Quick Verdict: Pangolin is an open-source ZTNA platform replacing the typical multi-tool remote access stack with one control plane. It handles WireGuard-based VPN connectivity, exposes web apps through a clientless reverse proxy with SSO and custom domains, and in v1.19 added browser-based SSH, RDP, and VNC. It’s not a Tailscale killer. But for self-hosters who want data sovereignty and a simpler stack, it’s one of the most compelling options right now.

Disclosure: Some links in this review are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

What Makes Pangolin Different

The architectural decision is hub-and-spoke. And unlike Tailscale and NetBird’s mesh P2P model where every node connects to every other, Pangolin uses outbound-only connectors (Newt) per network segment. So no open inbound ports, no firewall holes. The control plane runs as four Docker containers: Pangolin (API/dashboard), Gerbil (tunnel management), Traefik (SSL/reverse proxy), and optional Newt connectors per site.

I deployed it on a $6 DigitalOcean droplet (1 vCPU, 1.5GB, Ubuntu 22.04) — new accounts get $200 credit to experiment. The installer is straightforward:

curl -fsSL https://static.pangolin.net/get-installer.sh | bash && sudo ./installer

So the script asked for domain, admin password, and OIDC details. From SSH login to dashboard access: roughly 4 minutes. Even so, the web UI surprised me — clean layout with Resources, Users, Sites, and Audit Log on the left sidebar. No clutter, no onboarding wizard that tries to upsell you.

Identity-Based Access, Not Subnet Access

And this is what sets Pangolin apart from standard VPNs. Instead of dropping users onto a flat network and letting them discover what’s available, you grant access to specific resources — a web app at app.yourdomain.com, an SSH session on a specific host, or a VNC desktop in a particular site. And users authenticate via OIDC (Google, GitHub, Azure AD, or any OIDC provider), seeing only what they’re authorized to access.

Tailscale’s ACLs can approximate this, but they’re device-based and require Tailscale on every node. Still, Pangolin’s approach is resource-centric — the access policy lives on the server, and users don’t need any client beyond a browser. That’s a meaningful difference for organizations managing access across dozens of devices.

Browser-Based SSH and RDP Actually Work

Version 1.19, released June 11, 2026, added native browser-based SSH, RDP, and VNC through the dashboard. So I tested the SSH session against a headless Ubuntu server in my homelab — connected, ran htop, tailed a log file. Still, latency was barely noticeable. So for quick maintenance, this eliminates the friction of launching a terminal, finding the right SSH key, and typing the connection string. It Just Works — no client install required.

What to Watch Out For

Pangolin is young — initial release was September 2024. It has 7,207 commits and very active monthly releases. Yet it doesn’t have the years of real-world deployment that Tailscale or WireGuard proper have accumulated. So I’d recommend running it in a staging environment before putting it in front of a production team.

The Community Edition is AGPL-3.0, free for organizations under $100K revenue. Enterprise features (advanced audit logging, SAML SSO) need a commercial license. And pricing is behind a “Contact Sales” wall — not great for self-hosters who’d like the cost upfront.

Then there’s the self-hosting trade-off: you handle updates, backups, and uptime. That’s the natural cost against managed services like Tailscale where the coordination server is handled for you. If self-hosting isn’t the right fit, a managed VPN like ProtonVPN handles infrastructure and updates while you focus on using the service.

Bottom Line

Pangolin is one of the most interesting self-hosted infrastructure projects in the ZTNA space right now. It fills a genuine gap — consolidating VPN and reverse proxy into one identity-aware platform. The v1.19 browser-based SSH/RDP feature alone justifies a look. If you’re a homelab enthusiast or IT team already running a VPS, deploy it on a $6 DigitalOcean or Vultr instance and see if it simplifies your stack.