Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Secure External Access to Plex (& More!) Using Pangolin Tunneled Reverse Proxy

Featured Replies

Hey all, today we’re going to be setting up a Pangolin Tunnel / Reverse Proxy for use with Plex Media Server. Since CloudFlare doesn’t want folks streaming across their tunnels, this is a nice alternative that has a lot of great features!


What is Pangolin?


Pangolin is an open-source and identity-aware tunneled reverse proxy server. Pangolin’s distributed architecture with nodes provide highly available ingress to ensure applications always remain accessible.


Pangolin establishes secure connections from edge networks to nodes, bypassing the need for public inbound ports and complex firewall configurations. Pangolin is incredibly useful for exposing local services, IoT devices, or internal applications to the internet without direct exposure, enhancing security by reducing attack surface and simplifying network management. Additionally, Pangolin acts as an identity-aware proxy by authenticating every request against admin-defined access controls and rules.


1.PNG


What is needed?


  • A VPS ~$2-7 depending on requirements (Pangolin has a nice affiliate Racknerd deal for these here https://docs.digpangolin.com/self-host/choosing-a-vps )

  • A domain name

  • A Plex Server (I will not be covering Plex server configuration in this guide)

  • Decent upload speed (don’t forget about this!)



DNS

To start out, I’d just get the DNS entries set up first, as they can take a little bit to propagate sometimes. Check out their Docs here: https://docs.digpangolin.com/self-host/dns-and-networking

Essentially all you really need is a Wildcard A Record pointing to your VPS. If you’re using this domain for other things you might need to set these A Records up manually for each subdomain you’re using, but in my case, this domain is exclusively for use with Pangolin, so a wildcard works perfect.

I didn’t bother with the Root Domain Record, as it wasn’t necessary for my case. You might consider it if you want to run something through your Root Domain as well.


Getting Started With Pangolin


Check out the Pangolin Quick Install Guide first and foremost. This gives you an idea of what all you will need to do and has all of the commands necessary to get this going:

https://docs.digpangolin.com/self-host/quick-install-managed

First off, just create a Pangolin account now: https://pangolin.fossorial.io/auth/signup (You will need this later)

Get SSH’d into your VPS and run the commands to get the installer going.

During the installer you will have to make a few choices. You might want to set these differently from me, but this is what I ended up running with to start:

Basic Configuration

Do you want to install Pangolin as a cloud-managed (beta) node? (yes/no): no

Enter your base domain (no subdomain e.g. example.com): your base domain goes here

Enter the domain for the Pangolin dashboard (default: pangolin.example.com): pangolin.yourdomain.com

Enter email for Let's Encrypt certificates: Your email

Do you want to use Gerbil to allow tunneled connections (yes/no) (default: yes): yes (This is what will link up with Newt on our Unraid server for the tunnel.


Email Configuration

Enable email functionality (SMTP) (yes/no) (default: no): no


Advanced Configuration

Is your server IPv6 capable? (yes/no) (default: yes): yes


It will also ask you if you want to install and use Docker. I said yes, you can use Podman if you want, but Docker makes the most sense for most folks probably.


You will then be prompted about installing CrowdSec. By default this is set to No. I also opted for No to begin with. Later on if you want to add this you can just re-run the installer and select yes, but this does add another degree of management overhead that might not be worth the hassle for some. I will not be covering this in this guide, but it might be worth considering in the future, so keep it in mind for now.



Pangolin Dashboard Initial Setup

After all this, you will get a Setup Token and an Initial Setup URL. Browse to the Initial Setup URL which should work since you created the A Record for the site in an earlier step. If this is not working, it’s likely because you messed up the DNS record or it hasn’t propagated yet. (This usually is pretty quick though)


At the Initial setup screen make 100% sure that you’re connected to your VPS (pangolin.example.com) and not the Pangolin cloud (https://pangolin.fossorial.io/). Step through the initial setup, enter your Token from the previous steps and log in.



Once you log in you will be prompted to set up an Organization. The name doesn’t matter much, this is just so you can group your resources/sites. The default Subnet should be fine for you, as you likely won’t overlap with it, but you can change it if needed.

image.png


Next you will be prompted to set up a Site. This is the Server end of our tunnel. Name it whatever you want, the IP it’s bound to by default is fine. You will want to configure this as a Newt Tunnel and copy the Newt Endpoint, Newt ID, and Newt Secret. These will be used on the Newt config on the Unraid side later.


3.PNG

Lastly, you will be asked to set up a Resource. This is your service behind the tunnel. Name it Plex or whatever you want. This will be your subdomain for this service. Add an HTTP Method with the Internal IP Address of your Plex instance as the IP/Hostname. Port will be your Plex listening port which is 32400 by default. Enable SSL (https).

