Open Source · MIT License

WGMesh

"Share a Secret, Build a Mesh."

Decentralized WireGuard mesh networking with DHT peer discovery. No central server. No subscriptions. Just encrypted, self-organizing networks.

Get Started View on GitHub
$ wgmesh join --secret "wgmesh://v1/my-shared-secret"
Generating WireGuard keypair...
Joining DHT swarm (key: sha256:a3f…)
Discovered 3 peers via DHT
NAT traversal: UDP hole-punch successful
✓ Mesh is up — 3 peers connected

$ wgmesh status
10.0.0.2 node-alpha last-seen: 0s
10.0.0.3 node-beta last-seen: 1s
10.0.0.4 node-gamma last-seen: 2s

Capabilities

Everything you need, nothing you don't

WGMesh handles the complexity of multi-node WireGuard so you don't have to juggle keys, endpoints, and config files manually.

🔗

DHT Peer Discovery

Nodes find each other automatically via a distributed hash table. No tracker server, no single point of failure.

🛡️

WireGuard Encryption

All traffic is encrypted end-to-end using WireGuard's modern cryptography — ChaCha20, Poly1305, Curve25519.

🌐

NAT Traversal

Automatically detects and handles NAT scenarios with UDP hole-punching to connect peers behind firewalls.

Zero-Downtime Updates

Configuration changes applied via wg set without interface restarts — peers stay connected.

🔒

Group-Based ACLs

Segment your network with group-based access control policies. Limit which peers can reach which resources.

💾

State Persistence

Mesh state stored locally with systemd integration. Survives reboots and reconnects automatically.

🐳

Docker Ready

Container images available on GitHub Container Registry. Runs in Docker with full mesh capability.

🔌

RPC Interface

Unix socket JSON-RPC for scripting and querying peer state programmatically from your own tools.

🏗️

Multi-Architecture

Pre-built binaries for Linux amd64, arm64, and armv7. Runs on servers, Raspberry Pis, and edge devices.

How it works

Simple by design

WGMesh reduces a complex multi-node WireGuard setup to a single shared secret and a one-line command.

1

Generate or choose a shared secret

All nodes joining the same mesh share a single secret. This is used to derive the DHT swarm key — only nodes with the secret can find each other.

2

Nodes join the DHT swarm

Each node announces itself to the distributed hash table. WGMesh resolves other peers from the DHT without any central registry.

3

WireGuard tunnels are established

Peer public keys and endpoints are exchanged via the DHT. NAT traversal is attempted automatically. WireGuard takes over from there.

4

Mesh self-heals as nodes come and go

When nodes join or leave, the DHT reflects this. WGMesh updates WireGuard config on the fly — no restarts, no manual edits.

Deployment

Two modes for every use case

Run fully decentralized for maximum autonomy, or use centralized mode for admin-controlled enterprise deployments.

Decentralized Mode

Nodes discover each other via DHT. No server required. Ideal for dynamic, distributed environments.

  • Automatic peer discovery via DHT
  • Only a shared secret required
  • Works across NAT and firewalls
  • Self-healing mesh topology
  • No infrastructure to manage
Centralized Mode

Admin controls the topology via SSH deployments with diff-based updates. Ideal for teams needing strict governance.

  • Admin-managed topology
  • SSH-based configuration push
  • AES-256-GCM encrypted state files
  • Group-based access control
  • Diff-based minimal updates

Comparison

WGMesh vs the alternatives

Open source, self-hosted, no subscriptions — and nothing phoning home.

Feature WGMesh Tailscale Netbird
Open Source ✓ MIT Partial
No central server Hosted or self-host
DHT peer discovery
WireGuard based
NAT traversal
Subscription fee Free Paid tiers Paid tiers
Self-hostable Partial

Installation

Up and running in minutes

Pre-built binaries for Linux and macOS. Requires WireGuard kernel module and wg-tools on Linux.

Homebrew Binary Go Docker
# macOS / Linux via Homebrew brew install atvirokodosprendimai/tap/wgmesh # Generate a shared secret (once) wgmesh init --secret # Join the mesh on every node — same secret sudo wgmesh join --secret "wgmesh://v1/your-secret" # Check mesh status and connected peers wgmesh status --secret "wgmesh://v1/your-secret"