resources on remote sites connected to the Pangolin server. Traefik is built to be modular with its excellent plugin ecosystem. For example, Pangolin implements zero-trust access via a custom plugin called Badger, which authenticates every request.

CrowdSec plugs into the same system through the CrowdSec Remediation Component, which taps into all HTTP requests to analyze the full spectrum of activity and turns that visibility into action. The remediation component is able to block attackers and share threat intelligence.
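The flow described above (log analysis producing a block decision, then a per-request check at the proxy) can be modelled in a few lines. This is an added, simplified example, not code from Pangolin, Traefik or CrowdSec: the leaky-bucket rule, its thresholds, the sample log lines and the blocklist range are all constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta

def _line(ip, path, status, sec):
    # Constructed sample entry using Traefik's JSON access-log field names.
    return json.dumps({"ClientHost": ip, "RequestPath": path,
                       "DownstreamStatus": status,
                       "StartUTC": f"2025-01-01T00:00:{sec:02d}Z"})

# Constructed traffic: one client probing 8 missing paths in 8 s, one normal client.
SAMPLE_LOG = [_line("203.0.113.7", f"/probe{i}", 404, i) for i in range(8)] + [
    _line("198.51.100.4", "/", 200, 1),
    _line("198.51.100.4", "/missing", 404, 5),
]
COMMUNITY = ["192.0.2.0/24"]   # constructed stand-in for a shared blocklist range
CAPACITY = 5                   # assumed threshold: overflow above 5 pending events
LEAK = timedelta(seconds=10)   # assumed drain rate: one event per 10 s

def detect(lines, capacity=CAPACITY, leak=LEAK):
    """Leaky bucket per client IP over 4xx responses; return the IPs that overflow."""
    buckets, offenders = {}, set()          # ip -> (fill level, last event time)
    for raw in lines:
        ev = json.loads(raw)
        if not 400 <= ev["DownstreamStatus"] < 500:
            continue
        ip = ev["ClientHost"]
        ts = datetime.fromisoformat(ev["StartUTC"].replace("Z", "+00:00"))
        level, last = buckets.get(ip, (0.0, ts))
        level = max(0.0, level - (ts - last) / leak) + 1   # drain, then add event
        buckets[ip] = (level, ts)
        if level > capacity:
            offenders.add(ip)
    return offenders

def remediate(client_ip, decisions):
    """Per-request check at the proxy: 403 if the IP matches a decision, else 200."""
    addr = ipaddress.ip_address(client_ip)
    hit = any(addr in ipaddress.ip_network(d) for d in decisions)
    return 403 if hit else 200

if __name__ == "__main__":
    decisions = sorted(detect(SAMPLE_LOG)) + COMMUNITY
    for ip in ("203.0.113.7", "192.0.2.55", "198.51.100.4"):
        print(ip, remediate(ip, decisions))
```

The single 404 from the normal client drains away without reaching the threshold, while the burst of probes overflows the bucket on its sixth request.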

How to Get Started

Getting started with self-hosting Pangolin with CrowdSec is straightforward. You can install Pangolin with CrowdSec pre-configured in one shot using the Pangolin installer script. Refer to the Pangolin documentation for the latest installation instructions, but it’s as easy as running the script as seen below on any Linux installation:


ubuntu@ip-172-31-27-116:~/crowdsec$ sudo ./installer

Basic configuration
Enter your base domain (no subdomain e.g. example.com): example.com
Enter the domain for the Pangolin dashboard (default: pangolin.example.com):
Enter email for Let's Encrypt certificates: admin@example.com
Do you want to use Gerbil to allow tunneled connections (yes/no) (default: yes):

Email configuration
Enable email functionality (SMTP) (yes/no) (default: no):

Starting installation
Would you like to install and start the containers? (yes/no) (default: yes):
Pulling the container images...
[+] Pulling 3/3

CrowdSec install
Would you like to install CrowdSec? (yes/no) (default: no): yes
This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.
Are you willing to manage CrowdSec? (yes/no) (default: no): yes
Stopping containers...
[+] Running 4/4
Traefik log volume is already configured
Added dependency of crowdsec to traefik
Starting containers...
[+] Running 10/10
Restarting containers...
[+] Restarting 1/1

Installation complete!
To complete the initial setup, please visit: https://pangolin.example.com/auth/initial-setup

The script creates all the necessary configuration files, pulls down the containers, and starts the stack. Assuming your VPS is reachable on a public IP, your domain’s DNS records are set up, and the needed HTTP and WireGuard ports are open on your VPS firewall, you can instantly begin using your Pangolin instance protected by CrowdSec.

Conclusion

Using Pangolin and CrowdSec together uniquely positions you to enhance your security posture. Pangolin serves as an ingress gateway to remote sites, while CrowdSec actively blocks threats. Together, they form a powerful self-hosted alternative to Cloudflare Tunnels and WAFs, giving you both privacy and proactive defense. By deploying CrowdSec, you’re not only securing your infrastructure, you’re also contributing to a collective defense network that strengthens protection for all participants.

For best results, always consult the latest documentation for both tools when configuring and securing your deployment.
