After a critical outage disrupted Cloudflare Tunnels and Access, a new open-source player is gaining traction among developers and sysadmins looking for control, flexibility and security.
In June 2025, a 2.5-hour outage in Cloudflare’s Access and Tunnel services left many users — from home lab enthusiasts to DevOps teams — unable to reach critical services. For many, this was the final wake-up call. Reliance on centralized, vendor-operated infrastructure had once again proven to be a potential single point of failure.
Enter Pangolin, a self-hosted, WireGuard-based reverse proxy with built-in identity and access management. Designed for privacy-focused users and organizations that require full sovereignty over their access layer, Pangolin positions itself as a compelling alternative to Cloudflare Tunnels — minus the vendor lock-in.
🛠️ What Is Pangolin?
Pangolin is an open-source Zero Trust access solution built around encrypted WireGuard tunnels and a clean, Docker-based deployment model. It acts as a self-managed replacement for tunnel services like Cloudflare Tunnels, offering:
- Encrypted reverse proxying (WireGuard-based)
- Full identity & access management (SSO, TOTP, OAuth2, OIDC, RBAC)
- No open firewall ports required
- Support for HTTP/HTTPS and raw TCP/UDP protocols
- Docker-first deployment with built-in multi-user organization support
- One-time link sharing with expiration, pin codes or passcodes
- API integration for automation
Whether you want to expose internal dev tools, IoT devices, or internal web dashboards — securely and without opening ports — Pangolin does the job efficiently.
🆚 Pangolin vs Cloudflare Tunnels: Key Differences
Feature | Pangolin | Cloudflare Tunnels |
---|---|---|
Hosting Model | Self-hosted (on your infrastructure) | Managed by Cloudflare |
Zero Trust Access | Yes (built-in, customizable) | Yes (via Cloudflare Access) |
WireGuard Encryption | Yes (native) | No (Cloudflare-proprietary tunnel) |
Port Requirements | No open ports needed | No open ports needed |
Pricing | Free (self-hosted); optional support | Free tier; paid for advanced features |
Open Source | Yes (MIT license) | No |
Custom Domains | Fully customizable | Limited in free tier |
Multi-region support | Available in enterprise version | Cloudflare network only |
Vendor Lock-in | None | High |
Setup Complexity | Moderate (VPS + Docker + DNS) | Easy (Cloudflare dashboard & CLI) |
Verdict: If you want simplicity and plug-and-play convenience, Cloudflare Tunnels may suffice. But if you want full control, privacy, transparency, and offline independence, Pangolin is the clear winner — especially for developers managing sensitive services or operating in regulated environments.
🔧 How It Works: A Quick Overview
Pangolin is designed to be deployed across two VPS instances: one for the Pangolin dashboard and another for the apps to be protected. However, it can also run on a single server.
Minimum requirements:
- 1 CPU, 1 GB RAM, 8 GB SSD (per node)
- Docker & WireGuard installed
- DNS entries for your domain (root, wildcard, and dashboard subdomains)
The setup process includes:
- Deploying Docker containers for Pangolin on the main server
- Creating “Sites” (equivalent to tunnel clients)
- Registering “Resources” (apps to be reverse-proxied)
- Setting access rules, user roles, and identity providers
- Automating tunnel persistence with systemd services
All configurations can be managed via the web-based UI, which supports multi-user organizations, RBAC, and integrations with OAuth2 or external identity providers.
🌐 Use Cases
- Home labs & hobby projects: Expose dashboards like Grafana or Home Assistant securely without opening ports.
- DevOps & internal tools: Publish staging environments, Jenkins, Prometheus, or internal APIs.
- IoT & edge devices: Securely connect to devices without relying on third-party VPNs.
- Enterprise access: Deploy multi-region HA tunnel architecture for secure, scalable access.
🏷️ Licensing & Support
Pangolin’s open-source edition (MIT licensed) includes all core features. There are no limitations or feature locks.
However, users can support the project via:
- $25 one-time supporter tier (for up to 5 users)
- $95 one-time tier (for unlimited users)
Enterprise users can contact the development team via fossoral.io for:
- Dedicated support and SLAs
- Custom branding and white-labeling
- Multi-region deployments
- Integration consultancy
This model of open monetization — where commercial support doesn’t compromise open-source values — has been praised for its transparency and sustainability.
🔐 Why It Matters
In an era of growing centralization, outages and rising security threats, self-hosted Zero Trust solutions like Pangolin offer a much-needed alternative.
While Cloudflare’s infrastructure remains powerful and reliable for most use cases, it inherently requires trust in an external actor — not ideal in regulated sectors or mission-critical deployments. Pangolin provides a rare combination: modern user experience, robust security, and full ownership.
For developers, sysadmins, or security professionals building their own access infrastructure, Pangolin isn’t just another tunnel — it’s a statement about digital sovereignty and operational autonomy.
Conclusion
Whether you’re managing a critical infrastructure setup or running a personal home lab, Pangolin deserves your attention. As a fully open-source, self-hosted, and flexible Zero Trust platform, it offers a level of control and independence that’s hard to match.
With support for modern encryption, customizable authentication, and multi-architecture compatibility — all backed by an active development team — Pangolin stands out as a serious contender in the next wave of secure, decentralized access solutions.
👉 More info: https://fossoral.io
👉 Source code: https://github.com/fossoral/pangolin