4.PNG

On the Authentication Tab you might want to Enable/Disable extra layers of security. These will prompt for Pangolin Authentication, Pins, etc. before your request is sent to your Services behind Pangolin. This is nice for security, but can break things like the Plex Mobile Apps that expect to just use the Plex Auth. YMMV, try this out and set it to whatever works for you and your users.

5.PNG

Once you’re done there, you should be all good to go on the Pangolin Dashboard. You can check your Tunnel health by going to the Sites section and looking at the Online Status. For now it will be Unhealthy, so let’s get Newt set up on our Unraid server to get this connected!


6.PNG


Configuring Newt


Go to the App store on your Unraid server and install Newt

7.PNG


After that is done, edit the Newt Container. This is where you will enter the Endpoint, ID, and Secret we generated during the Site setup. Enter those in and Apply them. The Container should reboot and afterwards you should show Online on the Pangolin Dashboard under Sites.


8.PNG


Plex Settings

In Plex Settings → Network set Custom Server Access URLs to the same thing that was configured in Resources. This will likely be https://plex.example.com

9.PNG


This might also be a good time to verify you have Hardware Transcoding, Bitrate Limits, etc. since more people might be utilizing your server after this.


Note: You do NOT need the Relay or even Remote Access enabled from the Plex Dashboard for this to work.


10.PNG


Testing

We should be fully configured now! Test access from your browser to https://plex.example.com and see if it works. If you get a 401 / 502 you likely messed something up in the Resource config or didn’t add the correct URL to Plex, so doublecheck those and try again.




Extras

After you get all this tested and working, you can start working on locking this down even further. Pangolin uses Traefik on the back end, so you can add plugins in for even more customization. One I’d recommend to start with is the Geoblock plugin. Adding this is as easy as editing your YAML files for Traefik on your VPS. Pangolin has a nice guide for that here:


https://docs.digpangolin.com/self-host/community-guides/geoblock



And that’s it! If you have any questions feel free to post them up here.

Edited by Skarm0ry
Removed unnecessary step.

18 hours ago, Skarm0ry said:

Go to the Sites tab and click Edit next to your newly created Site. From here you should set your Subnets for your internal network. For me I entered the /24 for my Docker network as well as my /32 (single ip) for my Plex Server.

11.PNG

Thanks for this guide. I've started playing with pangolin as well. Pretty nice software stack. Paired with one of their recommended racknerd VPS's, it costs almost nothing to operate.

Curious why you included the section above? Seems this is only needed for "Clients", which I don't quite understand yet.

  • Author
1 hour ago, boxer74 said:

Thanks for this guide. I've started playing with pangolin as well. Pretty nice software stack. Paired with one of their recommended racknerd VPS's, it costs almost nothing to operate.

Curious why you included the section above? Seems this is only needed for "Clients", which I don't quite understand yet.

Yeah I've been happy with it so far!

That would be because I also don't understand them yet and missed that they were only used for VPN Client connectivity haha. So these would only be used if you weren't using Newt to connect it seems. I went ahead and removed that step to avoid any confusion.

Thanks!

Edited by Skarm0ry

Started on this a couple weeks ago, can get it to work with the URL on PC but not any apps yet

  • Author
3 hours ago, stealthbob said:

Started on this a couple weeks ago, can get it to work with the URL on PC but not any apps yet

The apps rely on the Custom Server URL in the Plex settings, so you'll want to double-check that. One thing that I've seen others have to do is add :443 to the end of their custom URL in Plex, so:

https://plex.example.com:443

For whatever reason, that seems to be necessary for some. I also personally had to clear out the Plex Data from a couple Android TV devices and re-login from scratch to connect again. Not sure if that will be necessary for all, but it's worth a shot too.

One problem that i faced with Pangolin, that watching content was a bit of a drag from outside of the home network. The speed was horrendous. Did anyone faced similar issues or there are workaround for Pangolin?

  • Author
11 hours ago, Igiq said:

One problem that i faced with Pangolin, that watching content was a bit of a drag from outside of the home network. The speed was horrendous. Did anyone faced similar issues or there are workaround for Pangolin?


I think this is very heavily dependent on your VPS and your connection to it. I haven't had any speed issues with my RackNerd VPS personally and have had multiple clients streaming through it, but there are a lot of factors that could cause this. I don't think this is a Pangolin specific thing though.

Edited by Skarm0ry

  • 4 months later...
On 9/13/2025 at 7:05 PM, Skarm0ry said:

The apps rely on the Custom Server URL in the Plex settings, so you'll want to double-check that. One thing that I've seen others have to do is add :443 to the end of their custom URL in Plex, so:

https://plex.example.com:443

For whatever reason, that seems to be necessary for some. I also personally had to clear out the Plex Data from a couple Android TV devices and re-login from scratch to connect again. Not sure if that will be necessary for all, but it's worth a shot too.

I had to add this as well - unsure why exactly that is.
It might have to do with the fact that I use https between my nginx proxy manager and pangolin.
But it sealed the deal for plex, so thank you for the tip!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.