Key Features
- Encrypted WireGuard tunnels through NAT/firewalls
- Identity-aware access control (SSO, OIDC, 2FA)
- Automatic SSL via Let's Encrypt
- Centralized dashboard for multiple sites
- Built on Traefik for robust reverse proxy
- No port forwarding required on client networks
Prerequisites
Before starting, ensure you have:
VPS Requirements
- Ubuntu 22.04/24.04 or Debian 11/12
- 1GB RAM minimum (2GB recommended)
- 20GB+ SSD storage
- Public IPv4 address
Additional Requirements
- Domain with DNS management access
- Email for SSL certificates
- SSH root/sudo access
- Basic Linux knowledge
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP & Let's Encrypt challenges |
| 443 | TCP | HTTPS traffic |
| 51820 | UDP | WireGuard tunnel (Gerbil) |
| 21820 | UDP | Client connections |
Configure DNS Records
Before installing Pangolin, configure your domain's DNS records:
| Type | Name | Value | Purpose |
|---|---|---|---|
| A | pangolin | Your VPS IP | Dashboard |
| A | * | Your VPS IP | Wildcard for apps |
Example Configuration:
pangolin.example.com → A → 192.0.2.100
*.example.com → A → 192.0.2.100
⚠️ Cloudflare Users: Set proxy status to "DNS only" (gray cloud) to allow Let's Encrypt to issue certificates.
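A pre-install check for the two records above, as an added example that is not part of Pangolin or the original guide: it confirms that the dashboard name and an arbitrary label under the wildcard both resolve to the VPS address, which Let's Encrypt issuance depends on. The function names are hypothetical, and the domain and IP are the guide's placeholder values.

```shell
#!/bin/sh
# Added example: DNS preflight for a Pangolin install. Function names are
# hypothetical; example.com / 192.0.2.100 are the guide's placeholder values.

# resolve_a NAME: print the distinct IPv4 addresses NAME resolves to.
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# check_record NAME EXPECTED_IP: succeed only if NAME resolves to exactly
# EXPECTED_IP. A record still proxied by Cloudflare resolves to Cloudflare's
# edge addresses instead, so it fails here.
check_record() {
    chk_got=$(resolve_a "$1")
    if [ -z "$chk_got" ]; then
        echo "FAIL $1: no A record found"
        return 1
    fi
    if [ "$chk_got" != "$2" ]; then
        echo "FAIL $1: resolves to $(echo $chk_got), expected $2"
        return 1
    fi
    echo "OK   $1 -> $2"
}

# preflight_dns BASE_DOMAIN DASHBOARD_DOMAIN VPS_IP
preflight_dns() {
    pre_rc=0
    check_record "$2" "$3" || pre_rc=1
    # A throwaway label can only resolve through the wildcard record.
    check_record "preflight-$$.$1" "$3" || pre_rc=1
    return $pre_rc
}

# Runs only when called with three arguments, e.g.:
#   sh preflight.sh example.com pangolin.example.com 192.0.2.100
if [ "$#" -eq 3 ]; then
    preflight_dns "$@"
fi
```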
Install Pangolin
Connect to your VPS and run the installation:
```
sudo apt update && sudo apt upgrade -y
```
```
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 51820/udp
sudo ufw allow 21820/udp
sudo ufw reload
```
```
curl -fsSL https://pangolin.net/get-installer.sh | bash
sudo ./installer
```
Installation Prompts:
- Base Domain: Your root domain (e.g., example.com)
- Dashboard Domain: Subdomain for dashboard (e.g., pangolin.example.com)
- Email Address: For Let's Encrypt SSL certificates
- Admin Email: Login credentials for the dashboard
- Admin Password: Min 8 chars with mixed case, numbers, symbols
- Tunneling (Gerbil): Select Yes to enable WireGuard
- CrowdSec: Optional intrusion detection
- SMTP Settings: Optional email functionality
✅ Installation typically takes 2-3 minutes. You'll see a success message with the dashboard URL.
Complete Initial Setup
Access and configure your Pangolin dashboard:
Dashboard URL:
https://pangolin.yourdomain.com
- Open your browser and navigate to your dashboard URL
- If you see an SSL warning, wait a few minutes for Let's Encrypt
- Complete the setup wizard to create your admin account
- Create your first Organization (e.g., "Home", "Lab", company name)
💡 The dashboard provides centralized management for Sites, Resources, Users & Roles, and Analytics.
Create a Site
A Site represents a location where your services run (home server, office, cloud VM):
- Click "Sites" in the left navigation
- Click "Add Site +" button
- Enter a descriptive name (e.g., "Home Server", "Office Network")
- Select "Newt Tunnel" as the connection method
- Copy and securely save the generated credentials:
  - Newt Endpoint
  - Newt ID
  - Newt Secret Key
- Check the confirmation box and click "Create Site"
⚠️ Note: The site will show as "Offline" until you install the Newt client on your local server.
Install the Newt Client
The Newt client runs on your local server and creates a secure WireGuard tunnel to Pangolin:
Option A: Docker Installation (Recommended)
```
mkdir -p ~/newt && cd ~/newt
```
```
# docker-compose.yml
services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.example.com
      - NEWT_ID=your_newt_id
      - NEWT_SECRET=your_newt_secret
```
```
docker compose up -d
```
Option B: Binary Installation
```
curl -fsSL https://pangolin.net/install-newt.sh | bash
```
```
newt --id YOUR_ID --secret YOUR_SECRET --endpoint https://pangolin.example.com
```
✅ Once Newt connects, your site status will change from "Offline" to "Online" (green).
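A variant of the Option A setup that keeps the Newt secret out of the compose file, as an added example that is not from the Pangolin project: the credentials go into an owner-only `newt.env` loaded through Compose's `env_file` key, and a second function audits an existing directory for an inline secret or loose file permissions. The file name `newt.env` and both function names are assumptions; the variable names are the ones in the compose file above.

```shell
#!/bin/sh
# Added example: store Newt credentials in a 0600 env file instead of inline.
# newt.env and the function names are assumptions, not Pangolin conventions.

# write_newt_config DIR: reads endpoint, Newt ID and Newt secret from stdin
# (one per line), so the secret never appears in argv or shell history.
write_newt_config() {
    cfg_dir=$1
    IFS= read -r cfg_endpoint && IFS= read -r cfg_id && IFS= read -r cfg_secret || return 1
    (
        umask 077                          # new files are owner-only
        mkdir -p "$cfg_dir" || exit 1
        printf 'PANGOLIN_ENDPOINT=%s\nNEWT_ID=%s\nNEWT_SECRET=%s\n' \
            "$cfg_endpoint" "$cfg_id" "$cfg_secret" > "$cfg_dir/newt.env"
        chmod 600 "$cfg_dir/newt.env"      # also tightens a pre-existing file
    ) || return 1
    # The compose file carries no credentials, so it is safe to back up.
    cat > "$cfg_dir/docker-compose.yml" <<'EOF'
services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    env_file:
      - ./newt.env
EOF
}

# audit_newt_config DIR: non-zero if the secret is inline in the compose file
# or newt.env is accessible to group/other.
audit_newt_config() {
    audit_rc=0
    if grep -q 'NEWT_SECRET=' "$1/docker-compose.yml"; then
        echo "FAIL: NEWT_SECRET is inline in docker-compose.yml"
        audit_rc=1
    fi
    audit_mode=$(ls -l "$1/newt.env" | cut -c5-10)   # group+other permission bits
    if [ "$audit_mode" != "------" ]; then
        echo "FAIL: newt.env is accessible to group/other ($audit_mode)"
        audit_rc=1
    fi
    return $audit_rc
}
```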
Add Resources
Resources are the individual applications you want to expose through Pangolin:
- Click "Resources" in the left navigation
- Click "Add Resource +" button
- Enter a name (e.g., "Jellyfin", "Nextcloud")
- Select the Site where this service runs
- Choose "HTTP Resource" for web applications
- Enter the subdomain (e.g., "jellyfin" creates jellyfin.example.com)
- Click "Create Resource"
Configure Target:
- Click "Edit" on your resource
- Scroll to "Target Configuration"
- IP Address: Local IP of your service (use localhost if on same machine as Newt)
- Port: The port your service listens on
- SSL: Enable if backend uses HTTPS
| Service | Subdomain | Target IP | Port |
|---|---|---|---|
| Jellyfin | jellyfin | 192.168.1.100 | 8096 |
| Nextcloud | cloud | 192.168.1.101 | 443 |
| Home Assistant | home | 192.168.1.50 | 8123 |
Configure Authentication
Pangolin provides multiple authentication methods to secure your resources:
Available Methods:
- Platform SSO (default)
- Username/Password
- Single Password
- 6-Digit PIN
- Two-Factor Authentication
- Temporary Share Links
Disable Auth (Public Resources):
- Edit the resource
- Go to "Authentication" tab
- Toggle "Use Platform SSO" off
- Click "Save Users & Roles"
Troubleshooting
Site Shows "Offline"
- Verify Newt is running: `docker ps | grep newt`
- Check Newt logs: `docker logs newt`
- Ensure UDP ports 51820 and 21820 are open on VPS
- Verify endpoint URL and credentials are correct
SSL Certificate Issues
- Ensure DNS records point to your VPS IP
- If using Cloudflare, disable proxy (use DNS only)
- Wait a few minutes for Let's Encrypt to issue certificates
- Check Traefik logs: `docker logs traefik`
Cannot Access Resources
- Verify target IP and port are correct
- Ensure the service is running on the local network
- Check Newt can reach target: `ping <target-ip>`
- Review firewall rules on the local server
Updating Pangolin:
```
cd /path/to/pangolin
docker compose pull
docker compose up -d
```
🎉 Deployment Complete!
You now have a fully functional Pangolin deployment on your RamNode VPS. Your self-hosted tunneled reverse proxy provides secure access to your applications without exposing your home network or dealing with port forwarding.
