Pangolin: the self-hosted Cloudflare-Tunnel replacement that finally landed in 2026
Pangolin started as a hobbyist project in 2024. By January 2026 it is a credible zero-trust VPN replacement for Cloudflare Tunnel. Honest write-up after migrating my homelab.
When I wrote up Tailscale vs Cloudflare Tunnel in October 2025, Pangolin was the emerging third option — interesting in concept, not yet mature enough to recommend without caveats. Three months and a 622-upvote r/selfhosted Pangolin 1.13.0 release thread later, the picture has changed. Christian Lempa published the Pangolin tutorial on January 16, 2026, describing it as: “a powerful open-source platform that combines a reverse proxy and VPN into a single ZTNA solution… a self-hosted alternative to Cloudflare and traditional VPNs.”
After three weeks of running Pangolin as my primary Cloudflare-Tunnel replacement, the honest assessment is: Pangolin is now the credible third option for homelab access, and for users who want to remove Cloudflare from their traffic path, it’s the working answer.
This piece works through what Pangolin actually is, when it’s the right choice, and the migration patterns that worked.
What Pangolin actually is
Pangolin is an open-source zero-trust network access (ZTNA) platform that combines:
- A reverse proxy. Like Traefik or Caddy, terminating TLS and routing requests to backend services.
- A WireGuard-based VPN. Like Tailscale, providing identity-bound mesh networking.
- A web-based admin UI. For configuring sites, services, users, and access policies.
- Authentication and authorization. Username/password, SSO via OIDC, MFA support.
The architecture: you deploy Pangolin on a small VPS with a public IP. Your home/homelab services connect to it via WireGuard (outbound from your network). Pangolin acts as the public-facing reverse proxy, terminating user traffic and forwarding through the WireGuard tunnel to your services.
This is functionally similar to Cloudflare Tunnel — outbound tunnel from your home, public TLS termination at a remote point. The difference is Pangolin runs on your own infrastructure (or a VPS you control). Cloudflare’s network isn’t in the path.
What Christian Lempa’s tutorial covers
Lempa’s January 16 video walks through:
- Pangolin installation on a small VPS using Docker Compose
- Configuring the WireGuard connection to a remote homelab site
- Publishing both public-facing services (via the reverse proxy) and private services (via the VPN)
- Access policies and user management
His framing captures the strategic positioning: “a self-hosted alternative to Cloudflare and traditional VPNs.” That’s the right way to think about Pangolin — it does the things Cloudflare Tunnel does, plus the things Tailscale does, without depending on either company.
The 622-upvote Pangolin 1.13 release thread
The r/selfhosted release thread for Pangolin 1.13.0 in early December was the moment Pangolin crossed from “interesting project” to “credible production option.” The release notes (paraphrased from the thread) introduced:
- Stable WireGuard tunnel management with reconnection logic
- Production-grade SSO/OIDC integration
- Multi-site support (multiple homelab/office sites connecting to one Pangolin instance)
- Per-resource access policies (not just per-user)
- Better operational tooling — logs, metrics, health checks
The community reception captured the maturation moment. Top comments converged on: “this is actually production-ready now,” “I migrated off Cloudflare Tunnel and have no regrets,” “the docs improved significantly,” “self-hosting it on a $5 VPS works fine.”
That’s the signal. December 2025 was when the early-adopter community judged Pangolin to have crossed the maturity threshold.
When Pangolin is the right choice
Pangolin is the right tool for:
- Users who want to remove Cloudflare from their traffic path. Privacy, sovereignty, or principle reasons. Cloudflare Tunnel routes your traffic through Cloudflare’s network and terminates TLS at their edge. Pangolin keeps that on your own infrastructure.
- Cloudflare Tunnel users hitting the streaming TOS issue. Cloudflare prohibits streaming Plex/Jellyfin through Tunnels. Pangolin doesn’t have this restriction (it’s your infrastructure, your rules).
- Users wanting unified access management. Pangolin does both public reverse proxy and private VPN in one product. Cloudflare Tunnel + Tailscale is two products.
- Homelab users with budget for a small VPS. $5-10/month on Hetzner CX22 or similar runs Pangolin comfortably.
- Users wanting open-source dependency reduction. Pangolin is Apache-licensed and the project is community-stewarded.
Pangolin is NOT the right choice for:
- Users who genuinely benefit from Cloudflare’s edge network. Real DDoS protection, global CDN, WAF — Cloudflare provides these. Pangolin doesn’t replicate them.
- Users who don’t want to run a VPS. Pangolin needs a public-IP host. If you don’t want operational responsibility for a small server, Cloudflare Tunnel’s “no public IP needed” model is genuinely simpler.
- Single-user homelabs where Tailscale is sufficient. If you don’t need public-facing services and Tailscale covers your access needs, adding Pangolin is overkill.
The migration from Cloudflare Tunnel to Pangolin
My homelab pre-migration: 8 services exposed via Cloudflare Tunnel + Cloudflare Access. Auth via Google. Real production usage for personal apps and friends-and-family access.
The migration over three weeks:
Week 1: Setup and basic services.
- Deployed Pangolin on a Hetzner CX22 ($5/month) following Lempa’s pattern
- Set up the WireGuard connection from my homelab
- Migrated 2 low-priority services to test the flow
- Configured Authentik for SSO (separately deployed)
Week 2: Migrate remaining services.
- Moved the remaining 6 services to Pangolin over a few days
- Updated DNS records to point to the Pangolin VPS instead of Cloudflare
- Updated Authentik for the new SSO integration
- Kept Cloudflare Tunnel running in parallel for a week for fallback
Week 3: Cut over fully.
- Removed Cloudflare Tunnel configurations
- Removed cloudflared from homelab containers
- Confirmed everything still works
- Documented the new architecture
Total time: ~10 hours over three weeks. Cost: $5/month for the VPS. Operational complexity: comparable to running Cloudflare Tunnel, with the addition of “I now own the VPS so I have to keep it patched.”
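A cut-over check for the Week 2 and Week 3 steps above, added here as an illustration and not part of the original migration or of Pangolin itself: it classifies each published hostname by where its DNS answers land, so the fallback tunnel is only retired once nothing still resolves to Cloudflare. The function names, hostnames and the VPS address (a documentation range) are assumptions, and the Cloudflare ranges are a subset of the published list.

```python
import ipaddress
import socket

# Subset of Cloudflare's published edge ranges (https://www.cloudflare.com/ips/);
# refresh from that list before trusting a "not Cloudflare" result.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "188.114.96.0/20", "2606:4700::/32",
)]

def resolve(hostname):
    """Return every A/AAAA address the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses, vps_ip):
    """Say where one hostname's traffic lands, given its resolved addresses."""
    addrs = {ipaddress.ip_address(a) for a in addresses}
    if not addrs:
        return "unresolved"
    vps = ipaddress.ip_address(vps_ip)
    on_cf = any(a in net for a in addrs for net in CLOUDFLARE_NETS)
    if addrs == {vps}:
        return "pangolin"
    if on_cf and vps in addrs:
        return "split"        # both records live: stale A/AAAA or mid-cutover
    if on_cf:
        return "cloudflare"   # still served through Cloudflare's edge
    return "unknown"          # at least one address is neither VPS nor Cloudflare

def audit(hostnames, vps_ip, resolver=resolve):
    """Map each published hostname to its cut-over status."""
    return {h: classify(resolver(h), vps_ip) for h in hostnames}

def safe_to_remove_cloudflared(report):
    """Only retire the fallback tunnel once every hostname is on the VPS."""
    return bool(report) and all(s == "pangolin" for s in report.values())

# Constructed sample: documentation-range VPS address and made-up hostnames.
SAMPLE_VPS = "203.0.113.10"
SAMPLE_DNS = {
    "wiki.example.test": ["203.0.113.10"],
    "photos.example.test": ["104.21.5.9", "172.67.1.1"],
    "git.example.test": ["203.0.113.10", "2606:4700:3030::6815:509"],
    "old.example.test": [],
}
```

Calling `audit(SAMPLE_DNS, SAMPLE_VPS, resolver=SAMPLE_DNS.get)` runs it offline on the sample; dropping the `resolver` argument queries live DNS, where the answer reflects your resolver's cache until the old records' TTL expires.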
What the migration revealed
Three things I didn’t anticipate but should have:
1. Pangolin’s reverse proxy is fine but Traefik is more battle-tested. For complex routing scenarios, you can run Traefik behind Pangolin (Pangolin as the WireGuard endpoint + simple proxy, Traefik for the heavier routing). My setup ended up doing exactly this.
2. The lack of edge DDoS protection is real. I haven’t been DDoSed yet, but Cloudflare was absorbing meaningful junk traffic that now hits my VPS directly. The VPS has held up, but I’ve added rate limiting and basic protection at the Pangolin layer. For real production with significant external traffic, this is a non-trivial concern.
3. Operational responsibility is real. With Cloudflare Tunnel, Cloudflare patches their endpoint. With Pangolin on a VPS, I patch the VPS. Adding “keep Pangolin VPS patched” to my homelab maintenance routine is the trade I made for sovereignty.
What the YouTube tutorials usually skip
Lempa’s tutorial is solid for the happy path. The things YouTube tutorials consistently skip on tools like Pangolin:
- The DDoS-protection trade-off. When you replace Cloudflare with self-hosted, you lose Cloudflare’s absorption layer. Most tutorials don’t mention this; it matters at scale.
- The migration story for existing Cloudflare Tunnel users. “Set up Pangolin” is straightforward. “Migrate without downtime” needs more thought.
- Long-term operational responsibility. Once you’ve set it up, you own it. Patches, security updates, certificate rotation, log monitoring. All on you.
- When Pangolin is overkill. Not every homelab needs Pangolin. The tutorials assume you’re watching because you do.
The reconciliation: Pangolin vs Tailscale vs Cloudflare Tunnel in 2026
The clean mental model in January 2026 (updated from the October 2025 analysis):
Use Tailscale for:
- Private mesh access between trusted devices/people
- Anything administrative (Proxmox UI, SSH, internal dashboards)
- Multi-site connectivity (homelab + parents’ Pi + VPS)
Use Cloudflare Tunnel for:
- Public services where you want Cloudflare’s edge protection
- Setups where you don’t want to run a VPS
- Services that aren’t streaming-media-shaped
Use Pangolin for:
- Public services where you want to remove Cloudflare from the path
- Streaming media exposure (Plex/Jellyfin) — Cloudflare TOS issue doesn’t apply
- Setups where you want unified ZTNA (public proxy + private VPN) in one product
- Users who genuinely value the open-source / self-hosted principle
Combinations work: Tailscale for admin access + Pangolin for public services + Cloudflare for the parts you specifically want Cloudflare for. The tools aren’t mutually exclusive.
What this means for your homelab in 2026
If you’re currently running Cloudflare Tunnel and happy: stay put. Pangolin isn’t a forced migration. Cloudflare Tunnel is a fine product.
If you’re hitting the streaming TOS issue, considering vendor diversification, or principled about open-source self-hosting: Pangolin is now ready. The migration cost is real but manageable. The ongoing maintenance is reasonable.
If you’re building a homelab from scratch in 2026: consider Pangolin from day one. The all-in-one ZTNA pattern is cleaner than stitching together Cloudflare Tunnel + Tailscale + Traefik.
The verdict
Pangolin is the credible self-hosted ZTNA option in 2026. A year ago this would have been a stretch. The 1.13 release in December and the steady iteration since have moved the project across the production-readiness line.
The bigger story: the self-hosted infrastructure tier keeps maturing. Pangolin joins n8n, NetBox, Coolify, and the broader selfhosting-is-not-a-hobby-anymore ecosystem as a tool that’s production-grade for the right use case.
For homelab users in January 2026: Pangolin is worth a serious look if you have a reason to move off Cloudflare Tunnel. Lempa’s tutorial is the right starting point. The migration is manageable. The result is durable.
Sources
Every reference behind this piece. If we make a claim, it's because at least one of these said so — or we lived it ourselves.
- YouTube: "Self-hosted Cloudflare + VPN replacement! Pangolin Tutorial" — Christian Lempa
- YouTube: "Create your OWN Home-Lab Tunnel with Pangolin NOW | Free VPS" — Thomas Wilde
- YouTube: "How to Self-host Pangolin - Identity-aware VPN and Reverse Proxy for Easy Remote Access" — Pangolin
- Docs: Pangolin official documentation — Fossorial / Pangolin
- Docs: Pangolin GitHub repository — fosrl
- Blog: "Pangolin 1.13.0: We built a zero-trust VPN!" (622 ups, Dec 2025) — r/selfhosted
- Blog: "Yet another debate: Why the push for Tailscale over Cloudflare Tunnels?" (145 ups) — r/homelab
- Firsthand: Three weeks of running Pangolin as a Cloudflare Tunnel replacement on a small VPS