v0.3.1 · MIT License · Linux

meshguard

Decentralized WireGuard mesh VPN.
Zero central authority. Trust-agnostic.
Single static binary.

$curl -fsSL https://raw.githubusercontent.com/igorls/meshguard/main/install.sh | bash⧉

quick start — bash

# 1. generate an Ed25519 identity$ meshguard keygenIdentity keypair generated. ~/.config/meshguard/identity.key ~/.config/meshguard/identity.pub
# 2. export your public key$ meshguard export > my-node.pub
# 3. trust a peer$ meshguard trust /path/to/peer.pub --name validator-3Peer trusted: validator-3
# 4. join the mesh$ sudo meshguard up --seed 1.2.3.4:51821meshguard is running (userspace WG mode). mesh IP: 10.99.189.145 public endpoint: 203.0.113.42:8591 (behind NAT, cone) TUN device: mg0 (fd=6, mtu=1420) data-plane workers: 8 peer joined: 10.99.42.17 validator-3 [handshake complete]

// how it works

// trust

Serverless & Trustless

No control plane, no coordinator. Each node holds its own Ed25519 identity. The mesh is self-organizing.

// discovery

SWIM Gossip

O(log N) convergence with failure detection. Membership propagates in seconds via epidemic protocol.

// crypto

WireGuard Tunnels

Noise_IKpsk2 handshake, end-to-end encryption. Kernel or userspace mode with zero-copy data plane.

// nat

NAT Traversal

STUN discovery, UDP hole punching, relay fallback. Works behind cone and symmetric NATs.

// identity

Deterministic IPs

Mesh IP derived from Ed25519 public key via Blake3. No DHCP, no conflicts, no coordination needed.

// perf

Zero Overhead

Built in Zig. Single static binary, io_uring event loop, multi-queue TUN, GSO/GRO offloads.

4.8+

Gbps throughput

~6k

Lines of Zig

Dependencies

Binary