Your private cloud.
On your own hardware.
A decentralized private cloud and mesh across your own devices: distributed storage, an S3 API, a mesh VPN and encrypted tunnels in one Go binary — end-to-end encrypted, and working even when the public internet is unreliable or absent. Open your home router from another country, run an AI agent you reach from your phone, or switch on media and calls for a full home server. Nothing leaves hardware you own.
MeshHold is a decentralized, self-hosted private cloud and mesh network. Every node — your phone, your laptop, a VPS, an old NUC in a closet, a Raspberry Pi watching the front door — is a full peer. None is special. No central server runs the show, because there is no central server.
Add a node, and the cloud grows: more storage capacity, more redundancy, more relays for tunnelling traffic. Lose a node, and the rest keep working — your files are still there, your tunnels still route, your phone still reaches your home network through the remaining mesh. Connect once, and your client learns every other node — any of them can be your entry point next time.
The whole thing is one self-contained Go binary. No docker-compose stack of five services, no PostgreSQL to back up, no Redis to babysit. The same daemon stores files, exposes an S3 API, routes VPN traffic and tunnels, and carries encrypted chat — sharing one encrypted block layer and one peer-to-peer transport underneath. Media streaming and audio/video calls live on the same mesh too: optional, off by default, a checkbox away when you want a home server as well as infrastructure.
Your devices, working as one cloud.
Six things people use MeshHold for. The rest of this page is how it works under the hood.
Reach LAN-only services from outside
Router admin, NAS, IoT controllers, Pi-hole — any device on your home LAN. A management key with the tunnel capability gives your phone the whole LAN as if you were home.
Share files between your devices
Without Dropbox. Without Drive. The storage pool grows with every device you add — phone, laptop, VPS, Pi — and survives any single one of them dying.
Auto-backup your photos to your own cloud
Not to Apple's. Not to Google's. To hardware you own. Set RF=2 and photos exist on at least two devices before you delete the local copy.
Use your AI agent from anywhere
Run Claude Code or OpenCode on a beefy desktop. Connect from your phone, your laptop, hotel Wi-Fi. Approvals, transcripts, file attachments — all encrypted in transit.
Watch your home Jellyfin from anywhere
Tunnel into your local media server. Range-streaming works through the mesh — seek, skip, resume. No port-forward, no domain, no Let's Encrypt. Your phone reaches it over the encrypted transport.
Listen to your library on the train
Your music collection lives on your home PC. Your phone streams it block-by-block through the mesh and caches what you've already heard. Offline playback for the next train.
When the public cloud is not an option.
MeshHold isn't trying to replace Signal or Google Drive for everyone. It's for people who'd rather run their own infrastructure than rent someone else's — and want one stack that does the whole job.
Your devices, your cloud
Phone, laptop, home server, VPS, Raspberry Pi — glue them into one mesh. Music, files, chat, tunnels to your LAN, your own AI agent. One Go binary, six services — run it as a systemd unit, a single Docker container, or a portable bin in /usr/local/bin; no compose flowchart to babysit either way.
Many networks, one mesh
Drop a node into every network you look after — branch office, customer site, lab rack, IoT segment — and reach every device's web UI or SSH from one mesh. No per-site VPN to wire up, no port-forwards to maintain, no public endpoint to defend. Hand each helper a management key scoped to just the segments they're allowed to touch.
Everything on your own hardware
No third-party cloud in the chain. Data stays on machines you own, in a jurisdiction you choose. Open source under AGPL-3.0, reproducible builds, no phone-home. The cloud that doesn't need anyone's permission to keep running.
A cloud that grows with your hardware.
The topology is not a star. There is no hub. Every node knows the others and can talk to any of them directly, or relay through the rest when a direct path doesn't exist.
Nodes have two independent dimensions: trust (do they have your decryption keys?) and reliability (do they count toward your replication factor?). A cheap VPS can be untrusted-but-reliable: it stores ciphertext for you, helps blocks survive, and never sees your data. A phone can be trusted-but-unreliable: it decrypts files for you but doesn't replace a server.
- Dynamic membership. Add a node and capacity grows. Lose one and the others fill in. No re-config on the rest of the mesh.
- One trip to connect. After one successful handshake your client knows every peer in the network. Any of them can be the next entry point.
- Works on the LAN alone. Two phones in the same Wi-Fi can pair and chat with no internet at all — like walkie-talkies.
- Cross-platform peers. Linux, Windows, Android, Raspberry Pi — all first-class nodes running the same Go core, not thin clients of a server somewhere.
Three layers, separate keys per purpose.
A single shared key everywhere is a single point of failure. MeshHold stacks three independent layers, each with a different scope and a different rotation schedule. To intercept anything meaningful, an attacker needs to break all three.
