Important
Public Alpha: Currently in public alpha and under active development. It is not production-ready. A full penetration test is in progress. Until it is complete, do not use this project in production environments. Things may change and breaking changes should be expected. It currently requires some level of technical expertise. Please report bugs or security concerns via GitHub Issues.
MESH enables remote wireless debugging for mobile devices, providing mobile forensics & network monitoring over an encrypted, censorship-resistant peer-to-peer mesh network.
Mobile devices are often placed behind NAT, firewalls, or restrictive mobile networks that prevent direct inbound access. Traditional remote forensics typically requires centralized VPN servers or risky port-forwarding.
MESH solves this by creating an encrypted peer-to-peer overlay network and assigning each node a CGNAT-range address via a virtual TUN interface. Devices appear as if they are on the same local subnet — even when geographically distant or behind multiple NAT layers.
This enables remote mobile forensics using ADB Wireless Debugging and libimobiledevice, allowing tools such as WARD, MVT, and AndroidQF to operate remotely without exposing devices to the public internet.
The mesh can also be used for remote network monitoring, including PCAP capture and Suricata-based intrusion detection over the encrypted overlay. Allowing for both immediate forensics capture and network capture.
MESH is designed specifically for civil society forensics & hardened for hostile/censored networks:
- Direct peer-to-peer WireGuard transport when available
- Optional AmneziaWG to obfuscate WireGuard fingerprints to evade national firewalls or DPI inspection
- Automatic fallback to end-to-end encrypted HTTPS relays when UDP is blocked
Meshes are ephemeral and analyst-controlled: bring devices online, collect evidence, and tear the network down immediately afterward. No complicated hub-and-spoke configurations.
For full documentation:
https://docs.meshforensics.org/
git clone https://github.com/BARGHEST-ngo/mesh.git
cd MESH
task build
task controlPlane
task apikey
Local: https://localhost
Remote: https://your-domain:8443/login
The Web UI uses a self-signed certificate by default.
Important
The default ACL allows nodes in each network talk to each other. Production deployments should use restrictive policies. Modify these via the ACL tab.
Your MESH network is now ready to accept nodes.
See the documentation for node enrollment and forensic workflows.
MESH is a heavily modified fork of the Tailscale protocol, but does not require Tailscale infrastructure.
To establish peer-to-peer, end-to-end encrypted channel is created using UDP hole punching. If UDP is unavailable or blocked, it will fail over to E2EE HTTPs relays called DERP relays. The DERP protocol DERP (Designated Encrypted Relay for Packets) servers relay traffic between nodes when a direct peer-to-peer connection cannot be established.
MESH follows the same model. By default, if an operator has not configured their own DERP infrastructure (which can be done using MESH's control plane), MESH uses Tailscale’s public DERP servers to ensure reliable connectivity, particularly in restrictive network environments. However, MESH does not require Tailscale infrastructure: operators can deploy and use their own DERP servers via the control plane, which includes an embedded DERP implementation. This makes MESH fully self-hostable when desired.
DERP servers act purely as transport relays. They facilitate connectivity between devices but do not have visibility into the data exchanged, which remains end-to-end encrypted.
Enhancements include (but are not limited to):
- Self-hostable coordination server with a UI tailored for forensic operations
- Automatic WireGuard key distribution
- Optional AmneziaWG-based transport obfuscation
- Encrypted HTTPS relay fallback
The control plane is responsible only for peer discovery and key exchange. Forensic traffic flows directly between endpoints whenever possible.
- Peer-to-peer encrypted forensic subnets
- Automatic WireGuard / AmneziaWG key management
- Self-hostable control plane with ACL enforcement
- CGNAT-assigned virtual TUN interfaces
- ADB-over-WiFi & libimobiledevice compatibility
- AndroidQF + MVT integration
- Secure transfer of forensic artifacts
- Optional kill-switch containment
- Rapid mesh creation and teardown
Traditional VPN and hub-and-spoke architectures introduce:
- Persistent infrastructure risk
- Centralized traffic analysis points
- Single points of failure
- Increased operational exposure
MESH separates coordination from data transport:
- The control plane does not carry forensic traffic
- Peer connections are direct whenever possible
- Relays are transport fallbacks, not architectural hubs
- Meshes are disposable and task-scoped
MESH is optimized for transient, high-risk environments rather than permanent enterprise networking.
android-client— Android endpoint APKcontrol-plane— Coordination serveranalyst— Analyst CLI client
Workflow:
- Development happens on branches and is merged via PRs.
- Releases are cut as versioned tags.
- GitHub Actions mirrors tagged releases to
mesh-analyst-client. - External Go projects should depend on explicit version tags, not
main.
MESH is licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later).
Portions of this software are a derivative work of Tailscale, which is licensed under the BSD 3-Clause License. The original Tailscale copyright and license are preserved in accordance with the BSD-3-Clause requirements. AmneziaWG/Wireguard code is licensed under MIT license. See .licenses/ for details.
All modifications and additions by BARGHEST are Copyright (c) BARGHEST and licensed under AGPL-3.0-or-later.
WireGuard is a registered trademark of Jason A. Donenfeld.