Self-hosted · P2P · Apache 2.0

Your private cloud.
On your own hardware.

Pool your phone, laptop, home server, VPS, and Raspberry Pi into one fault-tolerant cluster. Watch your home Jellyfin from a hotel. Open your router's admin from another country. Stream music from your home PC on the train. Run an AI agent on a beefy machine and use it from your phone. One open-source Go binary — run it bare, in a Docker container, or as a systemd unit; no third-party cloud, nothing leaves your hardware.

Linux · Windows · Android · Raspberry Pi · v0.7.36

MeshVault is a distributed cloud that lives on your hardware. Every node — your phone, your laptop, a VPS, an old NUC in a closet, a Raspberry Pi watching the front door — is a full peer. None is special. No central server runs the show, because there is no central server.

Add a node, and the cloud grows: more storage capacity, more redundancy, more relays for tunnelling traffic. Lose a node, and the rest keep working — your files are still there, your chats still flow, your phone still reaches your home network through the remaining mesh. Connect to the mesh once, and your client learns every other node — any of them can be your entry point next time.

The whole thing is one self-contained Go binary. No docker-compose stack of five services. No PostgreSQL to back up. No Redis to babysit. The same daemon serves files, hosts chat rooms, places calls, routes VPN traffic, streams media, and exposes an S3 API — sharing one encrypted block layer and one peer-to-peer transport underneath.

What you actually do with it

Your devices, working as one cloud.

Six things people use MeshVault for. The rest of this page is how it works under the hood.

🎬

Watch your home Jellyfin from anywhere

Tunnel into your local media server. Range-streaming works through the mesh — seek, skip, resume. No port-forward, no domain, no Let's Encrypt. Your phone reaches it over the encrypted transport.

🎵

Listen to your library on the train

Your music collection lives on your home PC. Your phone streams it block-by-block through the mesh and caches what you've already heard. Offline playback for the next train.

🏠

Reach LAN-only services from outside

Router admin, NAS, IoT controllers, Pi-hole — any device on your home LAN. A management key with the tunnel capability gives your phone the whole LAN as if you were home.

🤖

Use your AI agent from anywhere

Run Claude Code or OpenCode on a beefy desktop. Connect from your phone, your laptop, hotel Wi-Fi. Approvals, transcripts, file attachments — all encrypted in transit.

📷

Auto-backup your photos to your own cloud

Not to Apple's. Not to Google's. To hardware you own. Set RF=2 and photos exist on at least two devices before you delete the local copy.

📁

Share files between your devices

Without Dropbox. Without Drive. The storage pool grows with every device you add — phone, laptop, VPS, Pi — and survives any single one of them dying.

Who it's for

When the public cloud is not an option.

MeshVault isn't trying to replace Signal or Google Drive for everyone. It's for people who'd rather run their own infrastructure than rent someone else's — and want one stack that does the whole job.

Enthusiasts & Homelab

Your devices, your cloud

Phone, laptop, home server, VPS, Raspberry Pi — glue them into one mesh. Music, files, chat, tunnels to your LAN, your own AI agent. One Go binary, six services — run it as a systemd unit, a single Docker container, or a portable binary in /usr/local/bin; no compose stack to babysit either way.

Sysadmins

Many networks, one mesh

Drop a node into every network you look after — branch office, customer site, lab rack, IoT segment — and reach every device's web UI or SSH from one mesh. No per-site VPN to wire up, no port-forwards to maintain, no public endpoint to defend. Hand each helper a management key scoped to just the segments they're allowed to touch.

Full control

Everything on your own hardware

No third-party cloud in the chain. Data stays on machines you own, in a jurisdiction you choose. Open source under Apache 2.0, reproducible builds, no phone-home. The cloud that doesn't need anyone's permission to keep running.

Architecture

A cloud that grows with your hardware.

The topology is not a star. There is no hub. Every node knows the others and can talk to any of them directly, or relay through the rest when a direct path doesn't exist.

Nodes have two independent dimensions: trust (do they have your decryption keys?) and reliability (do they count toward your replication factor?). A cheap VPS can be untrusted-but-reliable: it stores ciphertext for you, helps blocks survive, and never sees your data. A phone can be trusted-but-unreliable: it decrypts files for you but doesn't replace a server.

  • Dynamic membership. Add a node and capacity grows. Lose one and the others fill in. No re-config on the rest of the mesh.
  • One trip to connect. After one successful handshake your client knows every peer in the network. Any of them can be the next entry point.
  • Works on the LAN alone. Two phones in the same Wi-Fi can pair and chat with no internet at all — like walkie-talkies.
  • Cross-platform peers. Linux, Windows, Android, Raspberry Pi — all first-class nodes running the same Go core, not thin clients of a server somewhere.
MeshVault network topology — heterogeneous nodes connected in a mesh
Encryption

Three layers, separate keys per purpose.

A single shared key everywhere is a single point of failure. MeshVault stacks three independent layers, each with a different scope and a different rotation schedule: the swarm key gates who may join the mesh at all, the per-connection session key protects each hop, and the content key protects the data itself. An eavesdropper on the wire has to get through all three to read anything; a peer that is already inside the swarm (an untrusted relay, say) still holds only ciphertext until it is handed the content key.

And the inner layer isn't one key — it's a family. Every vault, every chat room, every tunnel, every agent instance gets its own content key. Hand a friend the chat-room key and they can read messages, but they still can't see your photos, your VPN traffic, or your AI conversations. Each can be shared independently: paste as text, send through chat, or scan as a QR code from another device.

  • Convergent crypto. Identical files encrypt to identical ciphertext — automatic deduplication across the mesh, even between users. The trade-off is inherent to the scheme: anyone who can reproduce a file byte for byte can derive its block ID and confirm whether it is already stored, so treat guessable or low-entropy files accordingly.
  • Forward secrecy. Each Noise handshake derives fresh ephemeral session keys, so compromising a node's long-term identity key, or today's session key, doesn't decrypt yesterday's traffic.
  • Capability-based access. Management keys carry capability flags (tunnel · camera · webui). Share one capability, others stay locked.
Three layers of MeshVault encryption — swarm key, session key, content key
Storage & replication

Files that survive any single node loss.

Files split into content-addressed blocks (≤512 KiB for small, 4 MiB for large) and gossip out to peers until your target replication factor is met. Block hashes are stable: re-uploading the same file is free, and conflict-detection falls out of the design — every version carries a hash-chain parent pointer.

Every vault has its own RF and its own trust set. A cheap VPS without your keys can still be the redundancy slot you need — it stores ciphertext and never sees what's inside. Want to read but not store? Set up a streaming vault: your node knows the directory, fetches blocks on demand, and never writes them to disk.

  • Versioning. Every change is a new block with a parent hash. Old versions stay reachable until retention expires.
  • Lazy delete. Tombstones, not destruction — accidental deletes are recoverable until purged.
  • S3-compatible API. Garage-style. Map a vault to a bucket. AWS Sig v4. Plug Immich, Nextcloud, Mastodon, PeerTube directly into your mesh.
  • Predictable cost. No per-GB egress, no per-API-request fees. Your hardware, your bandwidth, your bill.
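The convergent encryption described under Encryption and the content-addressed block store described in the paragraphs above, as an added worked example. This is illustrative code written for this page, not MeshVault's implementation: it assumes AES-256-GCM with the content key derived as SHA-256 of the plaintext block, a key-derived nonce, SHA-256 of the ciphertext as the block ID, and a 1 MiB cut-over between the page's 512 KiB and 4 MiB block sizes. The project's actual cipher, key derivation and size threshold are not stated on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
)

// Block sizes from the page: 512 KiB blocks for small files, 4 MiB for large ones.
// The 1 MiB cut-over between "small" and "large" is an assumption of this example.
const (
	smallBlock     = 512 << 10
	largeBlock     = 4 << 20
	largeThreshold = 1 << 20
)

// Chunk splits a file into fixed-size plaintext blocks; the last one may be shorter.
func Chunk(data []byte) [][]byte {
	size := smallBlock
	if len(data) >= largeThreshold {
		size = largeBlock
	}
	var out [][]byte
	for off := 0; off < len(data); off += size {
		end := off + size
		if end > len(data) {
			end = len(data)
		}
		out = append(out, data[off:end])
	}
	return out
}

// gcmFor builds AES-GCM for a content key. The nonce is derived from the key, which
// is safe only because in a convergent scheme each key encrypts exactly one plaintext.
func gcmFor(key []byte) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, nil, err
	}
	aead, _ := cipher.NewGCM(block) // AES's 16-byte block size is always valid for GCM
	nonce := sha256.Sum256(append([]byte("nonce:"), key...))
	return aead, nonce[:aead.NonceSize()], nil
}

// EncryptBlock is convergent encryption: the content key is the SHA-256 of the
// plaintext, so equal blocks give equal ciphertext and the same block ID (the hash
// of the ciphertext). Returns (blockID, key, ciphertext); only trusted nodes get key.
func EncryptBlock(plain []byte) (string, []byte, []byte) {
	key := sha256.Sum256(plain)
	aead, nonce, _ := gcmFor(key[:]) // cannot fail: key is 32 bytes
	ct := aead.Seal(nil, nonce, plain, nil)
	id := sha256.Sum256(ct)
	return hex.EncodeToString(id[:]), key[:], ct
}

// DecryptBlock checks the GCM tag, so a tampered block or a wrong key is rejected.
func DecryptBlock(key, ct []byte) ([]byte, error) {
	aead, nonce, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Store models an untrusted node: ciphertext by block ID, and no keys at all.
type Store map[string][]byte

// Put reports true if the block was new on this node; false is a dedup hit.
func (s Store) Put(id string, ct []byte) bool {
	if _, ok := s[id]; ok {
		return false
	}
	s[id] = ct
	return true
}

// PutFile chunks, encrypts and stores a file. It returns the block IDs, the matching
// content keys (kept only by trusted nodes; a relay serves blocks it cannot read) and
// how many blocks were actually new: re-uploading an identical file reports 0.
func PutFile(s Store, data []byte) (ids []string, keys [][]byte, fresh int) {
	for _, blk := range Chunk(data) {
		id, key, ct := EncryptBlock(blk)
		if s.Put(id, ct) {
			fresh++
		}
		ids, keys = append(ids, id), append(keys, key)
	}
	return ids, keys, fresh
}

// ConfirmStored is the trade-off: without any key, whoever can guess a block's exact
// plaintext can derive its ID and learn whether it is stored (confirmation-of-file).
func ConfirmStored(s Store, guess []byte) bool {
	id, _, _ := EncryptBlock(guess)
	_, ok := s[id]
	return ok
}
```

Store stands in for an untrusted relay: it can accept and hand back ciphertext by block ID, but reading a file needs the per-block keys that only trusted nodes hold, and a wrong key fails the GCM tag check rather than yielding garbage. ConfirmStored is the price of deduplication across users: anyone who can reconstruct a file exactly can tell whether someone in the mesh already stores it. Mixing a per-vault secret into the key derivation closes that leak, at the cost of deduplicating only within that vault.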
File replication across reliable trusted and untrusted nodes
Network & tunnelling

One mesh, every node a relay.

The same encrypted transport that carries files and messages also routes arbitrary TCP traffic. Start a tunnel from your phone with the right key, and you can reach a remote node's web UI, SSH into a NAS, configure a router, or stream YouTube through a friend's IP — even when both ends are behind NAT, even when none of the intermediate hops can decrypt anything.

The transport itself can dress up as something else: a plain TCP listener, a TLS handshake masquerading as a real website (REALITY), or an SSH banner. Pick the order you want it tried in censored networks; the daemon falls through until one connects.

  • Multi-hop circuit relay. Two nodes behind NAT can still meet, with intermediates that don't see the cleartext.
  • HTTP proxy or full system VPN. Same key, two interfaces. Android can run a TUN device through the tunnel; desktop usually picks the local HTTP proxy.
  • Forward & reverse port tunnels — TCP and UDP. Expose a service on your home server to a friend's machine, or vice versa. The SSH -L / -R pattern, but over the mesh and including UDP — game servers, DNS, custom protocols, anything.
  • Reach private LANs. With an exit-capability key, you reach not just the exit node, but every device on its LAN — router admin, NAS, IoT.
  • No public admin endpoint needed. Web UI binds to 127.0.0.1; you reach it from a paired phone through the same tunnel transport. No domain, no Let's Encrypt, no port-forward.
  • Built-in latency probe. Measure bandwidth and round-trip between any two nodes from the Network page.
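A capability-scoped management key of the kind described above (tunnel, camera and webui flags; a helper's key limited to the segments they may touch; an exit key that reaches a whole LAN), as an added example that is not MeshVault's code. The key layout, the HMAC-SHA256 signature, the expiry, and the rule that a tunnel key never reaches the node's own loopback are assumptions of this example; the page states only which capability names exist and that keys can be scoped.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Cap is one capability flag on a management key, named as on the page.
type Cap uint8

const (
	CapTunnel Cap = 1 << iota // reach LAN segments behind the exit node
	CapCamera                 // auto-answer video calls
	CapWebUI                  // the node's own web UI on 127.0.0.1
)

// ManagementKey is this example's model of a scoped key: capability bits, the LAN
// prefixes a tunnel holder may reach, an expiry, and a MAC binding them together.
// The field set, the encoding and HMAC-SHA256 are assumptions, not MeshVault's format.
type ManagementKey struct {
	Caps     Cap
	Segments []netip.Prefix
	Expires  time.Time
	MAC      []byte
}

// payload is the canonical string the MAC covers; "|" and "," never occur in a field.
func (k ManagementKey) payload() string {
	segs := make([]string, len(k.Segments))
	for i, p := range k.Segments {
		segs[i] = p.String()
	}
	return fmt.Sprintf("%d|%s|%d", k.Caps, strings.Join(segs, ","), k.Expires.Unix())
}

func sign(secret []byte, k ManagementKey) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(k.payload()))
	return mac.Sum(nil)
}

// Issue mints a key; secret is the issuing node's long-term signing secret.
func Issue(secret []byte, caps Cap, segs []netip.Prefix, expires time.Time) ManagementKey {
	k := ManagementKey{Caps: caps, Segments: segs, Expires: expires}
	k.MAC = sign(secret, k)
	return k
}

var ErrDenied = errors.New("denied")

// Authorize is the check a node runs before honouring a request that arrived with a
// key: MAC first (constant-time compare), then expiry, then the capability bit, then
// scope. Tunnel keys reach only their listed segments and never the node's own
// loopback, which is what the webui capability is for. Anything not granted is denied.
func Authorize(secret []byte, k ManagementKey, want Cap, dst netip.Addr, now time.Time) error {
	if !hmac.Equal(sign(secret, k), k.MAC) {
		return fmt.Errorf("%w: bad signature", ErrDenied)
	}
	if !now.Before(k.Expires) {
		return fmt.Errorf("%w: key expired", ErrDenied)
	}
	if k.Caps&want == 0 {
		return fmt.Errorf("%w: key lacks capability %d", ErrDenied, want)
	}
	switch want {
	case CapWebUI:
		if !dst.IsLoopback() {
			return fmt.Errorf("%w: webui key only reaches the node's loopback", ErrDenied)
		}
	case CapTunnel:
		if dst.IsLoopback() {
			return fmt.Errorf("%w: tunnel keys never reach the node's own loopback", ErrDenied)
		}
		inScope := false
		for _, p := range k.Segments {
			inScope = inScope || p.Contains(dst)
		}
		if !inScope {
			return fmt.Errorf("%w: %s is outside the key's segments", ErrDenied, dst)
		}
	}
	return nil
}

func main() {
	secret := []byte("constructed example signing secret") // stands in for the node's secret
	lan := []netip.Prefix{netip.MustParsePrefix("10.20.0.0/24")}
	helper := Issue(secret, CapTunnel, lan, time.Now().Add(8*time.Hour))
	for _, dst := range []string{"10.20.0.7", "10.30.0.7", "127.0.0.1"} {
		err := Authorize(secret, helper, CapTunnel, netip.MustParseAddr(dst), time.Now())
		fmt.Printf("tunnel to %-10s -> %v\n", dst, err)
	}
}
```

The order of checks is the point: the MAC is verified before any field is trusted, so a holder who flips a capability bit or appends a segment to their own key fails at the first step, and a key minted for one node's secret is worthless at another. Scope is an allow-list of prefixes; there is no deny-list on which an entry can be forgotten.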
A multi-hop encrypted tunnel through relay nodes between two NAT'd peers
Communication

Chat, calls, push — same encrypted block layer.

Messages and call media ride the same primitives as your files. There is no separate messaging server to scale, no separate media gateway to operate.

💬

Encrypted chat & file transfer

Text, photos, audio clips, video, PDFs, archives. Everything goes through the block engine — large files and one-line replies share the same code path. Configurable per-room retention.

📞

Audio & video calls

WebCodecs pipeline over libp2p with end-to-end AEAD. Multi-hop routing through relays when both ends are behind NAT. Camera switching and adaptive bitrate built in.

📡

Offline push wake-ups

UnifiedPush-based wake-ups for Android peers offline longer than a configurable silence window. Any node in the mesh can carry the gateway role — no central FCM dependency.

📹

Auto-answer cameras

Issue a key with the camera capability; the holder can auto-pickup video calls. Perfect for a Raspberry Pi door camera, a baby monitor, or a remote workshop.

📲

Walkie-talkie pairing

Two phones on a shared Wi-Fi pair directly with a QR code — no internet, no VPS, nothing. Compact invite format covers every host × protocol combination.

Media

Your library, your way to play it.

🎵

Audio library & radio

Browse your music collection from phone or desktop. Build playlists, or hit "radio" to let one of several algorithms pick what plays next from similar artists, mood, era.

Stream or download

Range-streaming over the mesh — you can listen to a track or watch a movie without first pulling the whole file. Or download for offline if you prefer.

🎬

Auto-enriched metadata

Audio metadata pulled from .nfo sidecars, ID3 tags, filename heuristics, AcoustID + MusicBrainz. Video matched against TMDB with Jellyfin-style folder parsing.

Integration & advanced

Plug into the rest of your stack.

🤖

Remote AI agent

Run Claude Code or OpenCode on a beefy machine, attach from anywhere through the mesh. Per-instance state, MCP tool approval, attachments, transcript search.

🪣

S3-compatible API

Per-vault buckets, AWS Sig v4, multipart uploads. Plug Mastodon, Nextcloud, Immich, PeerTube, or a static-site host directly into your private cloud.

TCP & UDP port forwarding

Forward and reverse tunnels in both directions, for arbitrary protocols. The SSH -L / -R pattern, but mesh-wide and covering UDP — game servers, DNS, VoIP, custom binary protocols — which SSH port forwarding itself can't carry.

🔌

Inbound webhooks

Mattermost-shape URLs to bridge Grafana, GitHub, GPIO sensors, IoT controllers. Config-only, no CRUD surface for an attacker to find.

Node roles

One binary, many useful things to do with it.

Install once, pick a role. The same daemon scales from a Raspberry Pi to a 64-core server.

📱

Mobile peer

Full Go core. Photos auto-upload, chat, calls, system VPN.

🏠

Home server

Trusted primary store. Holds full vault contents.

Untrusted relay

Install the .deb, paste the swarm key, done. Stores ciphertext, relays traffic.

📷

Headless camera

Pi + v4l2 + ALSA + a camera key. Auto-picks up video calls.

📡

Push gateway

Any node can carry this role. Wakes offline Android peers via UnifiedPush.

Where it sits

What MeshVault covers that the usual stack doesn't.

None of these are bad tools. But each solves one piece of the problem, and the seam between them is where data leaks, integrations break, and the public attack surface accumulates.

MeshVault · Nextcloud Enterprise · Tailscale · Syncthing · Garage
Encrypted storage with RF · peer mirror
Chat & group messaging
Audio / video calls · via Talk add-on
Mesh VPN · with masquerade
Forward / reverse TCP and UDP tunnels · TCP + UDP · TCP only
Media library / player · add-on
S3-compatible API
Peer-to-peer, no central server · coordination server · cluster, not P2P
No public admin endpoint · n/a · localhost UI
E2E by default · opt-in
Self-hostable on your hardware · client only
Open source license · Apache 2.0 · AGPL · client MIT · MPL-2.0 · AGPL

Each row covers a feature class. Nextcloud — all-in-one self-hosted suite. Tailscale — overlay mesh VPN. Syncthing — pure P2P file sync. Garage (deuxfleurs.fr) — distributed S3-compatible object storage. MeshVault sits where all four overlap.

Two paths

Open source today. Business tier in 2026.

The core is, and stays, Apache 2.0 — free for any use, including commercial deployment. The Business tier adds what enterprise procurement needs on top, without taking anything away from the open core.

Community Edition · available now

Open Source

Everything on this page. Apache 2.0. Free for any use. No artificial limits on nodes, users, vaults, or replication factor.

  • Run as many nodes as you want
  • Full feature set — storage, chat, calls, VPN, media, S3, webhooks
  • Forum + GitHub for help
  • Build from source on any OS Go supports
Business · coming soon

Enterprise tier

For organizations that need a signed contract, an audit log, and someone to call. Built on the same open core — nothing is taken away from Community Edition.

  • Multi-user inside one node, RBAC per vault
  • OIDC / SAML / Active Directory integration
  • Tamper-evident audit log, Prometheus exporter
  • Centralized fleet management across N nodes
  • Signed contract, MSA / DPA, SLA support
Roadmap

Where MeshVault is going.

Built incrementally, in the open. The community shapes what comes next.

🚢

Shipped

  • Distributed storage with replication factor
  • Encrypted chat, audio + video calls
  • Mesh VPN + multi-hop tunnels (TCP & UDP)
  • Forward / reverse port forwards
  • S3-compatible API (Garage-style)
  • Media library — audio + video, auto-enriched metadata
  • AI agent integration (Claude Code, OpenCode)
  • Inbound webhooks (Slack / Mattermost shape)
  • Headless Pi cameras, auto-answer calls
  • Offline UnifiedPush wake-ups
  • Linux (DEB / RPM), Windows (MSI), Android, Raspberry Pi
🛠

In progress

  • Phone-as-admin pivot — web UI on 127.0.0.1 only, managed exclusively via libp2p tunnel from a paired device. No public admin endpoint, no domain, no TLS cert.
  • At-rest encryption for daemon state (Badger, identity).
  • Password-locked vaults and chats.
  • This website + forum (you're on it).
🤔

Considering

  • Enterprise tier — OIDC / SAML / AD integration, tamper-evident audit log, RBAC per vault, fleet management across N nodes, signed contracts.
  • Plugin marketplace — third-party extensions to the core daemon.
  • Native desktop apps — proper Windows / macOS clients (we currently bundle a WebView2 wrapper on Windows).
  • iOS app — eventually. Apple's restrictions make P2P difficult; it'll happen when there's a clear path.
💡

What you'd add

Drop your idea on the forum. We read everything, and the roadmap is shaped by what the community keeps asking for.

Community

We're building this for ourselves and people like us.

MeshVault started because we wanted a private cloud across our own devices. If that resonates — come hang out. Share what you'd want next, what works, what doesn't.

Quickstart

Up in three commands.

# 1. Install on your first server (Ubuntu / Debian)
sudo apt-get install -y ./meshvault-0.7.36-amd64.deb

# 2. Set a password for the web UI (daemon stays running)
sudo -u meshvault meshvault set-password -c /etc/meshvault/config.yaml

# 3. Pair your phone — scan the QR, your mesh is live
sudo meshvault pair

No domain. No certificate. No port-forwarding. Your phone is the management UI.

Own your stack. Literally.

The cloud that doesn't need permission.

MeshVault is free, open source, and self-hosted by definition. There's nothing to sign up for, no one to pay, and no third party in the chain.