Pangolin: Self-Host Your Services Securely

Deploy Pangolin on Debian or Portainer, enable encrypted tunnels, and expose internal apps safely with Traefik & WireGuard. This guide adds requirements, hardening, monitoring, backups, and troubleshooting.

Why Choose Pangolin?

  • Secure by design with WireGuard tunnels (Gerbil/Newt) + TLS via Traefik.
  • Fast install: one-command installer or Docker Compose / Portainer Stacks.
  • Granular access via policies for HTTP/HTTPS/TCP/UDP resources.
  • Self-hosted control — your data stays on your server.

System Requirements

  • Debian 11/12 (root/sudo), 2 vCPU+, 2–4 GB RAM, 20 GB+ disk.
  • Public IP with DNS (subdomain for dashboard).
  • Open ports: 80/tcp, 443/tcp, 51820/udp, 21820/udp.

Quick Install (Debian)

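# The docker-ce packages come from Docker's apt repository, not Debian's default repos; add that repository first
sudo apt update && sudo apt -y upgrade
sudo apt -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Fetch the Pangolin installer, then run it
curl -fsSL https://digpangolin.com/get-installer.sh | bash
sudo ./installer   # then follow prompts and open: https://<dashboard-domain>/auth/initial-setup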

Portainer (Web UI) Deployment

  1. Stacks → Add stack → paste Pangolin docker-compose → Deploy.
  2. Wait until the containers are healthy → open http://<SERVER_IP>:3002/auth/initial-setup.
  3. Complete admin onboarding; create first organization.

Connect Private Services (Newt)

Create a Site (Newt Tunnel) in the dashboard, copy Endpoint/ID/Secret, then run Newt on the host that can reach your app:

services:
  newt:
    image: fosrl/newt:latest
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.example.com
      - NEWT_ID=xxxxxxxx
      - NEWT_SECRET=yyyyyyyy
    network_mode: host
# Start it with: docker compose up -d

Security Hardening

  • Use strong admin passwords + enforce 2FA if available.
  • Restrict dashboard access by IP (Traefik middleware) or VPN-only.
  • Rotate Newt secrets and revoke unused Sites regularly.
  • Keep Docker images updated; enable automatic security updates on Debian.

Monitoring & Updates

  • Watch container healthchecks and logs (Portainer → Containers → Logs).
  • Recreate with image re-pull for upgrades; schedule monthly updates.
  • Track certificate renewal (Let’s Encrypt) and DNS validity.

Backups & Restore

  • Back up ~/pangolin/config (including Traefik & any DB/config files).
  • Snapshot the server or keep offsite copies (e.g., rclone to S3/Drive).
  • Document your compose/env values for quick redeploy.

Common Mistakes

  • Forgetting UDP ports 51820/21820 → tunnels won’t connect.
  • Wrong dashboard domain → Let’s Encrypt can’t issue certs.
  • Healthcheck fails on first boot → increase the startup time, or redeploy and then re-enable checks.
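
To catch the first mistake above before tunnels fail, this added example (not part of the original guide or of Pangolin) reads `ss -H -tuln` output and lists which of the four ports from System Requirements have no non-loopback listener. The sample `ss` output is constructed, and `missing_ports` is a name chosen here.

```shell
#!/bin/sh
# Added example: report which of the guide's required ports have no listener.
# Required proto/port pairs, taken from the System Requirements list.
REQUIRED="tcp/80 tcp/443 udp/51820 udp/21820"

# Constructed sample of `ss -H -tuln` output (not captured from a real host):
# 80/tcp, 443/tcp and 51820/udp are bound, 21820/udp is not.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:8443       0.0.0.0:*
tcp   LISTEN 0      4096            [::]:443           [::]:*'

# missing_ports: read `ss -H -tuln` output on stdin and print every required
# proto/port that has no non-loopback listener, one per line.
missing_ports() {
  listeners=$(awk '
    {
      proto = $1                      # Netid column: tcp or udp
      local_addr = $5                 # Local Address:Port column
      n = split(local_addr, parts, ":")
      port = parts[n]                 # last ":"-separated piece is the port
      addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
      # Loopback-only sockets cannot be reached from outside the host.
      if (addr ~ /^127\./ || addr == "[::1]") next
      print proto "/" port
    }' | sort -u)
  for want in $REQUIRED; do
    printf '%s\n' "$listeners" | grep -qxF "$want" || echo "$want"
  done
}

# Demo on the constructed sample. On a live host: ss -H -tuln | missing_ports
printf '%s\n' "$SAMPLE_SS" | missing_ports   # prints: udp/21820
```

A bound port can still be blocked by a host or cloud firewall, so check those rules for 51820/udp and 21820/udp as well.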

FAQ

Do I need a domain?

Yes — required for HTTPS certificates and a stable dashboard URL.

Can I run without Docker?

Possible, but Docker/Compose (or installer) is the simplest supported path.

What traffic types are supported?

HTTP/HTTPS, TCP, and UDP resources can be tunneled and policy-controlled.

Where’s the setup page?

https://<dashboard-domain>/auth/initial-setup or for a quick test http://<IP>:3002/auth/initial-setup.

✅ Self-host with security and control. Keep the required ports open, update images, and back up configs for reliable operations.

About the author : Moreslot