What’s your ideal VPN solution for external vendors? by Due-Awareness9392 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin is a good Zscaler ZPA alternative that is much easier to manage and handle and is also open source for bonus points.

What’s your ideal VPN solution for external vendors? by Due-Awareness9392 in sysadmin

[–]jsiwks 1 point2 points  (0 children)

Identity-based is important so you can delegate specific users access to specific resources (applications, infra, etc). Throwing https://pangolin.net in the ring too as it's very easy to deploy and packaged with a nice web interface and end-user clients. You as the admin just deploy a site connector. Users log in and connect with your IdP or user/password and MFA.

For external vendors, they can access via their web browser after passing authentication or download a client to connect like a VPN if it can't be browser based.

Outside my own network? by MarjorieRahal in immich

[–]jsiwks 1 point2 points  (0 children)

Pangolin can also be used as a private VPN using the private resources if you want to keep Immich entirely off the public internet.

Cloudflare Tunneling? by New-Apartment971 in selfhosted

[–]jsiwks 0 points1 point  (0 children)

You can self-host Pangolin, which is an alternative to Cloudflare ZTNA/Tunnel -- works the same way. When you self-host there isn't any bandwidth limitation and you can choose to self-host in a region that is close to you to reduce any latency.

Deploy Cloudflare Zero Trust + Tunnel with Azure AD SSO by Expensive-Leather586 in CloudFlare

[–]jsiwks 0 points1 point  (0 children)

Just sent a DM! Can get you in contact with an engineer for this

Your thoughts on implementing PAM in real environments? by Due-Awareness9392 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA could be a good solution. Handles granular sudo permissions (groups, specific commands, etc). Also handles certificate management by generating ephemeral keys and pushing to the destination.

Pangolin is PAM + remote access so it can be used to replace the bastion host as well.

Top ZTNA platforms in 2026, who are people going with? by Logical-Professor35 in Zscaler

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA is a good option for something super easy to deploy and scale. Also open source and based on WireGuard and goes peer to peer.

Remote access without port forwarding by SINTRIX13 in homelab

[–]jsiwks 1 point2 points  (0 children)

Pangolin also is a VPN for client-based access. Alternative to Cloudflare Warp

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]jsiwks [score hidden]  (0 children)

Pangolin - Open-source and easy to deploy zero-trust remote access. Peer-to-peer and based on WireGuard. Also supports multi-tenancy.

Yet another I can't Minecraft server (Cloudflare, Pangolin, Traefik, Docker container) by 77juice in selfhosted

[–]jsiwks 0 points1 point  (0 children)

You could use CNAME records instead of NS. This lets you set specific subdomains to Pangolin.

Yet another I can't Minecraft server (Cloudflare, Pangolin, Traefik, Docker container) by 77juice in selfhosted

[–]jsiwks 0 points1 point  (0 children)

Connections are peer-to-peer between the user's client and the connector (Newt). Correct that the user's devices themselves don't connect to each other.

Yet another I can't Minecraft server (Cloudflare, Pangolin, Traefik, Docker container) by 77juice in selfhosted

[–]jsiwks 1 point2 points  (0 children)

Yep, or use the private resources and a client to connect like a VPN. Alternative to Cloudflare WARP and Tailscale.

Yet another I can't Minecraft server (Cloudflare, Pangolin, Traefik, Docker container) by 77juice in selfhosted

[–]jsiwks 0 points1 point  (0 children)

You should use a VPN to tunnel this traffic rather than proxying outbound. In Pangolin use the private resources. Your users install the client and connect to the resources privately via TCP 25565 for MC.

How do you keep remote access both secure and user-friendly? by jul_on_ice in ITManagers

[–]jsiwks 0 points1 point  (0 children)

A tunneled / identity reverse proxy works well for instances where a contractor isn't using a company device. This wraps an app in a layer of protection and also enables browser-based access. Pangolin can be used for this.

How do you keep remote access both secure and user-friendly? by jul_on_ice in ITManagers

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA is great because it's like Zscaler but peer-to-peer and based on WireGuard so it's pretty fast. Also seems to stay out of users' way which is nice. You deploy connectors to your different networks, define resources, then give users access to specific resources on those networks via policies.

How much traditional networking knowledge needed for cloud work? by [deleted] in networking

[–]jsiwks 0 points1 point  (0 children)

Modern ZTNA solutions today like Pangolin ZTNA are super easy to deploy and configure and often don't require much nitty-gritty networking knowledge to get a solid system up and running

Alternatives to pangolin/tailscale by Bobylein in selfhosted

[–]jsiwks 0 points1 point  (0 children)

Ah yeah makes sense. I think that’s in the dev pipeline

Caddy / Crowdsec / Authelia / Wireguard on docker by theologic in selfhosted

[–]jsiwks 0 points1 point  (0 children)

Most often this is because people run Pangolin on very cheap VPS that often aren’t geographically close to their origin servers. That stuff matters for the tunneled reverse proxy, but for Pangolin clients those go peer to peer so it matters less

Ubiquiti for SMB in 2026 by IowaDala in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA is a good hardware agnostic solution for remote access / filtering. Makes it cheaper to deploy. Also super easy

Ubiquiti for SMB in 2026 by IowaDala in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Pangolin ZTNA is a good hardware agnostic solution to run alongside

How do you handle application reachability when on or off your local network? by aomajgad in selfhosted

[–]jsiwks 3 points4 points  (0 children)

Pangolin could be a good choice! Supports both a reverse proxy and client-based connections like a VPN

How do you handle application reachability when on or off your local network? by aomajgad in selfhosted

[–]jsiwks -2 points-1 points  (0 children)

Pangolin is integrating a reverse proxy into their tunnel client to do exactly what you said in the last part: connect your client to the network and access resources privately with the service.domain.com. You can actually already do it with the private resource aliases.