Open Source · MIT License

WGMesh

"Share a Secret, Build a Mesh."

Decentralized WireGuard mesh networking with DHT peer discovery. No central server. No subscriptions. Just encrypted, self-organizing networks.

$ wgmesh join --secret "wgmesh://v1/my-shared-secret"
Generating WireGuard keypair...
Joining DHT swarm (key: sha256:a3f…)
Discovered 3 peers via DHT
NAT traversal: UDP hole-punch successful
✓ Mesh is up — 3 peers connected

$ wgmesh status
10.0.0.2 node-alpha last-seen: 0s
10.0.0.3 node-beta last-seen: 1s
10.0.0.4 node-gamma last-seen: 2s

Everything you need, nothing you don't

WGMesh handles the complexity of multi-node WireGuard so you don't have to juggle keys, endpoints, and config files manually.

🔗

DHT Peer Discovery

Nodes find each other automatically via a distributed hash table. No tracker server, no single point of failure.

🛡️

WireGuard Encryption

All traffic is encrypted end-to-end using WireGuard's modern cryptography — ChaCha20, Poly1305, Curve25519.

🌐

NAT Traversal

Automatically detects and handles NAT scenarios with UDP hole-punching to connect peers behind firewalls.

Zero-Downtime Updates

Configuration changes are applied via wg set without interface restarts, so peers stay connected.

🔒

Group-Based ACLs

Segment your network with group-based access control policies. Limit which peers can reach which resources.

💾

State Persistence

Mesh state stored locally with systemd integration. Survives reboots and reconnects automatically.

🐳

Docker Ready

Container images available on GitHub Container Registry. Runs in Docker with full mesh capability.

🔌

RPC Interface

Unix socket JSON-RPC for scripting and querying peer state programmatically from your own tools.

🏗️

Multi-Architecture

Pre-built binaries for Linux amd64, arm64, and armv7. Runs on servers, Raspberry Pis, and edge devices.

Simple by design

WGMesh reduces a complex multi-node WireGuard setup to a single shared secret and a one-line command.

1. Generate or choose a shared secret

All nodes joining the same mesh share a single secret. This is used to derive the DHT swarm key — only nodes with the secret can find each other.

2. Nodes join the DHT swarm

Each node announces itself to the distributed hash table. WGMesh resolves other peers from the DHT without any central registry.

3. WireGuard tunnels are established

Peer public keys and endpoints are exchanged via the DHT. NAT traversal is attempted automatically. WireGuard takes over from there.

4. Mesh self-heals as nodes come and go

When nodes join or leave, the DHT reflects this. WGMesh updates WireGuard config on the fly — no restarts, no manual edits.
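
Steps 1 and 3 sketched as an added example, not WGMesh's own code: only the wgmesh://v1/ URI form comes from this page. The HMAC-SHA256 construction, the labels, the 16-byte minimum and the record layout are assumptions, chosen to show why the DHT-visible swarm key should be separate from the key that authenticates peer announcements.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

const uriPrefix = "wgmesh://v1/" // URI form shown on the page
const minSecretLen = 16          // assumed floor, not a WGMesh rule

// MeshKeys holds two independent keys derived from one shared secret.
type MeshKeys struct {
	Swarm    []byte // published to the DHT as the rendezvous key
	Announce []byte // never leaves the node; authenticates peer records
}

// derive returns HMAC-SHA256(key, msg), the assumed building block.
func derive(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// DeriveMeshKeys parses the secret URI and derives one key per purpose.
func DeriveMeshKeys(uri string) (MeshKeys, error) {
	if !strings.HasPrefix(uri, uriPrefix) {
		return MeshKeys{}, fmt.Errorf("unsupported secret URI")
	}
	s := []byte(uri[len(uriPrefix):])
	if len(s) < minSecretLen {
		return MeshKeys{}, fmt.Errorf("secret too short to resist guessing")
	}
	return MeshKeys{Swarm: derive(s, []byte("example/swarm")),
		Announce: derive(s, []byte("example/announce"))}, nil
}

// Tag authenticates a peer record; VerifyTag compares in constant time.
func Tag(k MeshKeys, record []byte) []byte { return derive(k.Announce, record) }

func VerifyTag(k MeshKeys, record, tag []byte) bool { return hmac.Equal(Tag(k, record), tag) }

func main() {
	k, err := DeriveMeshKeys("wgmesh://v1/constructed-sample-secret-0001")
	rec := []byte("pubkey=<constructed>;endpoint=192.0.2.10:51820")
	fmt.Printf("err=%v swarm=%x valid=%v\n", err, k.Swarm, VerifyTag(k, rec, Tag(k, rec)))
}
```

A node that learns only the swarm key from the DHT cannot produce a valid tag, but anyone who guesses a weak secret derives both keys, which is why the length check runs before derivation.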

Two modes for every use case

Run fully decentralized for maximum autonomy, or use centralized mode for admin-controlled enterprise deployments.

Decentralized Mode

Nodes discover each other via DHT. No server required. Ideal for dynamic, distributed environments.

  • Automatic peer discovery via DHT
  • Only a shared secret required
  • Works across NAT and firewalls
  • Self-healing mesh topology
  • No infrastructure to manage

Centralized Mode

Admin controls the topology via SSH deployments with diff-based updates. Ideal for teams needing strict governance.

  • Admin-managed topology
  • SSH-based configuration push
  • AES-256-GCM encrypted state files
  • Group-based access control
  • Diff-based minimal updates

WGMesh vs the alternatives

Open source, self-hosted, no subscriptions — and nothing phoning home.

Feature WGMesh Tailscale Netbird
Open Source ✓ MIT Partial
No central server Hosted or self-host
DHT peer discovery
WireGuard based
NAT traversal
Subscription fee Free Paid tiers Paid tiers
Self-hostable Partial

Up and running in minutes

Pre-built binaries for Linux amd64, arm64, and armv7. Requires WireGuard kernel module and wg-tools on Linux. Go 1.23+ needed to build from source.

# Download pre-built binary (Linux amd64)
wget https://github.com/atvirokodosprendimai/wgmesh/releases/latest/download/wgmesh-linux-amd64
chmod +x wgmesh-linux-amd64
sudo mv wgmesh-linux-amd64 /usr/local/bin/wgmesh
# Also available: wgmesh-linux-arm64, wgmesh-linux-armv7

# Generate a shared secret (once)
wgmesh init --secret

# Join the mesh on every node — same secret
sudo wgmesh join --secret "wgmesh://v1/your-secret"

# Check mesh status
wgmesh status --secret "wgmesh://v1/your-secret"

The Story

The Problem

Securely connecting your computers, servers, or home devices across the internet is surprisingly difficult. While tools exist to create private networks, making multiple devices talk directly to each other usually requires a deep technical background and constant maintenance. The "easy" alternatives solve this by acting as a middleman—forcing you to route your private traffic through their corporate servers, sign up for paid subscriptions, and trust a third party with your network's control switch.

The Frustration

I was exhausted by this tradeoff. I wanted blazing-fast, secure connections between my devices, but I hated that setting it up manually meant hours of managing complex configuration files every time a device changed networks. Even worse, I was deeply frustrated by the idea of relying on centralized servers just to let my own machines communicate. I wanted true ownership of my infrastructure—no single point of failure, no artificial limits, and absolutely no middlemen.

The Solution: WGMesh

I built WGMesh to make private networking effortless and entirely yours. The philosophy is simple: Share a secret, build a network. You don't need to rent a central server or understand advanced cryptography. By entering a single shared password, WGMesh acts like an invisible, highly secure cable connecting all your devices worldwide. It works in the background to bypass firewalls and automatically link your machines together into a self-healing web. What used to be a frustrating IT chore is now just a single command—giving you a fast, private network where you hold all the keys.