How I Teamed Up with a Pangolin to Close the Holes in My Firewall

Introduction

If you’re self-hosting services at home, you’ve probably faced this dilemma: how do you access your services from outside without turning your network into Swiss cheese?

The traditional answer involves a reverse proxy like Nginx or Caddy, forwarding ports through your router, and wrestling with DynDNS because your ISP changes your IP every few days. It works, but every open port is another potential attack vector.

I recently discovered Pangolin, an open-source solution that flips this model on its head. Instead of exposing ports at home, it uses outbound-only connections through a cheap VPS. The result? Zero open ports on my home network, yet all my services are accessible from anywhere.

Unlike mesh VPN solutions like Tailscale or ZeroTier, visitors don’t need to install any client software or join your network. They just visit a URL in their browser - Pangolin handles authentication and proxies traffic through the secure tunnel. Perfect for sharing services with friends or family who aren’t tech-savvy.

Let me show you how I made the switch.

The Traditional Approach: Reverse Proxy with Open Ports

Here’s what my setup looked like before Pangolin:

graph TD
    subgraph Internet
        User[User]
    end
    
    subgraph Router[Home Router]
        FW[Firewall - Ports 80/443 Open]
    end
    
    subgraph HomeLab[Home Network]
        RP[Reverse Proxy]
        HA[Home Assistant]
        Prox[Proxmox]
        Plex[Plex]
    end
    
    User -->|HTTPS :443| FW
    FW -->|Forward| RP
    RP --> HA
    RP --> Prox
    RP --> Plex
    
    style FW fill:#ff6b6b,stroke:#c0392b,color:#fff
    style RP fill:#3498db,stroke:#2980b9,color:#fff
  

This is a step up from opening individual ports per service. At least you have a single entry point with HTTPS and automatic certificates. But you still need to:

• Open ports 80/443 on your router
• Expose your home IP to the internet
• Deal with DynDNS if your ISP gives you a dynamic IP
• Manage certificate renewals (though this is mostly automated now)

Why This Is Still Problematic

• Attack surface: Your home IP is directly exposed to the internet
• Port scanners: Bots constantly scan for open ports 80/443
• Single point of failure: If your home connection goes down, everything is unreachable
• No centralized auth: Each service still handles its own authentication

I ran an Nmap scan against my home IP with this setup. The results showed ports 80 and 443 open and responding - an invitation for attackers to probe further.

What About Cloudflare Tunnels?

Before diving into Pangolin, it’s worth mentioning Cloudflare Tunnels - probably the most popular solution for exposing services without open ports.

Cloudflare Tunnels work similarly to Pangolin: you run a lightweight daemon (cloudflared) on your home network that creates an outbound connection to Cloudflare’s edge. No ports to open, automatic HTTPS, and it’s completely free for personal use.

So why didn’t I go with Cloudflare? A few reasons:

• Terms of Service dependency: You’re agreeing to a large corporation’s policies, which can change. Cloudflare has suspended accounts in the past, and while unlikely for a personal homelab, it’s a dependency I’d rather avoid.
• Bandwidth considerations: While there’s no hard limit published, Cloudflare’s ToS prohibits using tunnels primarily for serving video or large files. If you’re running Plex or Jellyfin, you might hit a grey area.
• The DIY spirit: For me, self-hosting is about maintaining control over my infrastructure. Routing all my traffic through Cloudflare feels like trading one dependency for another. I wanted something I could run entirely on my own hardware.

If you’re looking for the easiest solution and don’t mind these trade-offs, Cloudflare Tunnels is an excellent choice. But if you prefer keeping full control over your stack, keep reading.

What is Pangolin?

Pangolin is an open-source secure tunneling platform that lets you expose internal services to the internet without opening any ports on your home network.

It consists of four main components:

The magic is in the architecture: Newt initiates an outbound connection from your home network to your VPS. Since it’s outbound, your firewall doesn’t need any open ports. The VPS becomes your single, fortified entry point.

