MeshWG is an open-source WireGuard mesh controller. Connect any router, laptop, or server that runs WireGuard — TP-Link, MikroTik, OpenWrt, Ubiquiti, your homelab, your phone — into one private network with policy-based access control. Self-host free, or pay $1/machine/month.
No vendor firmware. No agent. The controller speaks standard WireGuard to your machines and writes policy at the kernel level.
Sign up, name your organization. Each org gets its own isolated Linux network namespace and a unique WireGuard hub keypair (private key AES-256 encrypted at rest).
# tenantname = "acme-networks"namespace = "qm_acme_networks"hub_ip = "10.100.0.1/16"
Each machine — router, laptop, server, phone — is one peer. The controller generates the keypair, allocates an overlay IP, and returns a ready-to-paste wg-quick config.
# machinename = "branch-mumbai"device_type = "site"overlay_ip = "10.100.0.2"lan_subnets = ["192.168.10.0/24"]
Define which machines can reach which. Allow / deny, by protocol and port. Rules write into the tenant namespace's iptables FORWARD chain in real time.
# access_policysource_id = <machine-A>dest_id = <machine-B>dest_protocol = "tcp"dest_ports = "443,8000-8100"action = "allow"
The controller emits standard WireGuard. Paste it into your router, laptop, or server's existing WireGuard interface. The machine keeps doing what it does. MeshWG just brokers the tunnel.
# wg0.conf — generated for machine "branch-mumbai" [Interface] PrivateKey = <generated, returned once> Address = 10.100.0.2/16 MTU = 1420 [Peer] # tenant hub for "acme-networks" PublicKey = <tenant hub public key> Endpoint = vpn.your-domain.com:51820 AllowedIPs = 10.100.0.0/16 PersistentKeepalive = 25
Everything below is in the codebase today and exercised by an end-to-end harness on every release. No roadmap items.
Each peer is one row — site (with LAN subnets) or user endpoint. The controller generates the keypair, allocates the next overlay IP atomically, and returns a one-time wg-quick config.
handlers/devices.go Allow / deny rules between any two machines by protocol and port (single, comma list, or ranges). Rules flush and re-apply to the tenant namespace's iptables FORWARD chain in real time.
e2e step 11 + 14 Each org gets its own Linux network namespace. tcpdump in one tenant's namespace sees zero packets while another tenant floods — proved by step 12 of the e2e harness.
namespace/manager.go The hub forwards overlay traffic between peers. It's explicitly not an internet exit — no MASQUERADE, no SNAT, only wg0+lo inside the tenant ns. Verified by step 17b.
e2e step 17b A startup reconciler walks every tenant in PostgreSQL and rebuilds namespace, wg0, peers and routes from DB. Fresh deploy or host reboot: kernel state restores itself in seconds.
wireguard/reconcile.go One controller, many orgs, per-tenant admin accounts, per-tenant private keys (AES-256-GCM at rest). No second deployment when you onboard a new customer.
handlers/tenants.go Tailscale, Netbird and ZeroTier are agent-based — every device runs their daemon. MeshWG works with the WireGuard interface your router and OS already ship. Different problem, different price model.
| Tailscale | Netbird | ZeroTier | MeshWG | |
|---|---|---|---|---|
| Needs a per-device agent? | Yes (tailscaled) | Yes (netbird agent) | Yes (zerotier-one) | No — uses native WireGuard already in your router / OS |
| Works with consumer routers (TP-Link, MikroTik)? | Workaround via subnet router | Workaround via netbird-relay | Workaround via bridging | Direct — paste a wg-quick config, done |
| Self-hostable? | Headscale (community) | Yes (Apache 2) | Yes (BSL) | Yes (MIT) — first-class, this is the deployment model |
| Free tier | 3 users / 100 devices | 5 users / 100 peers | 1 network / 25 devices | 2 machines, forever — or unlimited if self-hosted |
| Paid pricing | $6 / user / mo | $5 / user / mo | $5 / mo for 25 devices | $1 / machine / month — or $3 monthly |
| Pricing scales by | Users | Users | Devices | Machines — the thing you actually count |
| ACL granularity | L4 (tailnet policy file) | L4 (groups + rules) | L2 / L3 (flow rules) | L3/L4 with multi-port (tcp 443,8000-8100) |
| Tenant isolation | Tailnets (logical) | Single-account | Networks (logical) | Linux network namespace per tenant (kernel-level) |
| If the provider dies | Run Headscale | Self-host the dashboard | Self-host moons + planet | wg-quick keeps running; source is on GitHub |
A "machine" is any peer in your mesh — a router, a laptop, a server, a phone. Two free, forever. After that, $1/machine/month on annual billing or $3/machine/month monthly.
The OSS. Run it on your own Linux VM with full source.
Hosted controller on our infrastructure. Free up to 2 machines.
Bigger fleets, dedicated infrastructure, priority support.
All Cloud plans share the same product — no feature gates on ACLs, reconciler, multi-tenant or any core function. The OSS and the Cloud version are built from the same codebase.
Tailscale needs its agent (tailscaled) running on every device. That's great for laptops and servers, awkward for branch routers. MeshWG works with whatever WireGuard implementation is already on the device — the one TP-Link, MikroTik, OpenWrt and Ubiquiti ship in their stock firmware. No agent install. Also: MeshWG prices by machine, not by user, which matches the homelab / multi-site / MSP shape better.
An open-source Go controller that manages WireGuard peers and L3/L4 ACLs for one or more organizations. Self-hosted on a single Linux VM. No cloud relays, no SaaS lock-in — the dashboard and API are the whole product surface.
It's WireGuard with a UI, plus per-tenant Linux namespace isolation, iptables-enforced ACLs, a startup reconciler that rebuilds kernel state from the database, and an e2e harness that validates every claim against real kernel oracles. If 'SDWAN' means a $1,500 box, this isn't that. If it means software-defined site-to-site networking with central policy, it is.
Anything that speaks WireGuard. That's TP-Link Archer/Deco/ER, D-Link DIR/COVR/DSR, Ubiquiti UDM/EdgeRouter, MikroTik RouterOS 7+, OpenWrt 19.07+, OPNsense, pfSense, and any Linux/Mac/Windows machine. The controller emits stock wg-quick config.
Tenant hub private keys are generated by the controller and stored encrypted at rest with AES-256-GCM. Per-machine private keys are returned exactly once when the machine is created and not retained server-side after the .conf is shown.
No. By design and verified by the e2e harness: the tenant namespace has zero MASQUERADE rules, zero SNAT rules, only wg0 + lo interfaces, and external IPs are unreachable from inside it. The hub forwards overlay traffic between peers only. Machines reach the internet via their own local network.
Existing tunnels keep running — WireGuard is a kernel feature on each peer, it doesn't depend on the controller. You lose the dashboard and the ability to change policy until it's back. The startup reconciler rebuilds kernel state from PostgreSQL when it comes back up.
Sign in with Google or with an email + password. That's it. No SSO providers, no SAML, no Microsoft Entra — this is intentionally a tool for individuals and small teams, not enterprise procurement. If your use case needs SAML, talk to us about Pro.
Two machines free, forever. Mesh your homelab, your laptop, and your router in five minutes. No card. No agent install.