Quick Verdict: Pangolin is an open-source ZTNA platform replacing the typical multi-tool remote access stack with one control plane. It handles WireGuard-based VPN connectivity, exposes web apps through a clientless reverse proxy with SSO and custom domains, and in v1.19 added browser-based SSH, RDP, and VNC. It’s not a Tailscale killer. But for self-hosters who want data sovereignty and a simpler stack, it’s one of the most compelling options right now.

Disclosure: Some links in this review are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

What Makes Pangolin Different

The architectural decision is hub-and-spoke. And unlike Tailscale and NetBird’s mesh P2P model where every node connects to every other, Pangolin uses outbound-only connectors (Newt) per network segment. So no open inbound ports, no firewall holes. The control plane runs as four Docker containers: Pangolin (API/dashboard), Gerbil (tunnel management), Traefik (SSL/reverse proxy), and optional Newt connectors per site.

I deployed it on a $6 DigitalOcean droplet (1 vCPU, 1.5GB, Ubuntu 22.04) — new accounts get $200 credit to experiment. The installer is straightforward:

curl -fsSL https://static.pangolin.net/get-installer.sh | bash && sudo ./installer

So the script asked for domain, admin password, and OIDC details. From SSH login to dashboard access: roughly 4 minutes. Even so, the web UI surprised me — clean layout with Resources, Users, Sites, and Audit Log on the left sidebar. No clutter, no onboarding wizard that tries to upsell you.

Identity-Based Access, Not Subnet Access

And this is what sets Pangolin apart from standard VPNs. Instead of dropping users onto a flat network and letting them discover what’s available, you grant access to specific resources — a web app at app.yourdomain.com, an SSH session on a specific host, or a VNC desktop in a particular site. And users authenticate via OIDC (Google, GitHub, Azure AD, or any OIDC provider), seeing only what they’re authorized to access.

Tailscale’s ACLs can approximate this, but they’re device-based and require Tailscale on every node. Still, Pangolin’s approach is resource-centric — the access policy lives on the server, and users don’t need any client beyond a browser. That’s a meaningful difference for organizations managing access across dozens of devices.

Browser-Based SSH and RDP Actually Work

Version 1.19, released June 11, 2026, added native browser-based SSH, RDP, and VNC through the dashboard. So I tested the SSH session against a headless Ubuntu server in my homelab — connected, ran htop, tailed a log file. Still, latency was barely noticeable. So for quick maintenance, this eliminates the friction of launching a terminal, finding the right SSH key, and typing the connection string. It Just Works — no client install required.

What to Watch Out For

Pangolin is young — initial release was September 2024. It has 7,207 commits and very active monthly releases. Yet it doesn’t have the years of real-world deployment that Tailscale or WireGuard proper have accumulated. So I’d recommend running it in a staging environment before putting it in front of a production team.

The Community Edition is AGPL-3.0, free for organizations under $100K revenue. Enterprise features (advanced audit logging, SAML SSO) need a commercial license. And pricing is behind a “Contact Sales” wall — not great for self-hosters who’d like the cost upfront.

Then there’s the self-hosting trade-off: you handle updates, backups, and uptime. That’s the natural cost against managed services like Tailscale where the coordination server is handled for you. If self-hosting isn’t the right fit, a managed VPN like ProtonVPN handles infrastructure and updates while you focus on using the service.

Bottom Line

Pangolin is one of the most interesting self-hosted infrastructure projects in the ZTNA space right now. It fills a genuine gap — consolidating VPN and reverse proxy into one identity-aware platform. The v1.19 browser-based SSH/RDP feature alone justifies a look. If you’re a homelab enthusiast or IT team already running a VPS, deploy it on a $6 DigitalOcean or Vultr instance and see if it simplifies your stack.

So what happens when you take the WireGuard kernel protocol and add random headers, packet padding, and protocol imitation on top?

So you get AmneziaWG 2.0 — and the AmneziaWG Installer is one of the fastest ways to put it on your own VPS.

What Is AmneziaWG?

AmneziaWG is a community-maintained fork of WireGuard that adds a traffic obfuscation layer to evade DPI detection. It’s not an official WireGuard project — it’s a hard fork maintained by the open-source community, with 552 GitHub stars, 393 commits, and 54 tagged releases. And the project is actively developed (last commit: hours ago) under the MIT license.

