Pangolin
An open-source, identity-based zero-trust remote access platform built on WireGuard — a self-hostable alternative to Cloudflare Tunnel and Twingate with SSO, OIDC, and tunneled reverse proxying.
Pangolin is a zero-trust network access (ZTNA) platform built on WireGuard, letting you expose internal services and SSH access to the internet without opening inbound ports, while enforcing identity-based access control via SSO and OIDC. It’s positioned as a self-hostable alternative to services like Cloudflare Tunnel and Twingate for teams that want the same tunneled reverse-proxy model without depending on a third party’s network.
Built with a Next.js frontend and a Node.js/TypeScript server, Pangolin includes its own licensing module, a Drizzle-based database layer supporting both Postgres and SQLite, and client apps for Mac, Windows, Linux, iOS, and Android in addition to the server components.
The project uses a three-tier model: a fully managed Pangolin Cloud, a free AGPL-3-licensed self-hosted Community Edition, and a self-hosted Enterprise Edition under the Fossorial Commercial License — which is itself free for personal/hobbyist use and for businesses under $100K USD gross annual revenue, only requiring payment above that threshold.
What You Get
- WireGuard-based tunneling to expose internal services without opening inbound ports
- Identity-based access control with SSO and OIDC integration
- A free, AGPL-3-licensed self-hosted Community Edition alongside a Cloud and Enterprise option
- Native client apps for Mac, Windows, Linux, iOS, and Android
Common Use Cases
- Exposing internal services or SSH access securely without opening inbound firewall ports on your network
- Replacing Cloudflare Tunnel or Twingate with a self-hosted zero-trust access layer you control end to end
- Enforcing SSO/OIDC-based access policies for remote employees or contractors reaching internal infrastructure
- Running a self-hosted alternative to commercial ZTNA tools for compliance or cost reasons
Under The Hood
Architecture
Pangolin separates a Next.js-based src/frontend from a Node.js/TypeScript server handling the API (apiServer.ts), internal networking (internalServer.ts), auth, and its own license module — the presence of a dedicated license module in the server codebase reflects the project’s dual open-source/commercial licensing model being enforced at the application layer rather than just documented in a LICENSE file. Database access goes through Drizzle ORM with configs for both Postgres and SQLite, letting self-hosters choose their backend.
Tech Stack
TypeScript across frontend (Next.js) and backend (Node.js), WireGuard as the underlying tunneling protocol, Drizzle ORM for database access (Postgres or SQLite), and Docker Compose for deployment (with example compose files for different database backends and mail testing via Mailpit). Native clients exist for desktop and mobile platforms alongside the server.
Code Quality
A license_header_checker.py script enforces consistent license headers across files, which matters given the dual AGPL/commercial licensing model, and the project shows a very active, consistently maintained commit history. Both are signals of an actively developed, process-conscious codebase.
What Makes It Unique
Pangolin’s specific bet is combining WireGuard’s tunneling with identity-based (SSO/OIDC) access control in a fully self-hostable package, then funding development through a commercial license that’s free below a revenue threshold rather than gating core self-hosting behind a paywall from the start.
Self-Hosting
Licensing Model
Dual-licensed: files are either under AGPL-3 (the default and most common) or the Fossorial Commercial License, with AGPL-3 files also available commercially if a separate agreement is signed.
Self-Hosting Restrictions
The free Community Edition (AGPL-3) covers self-hosting with no revenue-based restriction. The Enterprise Edition (Fossorial Commercial License) is free for personal/hobbyist use and for businesses under $100K USD gross annual revenue — payment is only required above that threshold.
Cloud vs Self-Hosted
Pangolin Cloud offers a fully managed service requiring no self-hosted infrastructure, positioned as the easiest way to start; self-hosting (Community or Enterprise Edition) gives full control over the deployment.
License Key Required
Only for Enterprise Edition self-hosting above the revenue threshold; Community Edition and Pangolin Cloud do not require one for typical use.
Related Apps
RustDesk
Networking
Open-source, self-hosted remote desktop built in Rust — your data, your infrastructure, no third-party cloud.
AGPL 3.0
frp
Networking
A fast reverse proxy that exposes local servers behind NAT or firewalls to the public internet with multi-protocol support.
Apache 2.0
LocalSend
Networking
An open-source, cross-platform AirDrop alternative that sends files and messages device-to-device over your local network with no internet, no account, and no cloud server involved.