Pangolin on Your VPS Series
    Part 5 of 6

    Private Resource Access

    SSH, databases, RDP, and full subnet access through Pangolin's client-based private tunnels — zero-trust without a traditional VPN.

    30 minutes
    Pangolin client required

    Browser Access vs. Client Access

    HTTP/S Resources (Part 4)

    Web apps via browser. Authentication at the Pangolin gateway. No client software needed.

    Private Resources (this article)

    Non-HTTP services via Pangolin client. WireGuard connection to the target. TCP and UDP supported.

    Installing the Pangolin Client

    Available for Linux, macOS, Windows, iOS, and Android. Install via the dashboard: Clients → Add Client.

    Linux installation
    curl -fsSL https://pangolin.net/downloads/client-linux-amd64 \
      -o /usr/local/bin/pangolin-client
    chmod +x /usr/local/bin/pangolin-client

    Use Case: SSH Access

    Create a private resource: Type → Private, Protocol → TCP, Target Host → 192.168.1.10, Port → 22, DNS Alias → homeserver.ssh

    Connect via Pangolin client
    ssh user@homeserver.ssh

    SSH config integration (~/.ssh/config)
    Host homeserver
      HostName homeserver.ssh
      User vanessa
      IdentityFile ~/.ssh/id_ed25519
      Port 22

    Then just ssh homeserver. No public ports, no jump hosts.

    Use Case: Database Access

    Databases stay on private networks. Authorized users connect through Pangolin's encrypted tunnel.

    PostgreSQL

    Private resource: TCP, Target 192.168.1.20:5432, DNS Alias postgres.home

    Connect
    psql -h postgres.home -U myuser -d mydatabase
    # Or connection string:
    # postgresql://myuser:mypassword@postgres.home:5432/mydatabase

    MySQL / MariaDB

    Same pattern with port 3306.

    Redis & MongoDB

    redis-cli -h redis.home -p 6379
    # MongoDB:
    # mongodb://mongodb.home:27017/mydb

    Access control applies at the tunnel layer — if a user isn't granted access, they can't even reach the port.

    Use Case: Remote Desktop (RDP)

    Private resource: TCP, Target 192.168.1.30:3389, DNS Alias windows-desktop.home

    Linux (FreeRDP)
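    # Leave out /p: to be prompted instead; that keeps the password out of shell history and the process list
    xfreerdp /v:windows-desktop.home /u:Administrator /p:yourpassword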

    Works with Windows built-in RDP, Microsoft Remote Desktop on macOS, Remmina on Linux.

    Entire Network Range Access

    Expose an entire subnet: Private Resource, TCP+UDP, Target 192.168.1.0/24. Connected users can reach any device on that subnet.

    ⚠️ Use judiciously — network range access is broader than resource-specific access. Per-service resources with specific ports are the more secure default.

    TCP Pass-Through

    For services like Gitea SSH that need a TCP port on your VPS's public IP:

    Gitea SSH pass-through
    # TCP Resource: Public Port 2222 → Target localhost:22 on Gitea site
    
    # app.ini
    [server]
    SSH_DOMAIN = git.yourdomain.com
    SSH_PORT = 2222

    Open port on VPS
    ufw allow 2222/tcp

    Organizing Access at Scale

    Create roles with named resource permissions:

    Role            Resources
    Admin           All resources, full access
    Family          Jellyfin, Home Assistant, Nextcloud
    Developer       Gitea, Grafana, Portainer, PostgreSQL, Redis
    Remote Support  SSH to specific servers only
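
    A subnet-range resource and per-role grants interact: a role holding the range can reach services it was never granted by name. The check below is an added example, not Pangolin code or its configuration format; the RESOURCES and ROLES dictionaries are a constructed inventory built from this article's addresses, and the "lan-range" name and the role assignments are assumptions.

```python
import ipaddress

# Constructed inventory using the addresses from this article.
# The dict layout is hypothetical, not Pangolin's configuration format.
RESOURCES = {
    "homeserver.ssh":       {"target": "192.168.1.10", "port": 22, "protos": {"tcp"}},
    "postgres.home":        {"target": "192.168.1.20", "port": 5432, "protos": {"tcp"}},
    "windows-desktop.home": {"target": "192.168.1.30", "port": 3389, "protos": {"tcp"}},
    "lan-range":            {"target": "192.168.1.0/24", "port": None, "protos": {"tcp", "udp"}},
}

# Constructed role grants; "Family" holding the range grant is the mistake to catch.
ROLES = {
    "Remote Support": ["homeserver.ssh"],
    "Developer": ["postgres.home"],
    "Family": ["lan-range"],
}

def covers(grant, res):
    """True if holding `grant` lets a client reach the service behind `res`."""
    gnet = ipaddress.ip_network(grant["target"], strict=False)
    rnet = ipaddress.ip_network(res["target"], strict=False)
    if not rnet.subnet_of(gnet):
        return False
    # A port of None means "every port" (range resource).
    if grant["port"] is not None and grant["port"] != res["port"]:
        return False
    return res["protos"] <= grant["protos"]

def implicit_access(roles=ROLES, resources=RESOURCES):
    """Map each role to resources it can reach without being granted them by name."""
    findings = {}
    for role, granted in roles.items():
        extra = sorted(
            name for name, res in resources.items()
            if name not in granted
            and any(covers(resources[g], res) for g in granted)
        )
        if extra:
            findings[role] = extra
    return findings

if __name__ == "__main__":
    for role, extra in implicit_access().items():
        print(f"{role}: range grant also reaches {', '.join(extra)}")
```

    Any role that appears in the output has more reach than its named grants suggest; replacing the range with per-service resources removes the finding.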