And the inner layer isn't one key — it's a family. Every vault, every chat room, every tunnel, every agent instance gets its own content key. Hand a friend the chat-room key and they can read messages, but they still can't see your photos, your VPN traffic, or your AI conversations. Each can be shared independently: paste as text, send through chat, or scan as a QR code from another device.
- Convergent crypto. Identical files encrypt to identical ciphertext — automatic deduplication across the mesh, even between users.
- Forward secrecy. Compromising today's session key doesn't decrypt yesterday's traffic. Each Noise handshake is fresh.
- Capability-based access. Management keys carry capability flags (tunnel · camera · webui). Share one capability, others stay locked.
Files that survive any single node loss.
Files split into content-addressed blocks (≤512 KiB for small, 4 MiB for large) and gossip out to peers until your target replication factor is met. Block hashes are stable: re-uploading the same file is free, and conflict-detection falls out of the design — every version carries a hash-chain parent pointer.
Every vault has its own RF and its own trust set. A cheap VPS without your keys can still be the redundancy slot you need — it stores ciphertext and never sees what's inside. Want to read but not store? Set up a streaming vault: your node knows the directory, fetches blocks on demand, and never writes them to disk.
- Versioning. Every change is a new block with a parent hash. Old versions stay reachable until retention expires.
- Lazy delete. Tombstones, not destruction — accidental deletes are recoverable until purged.
- S3-compatible API. Garage-style. Map a vault to a bucket. AWS Sig v4. Plug Immich, Nextcloud, Mastodon, PeerTube directly into your mesh.
- Predictable cost. No per-GB egress, no per-API-request fees. Your hardware, your bandwidth, your bill.
One mesh, every node a relay.
The same encrypted transport that carries files and messages also routes arbitrary TCP traffic. Start a tunnel from your phone with the right key, and you can reach a remote node's web UI, SSH into a NAS, configure a router, or stream YouTube through a friend's IP — even when both ends are behind NAT, even when none of the intermediate hops can decrypt anything.
The transport itself can dress up as something else: a plain TCP listener, a TLS handshake masquerading as a real website (REALITY), or an SSH banner. Pick the order you want it tried on restrictive networks; the daemon falls through until one connects.
- Multi-hop circuit relay. Two nodes behind NAT can still meet, with intermediates that don't see the cleartext.
- HTTP proxy or full system VPN. Same key, two interfaces. Android can run a TUN device through the tunnel; desktop usually picks the local HTTP proxy.
- Forward & reverse port tunnels — TCP and UDP. Expose a service on your home server to a friend's machine, or vice versa. The SSH
-L/-Rpattern, but over the mesh and including UDP — game servers, DNS, custom protocols, anything. - Reach private LANs. With an exit-capability key, you reach not just the exit node, but every device on its LAN — router admin, NAS, IoT.
- No public admin endpoint needed. Web UI binds to
127.0.0.1; you reach it from a paired phone through the same tunnel transport. No domain, no Let's Encrypt, no port-forward. - Built-in latency probe. Measure bandwidth and round-trip between any two nodes from the Network page.
Chat and push — same encrypted block layer.
Encrypted chat rides the same primitives as your files — no separate messaging server to scale. Offline devices are woken by push with no third-party push service in the chain.
Encrypted chat & file transfer
Text, photos, audio clips, video, PDFs, archives. Everything goes through the block engine — large files and one-line replies share the same code path. Configurable per-room retention.
Offline push wake-ups
UnifiedPush-based wake-ups for Android peers offline longer than a configurable silence window. Any node in the mesh can carry the gateway role — no central FCM dependency.
Plug into the rest of your stack.
Remote AI agent
Run Claude Code or OpenCode on a beefy machine, attach from anywhere through the mesh. Per-instance state, MCP tool approval, attachments, transcript search.
S3-compatible API
Per-vault buckets, AWS Sig v4, multipart uploads. Plug Mastodon, Nextcloud, Immich, PeerTube, or a static-site host directly into your private cloud.
TCP & UDP port forwarding
Forward and reverse tunnels in both directions, for arbitrary protocols. SSH-port pattern, but mesh-wide and covering UDP — game servers, DNS, VoIP, custom binary protocols. Most VPN tools don't carry UDP forwarding at all.
Inbound webhooks
Mattermost-shape URLs to bridge Grafana, GitHub, GPIO sensors, IoT controllers. Config-only, no CRUD surface for an attacker to find.
One binary, many useful things to do with it.
Install once, pick a role. The same daemon scales from a Raspberry Pi to a 64-core server.
Mobile peer
Full Go core. Photos auto-upload, chat, calls, system VPN.
Home server
Trusted primary store. Holds full vault contents.
