System Architecture

Pangolin is the main control center that orchestrates the entire system:

Web Interface: Management dashboard for configuring sites, users, and access policies
REST API: External API for automation and integration
WebSocket Server: Manages real-time connections to edge network clients
Authentication System: Handles user authentication and authorization
Database: Stores configuration, user data, and system state

Pangolin acts as the brain of the system, coordinating all other components and managing user access.

Gerbil manages the secure WireGuard tunnels between your edge networks and the central server:

Peer Management: Creates and maintains WireGuard connections
Tunnel Orchestration: Handles tunnel creation, updates, and cleanup
Security: Ensures all traffic is encrypted using WireGuard’s cryptographic protocols

WireGuard provides fast, secure, and reliable tunneling with minimal overhead.

Newt is a lightweight client that runs on your edge networks (servers, VMs, or containers):

Automatic Discovery: Finds the optimal point of presence for best performance
Dual Connection: Connects to Pangolin via WebSocket and Gerbil via WireGuard
Resource Proxy: Creates TCP/UDP proxies to expose your applications securely

Newt is designed to be resource-efficient and can run on minimal hardware or in containers.

The reverse proxy handles incoming requests and routes them to your applications:

Badger is Pangolin’s middleware that enforces access control:

Request Interception: Catches all incoming requests before they reach your applications
Authentication Check: Verifies user identity and permissions
Secure Redirects: Sends unauthenticated users to Pangolin’s login system

Badger ensures that only authenticated and authorized users can access your applications, even if they bypass other security measures.

System architecture showing Pangolin components and their interactions