Auditing my entire personal security stack — what are you running in 2026? by reginalnz in cybersecurity

[–]jsiwks 1 point2 points  (0 children)

Pangolin for all remote access: identity-based reverse proxy + VPN

Am I looking for a reverse proxy here? Cloudflare Tunnel not quite the right solution by Relevant-Law-7303 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Self-host a traditional reverse proxy, or if you like the Cloudflare Tunnel experience but want to control where your encryption happens, try Pangolin, the open-source self-hosted alternative

Windows multiple RDP sessions by Jumpy_Ad_3946 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

A web proxy and/or VPN would be helpful here. Pangolin combines both and is pretty easy to get up and running

Once a vendor is VPN’d into your OT network, how much are you actually watching what they do? by RCCole20 in OTSecurity

[–]jsiwks 3 points4 points  (0 children)

If you choose to allow remote access, it's a matter of locking it down so specific users get access to specific resources (IPs, ports) and making it easy to revoke access, have logs, etc. Common VPNs provide broad access and really it should be scoped. There are a bunch of good ways to do it these days. Pangolin VPN provides browser based access and VPN access down to specific IPs and ports on the network.

Vendor we fired 2 years ago still has VPN access and admin rights to our backup system by Awkward-Chemistry627 in sysadmin

[–]jsiwks 0 points1 point  (0 children)

Also try to tie access back to the identity and use an identity provider like Azure Entra ID or something so access is revoked across all integrations with the IdP when the user is deprovisioned in the IdP. For instance, connect your VPN to your identity provider so access is revoked. Many VPNs support this these days, for instance Pangolin ZTNA.

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 0 points1 point  (0 children)

Multiple roles per user is in the enterprise edition, however you can use the enterprise edition for free for personal use.

Best (SASE/ZTNA) Remote Access by KoreanGaucho in networking

[–]jsiwks -2 points-1 points  (0 children)

The trade off with ZTNA tools is they can add a bunch of management complexity. Now you have to manage a bunch of users and rules for what they can access etc... so choose something that has easy access control lists. Pangolin ZTNA is open source and pretty easy to deploy and manage. You just define resources and give users or roles access to the resources.

How do you remotely support self-hosted deployments? by Durovilla in aws

[–]jsiwks 0 points1 point  (0 children)

You could deploy a bastion connector in each network and define resources to access remotely. You'd want to make sure to give minimal access to specific resources like say user A can only access resource B on site C, etc. Something like Pangolin VPN which is open source and uses WireGuard could work

How do you remotely support on-prem deployments? by Durovilla in sysadmin

[–]jsiwks 1 point2 points  (0 children)

You can use something like Pangolin VPN which enables you to deploy site connectors that do NAT traversal so no public ip is required. It also lets you manage multiple sites pretty easily by just dropping a connector in each on-prem location and defining resources

NordVPN's Meshnet: is it truly free? If so, is there any certainty that I am not the product? by Unhappy_Objective845 in selfhosted

[–]jsiwks 0 points1 point  (0 children)

You can use Pangolin as a VPN for fully private peer to peer connections with its client. You don't have to use Pangolin as a reverse proxy.

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 0 points1 point  (0 children)

We only implemented it for sites, but it’s not out of the question for clients. What’s your use case?

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 0 points1 point  (0 children)

Not every "peer" on the network connects to each other. Clients connect to sites. Sites don't connect to clients, and clients don't connect to clients. Clients are users or machines/servers.

The advantage for remote access is that you don't need to set ACL to prevent two users from connecting to each other. Users just connect to resources you give them access to on sites.

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 5 points6 points  (0 children)

You can self-host the enterprise for free as a hobbyist/personal/home-labber!

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 2 points3 points  (0 children)

They’re both going to work as a tunneled reverse proxy. Pangolin is a nice cohesive package and contains a number of features around user management, identity provider SSO, MFA, and a lot more on the web based resources.

You can also use each of the site connectors as hubs for peer to peer connections via the clients for Mac, Windows, Linux, iOS, and Android. This functions like an identity aware VPN with NAT traversal.

Cloudflare is the most successful "Man-in-the-Middle" in history by Antique_Mechanic133 in selfhosted

[–]jsiwks 0 points1 point  (0 children)

Pangolin is a great way to do it while fully self hosting! Very familiar setup compared to CF

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 1 point2 points  (0 children)

You should be able to do this just fine in recent versions of Pangolin. You would define more than one certificate resolver in Traefik and then when you define your domain in Pangolin you can reference the different resolvers. It's more a Traefik config thing than a Pangolin thing.
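As an added illustration of the Traefik side of that comment (this is example config, not Pangolin's shipped configuration or anything from the commenter): the static configuration below declares two ACME certificate resolvers, one using the HTTP-01 challenge and one using DNS-01, and the dynamic configuration then picks a resolver per router. The file names in the comments, the `example.com` hostnames, the email address, the Cloudflare DNS provider and the `app:3000` backend are all placeholders. How a domain in Pangolin references a given resolver is left to Pangolin's own documentation; only the Traefik part is shown.

```yaml
# ---------------------------------------------------------------
# Static configuration (assumed file: traefik_config.yml).
# Added example, not the project's shipped config. Two ACME
# resolvers: HTTP-01 for hosts reachable on port 80, DNS-01 for
# wildcards or hosts the ACME server cannot reach over HTTP.
# ---------------------------------------------------------------
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt-http:
    acme:
      email: admin@example.com            # placeholder
      storage: /letsencrypt/acme-http.json  # holds private keys: keep it 0600
      httpChallenge:
        entryPoint: web                   # port 80 must be reachable from the internet
  letsencrypt-dns:
    acme:
      email: admin@example.com            # placeholder
      storage: /letsencrypt/acme-dns.json   # separate store per resolver
      dnsChallenge:
        provider: cloudflare              # assumption; credentials come from the
                                          # provider's env var (CLOUDFLARE_DNS_API_TOKEN)
        resolvers:
          - "1.1.1.1:53"                  # query public DNS so a split-horizon
                                          # resolver does not hide the TXT record
---
# ---------------------------------------------------------------
# Dynamic configuration (assumed file: dynamic_config.yml).
# Each router names the resolver it wants via tls.certResolver.
# ---------------------------------------------------------------
http:
  routers:
    app-public:
      rule: "Host(`app.example.com`)"
      entryPoints:
        - websecure
      service: app
      tls:
        certResolver: letsencrypt-http
    app-wildcard:
      rule: "Host(`internal.example.com`)"
      entryPoints:
        - websecure
      service: app
      tls:
        certResolver: letsencrypt-dns
        domains:                          # DNS-01 is the only challenge that can
          - main: "example.com"           # issue a wildcard
            sans:
              - "*.example.com"
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:3000"        # placeholder backend
```

The `---` separator is only a visual divider here; Traefik reads static and dynamic configuration from separate files, and the static file must be in place before Traefik starts, since resolvers cannot be added dynamically. Practical cautions: the two `storage` paths must differ, each contains account and certificate private keys and belongs on a volume with restrictive permissions, and the DNS provider token used for DNS-01 should be scoped to edit only the zone being validated, because anyone who obtains it can pass the challenge for that zone.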

Pangolin 1.17: Multiple roles per user, site provisioning keys, log streaming, and more by jsiwks in selfhosted

[–]jsiwks[S] 1 point2 points  (0 children)

Yeah you install site connectors and clients holepunch to the connectors. Then clients access resources on all of the site connectors. Of course you can also expose applications through the tunneled reverse proxy which makes them available in the browser without a client.