Pangolin: Open-Source Identity-Based VPN as a ZTNA Alternative

Pangolin is an open-source tool designed for identity-based remote access to internal resources, positioning itself as an alternative to traditional corporate ZTNA solutions like Cloudflare, Zscaler, and Twingate. Unlike traditional mesh VPNs such as Tailscale or ZeroTier, Pangolin does not create flat overlay networks, thereby avoiding complex ACL and IP space management. It tackles the latency issue of corporate ZTNA solutions by establishing direct peer-to-peer connections via WireGuard with NAT hole-punching, bypassing the need for routing all traffic through central servers.

Pangolin introduces a resource-centric model by deploying lightweight connectors bridging users to specific resources like private web applications, SSH, databases, and network CIDR ranges. This approach simplifies resource management by letting admins delegate access to particular users or roles, thereby maintaining a zero-trust, granular access control model.

Key features include support for native clients across various platforms (Mac, Windows, Linux, iOS, Android), as well as browser-based access for situations where a client isn’t necessary. Administrators can manage everything from self-hosted setups to fully managed cloud-based services. The open-source nature of Pangolin — with the Community Edition licensed under AGPLv3 and the Enterprise Edition under a commercial license allowing for free use for personal or small business projects — makes it flexible for both small teams and larger enterprises.

Pangolin is particularly beneficial for developers and IT teams wanting a more transparent and customizable alternative to proprietary remote access solutions. The ability to self-host the entire stack further enhances security for organizations with stringent compliance requirements.