Pangolin: A Self-Hosted Alternative to Cloudflare Tunnels
Pangolin is a self-hosted, tunneled reverse proxy that serves as a strong alternative to closed solutions like Cloudflare Tunnels and Ngrok. Pangolin empowers users with ownership of their infrastructure and network traffic, while also providing a suite of additional features like SSO, RBAC, multi-tenancy, resource passcodes, and more.
The typical Pangolin deployment involves setting up the central server on a VPS, which acts as a public-facing gateway that obscures your actual home or office IP address from the internet. Then, you attach remote sites to the Pangolin server by installing its tunnel client, Newt, on your private networks. When someone accesses your services, their requests first hit the VPS before Pangolin routes traffic through encrypted Newt tunnels back to your remote sites. This architecture allows you to bypass common ISP restrictions like CGNAT and eliminates the need to open ports on your router.
Common Use Cases
- Secure remote access to internal applications: Enable employees or team members to access private applications securely using identity-based authentication, using just a web browser and not requiring client-side software.
- API gateway for IoT devices: Provide secure, low-latency, and globally accessible API endpoints for IoT devices and monitor field equipment.
- Cloud-agnostic proxy for multi-cloud and on-premises environments: Simplify access to services across multiple cloud providers and on-premises infrastructure through a unified, centralized proxy.
- Front applications deployed on customer networks: Securely expose and manage access to applications hosted on external customer networks without requiring direct control or public IP exposure.
Why Pangolin and CrowdSec Are a Perfect Match
When you deploy Pangolin on a VPS, you’re creating a single ingress point for all your services. This deployment model means your VPS becomes a critical component of your security boundary. Therefore, the security of your VPS directly impacts the security of your entire infrastructure. This is where CrowdSec enhances the equation.
CrowdSec is an open source, collaborative intrusion prevention system that detects suspicious activity by analyzing logs in real time. When an IP is identified as malicious, it’s not just blocked locally but also shared with the broader CrowdSec network, a constantly updated, community-powered threat intelligence database.
The integration of Pangolin and CrowdSec represents a philosophy that aligns with the self-hosting and open-source ethos that Pangolin champions. With CrowdSec, everyone has access to enterprise-grade threat intelligence that would otherwise be too cost-prohibitive for individual users or small organizations.
How the Integration Provides Better Web Defense
Under the hood, Pangolin uses Traefik to route packets to resources on remote sites connected to the Pangolin server. Traefik is built to be modular with its excellent plugin ecosystem. For example, Pangolin implements zero-trust access via a custom plugin called Badger, which authenticates every request.
CrowdSec also benefits from the same system by providing the CrowdSec Remediation Component, which taps into all HTTP requests to analyze the full spectrum of activity, turning that visibility into action. The remediation component is able to block attackers and share threat intelligence.
How to Get Started
Getting started with self-hosting Pangolin with CrowdSec is straightforward. You can install Pangolin with CrowdSec pre-configured in one shot using the Pangolin installer script. Refer to the Pangolin documentation for the latest installation instructions, but it’s as easy as running the script as seen below on any Linux installation:
ubuntu@ip-172-31-27-116:~/crowdsec$ sudo ./installer
Basic configuration
Enter your base domain (no subdomain e.g. example.com): example.com
Enter the domain for the Pangolin dashboard (default: pangolin.example.com):
Enter email for Let's Encrypt certificates: admin@example.com
Do you want to use Gerbil to allow tunneled connections (yes/no) (default: yes):
Email configuration
Enable email functionality (SMTP) (yes/no) (default: no):
Starting installation
Would you like to install and start the containers? (yes/no) (default: yes):
Pulling the container images...
[+] Pulling 3/3
CrowdSec install
Would you like to install CrowdSec? (yes/no) (default: no): yes
This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.
Are you willing to manage CrowdSec? (yes/no) (default: no): yes
Stopping containers...
[+] Running 4/4
Traefik log volume is already configured
Added dependency of crowdsec to traefik
Starting containers...
[+] Running 10/10
Restarting containers...
[+] Restarting 1/1
Installation complete!
To complete the initial setup, please visit: https://pangolin.example.com/auth/initial-setup
The script creates all the necessary configuration files, pulls down the containers, and starts the stack. Assuming your VPS is accessible with a public IP, you’ve set up your domain DNS records and opened needed HTTP and WireGuard ports on your VPS firewall, you can instantly begin using your Pangolin instance protected by CrowdSec.
Conclusion
Using Pangolin and CrowdSec together uniquely positions you to enhance your security posture. Pangolin serves as an ingress gateway to remote sites, while CrowdSec actively blocks threats. Together, they form a powerful self-hosted alternative to Cloudflare Tunnels and WAFs, giving you both privacy and proactive defense. By deploying CrowdSec, you’re not only securing your infrastructure, you’re also contributing to a collective defense network that strengthens protection for all participants.
For optimal results, always consult the latest documentation for both tools to ensure optimal configuration and security.
