Generate a new Ed25519 identity keypair.
meshguard keygen [--force]| Flag | Description |
|---|---|
--force |
Overwrite existing keys (destructive) |
Output files (in $MESHGUARD_CONFIG_DIR, or the platform default config directory):
identity.key— secret key (permissions0600)identity.pub— public key
Safety: Refuses to overwrite existing keys unless --force is passed.
Print your public key to stdout.
meshguard export > my-node.pubAdd a peer's public key to your authorized keys.
meshguard trust <key-or-path> [--name <name>]| Argument | Description |
|---|---|
<key-or-path> |
Base64 public key string or path to a .pub file |
--name |
Human-readable name (default: auto-generated from key) |
Validation:
- Base64 decode check
- Ed25519 point-on-curve check
- Key collision check (same key, different name)
- Name collision check (same name, different key)
Remove a peer from your authorized keys.
meshguard revoke <name>Deletes $MESHGUARD_CONFIG_DIR/authorized_keys/<name>.pub.
Start the meshguard daemon.
meshguard up [options]| Flag | Default | Description |
|---|---|---|
--seed |
(none) | Seed peer ip:port. Can be repeated. |
--dns |
(none) | Discover seeds via DNS TXT records |
--mdns |
false |
Discover seeds via mDNS on LAN |
--announce |
(auto) | Manually specify public IP for announcement |
--encrypt-workers |
0 |
Number of encryption threads (0 = serial) |
--kernel |
false |
Use kernel WireGuard instead of userspace |
--gossip-only |
false |
Run discovery/rendezvous only, no TUN/WG |
--no-tun |
false |
Alias for --gossip-only |
--open |
false |
Accept all peers (skip trust enforcement) |
Startup sequence:
- Load identity from config directory
- Derive mesh IP from public key
- Create
mg0interface unless running--gossip-only - Assign mesh IPv4/IPv6 and set MTU (1420)
- Run STUN to discover public endpoint
- Connect to seed peers
- Enter SWIM gossip plus WireGuard event loop, or gossip-only loop
Stop the daemon.
meshguard downWhen a userspace daemon is running, this sends a graceful stop request through
the control socket (/run/meshguard/meshguard.sock, the per-user config socket
fallback, or \\.\pipe\meshguard on Windows). On Linux, if no control socket
answers, meshguard down falls back to RTNETLINK teardown for the kernel mg0
interface.
Display the current mesh state.
meshguard statusWhen a userspace daemon is running, this queries the control socket and reports
the node public key, mesh IP, and membership counts. On Linux, if no control
socket answers, meshguard status falls back to RTNETLINK and kernel WireGuard
Genetlink for mg0 where available.
Print the version.
meshguard versionDisplay the current node configuration.
meshguard config showManage service access control policies (port-level allow/deny rules).
meshguard service <command> [options]| Subcommand | Description |
|---|---|
list |
List all service policies |
allow <proto> <port> |
Add an allow rule |
deny <proto> <port> |
Add a deny rule |
default <allow|deny> |
Set default action (when no rule matches) |
show [peer-name] |
Show effective policy for a peer (or global summary) |
reset |
Remove all service policies |
| Flag | Description |
|---|---|
--peer <name> |
Target a specific peer (by alias or pubkey) |
--org <name> |
Target an organization |
| (no flag) | Target the global policy |
- Proto:
tcp,udp, orall - Port: single port (
22), range (8000-9000), orall
# Global: allow SSH and HTTPS, deny everything else
meshguard service allow tcp 22
meshguard service allow tcp 443
meshguard service deny all
# Set default-deny mode (when no services/ directory exists, default is allow)
meshguard service default deny
# Peer-specific: allow Postgres for node-1
meshguard service allow --peer node-1 tcp 5432
# Org-specific: allow HTTP for all eosrio members
meshguard service allow --org eosrio tcp 80
# List all policies
meshguard service list
# Show effective policy for a peer
meshguard service show node-1
# Clear all policies
meshguard service resetRules are evaluated in this order (first match wins):
- Peer-specific policy (by pubkey or alias)
- Org-specific policy (by org name)
- Global policy (
global.policy) - Default action (
services/defaultfile, defaults toallow)
Direct peer connection via token exchange — no seed server needed. Uses STUN-based coordinated hole punching.
