GitHub Repository

Identity-aware VPN and tunneled reverse proxy for remote access based on WireGuard®.

21,190 stars · TypeScript

Pangolin: Open-source identity-based VPN (Twingate/Zscaler alternative)

by miloschwartz · Feb 15, 2026 · 81 points · 28 comments

AI Analysis

●●● Banger · Zero to One · Big Brain · Solve My Problem

P2P WireGuard VPN beats Twingate's central-server model without mesh VPN's flat-network mess.

Strengths
  • Resource-centric architecture sidesteps mesh VPN ACL complexity and avoids ZTNA latency penalty
  • NAT hole-punching enables direct peer-to-peer traffic, not cloud egress chokepoints
  • Self-hosted + managed cloud options with aggressive free tier (AGPL for small business under $100K/yr)
Weaknesses
  • Nascent project (19K stars but launched recently) — production maturity vs Twingate/Zscaler unproven
  • Requires running lightweight connectors per resource; operational overhead vs SaaS black-box
Target Audience

DevOps/security teams, enterprises needing zero-trust remote access, self-hosted infrastructure operators

Similar To

Twingate · Zscaler ZTNA · Cloudflare Zero Trust

Post Description

Pangolin (https://github.com/fosrl/pangolin) is an open-source tool for identity-based remote access to internal resources - an alternative to Cloudflare ZTNA, Zscaler, and Twingate.

It’s different than existing approaches: mesh VPNs (Tailscale, ZeroTier, etc.) create flat overlay networks where ACL and IP space management becomes complex at scale and every device can talk to every other device, while corporate ZTNA solutions (Zscaler, Cato, Netskope etc.) are closed-source and add latency by forcing traffic through a central server.

Pangolin takes a resource-centric approach. You deploy lightweight connectors that bridge to specific resources (private web apps, SSH, databases, CIDR ranges). Admins delegate resource-access to specific users and roles. It uses WireGuard with NAT hole-punching for peer-to-peer connections and traffic goes directly between the user and connector instead of through a central server. It supports native clients (Mac/Windows/Linux/iOS/Android) plus identity-aware, browser-based access when a client isn’t required.

Pangolin has a cloud and is optionally self-hosted. The Community Edition is AGPLv3. The Enterprise Edition is also open-source under the commercial license which enables free personal/small business use.

Everything, from the server to the clients, is fully open-source and you can even self-host the whole stack. We’d love to hear what you think and I'm happy to answer any questions!
