Pangolin is a reverse proxy that provides identity-aware tunneling, which makes it a self-hosted alternative to Cloudflare’s tunnels. Pangolin uses the open source library newt to establish these tunnels from the edge proxy into a network.

Newt as a systemd service

source

Install newt

curl -fsSL https://digpangolin.com/get-newt.sh | bash

Create user and set up directories

sudo useradd -r -s /bin/false newt
sudo mkdir -p /var/lib/newt
sudo chown newt:newt /var/lib/newt

Add the systemd service by creating this file at /etc/systemd/system/newt.service

[Unit]
Description=Newt Client Service
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Type=simple
ExecStart=/usr/local/bin/newt --id YOUR_NEWT_ID --secret YOUR_NEWT_SECRET --endpoint YOUR_PANGOLIN_ENDPOINT
Restart=always
RestartSec=10

# Security hardening options
User=newt
Group=newt
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/newt

[Install]
WantedBy=multi-user.target

Reload systemd, then enable and start the service

sudo systemctl daemon-reload
sudo systemctl enable newt
sudo systemctl start newt
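
A check that can be run on the unit file before enabling the service, added here as an example and not taken from the original page or the newt project: it confirms the hardening directives from the unit above are present and flags a literal value after --secret in ExecStart, because unit files under /etc/systemd/system are commonly created world-readable. The function name audit_unit and the finding labels are assumptions made for illustration, and the sample unit is a constructed copy with the page's placeholders.

```shell
# Added example: audit a newt unit file for the hardening directives on this
# page. Prints one finding per line; no output means nothing was flagged.

# Directives and values copied from the unit file on this page.
REQUIRED='User=newt
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes'

audit_unit() {
    unit=$1
    # 1. Every hardening directive must appear as an exact, uncommented line.
    echo "$REQUIRED" | while IFS= read -r want; do
        grep -qxF -- "$want" "$unit" || echo "MISSING $want"
    done
    # 2. A literal value after --secret puts the credential in the unit file
    #    and in the process argument list. A $VAR or ${VAR} reference (filled
    #    in from an EnvironmentFile) is not flagged.
    if grep -E '^ExecStart=' "$unit" | grep -Eq -- '--secret[ =]+[^$ ]'; then
        echo "SECRET_INLINE"
        # 3. With an inline secret, "other" must not have read permission.
        perms=$(ls -l "$unit" | cut -c8-10)
        case $perms in r*) echo "WORLD_READABLE" ;; esac
    fi
    return 0
}

# Demo on a constructed copy of the [Service] section (placeholders kept).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
ExecStart=/usr/local/bin/newt --id YOUR_NEWT_ID --secret YOUR_NEWT_SECRET --endpoint YOUR_PANGOLIN_ENDPOINT
User=newt
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
EOF
chmod 644 "$sample"   # typical mode for a file created with sudo and umask 022
audit_unit "$sample"
rm -f "$sample"
```

On the unit as written above with mode 644, the findings are SECRET_INLINE and WORLD_READABLE; restricting the file to root (chmod 600) clears the second, and referencing the secret through a variable clears the first.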