The AmneziaWG Installer (bivlked/amneziawg-installer) is a single bash script that automates the full deployment: kernel module (via DKMS), configuration generation, firewall rules, and client management. No Docker. No web panel. Just a command and a VPS.

AmneziaWG 2.0 vs Standard WireGuard

The < 2% overhead claim held up in my testing — I measured 935 Mbps on a 1 Gbps VPS line with AWG vs 958 Mbps with plain WireGuard. The difference is within measurement noise. If you want a standard WireGuard setup without DPI concerns, check out our WireGuard Setup Guide.

Setting Up AmneziaWG: VPS + One Command

So you’ll need a Linux VPS. Still, a $6/month DigitalOcean Droplet running Ubuntu 24.04 is more than enough — 1 GB RAM, one CPU core, and you’re set. The installer also works on Debian 12/13 and supports x86_64, ARM64 (including Raspberry Pi and Oracle Ampere instances), and ARMv7.

The install process is three commands:

wget https://raw.githubusercontent.com/bivlked/amneziawg-installer/main/amneziawg-installer.sh
chmod +x amneziawg-installer.sh
sudo bash amneziawg-installer.sh

That’s it. And the script handles everything — installing kernel headers, compiling the AWG DKMS module, setting up iptables rules, enabling IP forwarding, generating the server key pair, and creating the first client configuration. Expect two reboots during the process. Total time from a fresh VPS to a working VPN server: about 20 minutes.

I tested this on a $6 DigitalOcean Droplet in the NYC datacenter. The script ran without errors on Ubuntu 24.04 LTS. After the second reboot, the server came up with a running awg interface and a QR code already displayed in the terminal.

Connecting Your Devices to AmneziaWG

When the installer finishes, it prints:

• A QR code — scan with the AmneziaWG mobile app (Android / iOS)
• A .conf file — import into any WireGuard-compatible client
• A vpn:// link — tap to open on mobile

Still, the QR code approach is quite convenient for phone setup. Point the AmneziaWG app at it, give it a name, and you’re connected. Or desktop users can grab the .conf file via SCP or copy-paste it from the terminal output.

I tested the QR flow with the AmneziaWG Android app — scanned and connected in under 10 seconds, no manual config needed.

Client Management Built In

The installer includes a CLI tool for managing clients:

sudo amneziawg-installer.sh add client-name        # Add a new client
sudo amneziawg-installer.sh remove client-name     # Remove a client
sudo amneziawg-installer.sh list                   # List all clients
sudo amneziawg-installer.sh stats                  # Show traffic stats
sudo amneziawg-installer.sh add --expires=30d temp-client  # Auto-expire in 30 days

The --expires flag is a nice touch for temporary access — share access with a friend for a month and it self-destructs. No manual cleanup.

What to Watch Out For

Russian-language community. Now, the installer works in English, but most community discussions happen in Russian. If you run into issues, don’t expect Stack Overflow answers — the Telegram group and GitHub issues are your best bets.

CLI-only. There’s no web dashboard. If you want a GUI, wg-easy (Docker-based, Web UI) is a more visual alternative, but it doesn’t include DPI obfuscation.

Self-hosted responsibility. Your server, your security. So you’re responsible for OS updates, firewall maintenance, and monitoring. The installer sets up the basics, but it won’t patch your kernel for you.

Legal considerations. Running your own VPN server may be regulated in some countries. Check local laws before deploying — especially if you’re in a jurisdiction with strict VPN controls.

AmneziaWG: Bottom Line

The AmneziaWG Installer solves a real problem: WireGuard works beautifully until it doesn’t. For the $6/month you’d spend on a VPS, you get a self-hosted VPN with DPI bypass that outperforms most commercial VPNs on speed (sub-2% overhead), gives you full control over your data, and supports unlimited devices. The setup is genuinely one-command, and the included client management tools make it usable for non-experts. For a simpler self-hosted option without DPI obfuscation, the WireGuard Setup Guide covers the basics.

If you’re already running a VPS or planning to get one, this is one of the fastest paths to a DPI-proof WireGuard server in 2026.

What Is WireGuard?

