Pangolin: Your Own Self-Hosted Cloudflare Tunnel Alternative

This is Pangolin. No, wait, that's *a* Pangolin. *This* is Pangolin. This is my instance of Pangolin. In fact, and in this video, I want to explain why I'm excited about this project. Now, if you've been watching this channel for a while, you'll know that I use Cloudflare tunnels because it gives me remote access to my self-hosted resources without needing to port forward anything.

And Pangolin does that as well. But what's great about Pangolin is it's also self hosted. Now, if that's not a reason to be excited about a project, I don't know what is, if I'm being completely honest. That said though, there are a couple of things that you need to keep in mind before we jump into this video.

First, this is still technically in beta. I've chatted with the developers via email. Great group of people to chat with. Very, very knowledgeable and very friendly from my experience. So they are still technically in beta, but they are working on getting out of beta in the next couple of weeks at the time of recording this video. The other thing that you'll want to keep in mind is that you will need a domain name and you will also need access to another Docker server outside your home.

That could be a friend or a family member's house that you can trust. Or like I'm going to do here, I'm going to use a rented VPS from RackNerd. Now, of course you could use any rented VPS out in the wild if you wanted to, if you've got a preference, but for the sake of this video, I'm going to use RackNerd. If you'd like to also use RackNerd, there will be some affiliate links down there to check them out on a great deal for a yearly cost of less than 15 bucks. So definitely check out the video description for more information and links to everything we talk about in this video.

Now, just so we can kind of set some expectations for the rest of this video, as far as the content herein, I'm going to try to keep this kind of high level for a couple of reasons. This video could get very technical and I don't want to do that and put people off. Also, again, this is in beta and things may change and I don't want to commit to something and have it kind of bite me later.

So if you'd like more information about Pangolin and how it works and all of the stuff associated with that, again, links in the video description, we can take a look at their overview page and they kind of talk about what Pangolin is. There's some component overviews. So we're going to use Pangolin.

We're going to use Gerbil. We're going to use Traefik, which if you've seen some of my other content, you'll know I'm not a fan of, but it works really, really well here. And you never actually have to directly interact with Traefik, which I appreciate. We've also got a Traefik plugin called Badger, and Newt.

Newt is the one thing we will be interacting with after we get Pangolin set up. Newt is kind of the tunnel agent that you install locally on whichever Docker server you want to on your local network to access basically anything on your network. It's actually pretty cool, but we're going to get to that later. If you scroll down a little farther, there is a system diagram where they kind of give a general layout of how this works.

When we did the live stream of this, I was not sure what to expect going in. Um, and when it worked, it blew my mind. Let's do this. Let's pop this open.

That's amazing. So, uh, David@dbtech.tube. Copy that. Portis.dbtech.tube is available. That is so cool. That's really, really cool.

I don't have port forwarding enabled on my platform. So with that said, let's jump back over to my Pangolin instance here. We are on the resources page and resources are basically, uh, the, the, the, the applications that are running on your network that you want to access remotely. Just as simple as that. I conflated that when I did the live stream a while back.

Now, in order to add a resource, you first need a site and that's why the navigation is in the order that it's in. Uh, so we're gonna, we're gonna try to take a step back now and take a look at sites. So sites are basically how you're going to create your tunnel.

And the reality is you only need one site per subnet, I guess is probably the best way to say that. So you could just have one site that takes care of your entire home lab, unless you've got different subnets for your home lab, and then you would need multiple sites for each again, subnet that you've got set up for your home lab. That's all going to depend on how you've got things set up, but, um, I'm only going to use one site for my entire home lab because that's all I need.

And we'll take a look at adding sites and resources here in just a moment. I do want to take a look at some of the other pages on this, um, just so we can kind of get an idea of what we're dealing with later on. So, uh, that was sites just in a very brief nutshell.

Uh, we took a look at resources at the beginning. We've also got users and roles. I kind of feel like that is fairly self-explanatory. Uh, we've got shareable links. Uh, this is actually pretty cool because when we've actually got resources set up that have, um, authentication or sign on features associated with them, you can create shareable links that will bypass all of that.

If you just wanted to give somebody quick access to something without setting up passwords and emails and that sort of thing, create a shareable link, send that to them, they can access it. And then you can kill that link when you need to, or based on a certain amount of time. Very, very clever. I love what they've done with that. We've also got general.

Um, and here again, it's just organizational settings. Um, and, and you can create multiple organizations by coming up to the top right hand side. Um, and you can obviously toggle between them as well, or from this page on the general tab, uh, we can delete an organization if we need to do that. So you can have, uh, organizations and then go back to users and roles and have roles and users and kind of put people where they need to be in different organizations as necessary. They put a lot of thought into this project and I really, really dig it. Um, let's come back over here to resources very quickly here.

Right? So I've got two resources available. I've got one for HortusFox. I swear one of these days, I'm going to make a video on that because I think it's a very cool project. Uh, and I've also got an Excalidraw, uh, resource set up on this.

And of course those are both Docker containers that are on my home lab behind me. So if I click on plants on dbtech.tube, there it is. We can see I've got two tabs that open now, just that quickly and easily. Now, if we come back to my resources page and we'll click on this xcal.dbtech.tube, it says authentication required. Well, why, why, why is that? Well, because I told it to have authentication being required. If we come back to settings, I can click edit and we can take a look at the settings for this resource.

This is for our excalidraw resource. And if we come over to the authentication page here, uh, we can, uh, have all kinds of different ways to access our different resources. We can use the platform SSO or single sign on. We can enable that and we can say, Hey, is it, do we want a certain role to have access to this? Or do we want just certain users to have access to this? You can, you can do either, or you can do both, whatever the case is. You can enable and disable that just by simply toggling that and clicking save.

If we scroll down a little bit further, we've got authentication methods. Now you can use this instead of, or in conjunction with, um, the, this platform SSO setting above. So we can have a password protection.

We can add a passcode there and we can just say, I like password and click enable. So now we've got password protection enabled. That's one password, kind of a global password to access that resource, which I think is kind of neat. We can also do a pin code if we wanted to do that. And we can say, let's be super secure and do that and enable pin code protection. And you know what, while we're at it, let's just go ahead and enable that.

And let's just select, um, let's select me. Um, this is gonna, and then we'll click save like, so, so now in theory, we have, uh, let me make sure that that is all correct. Now this was enabled before. That's why we saw this, right? So now we've got the platform SSO, the single sign-on enabled for that one user. We've got a, a global password that anybody could use. We've got a global pin that anybody could use, and we've got single sign-on like a one-time password that will get emailed to us if we enter that, uh, that email address.

So that's a lot. That's like four different ways to sign into a single application or resource. So let's come back to our resources page. Let's grab that URL and open that. Hey, look, there we go. Just that quickly, right? So we've got a pin that we could use or that global password that we could use.

We could sign in with an account that we've got built in Pangolin, or we can just get an email. So if we go this route, right? If I enter my email address and click go, I'll get an email and that email is going to look like this. Here's your one-time password for this was, uh, an instance that I had of something else earlier. But it's just like, Hey, you, uh, email address.

You've requested a one-time password to access this resource on this server. Here is that password. We can copy this and then go back over to here and enter that password. And it would let us log in, but for the sake of simplicity, we're going to do this. Right. And log in.

And now we're logged in and ready to go. It's just that easy to set up any kind of different options for signing in to an application. Now, the thing to keep in mind with this is this is just giving you access to the resource. This isn't going to work like Authelia where you can pass credentials through for the time being. So this just gives you the chance to log in, to get to the resource.

So if that resource has a login, like we saw with, uh, say, oops, where did it go? Uh, so I say a Hortus, right? If we go to Hortus, um, or this plants, I've got three instances open now. Now we've got a username and password, right? But, uh, let's just do this as a, as a kind of a proof of concept kind of thing. Right. Let's go to, let's go to authentication. Let's just say we add, uh, no, let's, let's do a pin protection on this again.

One, two, three, four, five, six, right? Enter pin code. Cool. Now back to resources.

I'm going to open this in a new incognito window. So I can either log in as my main user, uh, which would be the, the Pangolin user where we can do this right. And we can click log in and there we go. So that was just kind of the first level of protection for our application, right? That was the Pangolin authentication side of things. Once we passed that little interaction there, now we can log into the application if we have an account there.

So I just wanted to be clear that the Pangolin authentication doesn't, at least at this point, pass through to the actual, uh, resource that we're trying to access. Um, I know other things like I think Authentik do things like that, but that's not currently how the authentication on Pangolin works. I just wanted to clarify that in case there was any confusion. So that's kind of the high level overview for, uh, how this generically works, right? So let's take a quick minute here.

Let's install a site. Let's add a resource and let's kind of go through that process. So you can see how this works for the sake of being a Cloudflare tunnels replacement. There's other stuff you can do with this, but we're only going to focus on this one feature for right now. So we're going to go back to sites like we've done here.

So we're going to click add site. We're going to call this tutorial like so, and our method will be Newt. Now, um, there are some other options in here like local and WireGuard, but again, this is going to be a Cloudflare tunnels replacement, so we're going to go with the Newt method. Next, we've got some configuration information, which I'm going to copy.

There is an ID, there is a secret and there is an endpoint, and our endpoint is whatever URL our dashboard is on. So I'm going to copy that and paste it over here in a separate window. Just so I've got it for later.

Also, because it encourages you to copy this information because you're only going to see it once. So what we're going to do is click on create site and there it is. There's our tutorial. It is currently offline because we haven't installed the agent on our local node over here in my server rack. That's what we're going to do next. But before we do that, we can see that it is either online or offline.

The site name is just a random string of words. We can actually see data in and data out for each of our different sites. And we can see what kind of connection type it happens to be. So what we want to do is jump over here to this Portainer instance, where I've got a TNG instance set up.

I'm going to add a stack. Then what I want to do is come back over to the overview. Again, over here under the docs for the application and click install under Newt. Now there are different ways that you can install this if you wanted to. I'm going to keep it simple and use Docker.

I'm just going to grab this Docker Compose right here. I come back over here and I'm going to paste that in and I need to give this a name and call it Newt. So under our services for the Docker container for Newt, we've got Newt.

The image is `fosrl/newt`, the container name Newt. Uh, the restart policy is unless stopped, which is great. We've also got some environment variables, and this is the information we were given on that previous screen when we created the site on our Pangolin instance.

So what I'm going to do is replace these three entries with what I was given when we created that site. And it doesn't matter if you see any of this information because each time you create a new site, you get new credentials. And once this tutorial is over, all that's going to go away and it won't matter. So once we've got all of this filled out the way we need to have it filled out, we can scroll down and click on deploy the stack. This should go pretty quickly, all things considered. And there we go.

So now I can click Newt. We can see that it's running. All of this looks good and we'll click on logs. So it's done all of the stuff it needs to do in the background.

And it says that it's starting the ping check. That's good. That tells us that we're good to go.

So we can go back to our Pangolin instance. We can see the tutorial is currently offline. And if I refresh now it's online, which means that the Docker container that I installed on the server behind me is now connected to the Pangolin instance on my RackNerd VPS just that quick and easy. So with that said, what we can do now is come back over to resources. We can add a new resource. I'm going to call this, um, Tianjie Tut.

I'm going to call it Tianjie. And then I'm going to select a tutorial because I already had the mine, uh, site set up, but we just created tutorial. So that's what we're going to connect with. I'm going to click on create resource. And then on this page, uh, it's going to take us to where we're going to fill out some more information.

If you're familiar with Cloudflare tunnels, this is going to be very, very familiar. So we're going to scroll down. We're going to see SSL configuration. Do we want to enable SSL? Probably. Yeah.

So we're just going to leave that checked on if we wanted to turn it off, we could, but we want to leave that turned on our, our method to connect for at least for Tianjie for the sake of this part of the tutorial is just going to be HTTP because Tianjie doesn't have an SSL built into it. But what we want to do is enter the IP address and the port of what we're going to be working with here. So I'm going to grab this IP address up here, and then I'm going to come back. I'm going to paste that in and we're going to come back over to here. I'm going to go back to our containers and Tianjie is on port one, two, three, five, four. So I'm going to go ahead and put that in as well.

Right there. One, two, three, five, four. And I'm going to click add target. And here we can see that it's there. We can enable or disable on the fly if we want to do that, or we can delete, but I'm going to click save target. Just that simple.

Now we'll come back to resources. And right there is Tianjie Tut, the one we just created. And I'm going to click the link. Just like that, Tianjie is now up and running just that quick and easy with an SSL on my domain with its own custom subdomain, just that quick and easy.

And I can't when I first saw that work, my mind was blown. I couldn't believe how well and how easily that worked. I had no idea that it was just going to work behind the scenes because of the WireGuard tunnel that runs everything to connect the two instances, the Pangolin and the Newt together. Again, I want to keep this very high level because things may change and I just want to give an introduction to Pangolin.

So I think we're just going to kind of stop with the demonstration there. But now I want to show you how easy it is to install this. So to get pangolin installed is actually pretty simple. There are a couple of different ways that we can do it.

And I'm going to leave that option up to you when you install Pangolin for yourself. But to keep things simple for me for this tutorial, we're going to go the easier route, at least for right now. But before I do that, what I need to do first is change the DNS record, the A record for my domain to point to a different server just so we can have some separation of what's going on here. So this is my Cloudflare tunnel or sorry, my Cloudflare dashboard for dbtech.tube. That's the domain we were using a moment ago.

We're going to keep using it, but we're going to point it to a different VPS. To do that, I'm just going to click edit next to the A record and I'm going to put in the IP address of my other RackNerd VPS. Again, links to everything in the video description if you want to check that out. All I'm going to do is click save.

Now you may see that the proxy status is DNS only. That is on purpose. If you turn DNS proxying on, things will go in a redirect loop and won't work. I reached out to the developers of Pangolin about this last night and they said that this will not work with DNS proxying on. But using Pangolin kind of does the same thing as Cloudflare Tunnels as far as IP obfuscation. You just need to make sure that when you set up your VPS, you lock it down as much as you can for security purposes.

So just something to keep in mind there. Now I've entered this new IP address for my other VPS over here. We're going to do some other stuff while this propagates.

It shouldn't take too long. But just wanted to give a bit of an overview as far as what's going on there. So what we're going to do is we're going to come back to the install docs for pangolin here. In fact, getting started. Again, we've got a couple of different options on how we can do this. Right. If we click on install, it's going to give us this script that we can run and then to get the installer script and then we can run the installer in our command line.

This is the method we're going to go with for the sake of this tutorial. I know that people don't like to do this and I get that. I 100 percent get that. But if you want to do this differently, you can come over here to the manual install and it says right up here at the top.

This guide assumes that you already have a Linux server with Docker and Docker Compose installed. If you don't, please refer to this. You must also have root access to the server. So if we scroll down, it says prerequisites a Linux system with root access, which we talked about a second ago. Public IP address. We recommend Ubuntu or Debian. You must have a domain name pointed to your server's IP address with ports 80, 443 and 51820 available.

So HTTP traffic, HTTPS traffic and WireGuard traffic. You have to have those ports available on that service. You also need an email address and optionally an SMTP server.

This shows the folder structure that you will need. And it says anything marked with an asterisk will not be generated on startup of the stack or the Docker Compose that's down below. We'll take a look at that in a second. The volumes are created by the Docker Compose file and most of the files are generated by Pangolin and Gerbil services. You will need to edit the generated `config.yml` file to configure to your needs. And you will need to create the `traefik_config` and the `dynamic_config` files manually and edit them.

If you scroll down again, there's an explanation of each what each file does, why it's there. There's the Docker Compose. There's the traffic configuration. They've given you everything you need here.

So one thing I wanted to clarify real quick is that either method will get the job done. However, using the installer script will also do things like install Docker. If you haven't done that already, it will create the Docker Compose files. It will download all of the Docker images that you need.

It will then deploy all of those images and it will create the file and folder structure that you need to make this work. And it will configure all of the files as they need to be configured for your setup and kind of take all of that burden off of you and make sure that nothing gets screwed up in the process. So I just wanted to clarify why I'm going that method and why that method might actually be easier for most people. But again, you can use either method, whichever one works best for you and makes you feel more comfortable. Just wanted to clarify that they do the same thing just a little bit differently.

So we're going to go back over here to this install script with this install page and scroll down. And again, there are a couple of different commands that we see here. They're the same command or the same. They'll achieve the same thing.

One of them is a `wget`. The other is `curl`. It doesn't matter which one you run as long as you have it installed on your server. So what I'm going to do is pop this open like so. This is the server that we're going to use.

And I'm just going to run this `wget` command. We can see that it's going to what it downloads is going to rename it to installer. And then once it's done, it's going to change. It's going to `chmod` it to be executable for that file. That's all that saying right there. We're going to hit enter just like that.

That part is done. So again, I'm going to clear this up. Clear my screen. I'm going to minimize that just so we don't have any background confusion going on here. So what I want to do now that we've downloaded the file and made it executable is do a `./installer` and hit enter. Oh, you're right. So what we're going to do is we're going to do a `sudo su` like so. Then we're going to do a `./installer`.

OK. What is your base domain? I'm going to say dbtech.tube and enter into the domain for the Pangolin dashboard. Default is pangolin.dbtech.tube. I'm fine with that. I could just enter. I'm going to type it out and go and DB tech DB.

Oh, OK. So we've run into a bit of an issue here. This is this is part of that beta thing. We're going to we're actually going to exit out of that and try again because I fat fingered it. But it wouldn't let me go back. It wouldn't let me back up far enough.

Let me drag this over here and then we're going to make this bigger like so. All right. So we're going to run the installer with a bigger screen. We're going to enter again dbtech.tube, pangolin.dbtech.tube, email address for SSL certificates. We're going to do this. Do I want Gerbil to allow tunneled connections?

Yes, we do. And then we're going to enter the username and password for our new instance. This is the the admin username. So we're going to do this. Yeah. Come and we're going to create an admin password and we're then going to confirm that password.

Now do you want to disable sign ups without an invite? Yes. For security reasons. Yes, we do. If you wanted to make this a public service you could say no you don't want to disable that. But we're going to make this a private instance. So we're going to default.

We're going to disable signing up without an invite. Do you want to disable users from creating organizations? Yes or no. I'm going to say yes. They're going to say no. There as well. And then do you want to enable email functionality? Yes or no.

So if I say yes it's going to ask me for SMTP information to connect to an SMTP server. Which is great because then I can do things like set up one time passwords for for email addresses and I can also do password recoveries. I encourage you to do that. In fact the developers encouraged me to do that in the email they sent me after they took a look through my questions when I emailed them. For the sake of this video to keep it short and simple I'm going to say no. Now would you like to install and start the containers.

This script that we're running is going to download run and configure all of the containers that we need for Pangolin to run. So I'm going to say yes I would like you to install and start the containers. OK.

And here we are just a couple of moments later and we've got Traefik, Pangolin and Gerbil up and running and even a healthy status over there on Pangolin. So let's jump back over to our dashboard just for the sake of making sure that everything is correct. I'm going to pop this open pangolin.dbtech.tube.

Hey look at that. Just that quickly and easily so we're going to get logged in. So now that we're logged in it's asking us to set up a new organization. This is just part of the setup process. So I'm going to call this PangoTut.

That'll be our organization name and our ID. We can manipulate however we need to there. We're going to click create. Now it wants us to create a site or if we want to we can just skip this for now. Either way is perfectly fine. But for the sake of this I'm going to click skip for now.

And here we go. We don't have any sites created. We don't have any resources created. We've just got our one user shareable links again nothing there is available and general again that's what we just created was the information for this for this organization and again we can come up here and create new organizations or whatever from right up there.

So let's create our first site. What I want to do is come over here to the sites page and click add site. I'm going to call this PangoTut and our method again will be newt.

I'm going to copy this information right here. And I'm going to say I've copied the config and click create. Now again it's showing us as being offline which is what we would expect. So now that we've got our site created we actually need to install the newt agent over on our docker server. So what I'm going to do is come over here to an existing Portainer instance.

I'm going to click add a stack and I'm going to paste in the Docker Compose that again was on the docs that we saw earlier. Again I'm going to call this newt tut and again I'm going to change the endpoint, the ID and the secret here. I apologize if you can hear a new whine that between these last two cuts something kicked my 3D printer fans kicked on for some reason and I apologize. So there is my new endpoint, my ID paste that in and my secret. Like so and then I'm going to scroll down and click on deploy. OK I fixed that that was annoying that that fan shouldn't be making any more noise for us.

But while I did that the newt tut docker container has come up and right here again we're seeing all of the stuff that we want to see including that new end point in there. So that's good to go. We come back to our pangolin dashboard and hit refresh. It shows that we're online. So now we can come over to our resources page and we can add a new resource. I'm going to call this Tion tut for both the name and the subdomain.

They don't have to match. I'm just doing this to to expedite this process. So for the site is going to be pango tut.

That's the only site that's available in our new instance. We're going to click create resource and then we're going to go ahead and fill out this information like we did earlier. So I'm going to grab this IP address and paste that into there. I need to grab the port. I don't remember which one two five one two three five four again.

So one two three five four and click add target and then click save target just like that. Sorry I got a little itch here. There we go. So we come back to our resources Tion tut at Tion tut dot dbtech dot tube. Oops there we go. Sometimes it takes just a moment to generate and install that SSL. The way you can get around that as I was told by the developers is actually to install a wildcard cert on your setup but that's outside the scope of this.

But again just that quickly and easily we got our Tion tut dot dbtech dot tube resource set up very very quickly and easily with an SSL with no port forwarding just a little time and a little effort. So that is Pangolin at a very very high level as it sits right now as a very solid option to potentially replace Cloudflare Tunnels if you want to access your stuff remotely and not port forward and also not use a third party service outside of VPS you've rented from somewhere. But that's why I'm really excited is it's so so easy to set up and use. I'm really excited about this. It would be amazing if you guys went over to their GitHub repository. They've currently got eight hundred and forty five stars on their GitHub repository and I feel like it should be a million.

So if you enjoyed this project or if you enjoy this project you're interested in this project you want to support the project. The very least you can do is go over and give this project a star. Please do that over on their GitHub repository. Again links to everything that I talked about in this video will be in the video description if you want to check that out. There's so much more that we could have covered in this but I just wanted to give an introduction to this solution to this project. So if you enjoyed the video do me a favor give the video a thumbs up.

Also don't forget to subscribe if you haven't already. I'm also trying to live stream twice a week both here on YouTube and on Twitch. So be sure to check out the schedule that I'll have somewhere so you can check that out and go check out the live streams where I cover Docker containers in a much more real time sense than we're doing here in these truncated videos. So again links to everything. You know that you know the drill. So thank you guys for spending a few minutes of your day with me here today and I'll definitely talk to you in the next video.

2025-01-22 15:22
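Added example, not part of the video or of the Pangolin project: the transcript says to lock the VPS down and names ports 80, 443 and 51820 as the ones Pangolin needs, so this script checks `ss -H -tuln` output for public listeners outside that set and for required ports that are missing. Allowing SSH on tcp/22 and the sample listener table are assumptions made for the example.

```shell
#!/bin/sh
# Listener audit for a Pangolin VPS (added example).
# REQUIRED comes from the prerequisites read out in the video:
# 80 (HTTP), 443 (HTTPS), 51820 (WireGuard).
REQUIRED="tcp/80 tcp/443 udp/51820"
# ALLOWED adds SSH on tcp/22 for administration (assumption, adjust to your setup).
ALLOWED="$REQUIRED tcp/22"

# Reads `ss -H -tuln` lines on stdin and prints one "proto/port" per
# listener bound to a non-loopback address, de-duplicated.
public_listeners() {
    awk 'NF >= 5 && match($5, /:[0-9]+$/) {
        addr = substr($5, 1, RSTART - 1)   # text before the final ":port"
        port = substr($5, RSTART + 1)
        # Loopback-only sockets are not reachable from the internet.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1 "/" port
    }' | LC_ALL=C sort -u
}

# Prints public listeners that are not on the allowlist.
unexpected_listeners() {
    public_listeners | while read -r key; do
        case " $ALLOWED " in
            *" $key "*) ;;
            *) echo "$key" ;;
        esac
    done
}

# Prints required ports that have no public listener.
missing_required() {
    seen=" $(public_listeners | tr '\n' ' ')"
    for key in $REQUIRED; do
        case "$seen" in
            *" $key "*) ;;
            *) echo "$key" ;;
        esac
    done
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:9000       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:3001       0.0.0.0:*
tcp   LISTEN 0      244             [::]:5432          [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
EOF
}

echo "Unexpected public listeners in the sample:"
sample_ss_output | unexpected_listeners
echo "Required ports missing in the sample:"
sample_ss_output | missing_required
```

On the VPS itself, replace `sample_ss_output` with `ss -H -tuln` and treat any line printed by `unexpected_listeners` as something to close or bind to loopback.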
