Pangolin Self-Hosted Reverse Proxy Service: Difference between revisions

Pangolin Self-Hosted Reverse Proxy Service
Basic Information
Release Year
Product Type
In Production	Yes
Official Website	https://pangolin.net/

← Older edit

VisualWikitext

Latest revision as of 00:22, 13 June 2026

An introductory paragraph starting with "Pangolin Self-Hosted Reverse Proxy Service is a ...^[1]". When writing the article, insert text in the space below this box, and then delete this tip box (and the other tip boxes below). In the visual editor, just click on a box and press backspace to delete it. In the source editor, simply delete the double curly brackets, and the text inside them.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

Consumer-impact summary

Overview of concerns that arise from the conduct towards users of the product (if applicable):

User freedom
User privacy
Business model
Market control

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

Pangolin is a self-hosted open-source reverse proxy and identity-aware tunneling platform. While the core project remains GPL-licensed and self-hostable, recent releases introduce a consistent pattern where major new features are delivered in Enterprise or Cloud tiers rather than the Community Edition. This has resulted in a widening gap between the self-hosted version and paid deployments, particularly in identity management, infrastructure tooling, and remote access capabilities.

Feature gating by release (CE vs Enterprise divergence)

Release	Feature Area	Community Edition (Self-Hosted)	Enterprise / Cloud Edition	Source
1.19.0	Enterprise-gated remote access	Standard client-based access only (Requires local client software)	Browser-based SSH Browser-based RDP Browser-based VNC	https://github.com/fosrl/pangolin/releases/tag/1.19.0
1.18.0	Infrastructure platform features	Standard single-site routing Exact-match resources only Basic standard logging	Multi-site routing Wildcard resources System monitoring Audit logging	https://github.com/fosrl/pangolin/releases/tag/1.18.0
1.17.0	RBAC and access control scaling	Single role per user Basic identity provider mapping	Multiple roles per user (Multi-role RBAC) Advanced identity provider mapping Tier-based access separation	https://github.com/fosrl/pangolin/releases/tag/1.17.0
1.13.0	Identity and network model expansion	Standard tunneling only No private resources No device-based access policies	Private resources integration Device-based access model	https://github.com/fosrl/pangolin/releases/tag/1.13.0

Timeline of feature divergence

1.19.0 – Enterprise-gated remote access

Browser-based SSH, RDP, and VNC were introduced and explicitly documented as Cloud/Enterprise-only features.

Features Excluded from GPL (Community Edition):

Browser-based SSH
Browser-based RDP
Browser-based VNC

Source: https://github.com/fosrl/pangolin/releases/tag/1.19.0 Docs: https://docs.pangolin.net/manage/ssh

1.18.0 – Infrastructure platform features

Introduced multi-site routing, wildcard resources, monitoring, and audit logging, moving the project toward infrastructure orchestration functionality.

Features Excluded from GPL (Community Edition):

Multi-site routing
Wildcard resources
Monitoring tooling
Audit logging

Source: https://github.com/fosrl/pangolin/releases/tag/1.18.0

1.17.0 – RBAC and access control scaling

Expanded RBAC to support multiple roles per user and improved identity provider mapping. This release establishes the foundation for tier-based access separation.

Features Excluded from GPL (Community Edition):

Support for multiple roles per user
Advanced identity provider mapping

Source: https://github.com/fosrl/pangolin/releases/tag/1.17.0

1.13.0 – Identity and network model expansion

Introduced private resources and a device-based access model, expanding Pangolin beyond simple tunneling into structured identity-based networking.

Features Excluded from GPL (Community Edition):

Private resources
Device-based access model

Source: https://github.com/fosrl/pangolin/releases/tag/1.13.0

Consumer impact

The Community Edition continues to provide core tunneling functionality, but newer releases increasingly restrict major platform features to Enterprise or Cloud tiers. The result is a structured divergence between:

Community Edition: base self-hosted tunneling system
Enterprise/Cloud: full feature platform with advanced identity, infrastructure, and remote access tooling

