Pangolin offers browser zero-trust access
- Pangolin, an open-source remote-access platform from Fossorial, is getting fresh attention for turning internal apps, SSH, RDP, and databases into zero-trust resources.
- The telling detail is the architecture: WireGuard tunnels, browser access for web apps, and NAT traversal that works without public IPs or opening ports.
- That matters because teams want VPN replacement tools that limit lateral movement instead of dropping users onto a whole private network.

Remote access software is one of those boring categories that suddenly matters when it breaks. The old model was simple — connect to a VPN, land inside the network, and trust that the user should be there. But that model also gives attackers room to move sideways once they get in. Pangolin is part of the newer wave trying to fix that, and it’s getting attention because it packages a lot of zero-trust ideas into something self-hostable and open-source.

### What is Pangolin, exactly?

Pangolin is a remote-access platform from Fossorial that mixes two things teams usually buy separately — a reverse proxy for web apps and a VPN-style tunnel for everything else. The project is open-source, built on WireGuard, and offered in cloud, community, and enterprise versions. In plain English, it tries to give users access to specific apps and services instead of dumping them onto the whole network. (github.com)

### Why is “browser access” the interesting part?

Because a lot of internal tools are just web apps. Pangolin lets admins publish those through an identity-aware proxy so users can open them in a browser, authenticate, and get routed to the app without installing a client first. That sounds small, but it changes the experience from “join the network” to “open the thing you actually need.” Pangolin also handles SSL, routing, load balancing, and health checks around that path. (github.com)

### What about SSH, RDP, and databases?

That’s the other half of the pitch. For non-browser resources — SSH servers, RDP targets, databases, and even whole network ranges — Pangolin uses client-based access over WireGuard-backed tunnels. So it is not just a pretty web launcher. It’s trying to cover the annoying real-world mix of dashboards in a browser and infrastructure tools that still need native protocols. (github.com)

### Why does NAT traversal matter so much?

Because most private infrastructure sits behind firewalls, carrier-grade NAT, or home-office routers that you do not want to punch holes through. Pangolin’s “sites” use outbound tunnels and NAT traversal so networks behind restrictive firewalls can still be reached by authorized users without public IPs or inbound port forwarding. Basically, it is aiming to remove the classic homelab and branch-office mess of dynamic DNS, open ports, and hand-built tunnel glue. (github.com)

### Where does the zero-trust part show up?

In the access model. Pangolin frames resources around identity, context, and granular controls rather than broad network admission. The company’s own pitch is that identity and context get checked at every step, with role-based access layered on top. That does not magically make every deployment secure, but it does line up with the bigger industry move away from “VPN equals trusted.” (github.com)

### Is this a brand-new launch?

No — the project has been around for a while, and the latest public release listed on GitHub is version 1.18.3, updated within the last few days. The repo is active, the docs are live, and the GitHub project has crossed roughly 20k stars, which helps explain why it is surfacing more often in security and homelab circles now.

### So is Pangolin really a VPN replacement?

Sort of — but that framing is a little too neat. (pangolin.net) Pangolin still uses tunnels, and some use cases still look VPN-like. The real difference is scope. A traditional VPN usually grants network presence first and asks finer-grained questions later. Pangolin tries to flip that around so the user gets only the app, host, or service they’re meant to reach.

### Bottom line?

Pangolin is interesting because it compresses a modern remote-access stack into one open-source system — browser access for web apps, client access for private protocols, and NAT-friendly tunnels underneath. (github.com) The pitch is not just convenience. It’s reducing the blast radius that old-school VPN access tends to create. (github.com)