Untrusted relay
Install the .deb, paste the swarm key, done. Stores ciphertext, relays traffic.
Headless camera
Pi + v4l2 + ALSA + a camera key. Auto-picks up video calls.
Push gateway
Any node can carry this role. Wakes offline Android peers via UnifiedPush.
A home server too — when you want one
The same mesh becomes a private home cloud: stream your media library, place end-to-end encrypted calls, point a Raspberry Pi camera at the front door. These are personal features, not infrastructure — so they stay out of the way until you ask for them.
Optional · off by default on server installs · toggle on per node in Settings
Audio library & radio
Browse your music collection from phone or desktop. Build playlists, or hit "radio" to let one of several algorithms pick what plays next from similar artists, mood, era.
Stream or download
Range-streaming over the mesh — you can listen to a track or watch a movie without first pulling the whole file. Or download for offline if you prefer.
Audio & video calls
WebCodecs pipeline over libp2p with end-to-end AEAD. Multi-hop routing through relays when both ends are behind NAT. Camera switching and adaptive bitrate built in.
Walkie-talkie pairing
Two phones on a shared Wi-Fi pair directly with a QR code — no internet, no VPS, nothing. Compact invite format covers every host × protocol combination.
Auto-answer cameras
Issue a key with the camera capability; the holder can auto-pickup video calls. Perfect for a Raspberry Pi door camera, a baby monitor, or a remote workshop.
What MeshHold covers that the usual stack doesn't.
None of these are bad tools. But each solves one piece of the problem, and the seam between them is where data leaks, integrations break, and the public attack surface accumulates.
| MeshHold | Nextcloud Enterprise | Tailscale | Syncthing | Garage | Nebula | |
|---|---|---|---|---|---|---|
| Mesh & networking | ||||||
| Mesh VPN with masquerade | ✓ | — | ✓ | — | — | ✓ |
| Flat mesh LAN (reach nodes by virtual IP) | ✓ | — | ✓ | — | — | ✓ |
| Forward / reverse TCP and UDP tunnels | TCP + UDP | — | TCP only | — | — | full overlay |
| QoS traffic prioritization | ✓ | — | — | — | — | — |
| Peer-to-peer, no central server | ✓ | — | coordination server | ✓ | cluster, not P2P | ✓ |
| Kernel-speed VPN (WireGuard) | userspace | — | ✓ | — | — | userspace |
| Files & storage | ||||||
| Encrypted storage with RF | ✓ | ✓ | — | peer mirror | ✓ | — |
| Deep file sync (versioning, ignore rules) | ✓ | ✓ | — | ✓ | — | — |
| S3-compatible API | ✓ | — | — | — | ✓ | — |
| Object larger than one node (sharding) | ✓ | — | — | — | ✓ | — |
| Communication & media | ||||||
| Chat & group messaging | ✓ | ✓ | — | — | — | — |
| Audio / video calls | ✓ | via Talk add-on | — | — | — | — |
| Media library / player | ✓ | add-on | — | — | — | — |
| Apps & productivity | ||||||
| Self-hosted AI agent access | ✓ | — | — | — | — | — |
| Real-time office / doc editing | roadmap | ✓ | — | — | — | — |
| Platform & security | ||||||
| E2E by default | ✓ | opt-in | ✓ | ✓ | — | ✓ |
| SSO / LDAP / multi-user accounts | roadmap | ✓ | SSO | — | — | — |
| Native macOS / iOS apps | roadmap | ✓ | ✓ | community | — | ✓ |
| No public admin endpoint | ✓ | — | n/a | localhost UI | — | — |
| Self-hostable on your hardware | ✓ | ✓ | client only | ✓ | ✓ | ✓ |
| Open source license | AGPL-3.0 | AGPL | client MIT | MPL-2.0 | AGPL | MIT |
Each row covers a feature class. Nextcloud — all-in-one self-hosted suite. Tailscale — overlay mesh VPN. Syncthing — pure P2P file sync. Garage (deuxfleurs.fr) — distributed S3-compatible object storage. MeshHold sits where all four overlap. Media streaming and calls are optional personal features, off by default.
Open source today. Business tier in 2026.
The core is, and stays, AGPL-3.0 — free to run, modify and self-host, including commercially. The Business tier adds what enterprise procurement needs on top, without taking anything away from the open core.
Open Source
Everything on this page. AGPL-3.0. Free to run, modify and self-host. No artificial limits on nodes, users, vaults, or replication factor.
- Run as many nodes as you want
- Full feature set — storage, chat, calls, VPN, media, S3, webhooks
- Forum + GitHub for help
- Build from source on any OS Go supports
Enterprise tier
For organizations that need a signed contract, an audit log, and someone to call. Built on the same open core — nothing is taken away from Community Edition.