@@ Line 7: / Line 7: @@
 |Description=Identity-based reverse proxy and zero-trust remote access platform based on WireGuard®.
 }}
 {{Ph-C-Int}}
+==Consumer-impact summary==
-==Consumer-impact summary==
 {{Ph-C-CIS}}
+Pangolin is a self-hosted open-source reverse proxy and identity-aware tunneling platform.
+While the core project remains GPL-licensed and self-hostable, recent releases introduce a consistent pattern where major new features are delivered in Enterprise or Cloud tiers rather than the Community Edition.
+This has resulted in a widening gap between the self-hosted version and paid deployments, particularly in identity management, infrastructure tooling, and remote access capabilities.
-Pangolin is a self-hosted open-source reverse proxy and identity-aware tunneling platform positioned as an alternative to Cloudflare Tunnels.
+==Feature gating by release (CE vs Enterprise divergence)==
+{| class="wikitable"
+|-
+! Release !! Feature Area !! Community Edition (Self-Hosted) !! Enterprise / Cloud Edition !! Source
+|-
+| 1.19.0
+| Enterprise-gated remote access
+|
+* Standard client-based access only (Requires local client software)
+|
+* Browser-based SSH
+* Browser-based RDP
+* Browser-based VNC
+| https://github.com/fosrl/pangolin/releases/tag/1.19.0
+|-
+| 1.18.0
+| Infrastructure platform features
+|
+* Standard single-site routing
+* Exact-match resources only
+* Basic standard logging
+|
+* Multi-site routing
+* Wildcard resources
+* System monitoring
+* Audit logging
+| https://github.com/fosrl/pangolin/releases/tag/1.18.0
+|-
+| 1.17.0
+| RBAC and access control scaling
+|
+* Single role per user
+* Basic identity provider mapping
+|
+* Multiple roles per user (Multi-role RBAC)
+* Advanced identity provider mapping
+* Tier-based access separation
+| https://github.com/fosrl/pangolin/releases/tag/1.17.0
+|-
+| 1.13.0
+| Identity and network model expansion
+|
+* Standard tunneling only
+* No private resources
+* No device-based access policies
+|
+* Private resources integration
+* Device-based access model
+| https://github.com/fosrl/pangolin/releases/tag/1.13.0
+|}
-While the core system remains open source, recent development has introduced a structured separation between Community Edition and Enterprise/Cloud editions. Over successive releases, major platform features have increasingly been introduced with explicit or implicit restrictions that place advanced functionality outside the Community Edition.
+==Timeline of feature divergence==
-This results in a functional divergence between the self-hosted GPL version and paid tiers, where Community Edition remains focused on baseline tunneling while newer platform capabilities are delivered in Enterprise/Cloud.
+===1.19.0 – Enterprise-gated remote access===
+Browser-based SSH, RDP, and VNC were introduced and explicitly documented as Cloud/Enterprise-only features.
-==Release-by-release CE vs Enterprise feature exclusion audit==
+'''Features Excluded from GPL (Community Edition):'''
+* Browser-based SSH
+* Browser-based RDP
+* Browser-based VNC
-{| class="wikitable"
+Source: https://github.com/fosrl/pangolin/releases/tag/1.19.0
-|-
+Docs: https://docs.pangolin.net/manage/ssh
-! Release !! Feature introduced !! Community Edition (GPL self-hosted) !! Enterprise / Cloud Edition !! Source
+===1.18.0 – Infrastructure platform features===
-.13.0
+Introduced multi-site routing, wildcard resources, monitoring, and audit logging, moving the project toward infrastructure orchestration functionality.
--
-.13.0
--
-.17.0
--
-.17.0
--
-.18.0
--
-.18.0
--
-.18.0
--
-.18.0
--
-.18.0
--
-.19.0
--
-.19.0
--
-.19.0
--
-.19.0
-}
-==Timeline of product positioning shift==
+'''Features Excluded from GPL (Community Edition):'''
+* Multi-site routing
+* Wildcard resources
+* Monitoring tooling
+* Audit logging
-===Initial positioning (1.0.0 era)===
+Source: https://github.com/fosrl/pangolin/releases/tag/1.18.0
-Pangolin was introduced as a self-hosted alternative to Cloudflare Tunnels, designed for full user-controlled deployment of identity-aware reverse proxy infrastructure.
-Source: https://github.com/fosrl/pangolin/releases/tag/1.0.0
-===Feature expansion phase (1.13.0)===
-Private resource controls and device-based identity models expanded the system beyond simple tunneling into a broader access-control platform.
-Source: https://github.com/fosrl/pangolin/releases/tag/1.13.0
+===1.17.0 – RBAC and access control scaling===
+Expanded RBAC to support multiple roles per user and improved identity provider mapping. This release establishes the foundation for tier-based access separation.
-===RBAC and identity segmentation (1.17.0)===
+'''Features Excluded from GPL (Community Edition):'''
-Advanced RBAC features including multi-role support were introduced, forming the basis for later tier separation between Community and Enterprise editions.
+* Support for multiple roles per user
+* Advanced identity provider mapping
 Source: https://github.com/fosrl/pangolin/releases/tag/1.17.0
-===Infrastructure platform expansion (1.18.0)===
+===1.13.0 – Identity and network model expansion===
-Multi-site routing, wildcard resources, monitoring, and audit features were introduced, significantly expanding the system into infrastructure orchestration territory.
+Introduced private resources and a device-based access model, expanding Pangolin beyond simple tunneling into structured identity-based networking.
-Source: https://github.com/fosrl/pangolin/releases/tag/1.18.0
-===Enterprise-gated remote access layer (1.19.0)===
+'''Features Excluded from GPL (Community Edition):'''
-Browser-based SSH, RDP, and VNC access were introduced and documented as Cloud/Enterprise-only features, excluding them from the Community Edition.
+* Private resources
+* Device-based access model
-Source: https://github.com/fosrl/pangolin/releases/tag/1.19.0
+Source: https://github.com/fosrl/pangolin/releases/tag/1.13.0
-Docs: https://docs.pangolin.net/manage/ssh
 ==Consumer impact==
-The Community Edition remains functional as a self-hosted tunneling system, but successive releases introduce major platform capabilities outside the GPL self-hosted version.
+The Community Edition continues to provide core tunneling functionality, but newer releases increasingly restrict major platform features to Enterprise or Cloud tiers.
+The result is a structured divergence between:
-This produces a consistent structural pattern:
+* Community Edition: base self-hosted tunneling system
+* Enterprise/Cloud: full feature platform with advanced identity, infrastructure, and remote access tooling
-Community Edition retains core tunneling functionality
-Advanced identity, infrastructure, and remote access features are moved to Enterprise/Cloud tiers
-Feature parity between self-hosted and hosted versions decreases over time
 ==See also==
+* Open-core software model
-Open-core software model
+* Self-hosted infrastructure platforms
-Self-hosted infrastructure platforms
+* WireGuard
-WireGuard
+* Cloudflare Tunnels
-Cloudflare Tunnels
+* Twingate
-Twingate