How to Geo-block with Pangolin

We're excited to announce that Pangolin now supports native geo blocking functionality within our cloud platform, remote node instances, and self-hosted editions. This allows you to have granular control over who can access your resources based on their geographic location (country, city, state).
What's New?
Geo blocking can be set up in the rules tab for any of your connected resources, and you'll find a new "Country" option alongside the existing IP and IP range filters. From there, you can create sophisticated access control policies.
You can combine country-based restrictions with other rule types like IP addresses, CIDR ranges, and path matching to create layered security policies that fit your exact needs.
Common Use Cases
Security Hardening: Reduce your attack surface by blocking access from regions with high levels of malicious activity or areas where you don't expect legitimate users.
Resource Optimization: Prevent unnecessary load on your services from regions where you don't operate, helping you optimize performance and costs.
Flexible Configuration Options
Pangolin's geo blocking supports multiple configuration patterns:
- Allowlist: Create "Allow" rules for approved countries and deny all others
- Blocklist: Block specific high-risk countries while allowing access from everywhere else
- Hybrid Policies: Combine geographic restrictions with authentication requirements using "Pass to Auth" actions
Rules are processed in priority order, giving you fine-grained control over complex access scenarios. For example, you might allow direct access from your headquarters country while requiring authentication from trusted partner countries and blocking access entirely from high-risk regions.
Real-World Example
Here's a typical configuration for a company operating in the US, UK, and Germany:
- Priority 1: Allow - Country: United States
- Priority 2: Allow - Country: United Kingdom
- Priority 3: Allow - Country: Germany
- Priority 4: Deny - Country: ALL
This setup provides immediate access for users in your approved regions while blocking everyone else.
Important Considerations
While geo blocking provides valuable security benefits, it's important to remember that IP geolocation isn't always 100% accurate. Users with VPNs, proxies, or mobile networks may appear to be from different countries than expected. We recommend testing your rules thoroughly and considering how legitimate users might be affected.
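One way to dry-run a rule set like the allowlist above before deploying it, added here as an example and not Pangolin's own code or API. It assumes first-match-wins evaluation in priority order, ISO country codes as the country value, and a "Pass to Auth" fallback when no rule matches; the `Rule` class and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str  # "allow", "deny" or "pass_to_auth"
    match: str   # "country", "cidr" or "path"
    value: str   # ISO country code or "ALL", a CIDR range, or a path prefix

def matches(rule, req):
    if rule.match == "country":
        return rule.value in ("ALL", req["country"])
    if rule.match == "cidr":
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(rule.value)
    if rule.match == "path":
        return req["path"].startswith(rule.value)
    raise ValueError(f"unknown match type: {rule.match}")

def evaluate(rules, req, default="pass_to_auth"):
    """Return (action, priority) of the first matching rule (assumed first-match-wins)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.action, rule.priority
    return default, None  # assumed fallback when nothing matches

def shadowed(rules):
    """Rules ordered after a 'Country: ALL' catch-all can never be reached."""
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        if rule.match == "country" and rule.value == "ALL":
            return ordered[i + 1:]
    return []

# The US/UK/Germany allowlist from the article, with ISO codes (assumed encoding).
POLICY = [
    Rule(1, "allow", "country", "US"),
    Rule(2, "allow", "country", "GB"),
    Rule(3, "allow", "country", "DE"),
    Rule(4, "deny", "country", "ALL"),
]

if __name__ == "__main__":
    # Constructed requests; 'country' is what geolocation returned (a VPN exit reports NL).
    for country in ("US", "NL"):
        print(country, evaluate(POLICY, {"ip": "192.0.2.44", "country": country, "path": "/"}))
    print("unreachable:", shadowed(POLICY))
```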
Pangolin is an open-source infrastructure company that provides secure, zero trust remote access for teams of all sizes. Built to simplify user workflows and protect critical systems, Pangolin helps companies and individuals connect to their networks, applications, and devices safely without relying on traditional VPNs. With a focus on device security, usability, and transparency, Pangolin empowers organizations to manage access efficiently while keeping their infrastructure secure.