MESH is a networking tool, to support remote logical forensics acquision on mobile devices
MESH gives analysts a direct, encrypted path to mobile devices for wireless debugging, network monitoring and forensic acquisition, even when those devices sit behind NAT, firewalls, or restrictive mobile networks. It builds a private overlay so a remote device behaves as if it were on the same local subnet. It does not require central VPN servers, no port forwarding, and no permanent infrastructure to maintain or defend. This allows for seemless and easy remote, over the internet, network monitoring and acquision with the likes of MVT and AndroidQF.
- Remote mobile forensics over ADB Wireless Debugging and libimobiledevice: run WARD, MVT, AndroidQF, and other ADB/iOS tooling as if the device were local.
- Remote network monitoring: PCAP capture and Suricata intrusion detection over the same encrypted mesh.
- MESH provides the networking necessary for remote acquision, but isn't the acquision tool.
- We include AndroidQF and MVT in the suite.
- Direct peer-to-peer first WireGuard transport when a path exists.
- Optional AmneziaWG to obfuscate WireGuard against DPI and national firewalls.
- Automatic fallback to encrypted HTTPS relays when UDP is blocked.
Meshes are ephemeral and analyst-controlled: bring devices online, collect, then tear the network down. Nothing is left running, which supports the avoidance of fingerprinting activity.
Important
Public Alpha: Currently in public alpha and under active development. A full third-party penetration has been completed and we have patched all major vulnerabilities. Things may change and breaking changes should be expected. It currently requires some level of technical expertise. Please report bugs or security concerns via GitHub Issues."
For full documentation:
https://docs.meshforensics.org/
- Git
- Docker Engine with the Compose V2 plugin (
docker compose, not legacydocker-compose). Install instructions. - Task (go-task) for build orchestration and interactive setup. Install instructions. Short version:
- Linux:
sudo snap install task --classic - macOS:
brew install go-task
- Linux:
Note
Most runtime operations work with plain docker compose, but the interactive setup tasks (.env management, config templating, auth-key rotation) require go-task.
git clone https://github.com/BARGHEST-ngo/mesh.git
cd MESH
task build
task controlPlane
task apikey
Local: https://localhost
Remote: https://your-domain:8443/login
The Web UI uses a self-signed certificate by default.
Important
The default ACL allows nodes in each network talk to each other. Production deployments should use restrictive policies. Modify these via the ACL tab.
Your MESH network is now ready to accept nodes.
See the documentation for node enrollment and forensic workflows.
MESH is a heavily modified fork of the Tailscale protocol, but does not require Tailscale infrastructure.
To establish peer-to-peer, end-to-end encrypted channel is created using UDP hole punching. If UDP is unavailable or blocked, it will fail over to E2EE HTTPs relays called DERP relays. The DERP protocol DERP (Designated Encrypted Relay for Packets) servers relay traffic between nodes when a direct peer-to-peer connection cannot be established.
MESH follows the same model. By default, if an operator has not configured their own DERP infrastructure (which can be done using MESH's control plane), MESH uses Tailscale’s public DERP servers to ensure reliable connectivity, particularly in restrictive network environments. However, MESH does not require Tailscale infrastructure: operators can deploy and use their own DERP servers via the control plane, which includes an embedded DERP implementation. This makes MESH fully self-hostable when desired.
DERP servers act purely as transport relays. They facilitate connectivity between devices but do not have visibility into the data exchanged, which remains end-to-end encrypted.
Enhancements include (but are not limited to):
- Self-hostable coordination server with a UI tailored for forensic operations
- Automatic WireGuard key distribution
- Optional AmneziaWG-based transport obfuscation
- Encrypted HTTPS relay fallback
The control plane is responsible only for peer discovery and key exchange. Forensic traffic flows directly between endpoints whenever possible.
- Peer-to-peer encrypted forensic subnets
- Automatic WireGuard / AmneziaWG key management
- Self-hostable control plane with ACL enforcement
- CGNAT-assigned virtual TUN interfaces
- ADB-over-WiFi & libimobiledevice compatibility
- AndroidQF + MVT integration
- Secure transfer of forensic artifacts
- Optional kill-switch containment
- Rapid mesh creation and teardown
Traditional VPN and hub-and-spoke architectures introduce:
- Persistent infrastructure risk
- Centralized traffic analysis points
- Single points of failure
- Increased operational exposure
MESH separates coordination from data transport:
- The control plane does not carry forensic traffic
- Peer connections are direct whenever possible
- Relays are transport fallbacks, not architectural hubs
- Meshes are disposable and task-scoped
MESH is optimized for transient, high-risk environments rather than permanent enterprise networking.
android-client— Android endpoint APKcontrol-plane— Coordination serveranalyst— Analyst CLI client
Workflow:
- Development happens on branches and is merged via PRs.
- Releases are cut as versioned tags.
- GitHub Actions mirrors tagged releases to
mesh-analyst-client. - External Go projects should depend on explicit version tags, not
main.
MESH is licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later).
Portions of this software are a derivative work of Tailscale, which is licensed under the BSD 3-Clause License. The original Tailscale copyright and license are preserved in accordance with the BSD-3-Clause requirements. AmneziaWG/Wireguard code is licensed under MIT license. See .licenses/ for details.
All modifications and additions by BARGHEST are Copyright (c) BARGHEST and licensed under AGPL-3.0-or-later.
WireGuard is a registered trademark of Jason A. Donenfeld.


