BARGHEST-ngo/MESH

MESH

MESH is a networking tool that supports remote logical forensic acquisition on mobile devices.

MESH gives analysts a direct, encrypted path to mobile devices for wireless debugging, network monitoring and forensic acquisition, even when those devices sit behind NAT, firewalls, or restrictive mobile networks. It builds a private overlay so a remote device behaves as if it were on the same local subnet. It requires no central VPN servers, no port forwarding, and no permanent infrastructure to maintain or defend. This allows seamless remote network monitoring and acquisition over the internet with tools such as MVT and AndroidQF.

What it does

  • Remote mobile forensics over ADB Wireless Debugging and libimobiledevice: run WARD, MVT, AndroidQF, and other ADB/iOS tooling as if the device were local.
  • Remote network monitoring: PCAP capture and Suricata intrusion detection over the same encrypted mesh.

What it doesn't

  • MESH provides the networking necessary for remote acquisition, but isn't the acquisition tool.
  • We include AndroidQF and MVT in the suite.

How it's hardened

  • Peer-to-peer first: direct WireGuard transport when a path exists.
  • Optional AmneziaWG to obfuscate WireGuard against DPI and national firewalls.
  • Automatic fallback to encrypted HTTPS relays when UDP is blocked.

Meshes are ephemeral and analyst-controlled: bring devices online, collect, then tear the network down. Nothing is left running, which supports the avoidance of fingerprinting activity.

Important

Public Alpha: MESH is currently in public alpha and under active development. A full third-party penetration test has been completed and we have patched all major vulnerabilities. Things may change and breaking changes should be expected. It currently requires some level of technical expertise. Please report bugs or security concerns via GitHub Issues.

Quick start

For full documentation:
https://docs.meshforensics.org/

Prerequisites

  • Git
  • Docker Engine with the Compose V2 plugin (docker compose, not legacy docker-compose). Install instructions.
  • Task (go-task) for build orchestration and interactive setup. Install instructions. Short version:
    • Linux: sudo snap install task --classic
    • macOS: brew install go-task

Note

Most runtime operations work with plain docker compose, but the interactive setup tasks (.env management, config templating, auth-key rotation) require go-task.

1. Clone the repository

git clone https://github.com/BARGHEST-ngo/mesh.git
cd mesh

2. Start control plane and get an API key

task build
task controlPlane
task apikey

3. Access web UI with API key

Local:  https://localhost
Remote: https://your-domain:8443/login

The Web UI uses a self-signed certificate by default.

Important

The default ACL allows nodes in each network to talk to each other. Production deployments should use restrictive policies. Modify these via the ACL tab.

Your MESH network is now ready to accept nodes.
See the documentation for node enrollment and forensic workflows.

Architecture summary

MESH is a heavily modified fork of the Tailscale protocol, but does not require Tailscale infrastructure.

To establish peer-to-peer connectivity, an end-to-end encrypted channel is created using UDP hole punching. If UDP is unavailable or blocked, MESH fails over to E2EE HTTPS relays called DERP relays. DERP (Designated Encrypted Relay for Packets) servers relay traffic between nodes when a direct peer-to-peer connection cannot be established.

MESH follows the same model. By default, if an operator has not configured their own DERP infrastructure (which can be done using MESH's control plane), MESH uses Tailscale’s public DERP servers to ensure reliable connectivity, particularly in restrictive network environments. However, MESH does not require Tailscale infrastructure: operators can deploy and use their own DERP servers via the control plane, which includes an embedded DERP implementation. This makes MESH fully self-hostable when desired.

DERP servers act purely as transport relays. They facilitate connectivity between devices but do not have visibility into the data exchanged, which remains end-to-end encrypted.

Enhancements include (but are not limited to):

  • Self-hostable coordination server with a UI tailored for forensic operations
  • Automatic WireGuard key distribution
  • Optional AmneziaWG-based transport obfuscation
  • Encrypted HTTPS relay fallback

The control plane is responsible only for peer discovery and key exchange. Forensic traffic flows directly between endpoints whenever possible.

Key capabilities

  • Peer-to-peer encrypted forensic subnets
  • Automatic WireGuard / AmneziaWG key management
  • Self-hostable control plane with ACL enforcement
  • CGNAT-assigned virtual TUN interfaces
  • ADB-over-WiFi & libimobiledevice compatibility
  • AndroidQF + MVT integration
  • Secure transfer of forensic artifacts
  • Optional kill-switch containment
  • Rapid mesh creation and teardown
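
A guard an analyst script can run before pointing ADB at a remote device, so a session is only opened to an overlay address. This is an added example, not MESH code; it assumes the overlay hands out IPv4 addresses from the RFC 6598 CGNAT range 100.64.0.0/10, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the overlay assigns IPv4 addresses from the RFC 6598
# shared (CGNAT) range. Adjust if your control plane uses another prefix.
OVERLAY_NET = ipaddress.ip_network("100.64.0.0/10")


def parse_adb_target(target):
    """Split 'ip:port' into (IPv4Address, int).

    Hostnames are rejected on purpose: a DNS answer must not be able to
    steer a forensic session to an address outside the overlay.
    """
    host, sep, port_text = target.rpartition(":")
    if not sep or not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"expected ip:port, got {target!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a literal IPv4 address: {host!r}") from exc
    return addr, port


def is_overlay_target(target):
    """True only when the target is a literal address inside OVERLAY_NET."""
    try:
        addr, _port = parse_adb_target(target)
    except ValueError:
        return False
    return addr in OVERLAY_NET


def adb_connect_argv(target):
    """Return the argv for `adb connect`, or refuse a non-overlay target."""
    if not is_overlay_target(target):
        raise PermissionError(f"{target!r} is not on the overlay; refusing")
    addr, port = parse_adb_target(target)
    return ["adb", "connect", f"{addr}:{port}"]


if __name__ == "__main__":
    # Constructed sample targets, not real devices.
    for sample in ("100.64.0.7:5555", "192.168.1.20:5555", "phone.example:5555"):
        print(sample, "->", "allow" if is_overlay_target(sample) else "refuse")
```

Pass the returned list to `subprocess.run` without a shell so the validated address is the only thing that reaches `adb`.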

Why not a VPN?

Traditional VPN and hub-and-spoke architectures introduce:

  • Persistent infrastructure risk
  • Centralized traffic analysis points
  • Single points of failure
  • Increased operational exposure

MESH separates coordination from data transport:

  • The control plane does not carry forensic traffic
  • Peer connections are direct whenever possible
  • Relays are transport fallbacks, not architectural hubs
  • Meshes are disposable and task-scoped

MESH is optimized for transient, high-risk environments rather than permanent enterprise networking.

Repository structure

  • android-client — Android endpoint APK
  • control-plane — Coordination server
  • analyst — Analyst CLI client

Developer notes

Workflow:

  • Development happens on branches and is merged via PRs.
  • Releases are cut as versioned tags.
  • GitHub Actions mirrors tagged releases to mesh-analyst-client.
  • External Go projects should depend on explicit version tags, not main.

License

MESH is licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later).

Portions of this software are a derivative work of Tailscale, which is licensed under the BSD 3-Clause License. The original Tailscale copyright and license are preserved in accordance with the BSD-3-Clause requirements. AmneziaWG/WireGuard code is licensed under the MIT license. See .licenses/ for details.

All modifications and additions by BARGHEST are Copyright (c) BARGHEST and licensed under AGPL-3.0-or-later.

Legal

WireGuard is a registered trademark of Jason A. Donenfeld.

About

Wireless ADB, over the internet; not just local Wi-Fi. An encrypted, censorship-resistant mesh VPN making remote forensics and network monitoring seamless.
