RamNode logo
    Sign UpLogin
    6-Part Tutorial Series

    Pangolin on Your VPS

    From architecture overview to production-hardened zero-trust access — self-hosted tunneled reverse proxy with WireGuard, identity-aware access control, and no open ports on your private network.

    Zero-trust access
    ~3 hours total
    1 KVM VPS required
    Start Part 1

    What You'll Build

    Infrastructure & Tunneling

    • • Pangolin + Gerbil + Traefik on a RamNode KVM VPS
    • • WireGuard tunnels via Newt — no open ports on private networks
    • • Multi-site management across home labs and remote servers

    Access & Production

    • • HTTPS resources for Nextcloud, Jellyfin, Gitea, and more
    • • Private access to SSH, databases, RDP, and full subnets
    • • SSO, CrowdSec, automated backups, and update workflow

    Series Roadmap

    Part 1: Introduction & Architecture

    15 min

    What Pangolin is, the full Fossorial stack (Pangolin + Gerbil + Traefik + Newt), four deployment modes, licensing, and RamNode-specific sizing recommendations including the KVM vs. OpenVZ WireGuard caveat.

    Part 2: VPS Provisioning, DNS, Firewall & Installation

    30 min

    Server hardening, Docker install, DNS configuration with A and wildcard records, Cloudflare proxy-mode notes, UFW firewall, the interactive installer walkthrough, directory structure, and auto-start verification.

    Part 3: Connecting Sites with Newt

    25 min

    Three deployment scenarios: Newt as a systemd service, Newt in Docker Compose with container-to-container routing, and Newt on a remote VPS. Multi-site management, IP conflict handling, and troubleshooting.

    Part 4: Exposing Web Applications

    30 min

    Resource creation flow with per-app configs for Nextcloud, Jellyfin, Gitea, Portainer, Grafana, and Home Assistant. Access control modes, share links, custom domains, WebSocket handling, and routing debug.

    Part 5: Private Resource Access

    30 min

    Client-based access to SSH, PostgreSQL, MySQL, Redis, MongoDB, and RDP. Entire network range access, TCP pass-through for Gitea SSH, and role-based access organization at scale.

    Part 6: Production Hardening

    40 min

    OIDC SSO for Google Workspace, Microsoft Entra, and Authentik. CrowdSec with Traefik bouncer, Fail2ban, backup scripts with Docker stop-snapshot-restart and rclone sync, restore procedure, update workflow, and Uptime Kuma monitoring.

    Prerequisites

    • • A RamNode KVM VPS — 1 GB ($6/mo) for personal use, 2 GB+ for teams (WireGuard requires KVM)
    • • A domain name with DNS control (wildcard A record support)
    • • Ubuntu 22.04 or 24.04 LTS
    • • SSH access to the VPS
    • • Basic Linux command line knowledge

    Looking for a Quick-Start Guide?

    If you want a condensed, single-page walkthrough to get Pangolin running quickly, check out our standalone deployment guide.

    Pangolin Quick-Start Guide