
Pangolin: Self-Host Your Services Securely
Deploy Pangolin on Debian or Portainer, enable encrypted tunnels, and expose internal apps safely with Traefik & WireGuard. This guide adds requirements, hardening, monitoring, backups, and troubleshooting.
Why Choose Pangolin?
- Secure by design with WireGuard tunnels (Gerbil/Newt) + TLS via Traefik.
- Fast install: one-command installer or Docker Compose / Portainer Stacks.
- Granular access via policies for HTTP/HTTPS/TCP/UDP resources.
- Self-hosted control — your data stays on your server.
System Requirements
- Debian 11/12 (root/sudo), 2 vCPU+, 2–4 GB RAM, 20 GB+ disk.
- Public IP with DNS (subdomain for dashboard).
- Open ports: 80/tcp, 443/tcp, 51820/udp, 21820/udp.
Quick Install (Debian)
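sudo apt update && sudo apt -y upgrade
# docker-ce and the compose plugin come from Docker's apt repository; add that repository before this step
sudo apt -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin
# fetches ./installer into the current directory
curl -fsSL https://digpangolin.com/get-installer.sh | bash
sudo ./installer # then follow prompts and open: https://<dashboard-domain>/auth/initial-setup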
Portainer (Web UI) Deployment
- Stacks → Add stack → paste Pangolin docker-compose → Deploy.
- Wait for containers healthy → open http://<SERVER_IP>:3002/auth/initial-setup.
- Complete admin onboarding; create first organization.
Connect Private Services (Newt)
Create a Site (Newt Tunnel) in the dashboard, copy Endpoint/ID/Secret, then run Newt on the host that can reach your app:
services:
  newt:
    image: fosrl/newt:latest
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.example.com
      - NEWT_ID=xxxxxxxx
      - NEWT_SECRET=yyyyyyyy
    network_mode: host
# docker compose up -d
Security Hardening
- Use strong admin passwords + enforce 2FA if available.
- Restrict dashboard access by IP (Traefik middleware) or VPN-only.
- Rotate Newt secrets and revoke unused Sites regularly.
- Keep Docker images updated; enable automatic security updates on Debian.
Monitoring & Updates
- Watch container healthchecks and logs (Portainer → Containers → Logs).
- Recreate with image re-pull for upgrades; schedule monthly updates.
- Track certificate renewal (Let’s Encrypt) and DNS validity.
Backups & Restore
- Back up ~/pangolin/config (including Traefik & any DB/config files).
- Snapshot the server or keep offsite copies (e.g., rclone to S3/Drive).
- Document your compose/env values for quick redeploy.
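A backup is only useful if it restores, so the sketch below archives the config directory and then proves the archive unpacks to identical content. It is an added example, not part of Pangolin or its installer; the function names, archive naming and sample files are hypothetical, and it assumes the directory holds keys or secrets that should stay owner-readable only.

```shell
#!/usr/bin/env bash
# Added example: back up a Pangolin config directory and prove the backup restores.
# Pass absolute paths. Stop the stack first if a database file is being written.
set -eu

# backup_config SRC_DIR DEST_DIR: writes a timestamped tar.gz plus a .sha256
# file into DEST_DIR and prints the archive path.
backup_config() {
  local src="$1" dest="$2" name archive
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  name="pangolin-config-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  archive="$dest/$name"
  (
    # Assumption: the config holds keys or secrets, so create everything owner-only.
    umask 077
    mkdir -p "$dest" &&
      tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" &&
      cd "$dest" && sha256sum "$name" > "$name.sha256"
  ) || return 1
  echo "$archive"
}

# verify_backup ARCHIVE SRC_DIR: returns 0 only if the checksum matches and a
# test restore into a scratch directory is identical to SRC_DIR.
verify_backup() {
  local archive="$1" src="$2" tmp rc=0
  ( cd "$(dirname "$archive")" &&
    sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
  tmp="$(mktemp -d)" || return 1
  tar -C "$tmp" -xzf "$archive" &&
    diff -r "$src" "$tmp/$(basename "$src")" >/dev/null || rc=1
  rm -rf "$tmp"
  return "$rc"
}

# Demo on constructed files standing in for ~/pangolin/config.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/config/traefik"
echo "constructed sample" > "$demo_root/config/sample.conf"
echo "constructed sample" > "$demo_root/config/traefik/sample.yml"
archive="$(backup_config "$demo_root/config" "$demo_root/backups")"
verify_backup "$archive" "$demo_root/config" && echo "verified: $archive"
```

A checksum stored next to the archive catches corruption, not deliberate tampering; keep a copy of the `.sha256` file somewhere the backup host cannot write.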
Common Mistakes
- Forgetting UDP ports 51820/21820 → tunnels won’t connect.
- Wrong dashboard domain → Let’s Encrypt can’t issue certs.
- Healthcheck fails on first boot → increase startup time or redeploy then re-enable checks.
FAQ
Do I need a domain?
Yes — required for HTTPS certificates and a stable dashboard URL.
Can I run without Docker?
Possible, but Docker/Compose (or installer) is the simplest supported path.
What traffic types are supported?
HTTP/HTTPS, TCP, and UDP resources can be tunneled and policy-controlled.
Where’s the setup page?
https://<dashboard-domain>/auth/initial-setup or, for a quick test, http://<IP>:3002/auth/initial-setup.