Pangolin vs Cloudflare Tunnel vs Tailscale Funnel: VPS Self-Hosted Showdown 2026

By Fanny Engriana · 11 min read

Last quarter I migrated three of our seven aggregator sites off Cloudflare Tunnel onto Pangolin running on a $7/month Hetzner VPS. The trigger was specific: Cloudflare started inspecting WebSocket frames on a long-running connection that our daily import worker depended on, and the connection got reset every 100 seconds like clockwork. I needed a tunnel where I owned the edge.

That kicked off a serious comparison between the three options most self-hosters land on in 2026: Pangolin (the open-source darling that took over r/selfhosted in late 2025), Cloudflare Tunnel (the incumbent), and Tailscale Funnel (the easy-button option). Each one solves the "expose a private service to the internet" problem with a fundamentally different trust model, and the wrong choice will cost you in latency, money, or 3 AM debugging sessions.

I've now run all three in production across our portfolio: CloudHostReview, two blog properties, and a client's helpdesk system. Here's the breakdown that would have saved me about 40 hours of testing if someone had written it before me.

What These Tools Actually Do (And Why You'd Care)

All three solve the same surface problem: you have a service running somewhere (a homelab box behind CGNAT, a VPS without a public IP, a Docker container on your laptop) and you want a public URL pointing at it. No port forwarding, no firewall edits, no static IP needed.

Where they diverge is the path the packet takes from the public internet to your service:

  • Cloudflare Tunnel: Your origin runs cloudflared, which opens an outbound connection to Cloudflare's edge (one of 330+ POPs). Public traffic hits Cloudflare first, gets TLS-terminated and inspected there, then is re-encrypted and proxied down the tunnel to your origin.
  • Tailscale Funnel: Your origin joins a Tailscale tailnet (WireGuard mesh). Funnel publishes a tailnet node through Tailscale's ingress relays, which route on the TLS server name (SNI) and forward the still-encrypted bytes. TLS is terminated on your node by tailscaled, using a Let's Encrypt certificate whose private key never leaves the node, so the relay only ever sees ciphertext.
  • Pangolin: You run a Pangolin server on a VPS with a public IP. Your origins join via Newt, a WireGuard-based tunnel client (a Newt instance is a Site in Pangolin's terms; the services behind it are Resources). Public traffic hits your VPS, gets TLS-terminated by Traefik (which Pangolin manages), and is forwarded over WireGuard to the origin.

The pattern across all three: outbound-only connection from your private node, no inbound ports needed. The difference is who owns the edge the public internet talks to, and who holds the TLS private key. Cloudflare owns the edge and terminates TLS for you. Tailscale owns the relay but only forwards ciphertext; the key is on your node. With Pangolin, the edge and the key are both on your VPS.

Quick Spec Comparison

| Feature | Pangolin | Cloudflare Tunnel | Tailscale Funnel |
|---|---|---|---|
| Pricing | $0 (self-hosted, $5-7 VPS) | $0 (free tier) | $0 (Personal) / $6 user/mo (Starter) |
| License | AGPL-3.0 (community) + commercial | Proprietary SaaS | Proprietary SaaS (client is BSD) |
| Edge ownership | You own the VPS | Cloudflare's 330+ POPs | Tailscale ingress relays (TLS terminates on your node) |
| Bandwidth limit | Your VPS plan | Unlimited (but T&C apply) | ~100 Mbps – 1 Gbps per relay |
| Funnel/public users | Unlimited | Unlimited | Beta; per-tailnet caps |
| Built-in auth (SSO/OIDC) | Yes (native) | Yes (Zero Trust) | Tailnet only; no public auth |
| WAF | Manual (Traefik/CrowdSec) | Yes (paid tiers) | No |
| DDoS protection | Your VPS provider | Yes (industry-leading) | Limited (relay capacity) |
| Setup time (first tunnel) | ~20 min | ~5 min | ~3 min |
| WebSocket / long-lived | Excellent | OK (with caveats) | Good |
| Custom domain | Yes, any | Yes (via Cloudflare DNS) | No; your node's <node>.<tailnet>.ts.net name only |

Pangolin: The Self-Hosted Heavyweight

Pangolin (by Fossorial) is what I'd describe as "Cloudflare Tunnel's UX, on your own VPS." It came out of nowhere in mid-2025, and by January 2026 it had over 12,000 GitHub stars. The hype is mostly justified.

What you get out of the box: a Traefik-based reverse proxy with automatic Let's Encrypt SSL, a web admin UI that doesn't look like a Bootstrap 3 leftover, WireGuard-based tunnels via the Newt client, built-in identity (local users, OIDC, SSO), per-resource access rules (geolocation, IP allowlists, PIN gates), and a multi-tenant org structure.

How Setup Actually Goes

On my Hetzner CPX11 ($5.18/mo), the install was a single Docker Compose file. The official installer script handles Traefik config, the Pangolin server, the Postgres database, and Gerbil (the WireGuard server component). About 15 minutes from a fresh Debian 12 image to a working login page.

The conceptual model is: you create a Site (a tunnel endpoint, served by Newt running near your resources), then add Resources under it (each one a hostname like app.yourdomain.com that points at http://localhost:3000 on the origin side). Add access rules per resource. That's the whole mental model.

What I Measured

I ran a TTFB test from a residential connection in Jakarta to a Pangolin-fronted Next.js app hosted on a Hostinger shared instance in Singapore. The Pangolin VPS was in Frankfurt (Hetzner, intentionally far). Averages over 50 requests:

  • Direct to Hostinger (no tunnel): 38 ms TTFB
  • Through Pangolin (Frankfurt VPS): 312 ms TTFB
  • Through Cloudflare Tunnel: 51 ms TTFB
  • Through Tailscale Funnel: 198 ms TTFB

This is exactly what you'd expect. Cloudflare has a POP in Jakarta, so traffic barely leaves the region. Pangolin routes through wherever your VPS lives; put yours in Singapore and the gap closes to ~20 ms. The tradeoff is geographic concentration vs. anycast distribution.
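To reproduce the comparison above against your own endpoints, here is a small probe, added here as an example rather than the harness the author used. It times each request from connection open to the first byte of the response, so the TCP and TLS handshake round trips (which are what distance to the edge mostly costs) are included, opens a fresh connection for every sample instead of reusing one, and counts responses carrying cf-cache-status: HIT so a Cloudflare cache hit isn't mistaken for a fast origin path. The cache-busting query parameter name and the numbers in the demo are assumptions.

```python
import http.client
import statistics
import sys
import time
import urllib.parse


def ttfb_stats(samples_ms):
    """Summarise a list of TTFB samples (milliseconds)."""
    s = sorted(samples_ms)
    p95_index = round(0.95 * (len(s) - 1))
    return {
        "n": len(s),
        "mean": statistics.fmean(s),
        "median": statistics.median(s),
        "p95": s[p95_index],
    }


def measure(url, n=50, timeout=10):
    """Issue n GETs to url on fresh connections and return TTFB statistics.

    Each sample runs from the moment the request starts (before TCP/TLS setup)
    until the status line and headers are back, which is what curl reports as
    time_starttransfer. Responses Cloudflare served from its cache are counted
    separately so they can be excluded from an origin-path comparison.
    """
    u = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    samples, cache_hits = [], 0
    for i in range(n):
        # Cache-busting query parameter (assumed not to collide with anything the app uses).
        query = (u.query + "&" if u.query else "") + f"ttfbprobe={i}"
        path = (u.path or "/") + "?" + query
        conn = conn_cls(u.hostname, u.port, timeout=timeout)  # no socket opened yet
        t0 = time.perf_counter()
        conn.request("GET", path, headers={"Cache-Control": "no-cache", "User-Agent": "ttfb-probe"})
        resp = conn.getresponse()  # returns once status line and headers have arrived
        samples.append((time.perf_counter() - t0) * 1000.0)
        if resp.getheader("cf-cache-status", "").upper() == "HIT":
            cache_hits += 1
        resp.read()
        conn.close()
    stats = ttfb_stats(samples)
    stats["cf_cache_hits"] = cache_hits
    return stats


if __name__ == "__main__":
    # Usage: python ttfb_probe.py https://app.example.com/ [count]
    target = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 50
    result = measure(target, count)
    print(f"{target}: mean={result['mean']:.0f} ms median={result['median']:.0f} ms "
          f"p95={result['p95']:.0f} ms cache_hits={result['cf_cache_hits']}/{result['n']}")
```

Run it once per path (direct, Cloudflare, Pangolin, Funnel) from the same client; a non-zero cache_hits count on the Cloudflare run means that figure measured the edge cache, not the tunnel.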

Where Pangolin Wins

For self-hosters who care about who sees their traffic, this is the answer. With Cloudflare Tunnel, all traffic is decrypted at Cloudflare's edge, because they need to see plaintext to run WAF rules and route it. With Pangolin, TLS terminates on your own VPS. If you don't want a third party reading your headers and request bodies, this matters.

The built-in identity layer is also a real differentiator. I have a CrowdSec community blocklist wired into the Traefik middleware, and I run OIDC against an Authelia instance for staff resources. Trying to do the same on Cloudflare requires their Zero Trust offering, which gets expensive past 50 seats.

Where Pangolin Loses

You're on the hook for everything edge-related. DDoS? Hope your VPS provider absorbs it; at minimum, firewall the VPS down to 80, 443 and the UDP port Gerbil's WireGuard server listens on, and put a CrowdSec or fail2ban bouncer in front of Traefik. SSL renewal failures? You're debugging them. Pangolin server crashes at 2 AM? That's your pager. Cloudflare's edge is, for a hobbyist's purposes, always up; your $5 VPS has whatever uptime Hetzner's hypervisor decides to give you.

Bandwidth is also a real cost. Hetzner CPX11 gives 20 TB/month before charging; fine for most personal sites, painful if you're streaming video.

Cloudflare Tunnel: The Incumbent

Cloudflare Tunnel has been the default answer for "expose a homelab service" since around 2022, and for most use cases it remains the right answer. The combination of free unlimited bandwidth, anycast routing across 330+ POPs, automatic SSL, and bundled DDoS protection is nearly impossible to beat on cost or performance.

What's Good

Setup is genuinely 5 minutes if you have a domain on Cloudflare. Install cloudflared, log in, point a hostname at http://localhost:port, done. Zero infrastructure to maintain. The free tier is genuinely free with no asterisks for the tunnel itself; Cloudflare's business model is that they're using you as an edge cache.

Anycast routing is the biggest performance win. From my measurements above, going through Cloudflare added only 13 ms vs. direct, because Jakarta has a POP. For a service whose users are globally distributed, you'd need to run Pangolin VPS instances in multiple regions to match this, and at that point the cost calculation flips against you.

What's Bad

The 100-second WebSocket reset that triggered my migration is documented but easy to miss. Cloudflare's free plan kills idle WebSocket connections at 100 seconds. Workaround: send a ping frame every 60 seconds from your client. I was doing this, but the reset happened anyway when our import job stalled mid-stream and stopped pinging. Pro plan extends it, but you're at $25/month per zone.
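The failure above is structural: if the ping is sent from inside the work loop, a stalled step stops the pings too. The pattern that avoids it is a heartbeat task that runs independently of the worker, with the blocking work pushed off the event loop. The following is an added illustration of that pattern, not the author's import worker and not any WebSocket library's API: the socket is a stand-in object that only counts pings and frames, the stall is a time.sleep, and the intervals are shrunk so the demo finishes in well under a second. With a real client you would swap the stand-in for the library's connection object and set the interval to something like 30 s, comfortably under the 100 s cutoff described above.

```python
import asyncio
import time


class FakeSocket:
    """Stand-in for a WebSocket client connection (constructed for this demo).

    A real client would expose ping()/send() coroutines in the same spirit.
    """

    def __init__(self):
        self.pings = 0
        self.frames = []

    async def ping(self):
        self.pings += 1

    async def send(self, frame):
        self.frames.append(frame)


def import_step(stall_seconds):
    """One step of the import job. Blocks the calling thread, like a slow DB read."""
    time.sleep(stall_seconds)
    return "row"


async def heartbeat(ws, interval, stop):
    """Ping every `interval` seconds until `stop` is set, regardless of what the worker does."""
    while not stop.is_set():
        await ws.ping()
        try:
            await asyncio.wait_for(stop.wait(), timeout=interval)
        except asyncio.TimeoutError:
            pass  # interval elapsed: send the next ping


async def run_inline_ping(ws, steps, stall_seconds):
    """The fragile version: ping only between steps. A stalled step means no pings."""
    for _ in range(steps):
        await ws.ping()
        row = await asyncio.to_thread(import_step, stall_seconds)
        await ws.send(row)
    return ws.pings


async def run_with_heartbeat(ws, steps, stall_seconds, interval):
    """The robust version: heartbeat task beside the worker, blocking work off the loop."""
    stop = asyncio.Event()
    hb = asyncio.create_task(heartbeat(ws, interval, stop))
    try:
        for _ in range(steps):
            row = await asyncio.to_thread(import_step, stall_seconds)
            await ws.send(row)
    finally:
        stop.set()
        await hb
    return ws.pings


def demo(steps=3, stall_seconds=0.1, interval=0.03):
    """Run both variants on a stand-in socket; returns (inline_pings, heartbeat_pings, frames)."""
    inline = FakeSocket()
    asyncio.run(run_inline_ping(inline, steps, stall_seconds))
    robust = FakeSocket()
    asyncio.run(run_with_heartbeat(robust, steps, stall_seconds, interval))
    return inline.pings, robust.pings, len(robust.frames)


if __name__ == "__main__":
    inline_pings, hb_pings, frames = demo()
    print(f"inline ping: {inline_pings} pings for {frames} frames")
    print(f"heartbeat:   {hb_pings} pings for {frames} frames (pings kept flowing during stalls)")
```

The inline variant sends exactly one ping per step, so a step that stalls for longer than the proxy's idle cutoff loses the connection no matter what interval you intended; the heartbeat variant keeps pinging through the stall because the blocking call never occupies the event loop.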

The trust model is the bigger issue if you care about it. Every request is decrypted at Cloudflare's edge and re-encrypted over the tunnel, so Cloudflare sees headers and bodies in plaintext. For our CVE intelligence work on a sibling property, where the request payload itself could be sensitive, that's not acceptable. For a blog or a SaaS landing page, nobody cares.

Other Cloudflare-specific gotchas I've hit: file upload limit is 100 MB on free, 500 MB on Pro (a hard cap, not configurable); the WAF on free is rule-based and trivially bypassed; and the cached error page when your origin is down looks like a Cloudflare-branded "522" instead of something you control.

Tailscale Funnel: The Easy Button

Tailscale Funnel takes a node already in your tailnet (a Tailscale-managed mesh network) and exposes it publicly. The killer feature is that there's almost nothing to configure. Once the node is allowed to use Funnel in your tailnet policy (the funnel node attribute) and HTTPS certificates are enabled for the tailnet, publishing a local service is one command:

tailscale funnel --bg 8080

That proxies https://<your-node>.<your-tailnet>.ts.net to http://localhost:8080 on the node and keeps the mapping after the shell exits; tailscale funnel status shows what is currently exposed, and tailscale serve --bg 8080 is the same proxy restricted to the tailnet. Three minutes from "I have a homelab service" to "it's at a public HTTPS URL." For prototyping, demos, and personal projects, nothing else comes close.

The Catch

It's still officially in beta, and the limitations are real. Per-relay throughput caps mean a high-traffic service will saturate. The public hostname is your node's MagicDNS name (like your-node.tailXXXX.ts.net). Funnel does not take a custom domain, and pointing one at the ts.net name with a CNAME doesn't help: the ingress relays route on the TLS server name and the certificate is issued for the ts.net name. That certificate is a Let's Encrypt one that tailscaled obtains for your node, so the private key stays with you rather than with Tailscale. Per-port allocation rules limit which ports you can expose (443, 8443 and 10000).

The bigger structural issue is that Tailscale Funnel was designed for incidental public exposure within a primarily-private setup. It's not designed for "this is my production website." For 7-aggregator-site operations like mine, the per-user pricing model also breaks: I'd be paying for users who don't exist just to keep the tailnet expanded enough for Funnel quotas.

Where it shines: a single dev exposing a single staging environment to a single external reviewer. Or a homelabber putting their Vaultwarden up at a stable public URL without thinking about it. Those are great use cases.

Real Decision Framework

After running all three, here's the actual decision tree I use when a friend or client asks. There's no universal winner; the question is what you're optimizing for.

Pick Cloudflare Tunnel if:

  • Your users are globally distributed and latency matters (anycast wins).
  • You don't mind Cloudflare seeing your plaintext traffic.
  • You want zero edge infrastructure to maintain.
  • You're already on Cloudflare for DNS/CDN, so there's no reason to leave.
  • You need free DDoS protection for a service that might be targeted.

Pick Pangolin if:

  • You want full control over what hits your traffic before your origin.
  • You need built-in identity (OIDC, SSO, per-resource auth) without paying Zero Trust prices.
  • You're running multiple internal services for a small team (homelab, family, small org).
  • You're comfortable maintaining a VPS and a Traefik config.
  • Compliance or data-residency rules forbid third-party TLS termination.

Pick Tailscale Funnel if:

  • You need a public URL for something temporary or low-traffic.
  • Your tailnet already exists and adding Funnel is one command.
  • The service is in one of Tailscale's port-allocation slots (443, 8443, 10000).
  • You're a solo developer, not running a multi-user setup.

The Hybrid Approach (What I Actually Run)

Across our seven aggregator sites (CloudHostReview, HoroAura, CyberShieldTips, and the rest) I now run a mix. The pattern that works:

  • Public-facing blogs: still on Cloudflare. They're cache-friendly, the WAF helps, and there's nothing sensitive in a blog post.
  • Admin panels and CMS dashboards: behind Pangolin with OIDC enforcement. Login pages should never be on the public internet without an identity layer in front of them.
  • Long-lived workers and webhook receivers: behind Pangolin. The 100-second WebSocket issue and Cloudflare's cleartext inspection both matter here.
  • Staging environments for client demos: Tailscale Funnel. Spin up, share, tear down.

This is the unsexy answer. Most "X vs Y vs Z" articles pretend you need to pick one and stick with it. In production, you don't. Each of these tools has a price/performance/trust profile that fits a specific tier of workload. The right architecture uses each one where it earns its keep.

Migration Lessons (Cloudflare → Pangolin)

If you're considering moving off Cloudflare Tunnel onto Pangolin, here are the gotchas that cost me time:

DNS authority. Cloudflare Tunnel requires the zone to be hosted on Cloudflare DNS. Pangolin doesn't care, but if you keep Cloudflare for DNS and turn the orange cloud off, you lose Cloudflare's caching: your VPS now serves every request, every image, every CSS file. Either keep the orange cloud on (Cloudflare in front of Pangolin, double-proxy) or leave the record unproxied and size the VPS for the full traffic; there is no need to move the zone to your registrar for Pangolin's sake.

Client IP headers. Pangolin uses Traefik, which sets X-Forwarded-For and X-Real-IP for you. But if your app reads CF-Connecting-IP, nothing populates it any more, so switch the app to the Traefik headers, and only trust them on connections from the hop that actually delivers requests to the app: anyone who can reach the service by another path can send whatever X-Forwarded-For they like, and an IP allowlist or rate limiter that believes it is bypassed. About 20 minutes of grep-and-replace across our codebases.

Rate limiting. Cloudflare hides a lot of bot traffic from you. The first day after migration to Pangolin, I saw 4x the requests in our logs, none of them legitimate. CrowdSec via Traefik middleware took care of it, but you need to plan for that day-one spike.

VPS sizing. Pangolin itself is light (under 200 MB RAM), but Traefik plus a few WireGuard tunnels plus Postgres adds up. The CX21 ($5.18/mo) handled 5 resources and ~500 GB monthly traffic without breaking 30% CPU. The CX11 ($3.66/mo) is too small if you plan to enable WAF middlewares.

Pricing Reality Check (May 2026)

| Use Case | Pangolin | Cloudflare Tunnel | Tailscale Funnel |
|---|---|---|---|
| Single homelab, 1 user | ~$5/mo (VPS) | $0 | $0 |
| Small team, 5 users, 10 resources | ~$5/mo (VPS) | $0 (basic) or $7/user/mo (Zero Trust) | $30/mo (Starter, 5 users) |
| Mid-sized org, 20 users, WAF needed | ~$15/mo (bigger VPS; CrowdSec community is free) | $140/user/mo (Cloudflare One Enterprise, rough estimate) | $120/mo + manual WAF (none built in) |
| High-bandwidth (1 TB/day video) | ~$50/mo (bandwidth overage) | $0 (but the T&C clause on video and large files applies) | Bandwidth-throttled, not viable |

One often-missed point: Cloudflare's "unlimited bandwidth" on the free Tunnel has a quiet clause in their Terms of Service against serving primarily-video traffic on free plans. They rarely enforce this, but if you're moving terabytes of MP4 you're in gray-area territory.

Frequently Asked Questions

Can I use Pangolin behind Cloudflare?

Yes, and it's a common setup. Put Cloudflare in front (DNS proxied, orange cloud on) for DDoS, then Pangolin behind that for identity and access rules. You give up the "Cloudflare can't read my traffic" benefit but gain edge DDoS protection. The architecture is double-proxy: client → Cloudflare → your Pangolin VPS → origin via WireGuard. Two things make or break it. Restrict inbound 80/443 on the VPS to Cloudflare's published IP ranges, because otherwise anyone who learns the VPS address walks straight past the WAF and the DDoS shield and talks to Traefik directly. And take the client address from CF-Connecting-IP only on connections that arrive from those ranges, since on any other connection that header is attacker-controlled.
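Both the migration note on client IP headers above and the double-proxy setup in this answer come down to one rule: believe a forwarding header only when the connection it arrived on came from a hop you control, or from Cloudflare. The function below, added here as an example and not part of Pangolin, Traefik or the author's code, applies that rule. It takes the peer address the application sees, walks X-Forwarded-For from the right past your own proxies, and only then, if the next hop is a Cloudflare edge address, accepts CF-Connecting-IP. The proxy and edge ranges are constructed stand-ins taken from the RFC 5737 documentation blocks; in production, load the real list from https://www.cloudflare.com/ips-v4 and refresh it on a schedule, and set the trusted-proxy range to whatever address Newt delivers requests from (loopback here is an assumption).

```python
import ipaddress

# Constructed stand-in ranges (RFC 5737 documentation blocks). Replace with the real
# Cloudflare list and with the address Newt/Traefik actually connects to the app from.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]   # assumption: Newt delivers via loopback
CLOUDFLARE_EDGE = [ipaddress.ip_network("192.0.2.0/24")]  # stand-in for Cloudflare's published ranges


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES, edge_ranges=CLOUDFLARE_EDGE):
    """Return the client address as a string, trusting forwarding headers only from known hops.

    remote_addr: the TCP peer the application accepted the connection from.
    headers: request headers with lower-case names.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        # Direct connection that did not come through our proxy: every forwarding
        # header is attacker-controlled, so the peer address is all we can believe.
        return str(peer)

    # Walk X-Forwarded-For right to left. Entries belonging to our own proxies are
    # skipped; the first address that is not ours is the hop that talked to our proxy.
    hop = peer
    for entry in reversed(headers.get("x-forwarded-for", "").split(",")):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # garbage in the chain: stop rather than trust anything beyond it
        if _in_any(addr, trusted_proxies):
            continue
        hop = addr
        break

    # Double-proxy case: that hop is a Cloudflare edge, so CF-Connecting-IP is authoritative.
    if _in_any(hop, edge_ranges):
        cf_ip = headers.get("cf-connecting-ip", "").strip()
        try:
            return str(ipaddress.ip_address(cf_ip))
        except ValueError:
            pass  # edge hop without a usable CF-Connecting-IP: fall back to the edge address
    return str(hop)


def allowed(remote_addr, headers, allowlist):
    """Example consumer: an IP allowlist that cannot be defeated by spoofed forwarding headers."""
    ip = ipaddress.ip_address(client_ip(remote_addr, headers))
    return _in_any(ip, [ipaddress.ip_network(n) for n in allowlist])
```

The right-to-left walk is what makes this safe: a client can prepend anything it likes to X-Forwarded-For, but the rightmost non-proxy entry was appended by your own Traefik from the real peer address, and a spoofed CF-Connecting-IP is ignored unless that peer really is a Cloudflare edge.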

Does Pangolin work with self-signed origin certs?

Yes. The Newt client (the tunnel endpoint at your origin) connects to Pangolin's Gerbil server over WireGuard, which is its own encrypted and authenticated channel, so the hop from Traefik to your local service can be plain HTTP; public TLS terminates at the Pangolin VPS, not at the origin. This is the same model as Cloudflare Tunnel. If the origin insists on HTTPS with a self-signed certificate, Traefik can be told not to verify the upstream certificate (its serversTransport insecureSkipVerify setting), but plain HTTP inside the tunnel is simpler and gives up nothing, since WireGuard already protects that hop.

Will Tailscale Funnel ever leave beta?

Tailscale's roadmap hasn't committed publicly to a date as of May 2026. The feature has been in beta since 2023. Given the bandwidth costs they'd incur if it became fully public-scale, I'd bet it stays beta-flavored (per-tailnet caps, no SLA) indefinitely. Don't build a business on it.

Can Pangolin replace ngrok for development?

Functionally yes, but you'd need to operate the Pangolin VPS. For ephemeral dev tunnels, Tailscale Funnel or Cloudflare's quick tunnels (cloudflared tunnel --url localhost:8000) are friction-free. Pangolin shines when you have ongoing services to expose, not for ad hoc port forwarding.

What about security audits?

Cloudflare publishes SOC 2 Type II reports and is audited continuously. Tailscale has similar compliance documentation. Pangolin, being self-hosted open source, has no third-party audit you can cite to compliance; the burden of audit-readiness shifts entirely to you and your VPS provider. For regulated industries this matters; for personal projects it doesn't.

How does Pangolin handle multi-region failover?

It doesn't, natively. You'd run multiple Pangolin instances in different regions and split traffic via DNS round-robin or a separate global load balancer. Cloudflare Tunnel's anycast handles this transparently β€” that remains its biggest structural advantage.

The Honest Verdict

If I were starting fresh in May 2026 with one service to expose, I'd reach for Cloudflare Tunnel. It's still the best free-tier deal in self-hosting, and 80% of use cases don't care about who terminates TLS.

If I were running anything with admin access, multi-user identity, or content I genuinely don't want a third party to inspect, I'd reach for Pangolin. The maintenance overhead is real but bounded (a few hours a month), and the trust model matters when it matters.

Tailscale Funnel earns its spot as the "I need this in 60 seconds" answer. It's not a production answer for a public-facing site, and it's overkill for anything you'd otherwise solve with Cloudflare. But for that narrow band of "exposing a tailnet-resident service to one external person for a week," nothing's faster.

The mistake I see most often in our consulting work at Warung Digital Teknologi is teams picking one tunnel and forcing every workload through it. None of these tools is a universal answer. The win is matching the workload to the trust, performance, and cost profile that fits, and being willing to run two of them side by side when the workloads genuinely differ.
