Skip to content

pangolin

VPN & Tunnels

An open‑source, identity‑based remote access platform that combines WireGuard VPNs with reverse‑proxy capabilities to securely connect users to web apps or private resources across networks.

Track releases GitHub Website
TypeScript Latest 1.18.4 · 21d ago Security brief →

Features

  • Connect remote networks using site connectors with NAT traversal and outbound tunnels
  • Provide browser‑based reverse proxy access to web applications with built‑in authentication, routing, load balancing and automatic SSL
  • Enable client‑based private resource access (SSH, databases, RDP, etc.) via intelligent NAT traversal and DNS aliases

Recent releases

View all 15 releases →
Config change
1.18.4 Bug fix
Breaking upgrade Crypto / TLS

Email prefilling + domain selection

Open
1.18.3 New feature
⚠ Upgrade required
  • If Traefik's acme.json is not at the default mount point, update privateConfig.yml with the correct path.
  • Always back up app-data before updating to allow rollback if needed.
Notable features
  • Pagination added to user and role dropdowns for handling many entries
  • New `clear certificates` command in pangctl
  • Flattened data fields from the {{data}} object included in alert webhooks
Full changelog

What's Changed

  • Add pagination to user and role dropdown to handle many users and roles
  • Add link to http private resources on the member page
  • Add translations to the member page
  • Add clear certificates pangctl command
  • Add flattened data fields from the {{data}} object in alert webhooks
  • Add ENABLE_SQLITE_WAL_MODE env var to enable WAL mode for sqlite
  • Fix midnight time of day issue with status history display
  • Fix overlap alias addresses when creating more than one private resource in blueprints
  • Fix memory leak issue with sqlite and drizzle
  • Fix finding all json files when a directory is passed to acme_json_path
  • Fix make sure the domain is defined on a http resource when creating it
  • Fix alerting features and provisioning showing when disable_enterprise_features is set
  • Fix exclude local/private/CGNAT IPs from COUNTRY=ALL and ASN=ALL/AS0 geo-blocking rules
  • Enhance Helm install credentials and client flag handling
  • Small UI improvements
  • Small speed increases in a couple of places

New Contributors

  • @Blacks-Army made their first contribution in https://github.com/fosrl/pangolin/pull/2843
  • @Josh-Voyles made their first contribution in https://github.com/fosrl/pangolin/pull/2998

Full Changelog: https://github.com/fosrl/pangolin/compare/1.18.2...1.18.3

How to Update

For Pangolin Enterprise: the server now scrapes in the certificates from Treafik's acme.json file. On default installs, this should work out of the box importing from config/letsencrypt/acme.json which is mounted into the container. If your Traefik acme.json file is not mounted into this default location update the config in privateConfig.yml

[!IMPORTANT]
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

View release on GitHub
1.18.2 Bug fix
⚠ Upgrade required
  • If your Traefik acme.json file is not at the default location, update the path in privateConfig.yml.
  • Always back up config and app-data before updating.
Notable features
  • Customizable webhook body for alerts
  • Scrape multiple ACME JSON files via `acme_json_path` directory
  • Support scraping certificates from an HTTP endpoint using `acme_http_endpoint`
Full changelog

What's Changed

  • Fix status history and status of resources not updating in CE
  • Add support for customizing webhook body for alerts
  • Support scraping multiple acme json files if directory provided in acme_json_path
  • Support scraping in certificates from a HTTP endpoint using acme_http_endpoint
  • Various other bug fixes and improvements

Full Changelog: https://github.com/fosrl/pangolin/compare/1.18.1...1.18.2

How to Update

For Pangolin Enterprise: the server now scrapes in the certificates from Treafik's acme.json file. On default installs, this should work out of the box importing from config/letsencrypt/acme.json which is mounted into the container. If your Traefik acme.json file is not mounted into this default location update the config in privateConfig.yml

[!IMPORTANT]
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

View release on GitHub
1.18.1 New feature
Notable features
  • Certificate status display in public and private resources tables
  • Traefik acme.json certificate scraping
Full changelog

What's Changed

  • Add cert status in public resources table
  • Add cert status in private resources table
  • Fix handle backward compatible siteId in site-resource API calls
  • Fix handle sans in the acme.json
  • Fix cert status failed when no EE license is present
  • Fix migration to handle possible not null for TCP, UDP, and ICMP
  • Fix broken underlined font rendering in FireFox browsers
  • Fix migration to calculate actual resource status
  • Fix health check input to only allow Newt sites
  • Fix don't show site online status for local sites
  • Fix scrape certs from ALL resolvers
  • Other small visual fixes and improvements

Full Changelog: https://github.com/fosrl/pangolin/compare/1.18.0...1.18.1

How to Update

For Pangolin Enterprise: the server now scrapes in the certificates from Treafik's acme.json file. On default installs, this should work out of the box importing from config/letsencrypt/acme.json which is mounted into the container. If your Traefik acme.json file is not mounted into this default location update the config in privateConfig.yml

[!IMPORTANT]
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

View release on GitHub
1.18.0 New feature
Notable features
  • Automated alerting rules for site and resource status
  • Multi-site routing with HA and latency-based failover
  • HTTPS reverse proxy for private resources
Full changelog

Read the Announcement

Read the full announcement with discussion of new features: Pangolin 1.18 - HTTPS Private Resources, Multi-Site Routing, and Alerting

What's Changed

  • Add HTTPS reverse proxy support for private resources
  • Add high-availability and latency-based routing to private resources by defining more than one routing site
  • Add uptime tracking to sites and resources
  • Add arbitrary health checking (HTTP, TCP) that isn’t linked to a resource
  • Add alert rules to automate notifications (emails, webhooks, and other integrations) for site, resource, and health check status
  • Add support for wildcard resource *.my-resource.domain.com
  • Add import and share an organization-only identity provider across more than one organization
  • Add reject site to pending sites in site provisioning
  • General UI improvements
  • Various other bug fixes

New Contributors

  • @sidd190 made their first contribution in https://github.com/fosrl/pangolin/pull/2873

How to Update

[!IMPORTANT]
Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
20,961
Forks
698
Languages
TypeScript Go JavaScript
View on GitHub Homepage Documentation

Install & Platforms

Install via
binary docker
Platforms
linux macos windows arm64

Community & Support

Discord Slack

Similar tools

sshuttle
Gluetun VPN client
wg-easy
docker-wireguard
Innernet

Beta — feedback welcome: [email protected]