
One flat network for all your nodes: the mesh LAN

The tunnel browser and the VPN forwarders were always pointing at the same destination: giving your machines one private network of their own. This week it arrived — a flat, Tailscale-style mesh LAN, with MagicDNS and per-key ACLs, on Linux, Windows, and Android.


For weeks the networking features were circling the same idea without saying it out loud: the tunnel browser, the exit nodes, the VPN forwarders. They were all halfway to one thing — a single private network spanning every machine you own. This week that became real. MeshHold now has a flat mesh LAN.

What it is

It's a Tailscale-style layer-3 overlay across your nodes. The shape of it:

  • Addresses with no coordinator. Every node gets a stable private IPv4 address derived deterministically from its identity. Nobody hands them out; there's no DHCP, no central registry to keep in sync.
  • Routing for free. The routing table is built straight from the topology the mesh already gossips. No new control plane — the overlay rides information the daemon was already exchanging.
  • The same encrypted circuits. Traffic travels over the same authenticated, end-to-end-encrypted paths as everything else. On Linux it surfaces as a TUN device, so ordinary apps just see a normal network interface and behave.
  • MagicDNS. Nodes answer to friendly .mesh names, resolved in-process and handed to the host the native way on each platform — systemd-resolved on Linux, NRPT split-DNS on Windows, the VPN resolver on Android. ssh myserver.mesh simply works.
  • Keys are membership. Access and permissions ride mesh-route keys: sharing a key grants access, and a per-key ACL editor decides what each key is allowed to reach. Default-deny, so nothing is exposed by accident.
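To make the three mechanisms above concrete, here is an added illustration in Python (not MeshHold's code, and not its actual algorithms): a coordinator-free address derived from a node identity, a next-hop table computed from a gossiped adjacency map, and a default-deny per-key ACL check. The SHA-256 derivation, the 100.64.0.0/10 range, the adjacency dictionary and the rule shape are all assumptions made for the example, as are the sample identities, topology and keys.

```python
"""Added illustration of a coordinator-free overlay address, a routing table
from gossiped adjacency, and a default-deny per-key ACL. This is not MeshHold's
implementation; the SHA-256 scheme, the 100.64.0.0/10 range, the adjacency
format and the Rule shape are assumptions made for the example."""
from collections import deque
from dataclasses import dataclass
import hashlib
import ipaddress

# Assumed overlay range (CGNAT space, as Tailscale uses): 22 host bits.
OVERLAY = ipaddress.ip_network("100.64.0.0/10")


def address_for(identity: bytes) -> ipaddress.IPv4Address:
    """Stable private IPv4 for a node identity (e.g. its public key bytes).

    The host part is a hash of the identity, so every node computes the same
    answer with no DHCP and no registry. The network and broadcast addresses
    are skipped by mapping the hash onto the usable hosts only.
    """
    digest = hashlib.sha256(b"mesh-overlay-v1:" + identity).digest()
    usable = OVERLAY.num_addresses - 2
    offset = 1 + int.from_bytes(digest[:8], "big") % usable
    return OVERLAY.network_address + offset


def find_collisions(identities: list[bytes]) -> dict[ipaddress.IPv4Address, list[bytes]]:
    """Two distinct identities hashing to one address is the failure mode of a
    coordinator-free scheme. With 22 host bits the birthday bound gives a 50%
    chance of at least one collision at roughly 2,400 nodes, so a mesh should
    detect this and refuse or re-derive rather than assume uniqueness."""
    seen: dict[ipaddress.IPv4Address, list[bytes]] = {}
    for ident in dict.fromkeys(identities):  # de-duplicate, keep order
        seen.setdefault(address_for(ident), []).append(ident)
    return {addr: ids for addr, ids in seen.items() if len(ids) > 1}


def routing_table(links: dict[str, set[str]], me: str) -> dict[str, str]:
    """Next hop for every reachable node, from the gossiped adjacency map.
    Breadth-first search yields fewest-hop paths; a node inherits the first
    hop of the node it was discovered through. Direct peers route to themselves."""
    table: dict[str, str] = {}
    queue: deque = deque()
    for peer in sorted(links.get(me, ())):
        table[peer] = peer
        queue.append(peer)
    while queue:
        node = queue.popleft()
        for nxt in sorted(links.get(node, ())):
            if nxt != me and nxt not in table:
                table[nxt] = table[node]  # same first hop as the path to `node`
                queue.append(nxt)
    return table


@dataclass(frozen=True)
class Rule:
    """One allow rule attached to a mesh-route key (assumed shape)."""
    dst: ipaddress.IPv4Network
    proto: str = "any"                  # "tcp", "udp" or "any"
    ports: tuple = (1, 65535)           # inclusive port range


# Constructed sample ACL: key-ops may SSH to any overlay node, key-guest may
# only reach one node's HTTPS port, key-unused grants nothing at all.
ACL: dict[str, list[Rule]] = {
    "key-ops": [Rule(OVERLAY, "tcp", (22, 22))],
    "key-guest": [Rule(ipaddress.ip_network("100.64.5.7/32"), "tcp", (443, 443))],
    "key-unused": [],
}


def allowed(acl: dict[str, list[Rule]], key: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: a packet passes only if some rule on its key matches.
    An unknown key has no rules and therefore matches nothing."""
    addr = ipaddress.ip_address(dst)
    for rule in acl.get(key, []):
        if (addr in rule.dst and rule.proto in ("any", proto)
                and rule.ports[0] <= port <= rule.ports[1]):
            return True
    return False


if __name__ == "__main__":
    # Constructed identities and a four-node line topology a-b-c-d.
    print(address_for(b"node-a-public-key"))
    print(routing_table({"a": {"b"}, "b": {"a", "c"}, "c": {"b", "d"}, "d": {"c"}}, "a"))
    print(allowed(ACL, "key-guest", "100.64.5.7", "tcp", 443))
```

The point a practitioner should take from the collision check is that "no coordinator" does not mean "no conflicts": a 22-bit host space is small enough that a mesh of a few thousand nodes will eventually see two identities map to one address, so the derivation needs a detection path even if it never hands out addresses.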

Reach, in one dense push

This is one of the larger single stretches in the project so far. It went from "no overlay" to a working one on Linux (kernel TUN), then a Windows client driven by the privileged helper and a split-tunnel adapter, then an Android path through the system VpnService — plus forwarded LAN devices (a node acting as a subnet router for plain machines behind it) and real ping round-trips, all in the same wave. Along the way the IPv6 ULA experiment got cut: the overlay is IPv4-only, because simple and shipped beats clever and half-done.

Device testing on Windows and Android is still ongoing, but the Linux path is end-to-end and the shape is exactly what I wanted: your nodes, one network, no middleman.


Since the demo

  • Security hardening: per-IP brute-force lockout on login, bootstrap, and unlock — with fail2ban filters to match
  • Two-factor auth: an optional TOTP second factor with recovery codes, wired through login, the admin endpoints, and the CLI
  • An audit log of security-relevant actions, surfaced in the app
  • Tighter libp2p limits: connection and resource caps so a busy or hostile peer can't exhaust a node
  • Plus: a maturing S3-compatible API and the usual run of smaller fixes