Just getting started with self hosting. I was wondering if anyone had experience with Cloudflare Tunnels for exposing their services to the internet. I like the simplicity and security it offers but don’t love the idea of using Cloudflare. Like, I’m self hosting for a reason lol. Any tips would be greatly appreciated!
For context, I’m running all of my services in a very small k8s cluster and my priorities are mostly security then maintainability. Thanks yall!
I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?
Self-hosters aren’t lacking in tools to connect between a home server and some internet exposed server so they can tunnel from that public internet server back to their home server, they’re lacking in affordable options for the internet accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple Wireguard connection from your home server to a public VPS with a couple trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-ike permission-based routing software, but without the actual connections tools or hosting. That’s already available for free with Headscale, but Headscale also includes the connections part too. Am I missing something that would make Pangolin even equivalent, let alone better than, the free Headscale project?
Headscale is essentially a self-hosted, open-source alternative to Tailscale’s control server, enabling creation of a private WireGuard-based mesh VPN network. It lets you use Tailscale clients while running your own control server, focusing on secure device-to-device connections without exposing open ports. It requires a server with a public IP for the control server but does not natively manage reverse proxy or authentication for web services.
Pangolin is a more complete self-hosted solution built on WireGuard and Traefik, combining VPN tunneling with a modular reverse proxy and authentication management. It provides centralized management with role-based access control, 2-factor authentication, automated SSL via Let’s Encrypt, and can expose multiple private networks or services through secure tunnels without needing to open firewall ports. It includes a web UI and plugins for security features like WAF, API, and OAuth2/OIDC identity providers.