- Multi-user inside one node, RBAC per vault
- OIDC / SAML / Active Directory integration
- Tamper-evident audit log, Prometheus exporter
- Centralized fleet management across N nodes
- Signed contract, MSA / DPA, SLA support
Where MeshHold is going.
Built incrementally, in the open. The community shapes what comes next.
Shipped
- Distributed storage with replication factor
- Encrypted chat, audio + video calls
- Mesh VPN + multi-hop tunnels (TCP & UDP)
- Forward / reverse port forwards
- S3-compatible API (Garage-style)
- Media library — audio + video, auto-enriched metadata
- AI agent integration (Claude Code, OpenCode)
- Inbound webhooks (Slack / Mattermost shape)
- Headless Pi cameras, auto-answer calls
- Offline UnifiedPush wake-ups
- Linux (DEB / RPM), Windows (MSI), Android, Raspberry Pi
In progress
- Phone-as-admin pivot — web UI on
127.0.0.1only, managed exclusively via libp2p tunnel from a paired device. No public admin endpoint, no domain, no TLS cert. - More AI agent back-ends — Codex (OpenAI), Gemini CLI (Google), Aider, Cursor and GitHub Copilot alongside the current Claude Code and OpenCode.
- UI translations — the web UI and Android app are i18n-ready; we're filling in more languages.
- Stability & quality — fewer rough edges, better error handling, more tests on every release.
- At-rest encryption for daemon state; password-locked vaults and chats.
Considering
- App store releases — Google Play and Apple's App Store, so install is one tap and updates land automatically.
- macOS & iOS apps — native clients (today we bundle a WebView2 wrapper on Windows). Apple's P2P restrictions make iOS hard; it'll ship when there's a clear path.
- Linux distro repositories — APT / RPM / AUR repos so
apt install meshholdjust works and stays updated. - Theme customization — light / dark and custom accent colours across the web UI.
- Public API for third-party apps — a documented, stable API surface so external tools and integrations can build on MeshHold.
- Real-time office / document editing — collaborative editing of documents and spreadsheets in the browser, the way Nextcloud does with Collabora / OnlyOffice.
- Better documentation — more guides, recipes and reference docs.
- Enterprise tier — OIDC / SAML / AD integration, tamper-evident audit log, RBAC per vault, fleet management across N nodes.
- Plugin marketplace — third-party extensions to the core daemon.
What you'd add
Drop your idea on the forum. We read everything, and the roadmap is shaped by what the community keeps asking for.
Common questions
What is MeshHold?
MeshHold is a decentralized, self-hosted private cloud and mesh network. It gives you distributed storage, an S3-compatible API, a mesh VPN and encrypted tunnels as a single Go binary that runs on hardware you own — with no central server and end-to-end encryption.
Is MeshHold free and open source?
Yes. The core is AGPL-3.0 — free to run, modify and self-host, including commercially. A paid Business tier (with a commercial license for organizations that need it) adds enterprise identity, audit logging and fleet management on top, without removing anything from the open core.
How is MeshHold different from Nextcloud, Tailscale, Syncthing or Garage?
Each of those solves one piece: Nextcloud is an all-in-one suite, Tailscale is a mesh VPN, Syncthing is P2P file sync, Garage is S3 object storage. MeshHold sits where all four overlap — one daemon doing distributed storage, S3, mesh VPN, tunnels and encrypted chat over a single peer-to-peer transport.
Does MeshHold work offline or without the public internet?
Yes. Nodes connect directly or relay through each other. Two devices on the same Wi-Fi can pair and work with no internet at all, and the mesh keeps functioning when the public internet is unreliable or absent.
Is the media player required?
No. The media library, streaming and audio/video calls are optional personal features, off by default on server installs. Enable them per node with a toggle when you want a home server in addition to infrastructure.
Which platforms does MeshHold run on?
Linux (DEB and RPM), Windows (MSI), Android, Docker and Raspberry Pi. The same Go core runs on every platform as a first-class peer.
We're building this for ourselves and people like us.
MeshHold started because we wanted a private cloud across our own devices. If that resonates — come hang out. Share what you'd want next, what works, what doesn't.
Up in three commands.
# 1. Install on your first server (Ubuntu / Debian)
sudo apt-get install -y ./meshhold-unreleased-amd64.deb
# 2. Set a password for the web UI (daemon stays running)
sudo -u meshhold meshhold set-password
# 3. Open the web UI, scan the pairing QR in the phone app — your mesh is live
No domain. No certificate. No port-forwarding. Your phone is the management UI.
The cloud that doesn't need permission.
MeshHold is free, open source, and self-hosted by definition. There's nothing to sign up for, no one to pay, and no third party in the chain.