If you have spent any time looking at my project list, you know I am a fan of self hosting. At any given moment I am running dozens of services across my infrastructure. It is a scale that occasionally makes me question my own sanity, but that is where the joy of the build lives.
The real challenge with running a high volume of services is managing external access without compromising security.
I previously wrote about using Cloudflare Tunnels to expose services. It is an effective solution that removes the need for port forwarding or complex firewall rules. However, the more I expanded my lab, the more I realized I was creating a massive dependency on a single corporate entity. While Cloudflare is excellent for some things, I wanted more sovereignty over my most sensitive data.
This led me to Pangolin and Newt.
I am now using a hybrid approach that balances the convenience of a global CDN with the privacy of a self hosted tunnel. Here is how I split the workload between the two.
Cloudflare Tunnels: The Public Front End
Cloudflare Tunnels work by running an agent called cloudflared within the network. It establishes an outbound connection to their edge, allowing you to map public DNS records to internal IP addresses.
I still use this for specific use cases:
DDoS Protection and WAF: Their Web Application Firewall is among the best. It filters out bot noise and automated attacks before they ever reach my home hardware.
General Availability: If I need to access a utility service from a remote network or a restricted guest Wi-Fi, Cloudflare’s edge nodes ensure a stable connection.
Identity Integration: It is very easy to slap a Zero Trust login in front of a service using Google or GitHub as the provider.
The trade off is that Cloudflare terminates the SSL connection. On the free tier, they decrypt the traffic on their servers to inspect it before sending it through the tunnel. For basic utilities this is acceptable, but for my core infrastructure management, I prefer a path where I hold the keys.
Pangolin and Newt: The Private Backbone
Pangolin is a self hosted inverse proxy that runs on a VPS you control. The Newt agent sits inside the home lab and creates an outbound WireGuard tunnel to that VPS.
This setup appeals to me because it prioritizes the craft of the build:
Data Sovereignty: I own the entire path. Traffic flows from the client to my VPS and then through the WireGuard tunnel to the service. No third party decrypts the handshake.
WireGuard Performance: Newt is built on WireGuard, which is fast and extremely resilient. It handles NAT traversal just as well as Cloudflare but gives me full visibility into the tunnel itself.
Custom Identity: I can use my own instance of Authentik for authentication, keeping the entire security stack under my own management.
The downside is the maintenance. You have to manage the VPS and handle your own security hardening. It is not a set and forget solution, but for a home lab enthusiast, that is usually a feature rather than a bug.
The Hybrid Strategy
I don’t believe in a one size fits all architecture. I divide my services based on risk and protocol requirements.
Use Cloudflare Tunnels for:
Public Utilities: Services that need to be accessible from any device without a VPN client.
High Traffic Tools: Anything that might draw enough attention to benefit from a professional WAF.
Use Pangolin and Newt for:
The Management Stack: My Proxmox interface, Portainer, and internal documentation. These are the crown jewels of the lab and stay on the private tunnel.
Non HTTP Traffic: If I need to expose a specific TCP or UDP port for a secure shell or a specialized tool, Pangolin and Newt handle raw traffic much more naturally.
Experimental Projects: Anything where I want to test a new service without broadcasting its existence to the wider internet.
Final Thoughts
Cloudflare is the right choice for reliability and ease of use. Pangolin and Newt are the right choice for privacy and technical control. By running both, I get the best of both worlds. My network diagram is certainly more complex now, but that complexity is part of the fun.