Part 1 of 4

Pangolin Setup: VPS-to-Home Tunnels

Install Pangolin on a cheap VPS, deploy the Newt client at home, and establish your first encrypted WireGuard tunnel — no port forwarding required.

30–45 min

Beginner–Intermediate

Just need a quick setup?

Our standalone Pangolin deployment guide covers the basics in a streamlined walkthrough.

Quick Start

Prerequisites

VPS with public IP, domain name, home server with Docker

Time to Complete

~30–45 minutes

What You'll Build

Encrypted WireGuard tunnel from VPS to home network

Pangolin has exploded from zero to nearly 19,000 GitHub stars in under a year, and for good reason. It solves a problem every home-labber knows: securely exposing services running on your home network to the outside world without punching holes in your router's firewall.

Traditional approaches force you to juggle port forwarding, dynamic DNS, a separate reverse proxy like Nginx or Caddy, and yet another authentication layer such as Authelia. Pangolin replaces all of that with a single, self-hosted platform built on WireGuard. Install it on a cheap VPS, deploy the lightweight Newt client at home, and Pangolin handles encrypted tunnels, SSL certificates, traffic routing, and identity-aware access control from one dashboard.

Why Pangolin Over Traditional Approaches

Pangolin is a three-component system developed by Fossorial (a Y Combinator 2025 company). Each component is named after a fossorial (burrowing) animal:

Component	Role	Technology
Pangolin	Central management server with dashboard, identity and access control, resource configuration	Node.js / PocketBase
Gerbil	WireGuard interface management server that handles tunnel creation and peer management	Go
Traefik	Integrated reverse proxy and load balancer for routing, SSL certificates, and traffic management	Go

The traffic flow is straightforward: a user's browser connects to your VPS over HTTPS, Traefik terminates SSL and routes the request through the WireGuard tunnel managed by Gerbil, and the Newt client on your home network forwards it to the target service. Your home IP is never exposed, and no inbound ports need to be opened on your router.

Key Advantage

Pangolin works behind CGNAT, DS-Lite, and restrictive ISP firewalls because all tunnel traffic is outbound from your home network. If you can reach the internet, you can use Pangolin.

Prerequisites

• A VPS with a public IP address. RamNode's KVM Standard plan at $5/month (1 vCPU, 1 GB RAM, 12 GB SSD) is more than sufficient. Pangolin's three containers typically consume around 650 MB of RAM combined.
• A domain name you control with access to DNS management. A wildcard A record (*.tunnel.yourdomain.com) simplifies adding services later, but a single subdomain works to start.
• Ubuntu 24.04 LTS on the VPS (Debian 12, Fedora, RHEL, and Amazon Linux are also supported).
• SSH access to your VPS with root or sudo privileges.
• A home server or NAS capable of running Docker (a Raspberry Pi 4 or later works fine).
• An email address for Let's Encrypt certificate registration.

Step 1: Provision and Harden Your VPS

Spin up a new KVM Standard instance on RamNode with Ubuntu 24.04 LTS. Once the server is online, SSH in and perform initial hardening:

VPS initial hardening

ssh root@YOUR_VPS_IP

# Update packages
apt update && apt upgrade -y

# Create a non-root user
adduser deploy
usermod -aG sudo deploy

# Harden SSH
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

# Configure UFW firewall
ufw allow 22/tcp      # SSH
ufw allow 80/tcp      # HTTP (Let's Encrypt ACME challenge)
ufw allow 443/tcp     # HTTPS
ufw allow 51820/udp   # WireGuard tunnel
ufw enable

Important: Make sure you've copied your SSH public key to the deploy user before disabling password authentication, or you'll lock yourself out.

Step 2: Configure DNS

Point your domain to the VPS. At minimum, create these DNS records:

Type	Name	Value	Purpose
A	pangolin.yourdomain.com	YOUR_VPS_IP	Pangolin dashboard
A	*.tunnel.yourdomain.com	YOUR_VPS_IP	Wildcard for all exposed services

The wildcard record is optional but highly recommended. It means every new service you expose automatically gets a subdomain (jellyfin.tunnel.yourdomain.com, nextcloud.tunnel.yourdomain.com) without touching DNS again.

DNS Tip

If your registrar doesn't support wildcard records, you can use Cloudflare as your DNS provider (free tier) with the proxy toggle disabled. Pangolin handles its own SSL via Let's Encrypt.

Step 3: Install Pangolin

Pangolin provides an official installer script that sets up Docker, Docker Compose, Pangolin, Gerbil, and Traefik in one pass. SSH into your VPS as the deploy user and run:

Install Pangolin

curl -fsSL https://static.pangolin.net/get-installer.sh | bash
sudo ./installer

The installer walks you through an interactive configuration. Here's what each prompt expects:

• Base Domain: Enter your root domain (e.g., yourdomain.com).
• Dashboard Subdomain: The subdomain for the Pangolin admin UI (e.g., pangolin, giving you pangolin.yourdomain.com).
• Let's Encrypt Email: A valid email for certificate registration and renewal notices.
• Admin Email: The login email for the first Pangolin admin account.
• Admin Password: Choose a strong password. You'll change this or add 2FA later.
• Install CrowdSec: Select Yes — we'll configure it in depth in Part 4, but having the bouncer installed now saves time later.
• SMTP Configuration: Optional but recommended for password resets and user invitations. You can configure this later in config.yml.

