Pangolin
Self-hosted identity-aware reverse proxy that securely exposes private services via encrypted tunnels without opening inbound ports.
Pangolin is an open-source zero-trust remote access platform that provides secure, identity-centric access to applications and infrastructure without opening firewall ports or deploying traditional VPNs. Built on WireGuard®, it unifies clientless web application access and client-based private network access under a single policy model. With over 1 million deployments worldwide, Pangolin is available as a managed cloud service or fully self-hosted.
Architecture
Pangolin separates the control plane (Pangolin server) from the data plane (sites and clients). The server handles authentication, stores access policies, and coordinates authorization without sitting in the path of traffic. The data plane consists of sites — lightweight connectors deployed in your networks via the Newt agent — and clients on user devices. Sites establish secure, outbound-only tunnels, eliminating the need for public IPs or inbound firewall rules. Clients connect directly peer-to-peer to sites for authorized resources.
Resource Types
Public Resources — Clientless Application Access
Public resources provide identity-aware reverse proxy access to internal web applications. Users access a URL in their browser, authenticate via SSO or MFA, and are routed to the backend through an encrypted tunnel. No client installation is required. Features include:
- TLS termination and automatic certificate management
- Path-based routing and URL rewriting
- Health checks with per-target status monitoring
- Load balancing across multiple backends
Private Resources — Least-Privilege Infrastructure Access
Private resources provide ZTNA-style access to specific hosts, databases, SSH servers, or entire network segments (via CIDR ranges). Access is scoped to explicitly authorized resources only — never the full network. The Pangolin client (available for macOS, Windows, Linux, iOS, and Android) handles tunnel establishment and routing automatically.
Identity and Access Management
- Single Sign-On (SSO) via OAuth2/OIDC and SAML-compatible identity providers (Microsoft Entra ID, Google Workspace, Okta, and others)
- Role-Based Access Control (RBAC) with granular resource entitlements
- Multi-Factor Authentication (MFA) enforcement
- Device Approval — new devices can be quarantined until administrator approval
- Device Blocking — instant revocation of compromised or lost devices
- Temporary Share Links for time-limited, controlled access
- SSH-Specific Policy — per-role control over SSH access, sudo levels, Unix groups, and home directory provisioning
Key Capabilities
- Multi-Site Routing — high-availability and geo-distributed deployments with intelligent traffic routing
- Wildcard Resources — define broad resource patterns with granular exceptions
- Uptime Tracking & Health Checks — monitor resource availability and target health
- Alerting — configurable alert rules for operational events
- Templated Provisioning — declarative blueprints and provisioning keys for automated edge deployments
- Audit Logging — full visibility into who and which devices accessed what resources
- GitOps Support — manage access policies as code via declarative YAML blueprints
Use Cases
- Secure hybrid workforce access to internal applications and infrastructure from any location
- Replacing bastion hosts and jump boxes with role-based SSH and database access
- Providing controlled access to internal dashboards, APIs, and services without VPN complexity
- IoT and edge device connectivity across distributed environments
- Compliance and zero-trust network access (ZTNA) initiatives requiring least-privilege access and full audit trails
Deployment Options
- Pangolin Cloud — managed control plane with the same security architecture
- Self-Hosted — full control over data and infrastructure, deployable on-premises or in your own cloud
Looking for contributors
This project is actively seeking help. Join the community!
Repository details
Updated 6/28/2026, 8:00:45 AM
Sponsor Pangolin
Sponsor Pangolin on GitHub Sponsors
https://github.com/sponsors/fosrl