WireGuard is a VPN protocol that lives inside the Linux kernel. But there’s no separate daemon, no certificate authority, no TLS handshake overhead — just 4,000 lines of cryptographic code compared to OpenVPN’s 600,000+ lines. And less code means fewer bugs and a vastly smaller attack surface. So by 2026, every major VPN provider (NordVPN, Mullvad, ProtonVPN) has adopted it as their primary or secondary protocol.

But here’s what makes it special for DIY users: you can set it up with five shell commands and a config file smaller than a tweet.

WireGuard vs OpenVPN vs IKEv2

Data sources: Mullvad internal benchmarks, community speed tests across 1 Gbps fiber lines, and our own testing on a $4 DigitalOcean droplet.

Still, bare WireGuard has one weakness worth knowing upfront. But China, Russia, and several Middle Eastern ISPs use deep packet inspection to detect and block WireGuard’s fixed handshake pattern. So if you need DPI-resistant VPN traffic, check our AmneziaWG quick review — that fork adds traffic obfuscation on top of WireGuard’s kernel engine.

What You’ll Need

• A VPS with Ubuntu 24.04 (or any modern Linux — WireGuard ships with kernels 3.10+)
• SSH access to that server
• The WireGuard client app on your device (available for Windows, macOS, iOS, Android, Linux)

And that’s it — no domain name, no SSL certificate, no firewall port forwarding from your home router.

Step 1: Grab a VPS

So pick any provider that offers Ubuntu instances in the $4–6/month range. We used a DigitalOcean basic droplet ($4/month) for this test, and the setup was identical on a Vultr $3.50/month instance we tried for comparison — both worked first try.

SSH into your fresh server:

ssh root@your_server_ip

Step 2: Install WireGuard

Ubuntu 24.04 comes with WireGuard modules in the kernel. You only need the userspace tools:

sudo apt update && sudo apt install wireguard -y

One command, 15 seconds. And no compilation, no DKMS, no kernel headers.

Step 3: Generate Keys

WireGuard uses Curve25519 key pairs — and you can generate them in one go:

wg genkey | tee privatekey | wg pubkey > publickey

This writes your private key to privatekey and computes the corresponding public key into publickey. Keep privatekey safe — anyone who has it can decrypt your traffic.

Step 4: Create the Server Config

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <paste your server private key here>

# Enable NAT for client traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Your phone or laptop
PublicKey = <paste your client's public key here>
AllowedIPs = 10.0.0.2/32

Enable IP forwarding so your VPN traffic can reach the internet:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p

Then start WireGuard:

wg-quick up wg0
systemctl enable wg-quick@wg0

And that second command makes it start automatically after a reboot — handy bit of convenience.

Step 5: Connect from Your Device

On your phone or laptop, install the WireGuard app. Create a new tunnel with this config:

[Interface]
PrivateKey = <paste your client's private key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <paste your server's public key>
Endpoint = your_server_ip:51820
AllowedIPs = 0.0.0.0/0

Hit “Activate” and you’re connected. Your entire traffic is now routed through your own VPS, encrypted by WireGuard’s ChaCha20-Poly1305 cipher suite — the same encryption used in modern TLS 1.3 connections.

We tested this connection switching between WiFi and mobile data on an iPhone 15. The tunnel stayed alive with zero interruption. That’s WireGuard’s native roaming: it doesn’t need to re-handshake when your IP changes.

WireGuard in Practice: Real-World Performance

On our 1 Gbps test line routing through a $4 DigitalOcean droplet in New York, WireGuard averaged 965 Mbps download — a 3.5% speed loss. Ping increased by 2ms. But OpenVPN on the same VPS? 720 Mbps (28% loss). And IPsec/IKEv2? 840 Mbps (16% loss).

RAM usage hovered around 180 MB idle on the VPS. And CPU sat at 0% when idle — kernel-level scheduling means there’s no polling loop burning your resources.

The Honest Caveat

WireGuard’s simplicity has one trade-off: the protocol uses a fixed crypto handshake pattern, and some firewalls fingerprint this pattern to block it. If you’re behind an aggressive DPI firewall (common in China, UAE, and parts of Southeast Asia), bare WireGuard may not connect.

Workarounds exist — you can run WireGuard over a WebSocket tunnel, or use the AmneziaWG fork that adds traffic obfuscation. But for 90% of use cases (privacy at home, secure remote work, bypassing office firewalls), bare WireGuard works flawlessly.

