Pangolin is an open-source, identity-aware remote access platform built on WireGuard — combining reverse proxy, VPN, NAT traversal and zero-trust RBAC into one self-hostable app, and the best self-hosted Cloudflare Tunnel alternative in 2026.
Pangolin is an open-source, identity-aware remote access platform built on WireGuard — a single self-hostable app that combines a tunneled reverse proxy, a full VPN, intelligent NAT traversal and zero-trust RBAC in one place. We rate it 83/100 — the cleanest open-source alternative to Cloudflare Tunnels and Tailscale in 2026, provided you are comfortable running a VPS and can live with the userspace WireGuard client being a touch slower than a kernel one.
Pangolin is built by Fossorial, Inc., the team behind the fosrl GitHub org. The first public commits landed in , and the project has since grown to 20.4k+ GitHub stars, 1,000,000+ deployments worldwide and a $4.7M seed round raised in 2025 to take the team full-time. The latest release at the time of writing is v1.17.1, published on .
The pitch is simple. If you self-host anything — a home lab, a handful of internal web apps, an SSH jumpbox, a production database behind NAT — getting tunneled, authenticated access has historically meant wiring together at least three tools: a reverse proxy (Traefik, Caddy), a tunnel provider (Cloudflare Tunnel, Tailscale Funnel, ngrok), and an identity layer (Authelia, Authentik, Keycloak). Pangolin rolls all of that into one app with a clean web UI, automatic TLS, OIDC and built-in RBAC — and lets you keep the whole thing on your own infrastructure under an AGPLv3 license.
Sentiment across r/selfhosted, the GitHub issue tracker and independent blog reviews is overwhelmingly positive. Writers at noted.lol and Mikael's BrainDump highlight that Pangolin "fills a genuine gap" — previously you had to stitch Traefik, Authelia and Cloudflare Tunnel together; Pangolin folds all three jobs into one product with a coherent web UI. DB Tech and Pi My Life Up call the setup "seamless" and the dashboard "intuitive".
The honest complaints are worth knowing. Real-world reviewers on leewc.com note that the userspace WireGuard client is less performant than the kernel driver on Linux (though that is mitigable), and that the resource-creation flow initially reads like it has validation errors because of an unclear UX pattern. Multiple GitHub issues flag rough edges around firewall/DNS setup on fresh installs, and the free self-hosted tier is limited to 3 users / 1 site / 25 GB of bandwidth — enough for a homelab, tight for a small business.
Pangolin has two pricing surfaces: a Pangolin Cloud tier (fully managed) and a self-hosted tier (BYO VPS). Both start free.
| Plan | Price | Key Limits |
|---|---|---|
| Cloud — Basic | $0 forever | Up to 5 users, 5 sites, 5 domains, custom domains, peer-to-peer, no credit card |
| Cloud — Team | $4 / user / month | External IDPs, multi-role RBAC, audit logging, device posture, policy enforcement |
| Cloud — Business | $9 / user / month | Multiple orgs, IDP auto-provisioning, SSH management, device approvals, custom branding |
| Cloud — Enterprise | Custom | SCIM, SIEM streaming, premium relay nodes, priority SLA |
| Self-host — Community | $0 (AGPLv3) | Open source, community support, 3 users / 1 site / 25 GB free |
| Self-host — Starter | $449 / year ($37/mo) | Up to 25 users and sites, all Enterprise features unlocked |
| Self-host — Scale | $1,249 / year ($104/mo) | Up to 50 users, 100 sites, ticket-based support |
For a direct comparison: Tailscale's paid plan starts at $6/user/month, Cloudflare Zero Trust is $7/user/month, and Twingate is $10/user/month — all cloud-only. Pangolin's $4/user/month Cloud Team tier undercuts the category on pricing, and the AGPLv3 self-host path costs $0 forever for any homelabber who can run a VPS.
Best for: Self-hosters, homelabbers, DevOps engineers and small IT teams who want to replace a messy stack of Cloudflare Tunnel + Authelia + Traefik (or Tailscale + nginx + Keycloak) with one coherent app; MSPs who manage distributed client networks and want zero-trust RBAC they can actually self-host; and any organisation that genuinely prefers AGPLv3 on its own infrastructure over renting from Cloudflare or Tailscale.
Not ideal for: Teams that are already deep into Tailscale's ACL model or Cloudflare Zero Trust's global edge — Pangolin runs on your hub, not a 300-POP CDN, so latency for far-flung users depends on where you place your server. Regulated enterprises that need SOC 2 / ISO certifications, SCIM and signed SLAs should plan on the Enterprise tier or the Business Cloud plan rather than the free self-host.
Pros:
Cons:
Cloudflare Tunnel is the closest hosted equivalent — free and globally edge-distributed, but closed source and requires you to live inside Cloudflare's ecosystem. Tailscale is the polished mesh-VPN king with an excellent ACL model, but its free plan tops out at 3 users and the core control plane is proprietary. Self-hosted open-source peers include Headscale (a community Tailscale control plane, VPN only — no reverse proxy), NetBird (similar mesh VPN, partly open source) and traditional stacks like Traefik plus Authelia — which do the job but require glue work Pangolin eliminates.
Yes. For anyone who self-hosts and has ever duct-taped Cloudflare Tunnel + Traefik + Authelia together to expose a web app with login, Pangolin is the single biggest quality-of-life upgrade of 2026. It is not quite a complete Tailscale replacement — Tailscale's ACLs and the global edge still win for some workloads — but as a unified, AGPLv3, identity-aware remote access hub with a clean web UI, nothing else in the open-source world comes close. We rate it 83/100: a few points shy of outstanding because of the userspace-WireGuard performance gap and some UX rough edges. Start on Pangolin Cloud's free Basic plan or docker compose up the Community Edition this afternoon.
docker compose up -d on any Linux VPS, or one-click install from the DigitalOcean marketplace. The Community Edition is AGPLv3 and free, with paid self-host tiers at $449/year (Starter) and $1,249/year (Scale) unlocking Enterprise features.ServiceNow and Accenture Launch Forward Deployed Engineering Program to Scale Agentic AI in the Enterprise (May 6, 2026)
At Knowledge 2026, ServiceNow and Accenture announced a joint forward deployed engineering program that drops co-located engineer pods into customer environments to ship agentic AI workflows natively on the ServiceNow AI Platform — with access to 300+ pre-built agent skills and the AI Control Tower as the governance backbone.
May 7, 2026
ReFiBuy Raises $13.6M Seed to Help Brands Get Recommended by AI Shopping Agents (May 5, 2026)
ReFiBuy, the Raleigh-based agentic commerce platform from ChannelAdvisor founder Scot Wingo, closed an oversubscribed $13.6M seed led by NewRoad Capital Partners on May 5, 2026 — betting that the next billion-dollar e-commerce moat is being chosen by ChatGPT, Claude and Perplexity.
May 7, 2026
OpenAI Replaces ChatGPT's Default Model With GPT-5.5 Instant — 52.5% Fewer Hallucinations, 30% Shorter Answers (May 5, 2026)
OpenAI on May 5 swapped GPT-5.3 Instant for the new GPT-5.5 Instant as ChatGPT's default model, claiming 52.5% fewer hallucinated claims on high-stakes prompts and 30% more concise answers. The model also rolls into the API as chat-latest and adds personalization from Gmail and past chats for Plus and Pro web users.
May 7, 2026
Is this product worth it?
Built With
Compare with other tools
Open Comparison Tool →