# Generate a connection token (share with your peer)
meshguard connect --generate
# Generate a token that expires in 30 minutes
meshguard connect --generate --in 30
# Join using a token from another peer
meshguard connect --join mg://...| Flag | Description |
|---|---|
--generate |
Generate a connection token for a peer to join with |
--join |
Join using a mg:// token from another peer |
--in |
Token expiry in minutes (used with --generate) |
Flow:
- Peer A runs
meshguard connect --generate→ prints anmg://token - Peer A shares the token with Peer B
- Peer B runs
meshguard connect --join mg://... - Both peers perform STUN discovery, exchange endpoints, and establish a direct WireGuard tunnel
- Seeds are saved to config for future
meshguard upreconnection
| Variable | Description |
|---|---|
MESHGUARD_CONFIG_DIR |
Override config directory (default: ~/.config/meshguard) |
Default config directories are %APPDATA%\meshguard\ on Windows,
/etc/meshguard when running as root on POSIX systems, otherwise
$XDG_CONFIG_HOME/meshguard or ~/.config/meshguard.
Generate a new Ed25519 organization keypair.
meshguard org-keygenOutput files (in $MESHGUARD_CONFIG_DIR/org/):
org/org.key— secret key (permissions0600)org/org.pub— public key
Sign a node's public key with the organization key.
meshguard org-sign <node-key-or-path> [--name <label>] [--expires <unix-timestamp>] [--wg-pubkey <key-or-path>]| Argument | Description |
|---|---|
<node-key-or-path> |
Base64 public key string or path to a .pub file |
--name |
Human-readable name for the node |
--expires |
Unix timestamp when the signature expires (default: 0, never expires) |
--wg-pubkey |
Base64 WireGuard public key string or path to a file. When set, emits a v2 certificate that binds node identity to this WireGuard key. |
Without --wg-pubkey, org-sign emits a legacy v1 certificate for mixed-version
meshes. With --wg-pubkey, it emits a v2 certificate. Upgrade trust-enforcing
peers before relying on v2-only certificates.
Vouch for an external node. This action auto-propagates to organization members.
meshguard org-vouch <node-key-or-path>| Argument | Description |
|---|---|
<node-key-or-path> |
Base64 public key string or path to a .pub file |
Sign an organization certificate revocation for a node key.
meshguard org-revoke <node-key-or-path> [--reason <reason>]| Argument | Description |
|---|---|
<node-key-or-path> |
Base64 public key string or path to a .pub file |
--reason |
unspecified, key-compromised, or admin-removed (default) |
The command loads $MESHGUARD_CONFIG_DIR/org/org.key, writes a signed
OrgCertRevoke wire message to $MESHGUARD_CONFIG_DIR/revoked/*.revoke, and
queues that revocation for broadcast the next time meshguard up runs.
Revocations are scoped to the issuing org: they invalidate that org's
certificate or vouch for the node, not certificates or vouches from other
trusted orgs.
Upgrade meshguard to the latest release from GitHub.
Platform: Linux (amd64) only. This command downloads the
meshguard-linux-amd64asset from the latest GitHub release. It is not supported on other operating systems or architectures.Privileges: Requires write access to
/usr/local/bin/meshguard. Run withsudoif the current user does not have sufficient permissions.Service management: Uses
systemctlto stop themeshguardservice before installing the new binary and restart it afterwards. Ensuresystemdis available on your system.
meshguard upgrade
# or, if elevated privileges are required:
sudo meshguard upgradeThe command:
- Queries the GitHub Releases API for the latest tag.
- Downloads
meshguard-linux-amd64from that release. - Stops the
meshguardsystemd service. - Installs the new binary to
/usr/local/bin/meshguard. - Restarts the
meshguardsystemd service.