Migrating to Pangolin

Tags: pangolin, crowdsec, selfhosting, kubernetes

For a while I’ve been struggling with my dynamic IP, lack of IPv6, and ports blocked by my ISP. I decided to invest in a small VPS to work around these limitations. The VPS runs Pangolin, an identity-aware reverse proxy that tunnels traffic to services running elsewhere.

Setting up Pangolin

I set up a Hetzner VPS with Debian, SSH’d in and started installing Pangolin. The installation script required some manual steps I didn’t expect: I had to install Docker and Docker Compose separately before running it.

On the cluster side, I deployed Newt, Pangolin’s tunnel agent. It establishes an outbound connection from the cluster to the VPS, allowing Pangolin to route HTTP(S), TCP, and UDP traffic back to services on the cluster. After configuring DNS and HTTPS via Let’s Encrypt, everything was accessible through the VPS.
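For reference, here is what the cluster side of that setup can look like as a Kubernetes manifest. This is an added example, not the post's own manifest or anything published by the Pangolin project: the image name and the environment variable names (`fosrl/newt`, `PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`) are taken from Newt's documented docker-compose example and should be checked against the Newt docs for the version you run; the namespace, Secret values, endpoint hostname and the assumption that Newt's userspace WireGuard needs no extra capabilities are mine.

```yaml
# Added example: Newt as an in-cluster Deployment that dials out to the VPS.
# Nothing here exposes a port; the tunnel is outbound only, so no Service,
# Ingress or NodePort is needed on the cluster side.
apiVersion: v1
kind: Secret
metadata:
  name: newt-credentials
  namespace: pangolin            # assumed namespace
type: Opaque
stringData:
  NEWT_ID: "<newt id generated in the Pangolin UI>"        # placeholder
  NEWT_SECRET: "<newt secret generated in the Pangolin UI>" # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: newt
  namespace: pangolin
spec:
  replicas: 1                    # one agent per site; Pangolin sees it as a single site
  selector:
    matchLabels:
      app: newt
  template:
    metadata:
      labels:
        app: newt
    spec:
      containers:
        - name: newt
          image: fosrl/newt:latest        # pin a release tag in practice
          env:
            - name: PANGOLIN_ENDPOINT
              value: "https://pangolin.example.com"   # the VPS; placeholder hostname
          envFrom:
            - secretRef:
                name: newt-credentials
          securityContext:
            # Assumption: Newt runs WireGuard in user space, so it needs no
            # NET_ADMIN; drop everything and forbid privilege escalation.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```

Because Newt reaches targets from wherever it runs, the target addresses you enter in Pangolin for this site are resolved from inside the pod, so in-cluster Service DNS names such as `my-app.my-namespace.svc.cluster.local:80` work and nothing needs to be reachable from outside the cluster. If the cluster uses NetworkPolicies, the Newt pod needs egress to the VPS on the Pangolin endpoint and its WireGuard UDP port, plus ingress-free access to the Services it fronts.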

This let me remove my edge ingress controller, the external-dns instance I had for it, and a bunch of ingress resources. It trades one type of complexity for another, but the result is cleaner.

CrowdSec

The Pangolin installer includes CrowdSec, so I followed the community guide to configure it. The guide needed some adjustments: the Traefik bouncer plugin wasn’t registered in the static config by default, and the AppSec component required an additional acquisition config file to actually start listening.

CrowdSec now protects both web traffic (via a Traefik middleware that shows a ban page) and the host itself (via a firewall bouncer on iptables), covering SSH, mail, and all other exposed ports.
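The configuration pieces the two paragraphs above refer to, as an added example rather than the post's own files: the plugin registration that was missing from Traefik's static config, the acquisition file the AppSec component needs before it listens, the Traefik middleware that consults CrowdSec and serves the ban page, and the host firewall bouncer. Option names follow the CrowdSec documentation and the plugin's README; the plugin version, service hostnames, the ban page path, the published LAPI port and the API keys are placeholders or assumptions to replace with your own values, and `banHTMLFilePath` should be checked against the plugin version you install.

```yaml
# --- Traefik static config (e.g. traefik_config.yml): register the bouncer plugin.
# Added example, not the post's config. The version is a placeholder.
experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: vX.Y.Z                 # placeholder: pin the release you actually use
---
# --- CrowdSec acquisition file (e.g. acquis.d/appsec.yaml).
# Without an acquisition of source "appsec" the AppSec component never listens.
# 7422 is the port CrowdSec's documentation uses for AppSec.
appsec_config: crowdsecurity/appsec-default
labels:
  type: appsec
listen_addr: 0.0.0.0:7422
source: appsec
name: traefik-appsec
---
# --- Traefik dynamic config: the middleware Traefik applies to routers.
# Assumes CrowdSec runs as a compose service named "crowdsec" on the same
# Docker network as Traefik, and that ban.html is mounted into the Traefik container.
http:
  middlewares:
    crowdsec:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          crowdsecMode: live                          # ask LAPI per request; "stream" caches decisions
          crowdsecLapiScheme: http
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiKey: "<key from: cscli bouncers add traefik-bouncer>"   # placeholder
          crowdsecAppsecEnabled: true
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true            # fail closed if AppSec is unreachable
          banHTMLFilePath: /etc/traefik/ban.html      # assumed path; verify option for your plugin version
---
# --- Host firewall bouncer (/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml).
# Covers SSH, mail and every other port on the VPS, independent of Traefik.
# Assumes LAPI's port 8080 is published from the CrowdSec container to localhost.
mode: iptables
update_frequency: 10s
api_url: http://127.0.0.1:8080/
api_key: "<key from: cscli bouncers add firewall-bouncer>"   # placeholder
deny_action: DROP
deny_log: false
iptables_chains:
  - INPUT
```

The `---` separators mark four separate files, not one document. Each bouncer needs its own key from `cscli bouncers add`, and the middleware only takes effect on routers that reference it (for example `crowdsec@file` in a router's middleware list). Two quick checks after starting everything: `cscli bouncers list` should show both bouncers with a recent last pull, and `cscli metrics` should show the `traefik-appsec` acquisition receiving requests once traffic flows through Traefik; if either is missing, the component is configured but not actually in the path.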

Overall the setup feels more secure. My local ISP no longer has any ports opened, and the ports exposed through Pangolin are better protected than before. It was a bit rough to set up, but worth it.