

Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.
I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.
- image: docker.io/fosrl/pangolin:latest # Pangolin itself
- image: docker.io/fosrl/gerbil:latest # WireGuard server
- image: docker.io/traefik:v3.6 # Traefik Reverse Proxy
- image: hhftechnology/middleware-manager:latest # Optional middleware manager for Traefik
To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;
“Pangolin combines reverse proxy and VPN capabilities into one platform.”
Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.
I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”


I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.
The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.