BETA — every feature free while we build

One encrypted mesh for every server, device & team.

meshr is a WireGuard mesh VPN with Zero Trust access, web SSH and HTTP tunneling. No open ports, no gateways, no config files — deploy in minutes, not days.

Built on open-source WireGuard · Audited & kernel-fast · Self-hostable
01 WIREGUARD MESH VPN

From zero to connected in under 5 minutes.

Install the agent, authenticate once, and the device joins your encrypted mesh. No firewall rules, no gateways, no config files to babysit.

  • Peer-to-peer encrypted tunnels
  • Auto NAT traversal & key rotation
 ~/meshr
$ meshr up
→ authenticating device… ok
→ generating wireguard keys… ok
→ joining mesh "acme-prod"… ok
✓ connected · 14 peers · 0 ports opened
$
02 ZERO TRUST ACCESS

Identity-aware access. Nothing trusted by default.

Every connection is mutually authenticated and authorized against policy — per user, per device, per service. Revoke access instantly.

  • Policy as code, per-service ACLs
  • SSO + device posture checks
device: MacBook · verified
policy.hcl
allow alice → db-prod:5432
allow ci → deploy:*
deny  * → internal/*
03 WEB SSH

SSH into any node — straight from the browser.

No client, no key juggling, no bastion. Click a node and you're in a fully audited shell session over the mesh.

  • Zero local config or key sprawl
  • Every keystroke authorized & logged
🔒 mesh.acme.dev/ssh/web-01
Last login: from 10.50.0.3 via meshr
web-01 ~ # systemctl status nginx
● nginx.service — active (running)
  uptime 42d · reqs 1.2M/min
web-01 ~ #
04 NO OPEN PORTS

Your firewall stays shut. Forever.

meshr connects outbound only. There are no listening ports, no VPN gateways and no public attack surface to scan or exploit.

  • Invisible to port scanners
  • No inbound rules to maintain
nmap mesh-node-01
22/tcp   ssh    filtered ✕
80/tcp   http   filtered ✕
443/tcp  https  filtered ✕
mesh (out)      encrypted ✓
05 HTTP TUNNELING

Expose a local service with one command.

Share a dev server, webhook endpoint or internal dashboard over a private, authenticated mesh URL — no public exposure required.

  • Stable private hostnames
  • TLS end-to-end, access-controlled
 tunnel
$ meshr tunnel 3000
→ tunneling localhost:3000
forwarding
https://app.acme.mesh → :3000
access: team-only · TLS · 0 public ports
06 SESSION RECORD

Every session, recorded and replayable.

Capture full SSH and tunnel sessions for audit and compliance. Scrub the timeline, replay keystrokes, export for review.

  • Tamper-evident audit trail
  • SOC2 / ISO-ready exports
REC · session a91f · alice@web-01
14:02:11 $ cd /var/www
14:02:18 $ git pull origin main
14:02:24 $ ./deploy.sh prod
Up & running in minutes

Three commands to a secure mesh.

1. Install the agent

One script on macOS, Linux or Windows. CLI for automation, daemon for servers, GUI for daily work.

curl -fsSL https://get.meshr.to/install.sh | sudo bash

2. Authenticate

Log in with SSO. The device joins your mesh with a fresh WireGuard keypair and policy applied.

meshr login --org acme

3. You're connected

Reach every node by name over an encrypted tunnel. Open a web shell or tunnel a port instantly.

meshr up && meshr status

Why teams switch

Everything a mesh VPN should do — plus the rest.

Web SSH, HTTP tunneling and session recording, built in. Self-host the whole control plane when you need to.

| Capability | Typical mesh VPN | meshr |
|---|---|---|
| WireGuard mesh networking | ✓ yes | ✓ yes |
| Zero Trust policy access | ✓ yes | ✓ yes |
| Browser-based Web SSH | — add-on | ✓ built in |
| HTTP tunneling | ✕ separate tool | ✓ built in |
| Session recording & replay | ✕ no | ✓ built in |
| Self-hosted control plane | — limited | ✓ full |

Build your mesh in the next 5 minutes.

Free for every feature while we're in beta. No credit card, no gateways, no config files.