From bb58307502d52691681372afe640e941b6a4888b Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Wed, 10 Dec 2025 16:40:03 -0500 Subject: [PATCH] update intro pages --- about/how-pangolin-works.mdx | 95 +++++++++------ about/pangolin-vs-reverse-proxy-vs-vpn.mdx | 55 +++++++++ .../pangolin-vs-traditional-reverse-proxy.mdx | 114 ------------------ about/pangolin-vs-vpn.mdx | 92 -------------- changelog.mdx | 4 - docs.json | 16 +-- index.mdx | 24 +++- self-host/quick-install.mdx | 4 +- 8 files changed, 140 insertions(+), 264 deletions(-) create mode 100644 about/pangolin-vs-reverse-proxy-vs-vpn.mdx delete mode 100644 about/pangolin-vs-traditional-reverse-proxy.mdx delete mode 100644 about/pangolin-vs-vpn.mdx diff --git a/about/how-pangolin-works.mdx b/about/how-pangolin-works.mdx index 4a4dc59..e747005 100644 --- a/about/how-pangolin-works.mdx +++ b/about/how-pangolin-works.mdx 
@@ -1,66 +1,81 @@ --- title: "How Pangolin Works" -description: "Learn about Pangolin's architecture and how its components work together to provide secure application access" +icon: "brain" +description: "Learn about the fundamentals of Pangolin and how they work together to provide simple and secure remote access." --- -Pangolin provides secure, application-specific ingress to your applications through a network of nodes. Users connect to the closest node, which authenticates them and routes their requests through secure tunnels to your backend. - - - - - -## How It Works +## Basic Steps - - DNS automatically routes users to the closest available regional node. A node is always available because the control plane fails over between nodes. + + Join remote networks together using site connectors. Pangolin's lightweight connectors use intelligent routing and NAT traversal to make any network anywhere available. - - The node verifies the user's identity, checks access permissions, and applies context aware rules such as IP and path based filters, geoblocking, and rate limiting. + + Create resources that represent services or entire network ranges available for remote access. Resources can be public or fully private. - - Authenticated requests are routed and flow through encrypted WireGuard tunnels to your applications with optional load balancing and failover for your backend servers. - - - - Your applications receive the requests and respond through the same secure path. + + Authenticated users can access resources anywhere using a web browser or when connected with a Pangolin client on their device. -## Deployment Options +## Key Concepts - - - Large network of nodes with automatic failover and routing to your backend services. We host the Pangolin server for you. +Pangolin relies on several components that work together to provide secure remote access. 
Each component has a specific role in ensuring that only authenticated users can access the resources they are authorized to use. + +### Pangolin Server + +The Pangolin server is the central coordination component for your network. It stores configuration changes, manages access policies, and coordinates connections between clients and sites. The server handles user authentication and generates access control lists that determine what resources each user can reach. + +You can use Pangolin Cloud, which is fully managed, or you can self-host your own Pangolin server for complete control over your infrastructure and data. + + + Learn how to deploy your own self-hosted Pangolin server or use Pangolin Cloud. - - Fully self-hosted, self-contained Pangolin server acting as a single node. +### Sites + +Sites connect remote networks to your Pangolin server. They use Newt connectors to create secure tunnels from remote networks back to Pangolin. Sites let you expose resources on those networks to authorized users. + +Sites run behind firewalls on remote networks. They maintain outbound connections to the Pangolin server. By default, sites block all traffic until you define resources and grant access. This ensures that just deploying a site does not expose any network resources. + +The Newt connector handles tunnel creation, NAT traversal, and routing. It makes remote networks available without requiring complex firewall rules or public IP addresses. + + + Learn about sites, how they work, and how to install and configure them. - - Self-host your own Pangolin node with cloud coordination for high availability and automatic failover. Data always transits your servers. - - +### Resources -## Key Benefits +Resources are the applications, hosts, or network ranges you make available to users. They exist on sites and represent what users can access. Users connect to resources, not to sites directly. - - - Your applications can run on private networks without exposing ports. 
+There are two types of resources. Public resources work through web browsers and act as reverse proxies to backend services. Private resources require a client connection and function like a zero-trust VPN. + +You must define resources and assign access before users can reach them. By default, no resources are available on sites. This ensures that only explicitly defined resources can be accessed. + + + Learn about public and private resources and how to create them. - - Users always connect to the closest available node. +### Clients + +Clients are software components installed on user devices or machines. They let users and automated systems connect to your Pangolin network and access private resources through a secure tunnel. + +Users authenticate through the client using their accounts. Machines connect with credentials. Once connected, users can reach all resources their account has access to. The client handles routing decisions and establishes encrypted tunnels to the appropriate sites. + +Clients are available for Mac, Windows, and Linux. They work transparently with applications, so no application configuration is required. + + + Learn about clients and where to download them for Mac, Windows, and Linux. - - Every request is authenticated and authorized before reaching your applications. - +### Remote Nodes - - Multiple nodes, failover, and load balancing between tunnels ensures there is always a way for users to access your applications. +Remote nodes are self-hosted Pangolin servers that you control while using Pangolin Cloud for management and coordination. You maintain complete control over your infrastructure and data flow, while the cloud handles the control plane, DNS, certificate management, and backups. + +You can deploy multiple remote nodes for high availability and automatic failover. If your nodes become unavailable, traffic can optionally fail over to cloud infrastructure until you restore service. 
+ + + Learn about remote nodes and how they provide high availability and simplified operations. - diff --git a/about/pangolin-vs-reverse-proxy-vs-vpn.mdx b/about/pangolin-vs-reverse-proxy-vs-vpn.mdx new file mode 100644 index 0000000..c67dde6 --- /dev/null +++ b/about/pangolin-vs-reverse-proxy-vs-vpn.mdx 
@@ -0,0 +1,55 @@ +--- +title: "Pangolin vs. Reverse Proxy vs. VPN" +icon: "book" +description: "What are the similarities and differences between Pangolin and traditional reverse proxies and VPNs?" +--- + +Pangolin combines the capabilities of both a reverse proxy and a VPN into a single platform. It provides reverse proxy functionality through public resources and VPN functionality through private resources, all with zero-trust access control and distributed architecture. + +## What Each Solution Provides + +**Reverse Proxies** expose web applications to the internet. They handle SSL termination, load balancing, and basic authentication. Users access applications through web browsers using domain names. + +**VPNs** create encrypted tunnels that give users access to entire private networks. Users install client software and connect to a VPN server. Once connected, they can access any resource on the network they have network-level access to. + +**Pangolin** provides both capabilities. Public resources work like a reverse proxy, allowing browser-based access to specific applications. Private resources work like a zero-trust VPN, giving users access to specific hosts or network ranges when connected with a client. + +## Reverse Proxy Capabilities + +Pangolin's public resources function as reverse proxies. They expose web applications through domain names with automatic SSL certificates. Users access these resources through web browsers without installing any software. + +Public resources support identity-aware access control. You can require authentication, enforce multi-factor authentication, and create rules based on user identity, roles, geographic location, IP addresses, and URL paths. This goes beyond what traditional reverse proxies offer. + +Unlike traditional reverse proxies, Pangolin does not require public IP addresses or open ports on your network. Sites create outbound tunnels to Pangolin, so your applications remain behind firewalls. 
+ +## VPN Capabilities + +Pangolin's private resources function like a zero-trust VPN. Users install a Pangolin client on their device and connect to your organization. Once connected, they can access the specific hosts or network ranges you have granted them access to. + +Private resources provide granular access control. Users only get access to the specific resources you define, not entire networks. This reduces the risk of over-permission that comes with traditional VPNs. + +Clients work transparently with applications. No application configuration is required. Users connect once and can access all their authorized resources. The client handles routing and establishes encrypted tunnels automatically. + +## Why Pangolin Combines Both + +Many organizations need both reverse proxy and VPN capabilities. You might want to expose web applications to users through browsers while also providing secure access to databases, SSH servers, or internal services that require a VPN-like connection. + +With Pangolin, you use one platform for both use cases. Public resources handle web application access. Private resources handle VPN-like access. Both use the same authentication system, access control policies, and infrastructure. + +This unified approach simplifies management. You configure users, roles, and access policies once. Those policies apply to both public and private resources. You do not need to maintain separate systems for reverse proxy and VPN access. + +## Infrastructure and Availability + +Traditional reverse proxies and VPNs typically run on a single server. If that server fails, all access is lost. They also require public IP addresses and open ports, which adds complexity and security concerns. + +Pangolin uses a distributed architecture with multiple nodes. If one node fails, traffic automatically routes to another node. Sites create outbound tunnels, so your networks do not need public IP addresses or open ports. 
+ +You can deploy multiple remote nodes for high availability. If your nodes become unavailable, traffic can optionally fail over to cloud infrastructure until you restore service. This provides redundancy that single-server solutions cannot match. + +## When to Use Each Solution + +Use a traditional reverse proxy if you only need to expose web applications, you have a public IP address, and you do not need advanced access control or high availability. + +Use a traditional VPN if you need full network access, you can accept the security risks of broad access, and you do not need application-specific access control. + +Use Pangolin if you need both reverse proxy and VPN capabilities, you want granular access control, you need high availability, or you want to avoid public IP addresses and open ports. diff --git a/about/pangolin-vs-traditional-reverse-proxy.mdx b/about/pangolin-vs-traditional-reverse-proxy.mdx deleted file mode 100644 index 90266fb..0000000 --- a/about/pangolin-vs-traditional-reverse-proxy.mdx +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -title: "Pangolin vs. Reverse Proxy" -description: "Learn how Pangolin's distributed architecture eliminates single points of failure and provides authenticated access to your applications" ---- - -Pangolin builds upon traditional reverse proxy principles but adds distributed architecture, tunneling, and identity-aware access control. While traditional reverse proxies are typically single-server solutions, Pangolin operates as a distributed network of nodes that provide highly-available access to your applications. - -## Traditional Reverse Proxy Limitations - - - - If the reverse proxy server goes down, all applications become inaccessible. - - - - Users far from the server location experience higher latency. - - - - Requires public IP addresses and open ports on your network. - - - - Typically relies on network-based trust rather than user identity. - - - -## Pangolin's Dual-Layer High Availability - -Pangolin provides high availability at two critical layers: ingress points and backend routing. - -### How It Works - - - - Request is routed to the closest available node. If one goes down, there is always another point available. - - - - User identity is verified at the node before getting routed to your backend. - - - - Pangolin selects the optimal tunnel route to your backend service. - - - - If the primary tunnel fails, traffic automatically switches to an alternative route. - - - - Response follows the same resilient path back to the user. - - - - -This dual-layer approach ensures your applications remain accessible even if individual nodes or tunnel connections fail. - - -## Key Differences - -### Tunneling vs. 
Direct Network Access - -| Traditional Reverse Proxy | Pangolin | -|--------------------------|----------| -| **Public IP Required** | **No Public IP Needed** | -| **Open Ports (80, 443)** | **No Open Ports** | -| **Complex Network Setup** | **Automatic Discovery** | -| **Network-Based Security** | **Encrypted WireGuard Tunnels** | - - -This tunneling capability makes Pangolin ideal for environments behind restrictive firewalls, CGNAT, or corporate networks. - - -### Identity-Aware Proxy (IAP) - -Traditional reverse proxies rely on network-based trust, while Pangolin implements zero-trust access control: - - - - Support for 2FA, passkeys, and OTP. - - - - Integration with Google, Okta, and other identity providers. - - - - Role-based access control and path-based rules. - - - - IP-based, path-based, and geographic access policies. - - - - -Unlike traditional reverse proxies, Pangolin authenticates every single request, ensuring that only authorized users can access your applications. - - -## Benefits Summary - -| Feature | Traditional Reverse Proxy | Pangolin | -|---------|--------------------------|----------| -| **Availability** | Single point of failure | Distributed, fault-tolerant | -| **Performance** | Limited by server location | Regionally, optimized routing | -| **Security** | Network-based trust | Zero-trust, identity-aware | -| **Network Requirements** | Public IP, open ports | No public IP needed | -| **Authentication** | Basic or none | Advanced, multi-factor | -| **Scalability** | Manual scaling | Automatic regional distribution | - - - Get distributed, authenticated access to your applications with Pangolin's regional network of nodes. - diff --git a/about/pangolin-vs-vpn.mdx b/about/pangolin-vs-vpn.mdx deleted file mode 100644 index 7f10402..0000000 --- a/about/pangolin-vs-vpn.mdx +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -title: "Pangolin vs. VPN" -description: "Learn how Pangolin provides application-specific access with zero-trust security compared to traditional VPNs" ---- - -Pangolin and VPNs serve different purposes: Pangolin focuses on secure ingress and application routing, while VPNs provide remote access to internal networks. They offer different approaches to secure connectivity. - -## Traditional VPN Limitations - - - - Users get access to entire networks, not just the applications they need. - - - - Users must install and configure VPN client software. - - - - Requires public IP addresses, open ports, and complex network configuration. - - - - Basic network-level security with few granular controls or complicated ACLs. - - - - If the VPN server goes down, all access is lost. - - - - Broad network access can be risky if user devices are compromised. - - - -## Pangolin's Ingress-First Approach - -Pangolin provides secure, application-specific ingress and routing without the limitations of traditional VPNs: - -### Zero-Trust Access Control - - - - Users access only the applications they're authorized to use. - - - - No client software installation required - works with any web browser. - - - - Role-based access control, path-based rules, and contextual policies. - - - - Support for SSO, OIDC, 2FA, and passkeys. - - - -### Simplified Ingress Infrastructure - - - - Edge networks don't need public IP addresses. - - - -Multiple nodes ensure high availability. 
- - - -## Key Differences - -| Feature | Traditional VPN | Pangolin | -|---------|----------------|----------| -| **Access Scope** | Full network access | Application-specific access | -| **Client Software** | Required | Not needed (browser-based) | -| **Network Requirements** | Public IP, open ports | No public IP needed | -| **Access Control** | Network-level | Zero-trust, granular | -| **Authentication** | Basic credentials | Multi-factor, SSO, OIDC | -| **Infrastructure** | Single server | Distributed nodes | -| **Security Model** | Network-based trust | Identity-based trust | - - - Get application-specific access with zero-trust security and no client software required. - - -# Pangolin vs. Mesh VPN (e.g., Tailscale, Netbird) - -Pangolin and mesh VPNs like Tailscale or Netbird both provide secure remote access, but they differ in their approach and functionality. Mesh VPNs focus on creating peer-to-peer connections between devices for full network access, while Pangolin is designed to expose specific applications or services securely through nodes, with no need for client-side software on user devices. - -Pangolin is a better choice for application-specific access with zero-trust security and no client-side software requirements. Mesh VPNs like Tailscale or Netbird are more suitable for full network access and peer-to-peer connectivity. For environments prioritizing granular access control and simplicity, Pangolin offers a more focused and secure solution. diff --git a/changelog.mdx b/changelog.mdx index 3a49977..2bd23a5 100644 --- a/changelog.mdx +++ b/changelog.mdx @@ -1,7 +1,3 @@ -2025-12-10 Unknown - - * - --- title: "Changelog" description: "Updates and announcements" diff --git a/docs.json b/docs.json index 1a4348a..0bd0392 100644 --- a/docs.json +++ b/docs.json 
@@ -17,8 +17,8 @@ { "group": "About", "pages": [ - "about/pangolin-vs-traditional-reverse-proxy", - "about/pangolin-vs-vpn" + "about/how-pangolin-works", + "about/pangolin-vs-reverse-proxy-vs-vpn" ] }, { @@ -113,7 +113,7 @@ "manage/blueprints", { "group": "Remote Nodes", - "icon": "server", + "icon": "circle-nodes", "pages": [ "manage/remote-node/ha", "manage/remote-node/nodes", @@ -130,6 +130,7 @@ "group": "Self-host Pangolin", "pages": [ "self-host/quick-install", + "self-host/choosing-a-vps", { "group": "Manual Installation", "pages": [ @@ -138,9 +139,6 @@ ] }, "self-host/dns-and-networking", - "self-host/choosing-a-vps", - "self-host/how-to-update", - "self-host/supporter-program", { "group": "Advanced Configuration", "pages": [ @@ -152,9 +150,11 @@ "self-host/advanced/database-options", "self-host/advanced/integration-api", "self-host/advanced/enable-geoblocking", - "self-host/advanced/metrics" + "self-host/advanced/metrics", + "self-host/telemetry" ] }, + "self-host/how-to-update", { "group": "Community Guides", "pages": [ @@ -167,7 +167,7 @@ "self-host/community-guides/geolite2automation" ] }, - "self-host/telemetry", + "self-host/supporter-program", "self-host/enterprise-edition" ] }, diff --git a/index.mdx b/index.mdx index ce851e4..5d92d1c 100644 --- a/index.mdx +++ b/index.mdx 
@@ -2,24 +2,40 @@ title: "Introduction to Pangolin" --- -Pangolin is an open-source and identity-aware tunneled reverse proxy server. Pangolin's distributed architecture with nodes provide highly available ingress to ensure applications always remain accessible. +Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources. Pangolin Dashboard -Pangolin establishes secure connections from edge networks to nodes, bypassing the need for public inbound ports and complex firewall configurations. Pangolin is incredibly useful for exposing local services, IoT devices, or internal applications to the internet without direct exposure, enhancing security by reducing attack surface and simplifying network management. Additionally, Pangolin acts as an identity-aware proxy by authenticating every request against admin-defined access controls and rules. +Pangolin combines reverse proxy and VPN capabilities into one platform. It provides browser-based access to web applications and client-based access to private resources like databases and SSH servers, all with zero-trust security and granular access control. + +Pangolin connects remote networks using lightweight software connectors called sites. Sites create secure tunnels without requiring public IP addresses or open ports. Admins define specific resources that users can access, not entire networks. This gives users only the access they need while keeping everything else secure. + +Users access public resources through any web browser with authentication. Users access private resources by connecting with a Pangolin client on their device. Both methods use the same identity-based access control, so you manage users and permissions in one place. + +## Keep Reading + + + Learn about the fundamentals of Pangolin and how they work together to provide simple and secure remote access. 
+ + + + What are the similarities and differences between Pangolin and traditional reverse proxies and VPNs? + + +## Deployment Options - Use Cloud for a highly available and access-controlled ingress service with nodes all over the world. Optionally self-host a node to keep your traffic private. + Use Cloud for low-maintenance, highly available remote access. Optionally self-host a node to keep your traffic private. Self-host a fully isolated Pangolin server. Install the Community Edition or Enterprise Edition easily using the quick installer. -## What is a fossorial animal? +## What is a Fossorial Animal? The Pangolin system is made up of many components, all with unique animal names. These animals are called fossorial animals. diff --git a/self-host/quick-install.mdx b/self-host/quick-install.mdx index 0df59f0..ee9b5a0 100644 --- a/self-host/quick-install.mdx +++ b/self-host/quick-install.mdx @@ -143,8 +143,8 @@ https://pangolin.example.com/auth/initial-setup After logging in: - 1. Click "Create Organization" - 2. Enter organization name and description + 1. Enter organization name and description + 2. Click "Create Organization" You're now ready to start adding applications and configuring your reverse proxy!
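Review bot: In about/how-pangolin-works.mdx, the new "Remote Nodes" section makes two statements that pull against each other: you "maintain complete control over your infrastructure and data flow", and "traffic can optionally fail over to cloud infrastructure until you restore service". The card removed in the same hunk said "Data always transits your servers". Suggest stating explicitly what happens to the data path when the failover option is enabled, so readers who chose remote nodes to keep traffic on their own servers know which setting decides that.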
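Review bot: In about/pangolin-vs-reverse-proxy-vs-vpn.mdx, under "Infrastructure and Availability", the sentence "If one node fails, traffic automatically routes to another node" is unqualified, yet the how-pangolin-works.mdx hunk in this patch removes a card that described the self-hosted option as a "self-contained Pangolin server acting as a single node". Suggest scoping the failover claim to Pangolin Cloud and remote node deployments so it is not read as a property of a single self-hosted server. In the same section, "typically run on a single server" would be fairer as "are often deployed on a single server".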
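Review bot: Deleting about/pangolin-vs-traditional-reverse-proxy.mdx removes the statement "Pangolin authenticates every single request", and the index.mdx and how-pangolin-works.mdx hunks drop their equivalent sentences, so none of the text added by this patch says whether public resources are authorized per request. If that is still the behaviour, carry one sentence into "Reverse Proxy Capabilities" on the new comparison page; if it changed, say what replaced it.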
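Review bot: The docs.json hunks shown only edit navigation and add no redirect for about/pangolin-vs-vpn or about/pangolin-vs-traditional-reverse-proxy, so existing links to the two deleted pages will break unless redirects are handled elsewhere. Suggest pointing both paths at about/pangolin-vs-reverse-proxy-vs-vpn. The deletion of about/pangolin-vs-vpn.mdx also drops the "Pangolin vs. Mesh VPN (e.g., Tailscale, Netbird)" section with no counterpart in the new page; if that comparison is being retired on purpose, a line in the commit message would help.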
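Review bot: In docs.json, the @@ -152,9 +150,11 @@ hunk moves "self-host/telemetry" from the top level of "Self-host Pangolin" into the "Advanced Configuration" group, where every sibling path starts with "self-host/advanced/". The telemetry page is one that operators look for when evaluating a self-hosted install, so nesting it a level deeper makes it harder to find. Suggest keeping it at the top level, or linking to it from self-host/quick-install if the move stays.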
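Review bot: In index.mdx, "lightweight software connectors called sites" conflicts with how-pangolin-works.mdx in this same patch, where sites "use Newt connectors" and the connector is the software running at a site rather than the site itself. Suggest one wording in both places, for example "Pangolin connects remote networks as sites, each running a lightweight connector". The closing phrase "while keeping everything else secure" is also vague next to the concrete statement on the other page that sites block all traffic until resources are defined and access is granted.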
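Review bot: In self-host/quick-install.mdx, the context line directly after the reordered steps still ends with "configuring your reverse proxy!", which no longer matches the remote access framing that the index.mdx and how-pangolin-works.mdx hunks introduce. Suggest updating that sentence in the same change so the install flow ends on the same terms (sites, resources) as the intro pages.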