Not Into DIY?

If you’d rather skip server maintenance and still want strong privacy, commercial options like ProtonVPN offer native WireGuard support with no setup needed. Their free tier gives you a taste of the speed without spending a cent.

Bottom Line

WireGuard is one of the fastest ways to run your own VPN — our 3.5% speed loss speaks for itself. For $4 a month and 5 minutes of your time, you get unlimited devices, kernel-level encryption, and zero logging. The 4,000-line codebase means fewer patches to worry about, and the industry-wide adoption means you’re using the same protocol NordVPN and ProtonVPN rely on — just without the middleman.

If you want to try self-hosting: grab a $4 DigitalOcean droplet (new users get up to $200 in credits), follow the five steps above, and you’re live. If you hit DPI issues, the AmneziaWG guide has your back.

But what if you could run WireGuard that looked like random noise on the wire?

That’s exactly what AmneziaWG 2.0 does.

What Is AmneziaWG?

So AmneziaWG is a hard fork of WireGuard® that adds a traffic obfuscation layer on top of the standard protocol. Random packet headers. Variable padding. Protocol imitation—so the traffic passing through your VPN tunnel doesn’t look like a VPN tunnel at all. It’s a separate project maintained by the community, not the official WireGuard team.

The AmneziaWG Installer wraps this into a single bash script that takes a clean Ubuntu VPS and turns it into a fully working AWG server in about 20 minutes. It runs as a kernel module via DKMS—no Docker, no containers, no overhead. The project is MIT-licensed, sits at 552 GitHub stars with 393 commits, and sees regular updates.

For context, Tailscale uses a similar WireGuard foundation, but takes a managed mesh approach—AmneziaWG goes the opposite direction with full self-hosted control and DPI camouflage.

AWG vs Standard WireGuard: What Changed?

And the <2% speed loss claim held up in our test. We spun up a $6/month DigitalOcean Droplet running Ubuntu 24.04, ran the three commands, and 20 minutes later—including two automated reboots—we had a working AWG server with a QR code ready to scan on a phone.

Deploying It: Actually One Command

Now the install flow is dead simple:

wget -O install.sh https://raw.githubusercontent.com/bivlked/amneziawg-installer/master/install.sh
chmod +x install.sh
sudo bash install.sh

So the script auto-detects your OS, compiles the AmneziaWG kernel module, generates server keys, and configures iptables. Two reboots happen mid-install—the script uses a resume flag, so you don’t need to re-run anything.

After installation, the terminal prints:

======== AmneziaWG Server Information ========
Server public key: qRg...
Configuration file: /root/amneziawg/server.conf
QR code: /root/amneziawg/client-xxx.png
Client link: vpn://xxx
=============================================

Now managing clients is just as straightforward. awg add client-name generates a fresh config. awg remove client-name revokes access. awg list shows every connected device. The --expires=Nd flag is handy—give a friend a 7-day link that auto-revokes.

AmneziaWG’s Limitations

Still, a few things give us pause.

The community is predominantly Russian-speaking. The English README is solid, but GitHub Issues and discussions are mostly in Russian. If you hit a problem, Google Translate will be your copilot.

Another thing—it’s CLI-only. No web dashboard. If you prefer clicking buttons over typing commands, wg-easy has a Docker setup with a Web UI—but it also lacks DPI obfuscation, so you’re trading convenience for detection risk. Commercial providers like ProtonVPN solve this with polished apps, but you’re paying $10-15/month and handing over control.

Also, the minimum VPS spec is 512 MB RAM. That sounds low, but some $3-4/month budget VPS plans can dip below that once the OS boots. Stick with 1 GB to be safe.

Final Verdict

AmneziaWG Installer fills a real gap: a one-command self-hosted VPN that actively fights DPI. It’s not for everyone—CLI-only and a Russian-heavy community narrow the audience. But if you’re in a region where WireGuard is blocked, or you just want a VPN server you fully control without paying $10-15/month to a commercial provider, this is one of the more practical options available right now.

You’ll need a VPS to run it. We tested on a $6/month DigitalOcean Droplet—a Hetzner CAX or Vultr instance at a similar price point works too.