Pangolin, Cloudflare Tunnel, and Tailscale overlap around remote access, but they are not the same product category. Tailscale is best understood as a private mesh network; Cloudflare Tunnel publishes services through Cloudflare using outbound connectors; Pangolin is a self-hosted identity-aware VPN and tunneled reverse-proxy project built around WireGuard-style access.
The decision starts with control-plane trust. If you want SaaS-managed private networking, look at Tailscale. If you want Cloudflare edge publishing for web apps, look at Cloudflare Tunnel plus Access. If you want a self-hosted access gateway and accept more operational responsibility, Pangolin is the open-source option to evaluate.
What is Tailscale best for?
Tailscale is strongest when the goal is private device-to-device or user-to-server access. It is the clean answer for SSH to Linux servers, small-team admin access, and reaching private services without opening public ports.
Use Tailscale when:
- the service should be private, not public;
- devices or users can join the tailnet;
- ACLs and identity policy matter;
- you need SSH or private TCP access;
- CGNAT makes direct inbound networking painful.
For small teams, Tailscale often gives the fastest safe result because you do not have to publish a web hostname for every admin tool.
What is Cloudflare Tunnel best for?
Cloudflare Tunnel is strongest when you want to publish an application through Cloudflare without opening inbound origin ports. Cloudflare’s docs describe cloudflared creating outbound-only connections from the origin to Cloudflare’s network.
Use Cloudflare Tunnel when:
- the app is HTTP-oriented;
- a public hostname makes sense;
- Cloudflare edge policy is desired;
- origin IP exposure should be reduced;
- Cloudflare Access will protect sensitive self-hosted apps.
Tunnel is not the same as private networking. It is an application publishing path.
What is Pangolin best for?
Pangolin’s GitHub project describes it as an identity-aware VPN and tunneled reverse proxy for remote access based on WireGuard. Its Newt connector is described as a tunneled site and network connector.
That positions Pangolin as an open-source, self-hosted access layer for people who want more control than a SaaS-only setup. The tradeoff is that you become responsible for running, updating, securing, and recovering the access platform itself.
Evaluate Pangolin when:
- self-hosted control is a priority;
- you want an open-source access gateway model;
- you are comfortable operating the control plane;
- you have time to test upgrades and recovery;
- you want a Cloudflare/Tailscale alternative, not just the fastest path.
This page does not claim Pangolin was tested in TheLinuxForum’s lab. Treat it as a decision guide until a verifier-backed install guide exists.
Decision table
| Need | Better first look |
|---|---|
| Private SSH to a Linux VPS | Tailscale |
| Public web app without opening origin ports | Cloudflare Tunnel |
| Sensitive browser app with SSO policy | Cloudflare Tunnel plus Cloudflare Access, or Pangolin if self-hosted control is required |
| Homelab services behind CGNAT | Tailscale for private access; Cloudflare Tunnel for deliberate public HTTP apps |
| Self-hosted access control plane | Pangolin |
| Lowest operational burden | Tailscale or Cloudflare, depending on private-vs-public need |
If the service is an admin dashboard, start from no naked dashboards before choosing a tool.
The trust-model question
The technical feature list is not enough. Ask who controls identity, policy, DNS, routing, and emergency recovery.
Tailscale and Cloudflare reduce operational burden by providing managed control planes. That is useful, but it means trusting those providers for important parts of access. Pangolin shifts more control back to you, but also shifts more failure modes back to you.
For a small business, the right answer is often the one with the clearest recovery path, not the longest checklist of features.
FAQ
Is Pangolin a replacement for Cloudflare Tunnel?
Not exactly. It can overlap with tunneled reverse-proxy use cases, but Cloudflare Tunnel is tied to Cloudflare’s edge and Access ecosystem. Pangolin is a self-hosted access platform with a different operating model.
Is Tailscale better than Cloudflare Tunnel?
For private server access, usually yes. For publishing a public web app through Cloudflare, Cloudflare Tunnel is usually the more direct fit.
Should I use all three?
Usually no. Use the smallest access stack that clearly solves the problem. More access layers can mean more confusion unless each layer has a defined job.
Sources
- Tailscale documentation for private networking, subnet routers, and exit nodes
- Cloudflare One documentation for Cloudflare Tunnel and Access self-hosted applications
- Pangolin and Newt upstream GitHub project descriptions