Pangolin

Simple identity-based VPN & remote access platform

2026-02-03

Product Introduction

  1. Definition: Pangolin is an open-source, identity-based remote access platform in the VPN/proxy alternative category. Built on WireGuard, it enables granular, secure connectivity to private networks, cloud infrastructure (AWS VPC), and edge devices without traditional VPN limitations.
  2. Core Value Proposition: It eliminates network complexity by granting role-based access to specific resources (applications, servers, APIs) via WireGuard tunnels, prioritizing zero-trust security, NAT traversal, and unified management.

Main Features

  1. Identity-Based Access Control:

    • How it works: Integrates SSO, OIDC, PIN authentication, and temporary share links to enforce context-aware rules. Grants/denies access based on user identity, group membership, geolocation, and IP whitelisting.
    • Technologies: WireGuard encryption, OAuth 2.0, and real-time access logs for auditing (e.g., blocked unauthorized API attempts).
  2. WireGuard-Optimized Performance:

    • How it works: Routes traffic through lightweight WireGuard tunnels, achieving high throughput (e.g., 244.4 Mbps↓/189.5 Mbps↑ on AWS VPC). Automated NAT traversal ensures reliable P2P connections.
    • Technologies: Kernel-level WireGuard implementation, UDP hole punching, and dynamic routing.
  3. Unified Application Dashboard:

    • How it works: Centralizes management of distributed resources (e.g., Bitwarden, Grafana, microservices) across hybrid environments. Enables one-click SSL termination, status monitoring, and access policy configuration.
    • Technologies: TLS/SSL termination, REST API integrations, and live connectivity status tracking.

Problems Solved

  1. Pain Point: Replaces complex VPN setups and fragmented access controls with identity-based granularity, reducing lateral movement risks and configuration overhead.
  2. Target Audience:
    • DevOps engineers managing cloud (AWS VPC) and on-prem infrastructure.
    • IT administrators enforcing Zero Trust policies for remote teams.
    • Security teams requiring SSO/OIDC integration and geo-blocking.
  3. Use Cases:
    • Secure developer access to Kubernetes clusters or internal tools like Grafana.
    • Temporary contractor access via share links to specific apps.
    • IoT device management (e.g., field cameras) with IP whitelisting.

Unique Advantages

  1. Differentiation vs. Competitors:
    • Unlike Tailscale, Pangolin emphasizes enterprise features (SSO enforcement, geoblocking) and self-hosting via AGPLv3 licensing. It also provides a unified dashboard for multi-network management, whereas Tailscale focuses on mesh networking.
  2. Key Innovation:
    Combines WireGuard’s speed with identity-aware routing, enabling resource-specific access (not entire network exposure) and automated NAT traversal for edge devices.

Frequently Asked Questions (FAQ)

  1. How does Pangolin handle NAT traversal for remote devices?
    Pangolin automates NAT traversal using WireGuard’s UDP hole-punching, enabling direct P2P connections between firewalled devices (e.g., edge cameras) without manual port forwarding.
  2. Can Pangolin integrate with existing SSO providers like Okta or Azure AD?
    Yes, Pangolin supports SSO and OIDC for authentication, allowing granular access rules synced with identity providers like Azure AD, Okta, or Google Workspace.
  3. Is Pangolin suitable for high-traffic enterprise environments?
    Absolutely. Benchmarks show 244+ Mbps throughput on AWS VPC, and its WireGuard foundation ensures low latency for data-intensive applications like video streaming or large file transfers.
  4. What distinguishes Pangolin’s open-source edition from its cloud offering?
    The self-hosted Community Edition (AGPLv3) provides full data sovereignty and infrastructure control, while the cloud version includes managed support and automated updates.
