I replaced a VPN with my own VPS and it's awesome


I've been self-hosting apps on my NAS for a while now, and one of the things that has been a pain to handle is accessing those services outside my network. I've set up several reverse proxy options, and none worked properly, partly because I don't have a static IP and DDNS is hit-and-miss.

I've also tried similar tools, like Tailscale, which uses a third-party coordination server to get around the NAT issues I also seem to be running into with my ISP. It works well, but I prefer having everything self-hosted. I could host a Headscale instance as the coordination server, but I'd still need to run it outside my home; otherwise, the same NAT issues apply, and I'd still have to set up a reverse proxy to make using my self-hosted services easier.

But then I found Pangolin, and while I've already written about it, one of its main selling points is that it works best when run on a VPS. That way, you can use the Newt Docker client to do the NAT traversal and avoid all the annoying ISP issues I've been having, and which, no doubt, you've been having as well.


Self-hosting from home has a problem

Well, several problems, really, but they all revolve around your ISP

One of the many things wrong with Internet Service Providers (ISPs), especially in the US, is that features you'd want to use in a home lab are pay-gated behind business plans. If you want a static IP (or a few) for self-hosting, you need a business plan with most ISPs. Sure, you can set up DDNS, but that's one extra service to manage, and it also doesn't update quickly enough for all services, especially if you're self-hosting an email server, where a stale record leads to lost messages. You're not supposed to run a server on a home connection anyway, as the Terms of Service usually prohibit running a server with exposed ports.

I ran into this problem recently, and also noticed that Port 25, necessary for the email server, was blocked at the ISP level, no matter where I unblocked it in my firewall. Oh, and many ISPs in the US and elsewhere use Carrier Grade NAT (CGNAT) to preserve their IPv4 blocks and translate them into IPv6 for customers. This means you could share your public IPv4 address with several other customers, and trying to set up a VPN in these conditions is tricky at best.

The solution? Use an intermediary server to provide NAT traversal to bypass the ISP's arbitrary decisions without opening ports and still access your home lab services on your domain. While you could use Tailscale, NetBird, or ZeroTier to do this, I opted for Pangolin because I liked the idea of self-hosting it on my VPS (Virtual Private Server). It also gave me a way to forward port 25, so I could continue self-hosting email.
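A quick way to tell which of the situations described above you are in, before deciding whether an intermediary server is needed: compare the WAN address your router reports with the address the outside world sees. This is an added example, not part of the original article; the sample addresses in it are constructed (RFC 5737 documentation space), and the classification uses the RFC 6598 shared range that ISPs assign to customer routers behind CGNAT.

```python
import ipaddress

# RFC 6598 shared address space that ISPs hand to customer routers behind CGNAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges: seen on a router's WAN port, they mean another NAT
# device (e.g. an ISP modem/router combo) sits in front of it.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify how a home connection sits behind the ISP's NAT.

    router_wan_ip      -- the WAN address shown on the home router's status page
    observed_public_ip -- the address remote hosts see for outbound connections
    Returns one of: "direct", "cgnat", "double-nat", "ipv6-only".
    """
    wan = ipaddress.ip_address(router_wan_ip)
    public = ipaddress.ip_address(observed_public_ip)

    if wan.version == 6 and public.version == 6:
        # No IPv4 on the WAN side at all: IPv4 port forwarding cannot work.
        return "ipv6-only"
    if wan in CGNAT_SHARED:
        # Shared address space on the WAN port: the ISP translates again
        # upstream, so the public IPv4 address is shared with other customers.
        return "cgnat"
    if any(wan in net for net in RFC1918):
        # Private address on the WAN port: a second NAT sits in front of the router.
        return "double-nat"
    if wan == public:
        # The router itself holds the public address; inbound port forwarding works.
        return "direct"
    # Public-looking WAN address that still differs from what the world sees:
    # the ISP translates somewhere in between. Plan as if behind CGNAT.
    return "cgnat"


def needs_relay(state: str) -> bool:
    """True when inbound connections cannot reach the home router directly, so an
    intermediary (a VPS running the reverse proxy and tunnel) is the practical route."""
    return state != "direct"
```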


It's not just about access

Sidestepping NAT issues without needing open ports is great

I've never liked having to keep ports forwarded (and open!) to the internet, especially nowadays, when automated scans and Shodan can pick up those ports in seconds. Along with the extra security headache, that's just not a smart thing to do. But Pangolin doesn't need open ports, or privileged processes or containers, to let you access your self-hosted services outside the home, because it uses NAT hole punching to connect your client and service together. It even works if your ISP has ports like 80, 443, or 25 blocked at their end, because inbound connections terminate on the VPS rather than on your home connection.

It's so much more than just access though. Every subdomain Pangolin creates for your reverse-proxied services is locked behind your login details, which could be a password and username, or SSO, or several other options. You can even make it fully Zero Trust and get a PIN code sent to your email to access services, so it also does all the hard work of securing your services. It also has temporary sharing links so you can let people use your services for a set time before those links stop working. It's fantastic, and far better than sharing passwords for your self-hosted services.


It's still a work in progress

Okay, I mean I'm still learning the ropes


So far, I've had no issues with Pangolin when connecting to services I have running in Docker containers. I did have some problems installing it in the first place, with the Newt and WireGuard modules not installing, which all seemed to be due to running Debian on my VPS instead of Ubuntu Server, but that was easy to fix.

I'm still working on connecting my non-Docker services, which I'm sure won't take much longer, especially since Pangolin uses Traefik for the reverse proxy part. Still, it's probably because I'm using the wrong IP address for the virtual machines. Did I mention I hate virtual networking? Because I do; even when I get it working, I'm never quite sure why. But even with that, the rest of the setup was super simple, and I can reach all my other services from my domain name.


Now I can access my home lab from anywhere, without opening ports to the internet

I love that I can access my home lab from anywhere by typing my domain name into any browser. It's also awesome that my email server works while being protected by Cloudflare, as that's my DNS provider, and I can still use that email address without worry, as it lets me set up DKIM and all the other trust verification so that other email providers know I'm not a likely spammer. Plus, I can still use my VPS for other things, as I have plenty of space on the drive. I think I'm going to add an IRC bouncer, mainly for nostalgic reasons, but after that, I'm not quite sure what I'll use it for, just that it won't sit idle.
