Keeping traffic from clients to resources on the same network if Pangolin is external #685
Replies: 9 comments 3 replies
-
|
Would be very nice to keep local traffic local indeed. At the moment 80% of my traffic is inside my network to a couple of sub domains (managed with traefik) so it would be unnecessary to let the traffic go to the VPS and back to my local network. I think the local only solution would work great. That way, we don't have to set up a second traefik instance for local calls as well. |
Beta Was this translation helpful? Give feedback.
-
|
I would love the local-only approach if it were possible. Being able to connect directly to my self-hosted services while at home (even during an internet outage) but still being able to go through the vps while out and about, all with a single url. At the moment, I'm using Nginx Proxy Manager as a reverse proxy internally for some services that seem to be rather slow through the VPS. Acceptable when I'm outside of the house, but not when I'm on the same network as those services. |
Beta Was this translation helpful? Give feedback.
-
|
Interesting disucssion @patchmonkey, @fanaticDavid, @johanngrobe.
I was using NPM, but recently switched to Zoraxy (which is nice), but as Pangolin serves a similar function, it would be great to have just one interface, and be able to utilize it's access controls/identity providers. |
Beta Was this translation helpful? Give feedback.
-
|
This almost reminds me of the "Remote Nodes" feature available with Pangolin Cloud, albeit with some obvious differences. It's the idea of deploying some sorta remote agent to a site that acts as a local reverse proxy within that network, but pulls configs/certs from a primary instance. This type of functionality would probably clear my last big hurdle to fully adopting Pangolin 🙂 It'd be an absolute love-letter to homelab power users. In the "suggested solution" diagram, you have a local DNS server that routes resource names to the local node. This is what I'd initially imagined, too, but I noticed the "Remote Node" overview mentions the following:
If a theoretical implementation of this feature were to build on Pangolin Cloud's existing "Remote Node" feature, I'm curious as to how the DNS setup would work. Relying on the primary VPS node/control plane would still introduce a point of failure if it becomes unavailable for whatever reason. Maybe I'm misunderstanding the docs, though. It could be that the DNS routing wouldn't even be considered for a self-hosted version; I'm not sure how Cloud does it. Either way, I'm personally partial to just having a local wildcard DNS record pointing to the local node, but still wanted to bring it up for discussion. 🙂 |
Beta Was this translation helpful? Give feedback.
-
|
I think this is a key area to improve Pangolin. The system does so much right now but this would make it more complete. My proposed solution would be similar to the local clone option, but essentially opposite - a VPS outpost. I'd like to be able to run Pangolin within my local environment and just have a newt like cloud outpost on a VPS (or Pangolin cloud). Essentially, on each physical site, we'd be running the Pangolin stack allowing all the configuration, certificate management etc, to be managed locally. The VPS/Cloud outpost service would used to coordinate sites and essentially forward traffic to the local sites without requiring opening up ports in the firewall. The local DNS can point directly to the local Pangolin instance. The benefit compared to the current approach is that internal traffic isn't routed through the internet. The benefit compared to the suggestion proposed above, with a "clone" locally, is that management can be done and kept locally even when WAN or VPS is unavailable. Of course, automatic certificate renewals require WAN and if there are no holes punched in the firewall, they can't be renewed without the VPS/Cloud. Another option would that the outpost renews and keeps the certificates, with the local Pangolin instance retrieving them. It still requires the VPS running but it's an alternative architecture. |
Beta Was this translation helpful? Give feedback.
-
|
I was thinking of this feature to replace my local traefik reverse proxy! I'd glad someone else thought of it too. Although, "No SSL cert management through pangolin" can be a feature. Just use DNS challenge for ssl certs. |
Beta Was this translation helpful? Give feedback.
-
|
It would indeed be pretty cool if we can set up a second local Pangolin. It would also be interesting for me to use this second Pangolin server to handle external IPv6 connections, because a direct IPv6 connection has significantly less latency and higher bandwith than the VPS route. At the moment I am also running a second reverse proxy to accomplish this. |
Beta Was this translation helpful? Give feedback.
-
|
+1 from my side! I'am thinking about how to handel this back and forth. From a high level perspective somewhat of a Split-Horizon DNS configuration would be great for this. Pangolin would really benefit from this functionality. |
Beta Was this translation helpful? Give feedback.
-
|
I was able to sort of put into place a system with a similar outcome, although it's not ideal as the design I outlined above. Currently, I have my local caddy AND my pangolin VPS grabbing certificates for my domain using the DNS01 challenge. My local caddy serves LAN and VPN traffic to the resources directly without traversing the WAN using the same URLs; Pangolin via the VPS serves external traffic to my Caddy instance inside the LAN, which then routes the traffic internally. The main downside is this requires two very distinct configurations; a Caddy config for all of the resources and DNS01 challenge specific plugins and config, and a pangolin configuration to point the resource to the routing/Caddy endpoint inside my lan. Additionally for each of these Pangolin resources, I also have to set the TLS Server name and Custom Host Header to the url of the pangolin resource, so that the Caddy server on the local side routes the request correctly. The result is more or less the same as what I was trying to achieve, but it's a lot of manual config and it's very easy for configurations to diverge. I thought I'd share if that helps any of you while we hope for more pangolin-based feature-set |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
It would be really useful if there was a way to prevent requests from client A through pangolin to resource A from having to be routed out and in through a WAN connection.
Considerer the following:
Client A and Resource A both reside on the same network (Let's call it homenet). Pangolin resides on a VPS run by a common VPS provider, and uses the domain name "homenet.site".
If Client A wants to reach Resource A, there are no optimal paths:
Option 1: Everything through Pangolin
Pros:
Cons:
Option 2: Local through local https domain name
Pros:
Cons:
Option 3: Using local DNS Servers to redirect traffic to the correct resource
Pros:
Cons:
Suggested Solution
Create a "Pangolin local-only" clone or proxy:

A Pangolin "Local Only" clone could sync to the main pangolin installation and retrieve all of the required configuration and certs.
Alternatively, a "Local Only" Proxy could route traffic from client to resource, while offloading certs and authentication/authorization to the main installation.
Pros:
Beta Was this translation helpful? Give feedback.
All reactions