meshd logo meshd

DWN-Enabled Mesh Networking

WireGuard mesh.
No accounts. No vendor lock-in.

meshd is a WireGuard mesh VPN where identities are DIDs and network state lives in encrypted DWN records. No service provider sits between you and your network.

Explore dwn-mesh repo See planned CLI

No account signup

Identity comes from cryptographic keys and DIDs, not a vendor-managed account.

No hosted service required

Network state replicates through DWN records — no dependency on any third-party service.

Signed + encrypted records

Membership, endpoint updates, and access changes are verifiable and private by default.

WireGuard mesh data plane via dexnet

DID-based identity for every node

DWN protocols for membership + ACLs

Coexists with Tailscale side-by-side

Why meshd

No account system

Onboarding starts with key generation and a DID, not an email signup or vendor tenant.

No service provider dependency

Membership and node records replicate through DWNs. There is no third-party service in the loop.

Encrypted metadata

Not just tunnel traffic — endpoint and policy data is encrypted and signed too.

Human-friendly operations

Add peers with commands, not manual config edits and key copy/paste across nodes.

Private DWN infrastructure

Use mesh IPs to sync private replicas behind NAT without exposing every node publicly.

Migration-safe architecture

Built to run alongside existing networking tools while you transition critical systems gradually.

Planned command flow

The goal is to make encrypted mesh setup feel like a few obvious commands, with fine-grained access control and cryptographic verification built in. 

$ meshd init
$ meshd network create --name "my-network"
$ meshd peer add did:dht:k5f8...
$ meshd network join did:dht:abc1... <network-id>
$ meshd up

How the architecture works

Data plane: WireGuard mesh

meshd uses dexnet for peer connectivity, NAT traversal, relay fallback, and stable encrypted tunnels across networks.

WireGuard + STUN + relay + UDP hole punching

Control plane: DWN records

Network membership, access policy, and endpoint updates are published as signed DWN records instead of being managed by a hosted service.

wireguard-mesh + wireguard-node protocols

Identity and authorization

Each node has a DID-based cryptographic identity. All updates can be verified and rejected if not authored by authorized principals.

DID signatures + declarative access control

Privacy and coexistence

Metadata is encrypted at rest and the mesh runs in its own address space, so it works alongside tools like Tailscale on the same host.

JWE-encrypted records + dedicated IP ranges