How Pangolin Works

Here’s the key insight: instead of opening ports at home, you flip the connection direction.

graph TD
    subgraph Internet
        User[User]
    end
    
    subgraph VPS[VPS with Pangolin]
        PG[Pangolin + Traefik]
        GR[Gerbil / WireGuard]
    end
    
    subgraph HomeLab[Home Network]
        Newt[Newt Client]
        HA[Home Assistant]
        Prox[Proxmox]
        Plex[Plex]
    end
    
    User -->|HTTPS :443| PG
    PG --> GR
    GR -.->|WireGuard Tunnel| Newt
    Newt --> HA
    Newt --> Prox
    Newt --> Plex
    
    style GR fill:#9b59b6,stroke:#8e44ad,color:#fff
  

The flow works like this:

1. User visits homeassistant.yourdomain.com
2. Request hits Traefik on your VPS (only port 443 is open here)
3. Pangolin authenticates the user and checks permissions
4. Traffic routes through the WireGuard tunnel to your home
5. Newt forwards the request to the appropriate internal service

Your home firewall? Completely closed. All it sees is an outbound connection from Newt.

My Setup

What You Need

• A VPS with a public IP (as cheap as 1 vCPU, 1GB RAM works fine)
• A domain with DNS access for wildcard records
• A machine at home to run the Newt client

Installation Overview

I maintain a Docker Compose stack on GitHub that bundles everything together with additional security features like CrowdSec and GeoIP blocking.

# Clone my repository
git clone https://github.com/cvx10/pangolin.git
cd pangolin

# Configure your settings
cp config/config.yml.example config/config.yml
cp .env.example .env

# Start the stack
docker compose up -d

The stack includes Pangolin, Gerbil, Traefik, and CrowdSec for protection against malicious traffic. Check the repository README for detailed configuration instructions.

On your home server, you install Newt and register it with your Pangolin instance. I run Newt in a Debian LXC container on my Proxmox cluster - lightweight, easy to manage, and always running. Here’s the systemd service configuration:

# /etc/systemd/system/newt.service
[Unit]
Description=Pangolin Newt Client
After=network.target

[Service]
ExecStart=/usr/local/bin/newt --config /etc/newt/config.yaml
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Adding Services

In the Pangolin web UI, you create “resources” that map external URLs to internal services:

Pangolin handles HTTPS certificates automatically via Let’s Encrypt. No more certificate juggling.

Security Comparison

The difference in security posture is dramatic.

Before: Reverse Proxy

# Nmap scan of home IP
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https

Even with just two ports open, your home IP is exposed. Attackers can probe your reverse proxy looking for vulnerabilities, misconfigured services, or default credentials.

After: Pangolin

# Nmap scan of home IP
All 1000 scanned ports are in filtered states

Zero exposed ports. The only thing visible to the internet is my VPS running Pangolin, and that’s hardened with proper firewall rules, only exposing 80/443.

Additional Security Benefits

• Centralized authentication: Single sign-on for all services
• Role-based access control: Define who can access what
• Audit logs: See who accessed which service and when
• Optional 2FA: Add an extra layer of protection
• No exposed home IP: Your actual IP is hidden behind the VPS

What’s Next

There’s still more to explore with Pangolin. On my list:

• Blueprints: Declarative configuration for managing sites and resources as code. Instead of clicking through the UI, you define everything in YAML files - perfect for version control and reproducible setups.

Conclusion

Pangolin transformed how I expose my homelab services. No more reverse proxy on my home network with open ports, no more worrying about my home IP being probed by attackers.

Is it overkill for a homelab? Maybe. But the peace of mind knowing my home network has zero open ports? Priceless.

If you’re tired of maintaining a reverse proxy at home and want a more secure approach to self-hosting, give Pangolin a try. A cheap VPS and an hour of setup could save you a lot of security headaches.

Resources:

• My Pangolin Docker Compose Stack - includes CrowdSec and GeoIP
• Pangolin GitHub Repository
• Pangolin Documentation
• Choosing a VPS for Pangolin