The installer typically takes two to three minutes. When it finishes, it will start the Docker containers automatically.

Step 4: Verify the Installation

Check that all three core containers are running:

Check containers

sudo docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

You should see pangolin, gerbil, and traefik all showing "Up" status. Pangolin's health check endpoint should also respond:

Health check

curl -s http://localhost:3001/api/v1/ | head -c 100

Now open your browser and navigate to https://pangolin.yourdomain.com. You'll see the Pangolin login screen secured by a valid Let's Encrypt certificate. Log in with the admin credentials you set during installation.

Step 5: Create Your First Site

In Pangolin's terminology, a "Site" represents a remote network location where you'll run the Newt tunnel client. Your home network is your first site.

In the Pangolin dashboard, click Sites in the left navigation.
Click Add Site.
Give your site a recognizable name (e.g., "Home Lab").
The connection method defaults to Newt Tunnel — leave this selected.
Pangolin will generate three values: Newt Endpoint, Newt ID, and Newt Secret Key. Copy all three and store them securely.
Confirm that you have saved the credentials and complete the site creation.

Security Note: The Newt Secret Key is shown only once during site creation. Store it in a password manager. If lost, you'll need to delete and recreate the site.

Step 6: Deploy Newt on Your Home Server

Newt is Pangolin's lightweight WireGuard client that establishes the encrypted tunnel from your home network to the VPS. You have two deployment options: Docker (recommended) or a standalone binary.

Option A: Docker Deployment (Recommended)

On your home server, create a directory and Docker Compose file:

docker-compose.yml

services:
  newt:
    image: docker.io/fosrl/newt:latest
    container_name: newt
    restart: unless-stopped
    environment:
      PANGOLIN_ENDPOINT: "https://pangolin.yourdomain.com"
      NEWT_ID: "your-newt-id"
      NEWT_SECRET: "your-newt-secret-key"
    network_mode: host

Start Newt

mkdir -p ~/pangolin-newt && cd ~/pangolin-newt
# Create docker-compose.yml with the above contents
docker compose up -d

Using network_mode: host is important because Newt needs to reach services on your local network by their LAN IP addresses.

Option B: Binary Deployment

If you prefer to avoid Docker on the home server, download the Newt binary directly:

Download and run Newt binary

wget -O newt "https://github.com/fosrl/newt/releases/latest/download/newt_linux_amd64"
chmod +x ./newt
./newt --server https://pangolin.yourdomain.com --id YOUR_NEWT_ID --token YOUR_NEWT_SECRET

For production use, create a systemd service so Newt starts automatically on boot:

/etc/systemd/system/newt.service

[Unit]
Description=Pangolin Newt Tunnel Client
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/newt \
  --server       https://pangolin.yourdomain.com \
  --id YOUR_NEWT_ID \
  --token YOUR_NEWT_SECRET
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable the service

sudo mv newt /usr/local/bin/
sudo systemctl daemon-reload
sudo systemctl enable --now newt

Step 7: Verify the Tunnel

Back in the Pangolin dashboard, navigate to the Sites page. Your "Home Lab" site should now show as online with a green indicator. The logs section will display successful connection messages:

Expected Newt output

INFO:   Websocket connected
INFO:   Received registration message
INFO:   Connecting to endpoint: pangolin.yourdomain.com
INFO:   Initial connection test successful!
INFO:   Tunnel connection to server established successfully!

You can also verify from the Newt side by checking Docker logs:

Check Newt logs

docker logs newt --tail 20

Understanding the Architecture

At this point, here's what you've built:

Layer	Component	Location
Public Entry Point	Traefik (SSL termination, routing)	RamNode VPS
Tunnel Management	Gerbil (WireGuard peer management)	RamNode VPS
Control Plane	Pangolin (dashboard, auth, config)	RamNode VPS
Tunnel Client	Newt (WireGuard client)	Home Server
Backend Services	Jellyfin, Nextcloud, Home Assistant, etc.	Home Network

All traffic between your VPS and home network is encrypted via WireGuard. No ports are opened on your home router. The only publicly exposed ports are 80, 443, and 51820 on the VPS, which you've already locked down with UFW.

Troubleshooting Common Issues

Newt shows "offline" in the dashboard

Confirm that UDP port 51820 is open on the VPS firewall. Run sudo ufw status to verify. Also check that the Newt ID and secret match what Pangolin generated.

SSL certificate errors on the dashboard

Ensure your DNS A record points to the correct VPS IP and that ports 80/443 are open. Traefik needs port 80 for the ACME HTTP-01 challenge.

Tunnel connects but services are unreachable

If Newt is running in Docker without network_mode: host, it cannot reach services on the host's LAN. Switch to host networking or use Docker's host.docker.internal.

High latency through the tunnel

Choose a VPS location geographically close to your home network. RamNode offers multiple datacenter locations to minimize round-trip time.

What's Next

In Part 2 of this series, we'll cover identity-aware access: integrating SSO and OIDC providers, configuring per-service authentication policies, and setting up role-based access control so every request through your tunnel is verified.

Don't have a VPS yet? RamNode offers KVM VPS plans starting at $4/month — the perfect entry point for your Pangolin deployment.

Series Overview Part 2: Identity-Aware Access