meshr / How it works

Install once. Connected everywhere.

meshr coordinates identity, keys and policy from a control plane — then gets out of the way so your traffic flows directly between nodes over encrypted WireGuard tunnels. Here's the whole picture.

1. Install the agent

One script per machine. The agent runs as a CLI for automation, a daemon on headless servers, or a desktop app — same audited core everywhere.

curl -fsSL https://get.meshr.to/install.sh | sudo bash

2. Authenticate

Log in with your SSO. The control plane verifies identity and device posture, then issues a fresh WireGuard keypair and the policy that applies to you.

meshr login --org acme

3. You're connected

The node joins the mesh and reaches every authorized peer by name over a direct encrypted tunnel. Open a web shell or expose a port instantly.

meshr up && meshr status

Architecture

A coordinating brain. A direct, private body.

The control plane handles identity, key distribution and policy. It never carries your traffic — data travels peer-to-peer over WireGuard, encrypted end to end.

[Diagram: a control plane (identity · keys · policy · coordination; self-hostable, never sees your traffic) coordinating a laptop, web-01 (web server), db-01 (database) and a CI runner, which are linked to each other by direct encrypted WireGuard tunnels (the data plane). Control plane: identity, keys and policy only. Data plane: direct P2P, encrypted end-to-end.]

0 open ports · P2P direct data path · ~4ms node-to-node · 100% self-hostable

Your data never hair-pins

Traffic flows straight between nodes. The control plane coordinates trust but is never in the data path — so there's no central bottleneck and no gateway to overload.

Coordination, not interception

The control plane issues short-lived keys and pushes policy. Host it yourself and even that metadata stays inside your own infrastructure.

Under the hood

What happens between login and connected.

Identity & enrollment

You authenticate through your SSO provider. The control plane checks device posture and enrolls the node against your org — before any key is issued.

Key exchange & rotation

Each node gets a fresh WireGuard keypair. Public keys are distributed to authorized peers and rotated automatically — private keys never leave the device.

NAT traversal

Nodes negotiate the most direct path through NATs and firewalls. When a direct route isn't possible, traffic falls back to an encrypted relay — transparently.

Policy enforcement

Before a tunnel carries a single packet, the connection is checked against your ACLs. Unauthorized paths are simply never established.

A request, end to end

How a single connection is authorized.

Every access follows the same path — identity first, policy second, encrypted tunnel third, recorded throughout.

01 · who

User + device

A person on an enrolled, healthy device initiates access.

02 · verify

Identity (SSO)

The control plane confirms identity and device posture.

03 · decide

Policy check

ACLs decide if this user may reach this service.

04 · connect

Encrypted tunnel

A direct WireGuard tunnel opens to the service.

05 · record

Recorded

The session is logged and replayable for audit.
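The five steps above, together with the "Policy enforcement" note, as an added illustration that is not meshr's code: a hypothetical control-plane authorization routine that releases a peer's WireGuard public key only after enrollment, device posture and an ACL rule all pass, and records every decision. The node and ACL names, the two posture fields and the placeholder keys are all constructed for the example.

```python
"""Hypothetical control-plane authorization for a WireGuard mesh (illustration only; not
meshr's code). A peer's public key is released only after identity, posture and ACL pass."""
from fnmatch import fnmatch
from typing import NamedTuple

class Node(NamedTuple):
    name: str
    owner: str          # SSO identity that enrolled the device
    wg_pubkey: str      # constructed placeholder, not a real WireGuard key
    disk_encrypted: bool
    os_patched: bool

class Acl(NamedTuple):
    src_group: str      # e.g. "group:dev"
    dst_glob: str       # node-name pattern, e.g. "web-*"
    port: int

def authorize(user, groups, src, dst, port, acls, audit):
    """01 who -> 02 verify -> 03 decide -> 05 record; returns dst's key or None.
    Without the key, step 04 (the tunnel) cannot be configured at all."""
    def record(outcome, reason):
        audit.append({"user": user, "src": src.name, "dst": dst.name,
                      "port": port, "outcome": outcome, "reason": reason})
    if src.owner != user:                               # 01: device enrolled to this user?
        record("deny", "device not enrolled to user")
        return None
    if not (src.disk_encrypted and src.os_patched):     # 02: device posture
        record("deny", "device posture failed")
        return None
    for rule in acls:                                   # 03: first matching ACL wins
        if (rule.src_group in groups and rule.port == port
                and fnmatch(dst.name, rule.dst_glob)):
            record("allow", f"{rule.src_group} -> {rule.dst_glob}:{rule.port}")
            return dst.wg_pubkey
    record("deny", "no matching acl")                   # default deny
    return None

# Constructed sample inventory, named after the page's diagram.
LAPTOP = Node("laptop", "alice@acme.example", "PUB_LAPTOP", True, True)
STALE = Node("laptop-old", "alice@acme.example", "PUB_STALE", True, False)
WEB01 = Node("web-01", "svc-web", "PUB_WEB01", True, True)
DB01 = Node("db-01", "svc-db", "PUB_DB01", True, True)
ACLS = [Acl("group:dev", "web-*", 443), Acl("group:dba", "db-*", 5432)]

def demo():
    # alice (group:dev): allowed to web-01; denied at db-01 (no ACL); denied from the unpatched laptop
    audit = []
    keys = [authorize("alice@acme.example", {"group:dev"}, s, d, p, ACLS, audit)
            for s, d, p in ((LAPTOP, WEB01, 443), (LAPTOP, DB01, 5432), (STALE, WEB01, 443))]
    return keys, audit
```

The audit list doubles as the "recorded" step: every deny carries the reason, so an unauthorized attempt is visible even though no tunnel ever came up.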

Prefer to run it all yourself?

The control plane is self-hostable — deploy it in your own VPC or an air-gapped data center. Your identity, keys and policy never leave your infrastructure, and the data plane was always yours to begin with.

Read the self-hosting guide →

Run the three commands.

Free for every feature while we're in beta. You'll be connected before your coffee's cold.