I think with the web UI it is a little more user friendly but not as super familiar with FRP. I think we might have a little more authentication control on top of the tunnel for web traffic as well.
We are always looking for security experts to review the code and to pen test the application. Please hammer it and let us know at [email protected] if there are any issues!
As the project grows and we have more resources to spend we will try to work with some professional service to take a look for sure.
Good question. I think absolute worse case scenario the tunnel and VPS is compromised and someone is able to gain access to the private network. We advise people in the docs to always consider this a possibility and secure Newt and what is has access to. A slightly worse case is there is a bypass in the forward auth and someone can get access to the webpage of a private service without passing the user/pass auth etc.
We are always looking for security experts to review the code and to pen test the application. Please hammer it and let us know at [email protected] if there are any issues!
It looks like there might be some overlap. There are a bunch of solutions in this space! It looks like they do provide public access to resources which is what Pangolin does. We might have a bit more of authentication options but dont hold me to that.
We are working on some "client" based solutions as well similar maybe to what Zrok is doing which we may release in Beta in the next couple of weeks!
From the little I understand about it I think you may be able to deploy Pangolin on it. Would need to do some research. But you could also use Pangolin to provide access to a self hosted Dokploy application I think.
It might be a bit too heavy for a MCU like ESPs. IoT we are thinking more like cellular modems, UPSs, cameras - devices that need remote access in the field at remote places that you typically would need a more convoluted VPN setup for.
Yes we have had some PR and some active ones that we need to merge soon haha.
We have not had any concern about the CLA that we are aware of. It was important that we found a way to allow businesses to pay for something to fund the project while keeping it free for individual homelabbers so this was one effort in that regard.
Yes and they are a "Fossorial" animal. A fossorial animal is one that is adapted to digging and which lives primarily (but not solely) underground. It was kind of a fun name to call out the tunneling. Fossorial is our company name.
Yep thats correct. All based on wireguard-go. It is growing in what it can do now but at its core its just a Wireguard wrapper that coordinates with Pangolin to get the tunnel up. It also runs in netstack user space so it does not need kernel permissions to open a port and it's only egress is proxied out with TCP/UDP reverse proxies built in to access what is needed on the network.
Good advice in this thread. If its just you then ssh tunnels or tailscale or netbird or pure wireguard are all fine. You could use Pangolin for this and put auth in front of the web page of Keycloak using a local Pangolin site and that would be fine too. It depends on how important the security is to you and who else might want access.
Yes! Most people I think rent a VPS (some can be had for like $1 a month) and install this. Because it tunnels back to your network your network can be anywhere behind anything and it should hole punch to it. And because the public is visiting the public address of the VPS your network is hidden behind that!
This is true! But you have a little more control over who you might choose to trust. For example - you might trust AWS not to snoop in your VM more than you might trust CF to not collect valuable usage data about you when they decrypt your traffic.
Yes! Thats where it excels I think. If you want public authenticated access for your users and / or need that tunneling component to get into your network or a set of distributed networks then Pangolin is your animal!
I think if that works for you then stick with it! Pangolin would mostly do the same thing. I think if you wanted more auth control like users and pin codes and OIDC and roles you might not get that with NPM out of the box but could add on.
Pangolin has a tunnel component to it so if you were challenged on the ISP front you can put this on the VPS and it just makes configuring the connection back to the network easier so you don't need to set up WG back etc... It wraps it all up nicely in a UI and simple install script. It can also all be automated with the API if you are into that kind of thing.
Yes I think so. I know it works quiet well in compose but as you scale to swarm I am not sure if there would be pains. You can just pop the connector into your compose stack and it will connect to anything in the docker network which we personally do to host some of our basic infrastructure.