Notes on Deploying Pangolin on a VPS

May 1, 2025 english selfhosted
Share on:

This isn't a complete step-by-step guide, but rather some supplementary notes to complement Pangolin's excellent official documentation and Jims Garage's helpful video tutorial.

Pangolin is a reverse proxy that leverages WireGuard to securely expose and share services hosted on your local home network. Here's how it works:

  1. You deploy Pangolin on a remote machine—like a low-cost VPS.
  2. You point a custom domain (e.g., yourdomain.com) to this VPS.
  3. On your home server/lab, you run a Newt container, which establishes a secure WebSocket tunnel to Pangolin.

Once the tunnel is active, you can configure Pangolin to expose specific ports or services from your home network while adding authentication layers for security. The video above explains this far better than I can, so I highly recommend watching it!

After some research on Reddit, I settled on a cheap 1-core Ubuntu VM from Ionos.co.uk. Once I SSH'd into the machine, I ran Pangolin's auto-installer (as per their docs). The installer is incredibly convenient—it even installs Docker if it's missing. After installation, you should have 2-3 Docker containers running, and the Pangolin dashboard should be accessible. From there, you can start configuring your sites (remote machines) and resources (services to expose).

Important: Before proceeding, ensure your VPS firewall allows traffic on:

  • TCP ports 80 & 443 (HTTP/HTTPS)
  • UDP port 51820 (WireGuard)

Check Pangolin's networking documentation for details.

I registered a cheap domain (e.g., javapapo.tech) via Cloudflare. Following the docs, I set up two A records:

1A pangolin.javapapo.tech <YOUR_VPS_IP>
2A *.javapapo.tech <YOUR_VPS_IP>
text

If you have already completed the basic installation of pangolin then if you enter on your browser https://pangolin.javapapo.tech the login screen should come up.

Assuming:

  • Your domain correctly resolves to your VPS’s public IP.
  • Pangolin is installed and accessible.

The final step is running Newt as a Docker container on your home server. In Pangolin’s terminology:

  • A Site is a remote machine (your home server) connected via tunnel.
  • A Resource is a service (e.g., OpenWebUI, Jellyfin) exposed through Pangolin.

Pro Tip : Ensure your VPS firewall allows ICMP (ping) so Pangolin and Newt can communicate.

Once the tunnel is live, you can expose services by defining subdomains in Pangolin—not in Cloudflare. For example, to expose an OpenWebUI instance, you’d configure:

openwebui.javapapo.tech

And just like that, it resolves automatically!

Pangolin lets you add additional security layers to exposed services, such as:

  • Username/password
  • PIN-based authentication

For instance, if you enable PIN protection for openwebui.javapapo.tech, visitors will first need to enter a valid PIN before being redirected to the service’s login page.