Introducing Pangolin Tunnels: A Game-Changer in Open Source Networking

In the world of networking and cybersecurity, the quest for secure, user-friendly, and open-source solutions is always on. Enter Pangolin Tunnels, a breakthrough in how we think about exposing private resources to the internet securely. Here’s an in-depth look at what Pangolin offers, why it’s revolutionary, and how you can leverage it for your projects or home lab.

What is Pangolin?

flowchart TD
    %% Client Zone
    subgraph "Client Zone"
        direction TB
        Browser["User Browser"]:::external
        Frontend["Next.js Frontend"]:::ui
    end

    %% Server Zone
    subgraph "Server Zone"
        direction TB

        subgraph "Edge Proxy & Infra"
            direction TB
            Traefik["Traefik Reverse Proxy"]:::infra
            CrowdSecExt["CrowdSec (External)"]:::external
            LetsEncrypt["Let's Encrypt"]:::external
        end

        subgraph "Hybrid Server"
            direction TB
            NextServer["NextServer (UI/API)"]:::ui
            APIProxy["Integration API Server"]:::api
        end

        subgraph "API Layer"
            direction TB
            ApiServer["apiServer.ts"]:::api
            InternalServer["internalServer.ts"]:::api
            HybridServer["hybridServer.ts"]:::api
            IntegrationApi["integrationApiServer.ts"]:::api
            Routers["Backend Routers"]:::api
            Middlewares["Middlewares"]:::security
            Lib["Business Logic / Libraries"]:::api
        end

        subgraph "Data Layer"
            direction TB
            PGConfig["drizzle.pg.config.ts"]:::db
            SQLiteConfig["drizzle.sqlite.config.ts"]:::db
            PGFolder["server/db/pg"]:::db
            SQLiteFolder["server/db/sqlite"]:::db
            Database["Database (Postgres/SQLite)"]:::db
        end

        subgraph "Security & Identity"
            direction TB
            Auth["Authentication & Access Management"]:::security
            OIDC["OIDC Integration"]:::security
            Email["Email Templates & SMTP"]:::security
        end

        subgraph "Tunnel Management"
            direction TB
            NewtRouter["Newt Router"]:::infra
            ExitNodesLib["Exit Nodes Logic"]:::infra
        end

        subgraph "Installer & Tooling"
            direction TB
            Installer["Go Install Orchestrator"]:::infra
            CLI["CLI Wrapper"]:::infra
            DSL["DSL Scripting (Bruno)"]:::infra
            Orchestration["Docker & Compose Orchestration"]:::infra
        end

        subgraph "Frontend Utilities"
            direction TB
            Contexts["Front-end Contexts"]:::ui
            Providers["Front-end Providers"]:::ui
            Hooks["Front-end Hooks"]:::ui
            ApiLib["Front-end API Lib"]:::ui
        end

        EnvConfig["Env & Logging Config"]:::infra
        Localization["Localization Assets"]:::ui
    end

    %% External Identity and SMTP
    IdP["External IdP/OIDC Providers"]:::external
    SMTP["Email SMTP Service"]:::external

    %% Connections
    Browser -->|"HTTPS"| Traefik
    Traefik -->|"routes UI/API"| NextServer
    NextServer -->|HTTP| ApiServer
    ApiServer -->|requests| Middlewares
    Middlewares -->|calls| Routers
    Routers -->|uses| Lib
    Lib -->|queries| Database
    APIProxy -->|websocket| NewtRouter
    NewtRouter -->|manages tunnel| ExitNodesLib
    Traefik -->|"ACME"| LetsEncrypt
    Traefik -->|"plugin"| CrowdSecExt
    Installer -->|orchestrates| Traefik
    Installer -->|orchestrates| ApiServer
    Installer -->|orchestrates| NewtRouter
    Installer -->|orchestrates| CrowdSecExt
    Installer -->|orchestrates| Database
    Auth -->|redirect| IdP
    Auth -->|email codes| SMTP
    Email -->|send| SMTP

    %% Click Events
    click Frontend "https://github.com/fosrl/pangolin/tree/main/src/"
    click ApiServer "https://github.com/fosrl/pangolin/blob/main/server/apiServer.ts"
    click InternalServer "https://github.com/fosrl/pangolin/blob/main/server/internalServer.ts"
    click HybridServer "https://github.com/fosrl/pangolin/blob/main/server/hybridServer.ts"
    click IntegrationApi "https://github.com/fosrl/pangolin/blob/main/server/integrationApiServer.ts"
    click Routers "https://github.com/fosrl/pangolin/tree/main/server/routers/"
    click Middlewares "https://github.com/fosrl/pangolin/tree/main/server/middlewares/"
    click Lib "https://github.com/fosrl/pangolin/tree/main/server/lib/"
    click PGConfig "https://github.com/fosrl/pangolin/blob/main/drizzle.pg.config.ts"
    click SQLiteConfig "https://github.com/fosrl/pangolin/blob/main/drizzle.sqlite.config.ts"
    click PGFolder "https://github.com/fosrl/pangolin/tree/main/server/db/pg/"
    click SQLiteFolder "https://github.com/fosrl/pangolin/tree/main/server/db/sqlite/"
    click Database "https://github.com/fosrl/pangolin/blob/main/server/db/pg/index.ts"
    click Auth "https://github.com/fosrl/pangolin/tree/main/server/auth/"
    click OIDC "https://github.com/fosrl/pangolin/blob/main/server/lib/idp/generateRedirectUrl.ts"
    click OIDC "https://github.com/fosrl/pangolin/tree/main/server/routers/idp/"
    click Email "https://github.com/fosrl/pangolin/tree/main/server/emails/"
    click NewtRouter "https://github.com/fosrl/pangolin/tree/main/server/routers/newt/"
    click ExitNodesLib "https://github.com/fosrl/pangolin/blob/main/server/lib/exitNodes/exitNodes.ts"
    click ExitNodesLib "https://github.com/fosrl/pangolin/blob/main/server/lib/exitNodeComms.ts"
    click Traefik "https://github.com/fosrl/pangolin/blob/main/config/traefik/traefik_config.yml"
    click Traefik "https://github.com/fosrl/pangolin/blob/main/config/traefik/dynamic_config.yml"
    click Traefik "https://github.com/fosrl/pangolin/blob/main/install/config/traefik/traefik_config.yml"
    click Traefik "https://github.com/fosrl/pangolin/blob/main/install/config/traefik/dynamic_config.yml"
    click Traefik "https://github.com/fosrl/pangolin/blob/main/server/lib/traefikConfig.ts"
    click Traefik "https://github.com/fosrl/pangolin/tree/main/server/routers/traefik/"
    click CrowdSecExt "https://github.com/fosrl/pangolin/tree/main/install/config/crowdsec/"
    click CrowdSecExt "https://github.com/fosrl/pangolin/blob/main/install/config/crowdsec/docker-compose.yml"
    click CrowdSecExt "https://github.com/fosrl/pangolin/blob/main/install/config/crowdsec/profiles.yaml"
    click Installer "https://github.com/fosrl/pangolin/blob/main/install/main.go"
    click CLI "https://github.com/fosrl/pangolin/blob/main/cli/index.ts"
    click CLI "https://github.com/fosrl/pangolin/blob/main/cli/wrapper.sh"
    click DSL "https://github.com/fosrl/pangolin/tree/main/bruno/"
    click Orchestration "https://github.com/fosrl/pangolin/blob/main/docker-compose.yml"
    click EnvConfig "https://github.com/fosrl/pangolin/blob/main/config/config.example.yml"
    click Localization "https://github.com/fosrl/pangolin/tree/main/messages/"
    click Contexts "https://github.com/fosrl/pangolin/tree/main/src/contexts/"
    click Providers "https://github.com/fosrl/pangolin/tree/main/src/providers/"
    click Hooks "https://github.com/fosrl/pangolin/tree/main/src/hooks/"
    click ApiLib "https://github.com/fosrl/pangolin/tree/main/src/lib/api/"

    %% Styles
    classDef ui fill:#cce5ff,stroke:#004085,color:#004085
    classDef api fill:#b8daff,stroke:#004085,color:#004085
    classDef security fill:#d4edda,stroke:#155724,color:#155724
    classDef infra fill:#fff3cd,stroke:#856404,color:#856404
    classDef db fill:#e2e3e5,stroke:#6c757d,color:#6c757d
    classDef external fill:#f8d7da,stroke:#721c24,color:#721c24

Pangolin is an open-source, self-hosted server that manages tunneled reverse proxies. It’s designed to provide secure access to private services without needing to open ports on your router, which is particularly useful in environments where port forwarding isn’t possible or when you want to maintain a high level of security.

Key Features:

  • WireGuard Tunneling: Pangolin uses WireGuard, a modern, fast VPN that utilizes state-of-the-art cryptography. This ensures that your data remains secure while traveling through tunnels from your private network to the public internet.

  • Identity and Access Management: Beyond just tunneling, Pangolin includes comprehensive identity and access controls, allowing for user authentication, role-based access, and features like one-time passwords or email authentication for added security.

  • User Interface: With an intuitive web dashboard, managing your tunnels, users, and resources has never been simpler. The dashboard allows you to configure everything from site connections to user permissions without delving into complex command lines.

  • SSL Automation: Pangolin automates SSL certificate management with Let’s Encrypt, ensuring your services are available via secure HTTPS connections effortlessly.

  • Support for Multiple Protocols: Whether you’re dealing with HTTP/HTTPS or raw TCP/UDP services, Pangolin can handle it, making it versatile for various applications.

Why Pangolin is a Revolution in Open Source

  • Control and Privacy: By hosting your own tunneling solution, you retain full control over your data and network security, reducing reliance on third-party services which might track or monetize your data.

  • Cost-Effective: Unlike proprietary solutions, Pangolin is free to use, modify, and distribute. This opens up high-quality networking capabilities to hobbyists, small businesses, and large enterprises looking to cut costs or avoid vendor lock-in.

  • Community Driven: Being open source, Pangolin benefits from community contributions. This means bugs are fixed, features are added, and the software evolves rapidly to meet user needs.

  • Ease of Use: Pangolin’s interface and installation process are designed with the user in mind, making complex networking tasks accessible to a broader audience, from networking novices to seasoned professionals.

How to Get Started with Pangolin

  1. Installation: Pangolin can be installed via Docker, which simplifies setup across different environments. There are detailed guides on the official documentation or community forums to help you get started.
     • Prerequisites: You’ll need a domain name and a server (like a VPS) where Pangolin can run.

     • Docker Compose: There’s an easy-to-follow Docker Compose file that sets up Pangolin alongside necessary components like Traefik and Gerbil (for WireGuard interface management).

  2. Configuration:
     • Create Organizations and Sites: Define your structure for managing different environments or projects within Pangolin.

     • Set Up Tunnels: Connect your private services to the public internet by configuring tunnels through the Pangolin dashboard.

  3. Security:
     • Implement user authentication. Decide who can access which services by defining roles and permissions.

     • Ensure all traffic is encrypted by leveraging Pangolin’s SSL automation.

  4. Testing and Usage: Once configured, test your services from the internet to ensure they’re accessible, secure, and functioning as expected.
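
One way to run the external test from step 4 against the goals of step 3, as an added example that is not part of Pangolin or its documentation: probe a published resource without credentials and flag a failed certificate check, plain HTTP that is not redirected to HTTPS, or content returned without authentication. The hostname app.example.com, the names Observation, probe and evaluate, and the expectation that a protected resource answers unauthenticated requests with a redirect or an error rather than a 2xx are assumptions.

```python
import http.client
import ssl
from dataclasses import dataclass

@dataclass
class Observation:
    http_status: int      # status of unauthenticated GET http://host/
    http_location: str    # its Location header, "" if absent
    https_status: int     # status of unauthenticated GET https://host/ (0 = no TLS session)
    cert_verified: bool   # handshake passed CA-chain and hostname validation

def probe(host: str, timeout: float = 5.0) -> Observation:
    """Live check: sends no credentials and does not follow redirects."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/")
    r = plain.getresponse()
    http_status, http_location = r.status, r.getheader("Location", "")
    plain.close()
    try:
        tls = http.client.HTTPSConnection(
            host, 443, timeout=timeout, context=ssl.create_default_context())
        tls.request("GET", "/")
        https_status, verified = tls.getresponse().status, True
        tls.close()
    except ssl.SSLError:  # includes certificate verification failures
        https_status, verified = 0, False
    return Observation(http_status, http_location, https_status, verified)

def evaluate(o: Observation) -> list[str]:
    """Return findings; an empty list means the resource passed all three checks."""
    findings = []
    if not o.cert_verified:
        findings.append("TLS certificate failed validation")
    if not (o.http_status in (301, 302, 307, 308)
            and o.http_location.startswith("https://")):
        findings.append("plain HTTP is not redirected to HTTPS")
    if 200 <= o.https_status < 300:
        findings.append("content served without authentication")
    return findings

# Constructed observations (assumed values, not captured from a real deployment).
HARDENED = Observation(308, "https://app.example.com/", 302, True)
EXPOSED = Observation(200, "", 200, True)
BAD_CERT = Observation(308, "https://app.example.com/", 0, False)

if __name__ == "__main__":
    for name, obs in (("hardened", HARDENED), ("exposed", EXPOSED), ("bad cert", BAD_CERT)):
        print(name, evaluate(obs))
    # Live run against your own resource: print(evaluate(probe("app.example.com")))
```

Run the live probe from a network outside the tunnel, such as a mobile connection, so the result reflects what the internet actually sees.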

Use Cases

  • Home Labs: Securely expose services like Plex, Jellyfin, or your own web applications to the internet without the hassle of port forwarding.

  • Business Applications: For small businesses, manage access to internal tools or applications for remote employees or clients securely.

  • Education and Learning: A fantastic tool for students or enthusiasts learning about networking, security, and how applications are deployed and accessed over the internet.

Community and Support

Pangolin has an active community on platforms like Reddit, GitHub, and Discord. Here, you can find support, share configurations, and even contribute to the project’s development. The documentation is thorough, and community members are generally eager to help newcomers get started.

Conclusion

Pangolin Tunnels represent more than just another open-source project; they symbolize a shift towards democratizing advanced networking tools. Whether you’re a developer, a sysadmin, or just someone passionate about technology, Pangolin offers you the tools to secure your network, control your data, and explore new possibilities in application deployment and access. Give it a try, contribute if you can, and join the growing community of users who are excited about what Pangolin brings to the table in the open-source ecosystem.