Pangolin 1.17 Tunneled Reverse Proxy Adds Multiple Roles per User

Pangolin an open-source, self-hosted identity-based remote access platform that blends a tunneled reverse proxy with zero-trust VPN-style access has released version 1.17.

The standout enhancement in this release is support for multiple roles per user. Previously, each user was limited to a single role, restricting access control flexibility. With this update, administrators can assign multiple roles to a single user, allowing permissions to be combined for more granular and dynamic access management.

In addition, the update improves identity provider role mapping. For auto-provisioned users, administrators can now assign roles through fixed mappings, a new visual mapping builder that converts identity provider group or role IDs into Pangolin roles without requiring code, or advanced configurations using raw JMESPath expressions.

Pangolin 1.17 also introduces built-in templates for Google and Azure identity providers, available at the global server level. For site provisioning, a new approach replaces manually generated credentials with a long-lived token, enabling sites to automatically retrieve their credentials during startup.

Another major addition is the ability to record raw TCP and UDP sessions between clients and private resources. This provides a detailed audit trail, including user activity, session timing, and duration—particularly valuable for zero-trust environments. (Public browser-based resources already include access logging.)

Finally, the release adds log streaming capabilities, allowing administrators to forward events to third-party platforms such as Datadog, Splunk, and Microsoft Sentinel. Users can configure destinations, choose delivery methods like HTTP or S3, and select specific log types for export.

For more details, see the announcement or refer to the changelog.