VPS 4GB
Start small with reliable VPS performance.
Renews at $19.99/month
Core Resources
- 2 vCPU
- 4 GB RAM
- 80 GB SSD Storage
- Unmetered Transfer

30-day money back guarantee!

Pangolin VPS Docker Hosting
Pangolin needs a public IPv4 and open UDP 51820, and a GreenGeeks VPS gives both, with sustained network throughput for the WireGuard tunnel under it.






GreenGeeks gives Pangolin a public-IP VPS with sustained bandwidth, fast SSD for tunnel state, 24/7 uptime, and renewable-matched green servers.
A public-IP VPS with steady bandwidth keeps the WireGuard tunnel low-latency for users on each side.
Root access lets you open the WireGuard and Gerbil UDP ports the docs require, with no ticket waits.
Solid-state storage holds peers, ACL data, and certificate state with low I/O lag during peak hours.
24/7 uptime keeps Newt clients online, so the home services stay reachable through the tunnel daily.
Full root access, guaranteed resources, and unmetered transfer — you take control.

Scale up apps, databases, and containers.
Renews at $39.99/month

Run production workloads with more resources.
Renews at $79.99/month

High-capacity VPS for demanding applications.
Renews at $109.99/month

Pangolin is an open-source, identity-based remote access platform built by Fossorial on top of WireGuard. It pairs a tunneled reverse proxy with VPN-style access, so private services on a home or office network are exposed to the public web without opening any inbound port on the local side at all.
The project is dual-licensed under AGPL-3 for the Community Edition and a commercial license that is free for personal use and small businesses. By February 2026, the GitHub repository had crossed 19,000 stars and 580 forks, and the Discord community had grown past 3,600 members during the months after the public launch in mid-2025.
You can use Pangolin to expose almost any private service to a browser without opening home ports. Operators commonly publish Home Assistant, Nextcloud, Immich photo libraries, Plex and Jellyfin media servers, Paperless-ngx archives, internal admin dashboards, SSH, and RDP through it. Family-friendly access with PIN protection on each resource is a recurring use case across the community.
A single Pangolin instance can manage multiple sites, with one Newt client per remote network. That lets you route IoT through a segregated tunnel, link friends and family LANs back through a central control plane, or run a small site-to-site setup. HTTP, HTTPS, and raw TCP or UDP resources are all supported through the dashboard.

Pangolin ships as three core services. The Pangolin app runs the dashboard, Gerbil manages the WireGuard interface on the VPS, and Traefik handles HTTP routing and Let's Encrypt SSL termination. The Newt client runs on each private network and dials outbound to the VPS, so CGNAT, double-NAT, and restrictive firewalls do not block the tunnel from forming during normal operation.
Built-in identity covers OIDC and OAuth providers, including Authentik, Authelia, Keycloak, Auth0, Google, and GitHub, with role-based access control, resource-level PIN protection, temporary shareable links, geolocation rules, and IP allow lists. Native CrowdSec integration blocks malicious IPs at the edge before they touch the WireGuard tunnel.

Everything you need to know about self-hosting Pangolin on GreenGeeks VPS.
Pangolin is an open-source, identity-based remote access platform built on WireGuard. It combines a tunneled reverse proxy with VPN-style access, so you can publish private services to the public web without opening any inbound port on the local network. The project is dual-licensed under AGPL-3 for the Community Edition and a commercial license that is free for personal use and small businesses earning under $100,000 a year. Fossorial, the company behind it, raised a seed round in 2025 and ships frequent updates to the platform.
Yes, Pangolin is the most-cited self-hosted alternative to Cloudflare Tunnel and Cloudflare Access. The architectural difference is that the public-IP VPS you run is the only ingress, so traffic never passes through a third-party edge network. Operators choose Pangolin when they want sovereignty over their data path, when they want to expose media servers that the Cloudflare Tunnel terms of service forbid, or when they prefer self-hosted single sign-on baked directly into the same control plane as the reverse proxy itself.
Newt is the userspace WireGuard tunnel client that runs on your home or office network. It dials outbound to the Pangolin VPS over WireGuard, which is how CGNAT, double-NAT, and restrictive corporate firewalls become non-issues for inbound access. You install Newt on a Linux machine or in a Docker container inside the private network, paste the NEWT_ID and NEWT_SECRET values from the Pangolin dashboard, and within a few seconds the site flips from offline to online in the main control panel.
One virtual CPU and 512 megabytes to one gigabyte of RAM is enough for personal and homelab use. The official documentation recommends one to two gigabytes of RAM, one to two virtual CPUs, and 20 to 25 gigabytes of storage for stronger performance. On a two virtual CPU, four gigabyte ARM VPS, the Pangolin and Gerbil containers idle at around 80 megabytes of memory together. A small VPS plan covers homelab access for most operators today.
Yes. The Newt client dials the WireGuard tunnel outbound to the public VPS, which is how the architecture sidesteps CGNAT, double-NAT, and restrictive home networks without any router reconfiguration. This is one of the main reasons new operators adopt the platform over solutions that require port forwarding or special carrier cooperation. The home or office network does not need a public IP, does not need open inbound ports, and does not need help from the internet provider to make the access path function reliably.
Yes, the self-hosted Community Edition is free and open source under the AGPL-3 license. The Enterprise Edition is also free for personal use and for businesses earning under $100,000 a year. Pangolin Cloud, the managed service, includes a free tier with 25 gigabytes of bandwidth, one site, one domain, and three users, with paid plans starting at four dollars per user per month. Most homelab and small-team setups run inside the free terms without restriction.
A Pangolin server on a public-IP VPS terminates HTTPS and runs a WireGuard server called Gerbil. A lightweight client called Newt runs on your home or office network and dials outbound over WireGuard to the VPS, so no inbound port ever needs to open on the local side. Traefik then routes incoming requests through the tunnel to your private services. The result is identity-gated access on a public domain, with all the network state held on hardware you control daily.
On the VPS, Pangolin needs TCP 80 and 443 for HTTP and HTTPS, UDP 51820 for the primary WireGuard tunnel, and UDP 21820 for the Gerbil management interface. If you enable HTTP/3, UDP port 443 is also exposed. On the home or office side, no inbound ports are needed at all, since Newt makes the connection outbound. Cloud security groups and host firewalls both need to allow these UDP ports, which is a common cause of failed first-time installs.
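One way to confirm that the VPS-side ports listed above are bound on a non-loopback address, as an added example that is not from Pangolin or GreenGeeks. It parses `ss -H -tuln` output; the function names and the sample listener lines are constructed for illustration, and a bound socket does not by itself show that a cloud security group permits the traffic.

```shell
#!/bin/sh
# Added example. The port list is the one this page gives for the VPS side.
REQUIRED_PORTS="tcp/80 tcp/443 udp/51820 udp/21820"

# Reads `ss -H -tuln` output on stdin and prints every required proto/port
# that has no non-loopback listener, one per line. Prints nothing when all
# required ports are bound.
pangolin_missing_ports() {
    awk -v required="$REQUIRED_PORTS" '
        $1 == "tcp" || $1 == "udp" {
            addr = $5                               # Local Address:Port column
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            # A loopback-only socket is not reachable from Newt or browsers.
            if (host ~ /^127\./ || host == "[::1]") next
            seen[$1 "/" port] = 1
        }
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i]
        }'
}

# Constructed sample of `ss -H -tuln` output: UDP 21820 is bound to loopback
# only, so it must be reported as missing even though a socket exists.
SAMPLE_LISTENERS='udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:21820 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 [::]:443 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Runs the check over the constructed sample instead of the live host.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | pangolin_missing_ports
}

# On a real VPS, feed it the live listener table instead:
#   ss -H -tuln | pangolin_missing_ports
check_sample
```

An empty result means every required port has a listener; the same ports still need an allow rule in the host firewall and in any cloud security group in front of the VPS.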
Yes, you need a domain you control so Pangolin can issue Let's Encrypt SSL certificates through Traefik and route per-service subdomains cleanly. A wildcard DNS record pointed at the VPS is the typical setup, since it lets you publish many resources under a single base domain without editing DNS for each one. Cloudflare and most other registrars work as DNS hosts. The DNS challenge flow is also supported when the standard HTTP challenge gets blocked by a firewall in front of port 80.
Yes, Pangolin supports HTTP, HTTPS, and raw TCP and UDP resources through the tunnel. That means you can tunnel SSH, RDP, databases, game servers, and self-hosted media servers without restriction. This is a notable capability gap over the Cloudflare Tunnel free tier, which restricts non-HTTP traffic and explicitly forbids streaming video. Operators publishing Plex or Jellyfin libraries through their own infrastructure are usually the loudest voices on this point in homelab forums and community Discord channels.
Run self-hosted Pangolin on GreenGeeks VPS hosting — public IPv4 with open UDP 51820, sustained network throughput for the WireGuard tunnel, fast SSD for tunnel state, and 24/7 uptime, all on 300% renewable-powered servers.
Public-IP VPS with steady bandwidth keeps the WireGuard tunnel low-latency.
Root access to open UDP 51820 and 21820 without ticket waits.
SSD holds peers, ACL data, and certificate state with low I/O lag.
300% renewable energy match on every VPS.