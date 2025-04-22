One of the most useful services to any home labber is a VPN, so that you can access your home network from anywhere and browse as if you're at home. That not only lets you use any self-hosted services you have on your NAS without having to open ports to the wider internet, but it also circumvents any geo-blocked services and nicely encrypts your data, so nobody can snoop in.

This works well, but there's another issue that crops up when you have a mix of servers, containerized services, and other things in your home lab. It gets downright annoying to connect to them by IP address and port, and it's much simpler to set up a reverse proxy to simplify access and management from a single IP. Inside, you translate incoming requests to the domain name of the self-hosted apps, and you can even set up nice dashboards to make things even easier.

I've used various VPNs, from self-hosted WireGuard to ZeroTier and Tailscale, alongside various combinations of reverse proxies, which work well but have the annoyance that you're managing two services at all times, and they're not all managed with easy-to-read web interfaces.

But then I found Pangolin, and everything clicked. Here was a self-hosted reverse proxy management server that deploys easily, has Traefik and WireGuard tunnel clients, and also has access control. It's essentially a Cloudflare Tunnel, but you're self-hosting it, so everything is under your control, and it's rapidly becoming my favorite reverse proxy and VPN solution.

What is Pangolin? Why would you use it?

Manage your reverse proxy with this self-hosted management server with authentication and more

Source: Fossorial

Pangolin made me very excited when I started reading the documentation, because it does so many things that you'll want as a home labber, and it does them in an effortless, stylish way. Imagine Nginx, Authelia, and Cloudflare Tunnel in one package, but able to be self-hosted on your own VPS or server, so you're always in control. It builds on WireGuard and Traefik to do so, with a custom management application and central server, several custom plugins, and a custom WireGuard client. Those components include:

Pangolin: Management server

Management server Gerbil : WireGuard interface management

: WireGuard interface management Traefik : Modular reverse proxy with extensibility

: Modular reverse proxy with extensibility Badger : Traefik plugin for authentication

: Traefik plugin for authentication Newt: Minimal user space WireGuard client

Because it uses WireGuard tunnels, you don't need to open any ports on your firewall or router. This makes it perfect for users behind restrictive CGNAT, DS-Lite, or strict ISP firewalls, as it can punch straight through the NAT and connect to your self-hosted apps without exposing them. It's deployed in minutes thanks to Docker, and once the web-based interface is up, it walks you through getting the rest of the connections set up. It's all incredibly simple, and now I don't need to worry about CLI commands or SSH'ing into my reverse proxy to get things connected.

Why is Pangolin better than the alternatives?

Simplicity and security, but that's not all

Using Pangolin has a few big benefits over traditional reverse proxies, but the biggest for me is that it doesn't need any ports opened to work. Plus, it's got centralized SSO with role-based access control and support for 2FA to make things even more secure. It automates SSL management with Let's Encrypt, is built with Zero Trust, and is self-hosted, which is a massive plus over many of the other comparable services.

It's modern, has modular plugin support for anything Traefik can use, is easy to deploy with Docker Compose, and has load balancing built in. It's security-focused, has built-in tunneling, and makes your home lab much easier to manage.