Noise IKpsk2 · ChaCha20-Poly1305 · Go

Mesh Networking
for the Next
Frontier

Hyperconverged infrastructure for the edge. Encrypted mesh networking, built-in object storage, and a unified control plane, all written in Go.

Get Started →

Noise Protocol

IKpsk2 handshake with ChaCha20-Poly1305 encryption. Mutual authentication and forward secrecy built in.

Decentralised P2P

Direct peer connections with coordinator-assisted discovery. WebSocket relay fallback when NAT won't budge.

Smart Routing

Automatic NAT traversal, mesh DNS resolution, and policy-based packet filtering across all nodes.

Hyperconverged Infrastructure

Infrastructure as Turtle.
Connectivity, Hardened.

tunnelmesh is hyperconverged infrastructure, unifying networking, storage, and control into a single binary. Deploy on bare metal, cloud VMs, or containers, all three at once.

  • Automatic peer discovery via coordinator
  • CGNAT IP allocation with mesh DNS
  • TUN device for transparent kernel routing
  • UDP primary, SSH fallback, WebSocket relay
  • RBAC with admin groups and role bindings
tunnelmesh
Peers 8/8
| |
Network
NameMesh IPLatencyThroughputStatus
node-nyc-1 100.64.0.2 1.2ms 940 Mbps online
node-ams-1 100.64.0.3 18.4ms 620 Mbps online
node-sgp-1 100.64.0.4 82.1ms 310 Mbps online
laptop-dev 100.64.0.9 offline
tunnelmesh
Uptime 4d 11h
| |
Filter
Peer: node-nyc-1 Default Policy: Allow
PortProtoActionFrom PeerExpires
22 TCP allow any
443 TCP allow any
8080 TCP allow any 2h 14m
* UDP deny any
Object Storage

S3-Compatible Storage,
Built for the Mesh

Every coordinator ships with a fully-featured object store, with no separate infrastructure required. Store, version, and replicate files across the entire mesh with standard S3 semantics.

  • Content-addressable deduplication. Identical chunks stored once regardless of filename or bucket.
  • Automatic replication. Objects sync across coordinator replicas with chunk-level diffing.
  • Full version history. Every write is versioned. Restore any previous state on demand.
  • RBAC & file sharing. Bucket-scoped access control with time-limited share links.
tunnelmesh-docs 3 objects · 44 KB
NameSizeVersionReplicated
architecture.md 24 KB v3 3/3
getting-started.md 12 KB v1 3/3
api-reference.md 8 KB v7 3/3
18 KB saved via deduplication Replication active
S3 API compatible
Version history
E2E Encrypted at rest
0-cfg No extra infra
https://this.tunnelmesh
tunnelmesh
Uptime 12d 4h · Peers 8/8
| |
Object Viewer
ml-sandbox run-42 notes.md MARKDOWN

Training Run #42

Configuration

  • Nodes: gpu-01, gpu-02, gpu-03
  • Network isolation: mesh-vlan-42
  • Dataset: s3://ml-sandbox/imagenet-v2

Results

Epoch 12 converged: loss 0.0312, accuracy 96.1%. See metrics.csv for full breakdown.

Connected Peers
NameAddressTransport LatencyThroughputStatus
gpu-01 100.64.0.2 UDP 1.2ms 940 Mbps online
gpu-02 100.64.0.3 UDP 2.4ms 880 Mbps online
coordinator 100.64.0.1 SSH 0.8ms online
Admin Interface

A Control Plane Built for
Secure AI & ML Sandboxes

tunnelmesh's web dashboard goes beyond network ops. A built-in markdown editor and dataframe viewer let researchers document experiments and inspect results without leaving the secure mesh boundary.

  • Markdown editor

    Write and publish experiment notes, runbooks, and model cards directly inside the mesh, served from S3 and never exposed externally.

  • DataFrame viewer

    Inspect JSON files stored in S3 straight from the dashboard. Filter, sort, and share slices with RBAC-controlled links.

  • Air-gapped ML sandbox

    Route GPU cluster traffic over the mesh for fully isolated training runs. No cloud egress, no data leakage, full audit trail.

Capabilities

Everything you need,
nothing you don’t

Mutual Authentication

SSH key-based identity. Every peer cryptographically proves who they are via Noise IKpsk2 before any data flows.

NAT Traversal

UDP hole-punching with PCP, NAT-PMP, and UPnP port mapping. Automatic relay fallback over WebSocket.

Mesh DNS

Automatic DNS resolution for all mesh peers. Reach any node by name, with no /etc/hosts hacks required.

Object Storage

Built-in S3-compatible store with replication, versioning, deduplication, and RBAC across the mesh.

Docker Integration

Auto port-forwarding rules when containers start. Real-time stats, container control via web UI.

Observability

All three pillars: metrics (Prometheus), logs (Loki), and traces (OpenTelemetry) — wired together from the ground up.

Certificate Authority

Mesh-internal CA issues TLS certificates to every node automatically. Services get HTTPS inside the mesh with no external PKI dependency.

Packet Filter

Per-peer port firewall with four-layer rule merging: coordinator policy, peer config, CLI, and auto-generated rules all compose with least-privilege wins.

Exit Peers

Route internet traffic through any designated mesh node. Full split-tunnel VPN built in, with no separate gateway software required.

Ready to mesh?

Deploy your first encrypted mesh network in minutes. Open source, self-hosted.

Get Started → Read the Docs