Comparison: Pangolin vs. Tailscale

February 17, 2026

What is Pangolin?

Pangolin is an open-source, identity-based remote access platform built on WireGuard. You think in terms of networks, not nodes on a network. You install a lightweight connector (Pangolin calls it a site) on a machine that already has access to a network: your office LAN, a VPS, a cloud VPC, or a home lab.

That connector is the entry point. Anything it can see on the network can be turned into a resource. A resource might be a web app, a database, an SSH host, or an internal API. You grant users and roles access to specific resources. You do not necessarily grant access to the whole network. Users get only the resources you allow, and you never expose the underlying network or open ports.

Pangolin combines reverse proxy and VPN in one system. For web apps you can give users browser-based access: they sign in and reach the app without installing a client. For things like databases and SSH you give them access through the Pangolin client, which tunnels traffic to the right resource. Both paths use the same identity and permissions, so you manage users and access in one place.

You never open ports. Sites create outbound-only tunnels for web access. Clients form direct connections and use NAT hole punching when they can, falling back to relaying through the Pangolin server when they cannot.

How the two compare

The table below summarizes the main differences. The sections after it walk through each area in order.

Architecture

Pangolin uses a hub-and-spoke style. The Pangolin server is the control plane: it handles auth, keys, and coordination. Sites (connectors) in your networks connect outbound to that server. For private access, clients connect directly to sites: the server helps with discovery and NAT traversal (or relays when a direct link is not possible), but the data path is client to site to resource. Clients do not talk to each other. They only reach the resources you grant them.

This keeps the model simple and scales by adding sites and resources, not by growing a mesh. It avoids the "N-squared" complexity of mesh networks, where managing peer-to-peer ACLs and large overlay IP spaces becomes disproportionately harder as you scale. By keeping the underlying network hidden, Pangolin ensures that users only ever see the specific applications they are authorized to use.
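A minimal model of the resource-scoped access described above, as an added example (not Pangolin's code, configuration schema or API): the class and field names, the `mode` values and the sample addresses are assumptions made for illustration. It shows default-deny evaluation, where a host the site can see stays unreachable unless it is a defined resource granted to one of the user's roles, next to the peer-pair count a full mesh would have to reason about.

```python
# Conceptual model only: names and structure are assumptions for illustration,
# not Pangolin's configuration schema or API.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Resource:
    name: str
    site: str
    host: str
    port: int
    mode: str  # "browser" (reverse-proxied web app) or "client" (tunnelled TCP)

@dataclass
class Policy:
    sites: dict      # site name -> CIDR the connector can see
    resources: dict  # resource name -> Resource
    grants: dict = field(default_factory=dict)  # role -> set of resource names

    def add_resource(self, r: Resource) -> None:
        # A resource must sit inside the network its site can actually reach.
        if ip_address(r.host) not in ip_network(self.sites[r.site]):
            raise ValueError(f"{r.name}: {r.host} is not visible from site {r.site}")
        self.resources[r.name] = r

    def allowed(self, roles, host: str, port: int, mode: str) -> bool:
        # Default deny: a destination is reachable only if it matches a defined
        # resource AND one of the user's roles is granted that resource.
        for r in self.resources.values():
            if (r.host, r.port, r.mode) == (host, port, mode):
                return any(r.name in self.grants.get(role, set()) for role in roles)
        return False

def mesh_pairs(n: int) -> int:
    # Number of peer pairs in a full mesh of n nodes (the "N-squared" growth).
    return n * (n - 1) // 2

def build_demo() -> Policy:
    # Constructed sample data: one site, two resources, two roles.
    p = Policy(sites={"office": "10.0.0.0/24"}, resources={})
    p.add_resource(Resource("wiki", "office", "10.0.0.10", 443, "browser"))
    p.add_resource(Resource("pg", "office", "10.0.0.20", 5432, "client"))
    p.grants = {"staff": {"wiki"}, "dba": {"wiki", "pg"}}
    return p
```

In this model the same `grants` table answers both the browser path and the client path, so revoking a role's entry closes both at once.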

About Pangolin
Pangolin is an open-source infrastructure company that provides secure, zero trust remote access for teams of all sizes. Built to simplify developer workflows and protect critical systems, Pangolin helps companies and individuals connect to their networks, applications, and devices safely—without relying on traditional VPNs. With a focus on device security, usability, and transparency, Pangolin empowers organizations to manage access efficiently while keeping their infrastructure secure.