macOS + Linux + Remote Servers

Mesh Local & Remote into One LAN

Connect your Mac, Linux machines, and remote VPS servers into a single private network using WireGuard mesh. Access any machine from anywhere, as if they were on the same local network.

What You'll Build

  • 🍎 MacBook: 10.77.0.10
  • 🐧 Linux Server: 10.77.0.20
  • 🏠 Home Server: 10.77.0.30
  • ☁️ VPS: 10.77.0.40
  • 🗄️ Database: 10.77.0.50
  • 🔐 WireGuard Mesh: 10.77.0.0/16

All machines can reach each other directly via mesh IP addresses

Prerequisites

🍎 macOS

  • macOS 10.14+ (Mojave or later)
  • Admin access for installation
  • Homebrew (optional but recommended)

🐧 Linux

  • Kernel 5.6+ (or WireGuard module)
  • Root/sudo access
  • systemd (most distributions)

☁️ Remote Servers

  • Any VPS (Vultr, Hetzner, DigitalOcean)
  • SSH access with sudo
  • Public IP or NAT with port forward

Step 1: Install WireGuard

Option A: Homebrew (Recommended)

Terminal

    # Install WireGuard tools
    brew install wireguard-tools

    # Verify installation
    wg --version

Option B: Mac App Store (GUI)

Download WireGuard from the App Store for a graphical interface. The CLI tools are still recommended for wgmesh.

💡 Note: On macOS, WireGuard creates a utun interface. You may need to approve the network extension in System Preferences → Security & Privacy.

Ubuntu/Debian

    # Update and install
    sudo apt update
    sudo apt install -y wireguard wireguard-tools

    # Load the kernel module
    sudo modprobe wireguard

    # Verify (creating a test interface requires root)
    wg --version
    sudo ip link add dev test0 type wireguard 2>/dev/null && echo "OK" && sudo ip link del test0

Older Ubuntu (18.04)

    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt update
    sudo apt install -y wireguard

Fedora/RHEL/CentOS

    # Fedora
    sudo dnf install -y wireguard-tools

    # RHEL/CentOS 8+
    sudo dnf install -y elrepo-release
    sudo dnf install -y kmod-wireguard wireguard-tools

    # Enable and load module
    sudo modprobe wireguard

Arch Linux

    # Install WireGuard
    sudo pacman -S wireguard-tools

    # For LTS kernels, also install:
    sudo pacman -S wireguard-lts

    # Load module
    sudo modprobe wireguard

Step 2: Install wgmesh

Terminal

    # Download latest release
    # (-f makes curl fail on an HTTP error instead of saving the error page as the binary)
    curl -fsSL https://github.com/atvirokodosprendimai/wgmesh/releases/latest/download/wgmesh-darwin-arm64 -o wgmesh

    # For Intel Macs, use:
    # curl -fsSL https://github.com/atvirokodosprendimai/wgmesh/releases/latest/download/wgmesh-darwin-amd64 -o wgmesh

    # Make executable
    chmod +x wgmesh

    # Move to PATH
    sudo mv wgmesh /usr/local/bin/

    # Verify
    wgmesh --help

Linux

    # Download for your architecture
    curl -fsSL https://github.com/atvirokodosprendimai/wgmesh/releases/latest/download/wgmesh-linux-amd64 -o wgmesh

    # For ARM (Raspberry Pi, etc.)
    # curl -fsSL https://github.com/atvirokodosprendimai/wgmesh/releases/latest/download/wgmesh-linux-arm64 -o wgmesh

    # Install
    chmod +x wgmesh && sudo mv wgmesh /usr/local/bin/

    # Verify
    wgmesh --help

Docker

    # Pull image
    docker pull ghcr.io/atvirokodosprendimai/wgmesh:latest

    # Run with full network access
    docker run --rm --privileged --network host \
      -v "$(pwd)/data:/data" \
      ghcr.io/atvirokodosprendimai/wgmesh:latest --help

From Source

    # Requires Go 1.23+
    git clone https://github.com/atvirokodosprendimai/wgmesh.git
    cd wgmesh
    go build -o wgmesh
    sudo mv wgmesh /usr/local/bin/

Step 3: Create Your Mesh

Option A: Decentralized Mode (Easiest)

Nodes self-discover using a shared secret. Perfect for quickly connecting machines.

1. Generate a mesh secret

Run this once on any machine:

    wgmesh init --secret
    # Output: wgmesh://v1/A1B2C3D4E5F6...

2. Join on each machine

Use the same secret on all devices (Mac, Linux, servers):

    # Basic join - auto-assigns mesh IP
    sudo wgmesh join --secret "wgmesh://v1/YOUR-SECRET-HERE"

    # With custom options
    sudo wgmesh join \
      --secret "wgmesh://v1/YOUR-SECRET-HERE" \
      --advertise-routes "192.168.1.0/24" \
      --listen-port 51820 \
      --interface wg0

3. Verify connection

    # Check mesh status
    sudo wgmesh status --secret "wgmesh://v1/YOUR-SECRET-HERE"

    # View WireGuard peers
    sudo wg show

    # Ping another mesh node
    ping 10.77.0.20

Option B: Centralized Mode (SSH Deployment)

For managing servers from a central control node. Best for production deployments.

1. Initialize mesh state

    wgmesh -init
    # Creates mesh-state.json with defaults

2. Add nodes

    # Format: hostname:mesh_ip:ssh_host[:port]
    wgmesh -add macbook:10.77.0.10:localhost
    wgmesh -add server1:10.77.0.20:192.168.1.100
    wgmesh -add vps:10.77.0.30:203.0.113.50
    wgmesh -add home:10.77.0.40:home.example.com:2222

3. Deploy to all nodes

    wgmesh -deploy
    # SSHs to each node, installs WireGuard, configures mesh

Make your home/office network accessible from anywhere through the mesh.

MacBook (remote) 10.77.0.10 → WireGuard Mesh → Home Server 10.77.0.30 → Home LAN (192.168.1.0/24)

On the gateway node (e.g., home server):

    # Join with route advertisement
    sudo wgmesh join \
      --secret "wgmesh://v1/YOUR-SECRET" \
      --advertise-routes "192.168.1.0/24"

    # Enable IP forwarding (Linux)
    echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
    sudo sysctl -p /etc/sysctl.d/99-wireguard.conf

On macOS gateway:

    # Enable IP forwarding (requires restart)
    sudo sysctl -w net.inet.ip.forwarding=1

    # Make permanent
    echo "net.inet.ip.forwarding=1" | sudo tee -a /etc/sysctl.conf

Access from any mesh node:

    # Now you can reach home LAN devices
    ping 192.168.1.50
    ssh user@192.168.1.100
    curl http://192.168.1.200:8080

Common Use Cases

🏠 Remote Home Access

Access your home network from anywhere. Reach your NAS, smart home, or development servers without opening ports.

    # From coffee shop
    ssh 192.168.1.100   # Direct to home server!

🔐 Secure Development

Connect to staging databases, Redis, or internal APIs as if they were local.

    # Connect to staging DB
    psql -h 10.77.0.50 -U app

    # Redis via mesh
    redis-cli -h 10.77.0.51

☁️ Multi-Cloud Networking

Connect VPS instances across different providers into one network.

    # Vultr + Hetzner + DO
    # All in 10.77.0.0/16
    curl http://10.77.0.40/api

🔄 CI/CD Self-Hosted

Let GitHub Actions runners access internal services securely.

    # Runner in mesh can reach
    # internal deployment targets
    ssh deploy@10.77.0.30

Step 5: Persist Configuration

Linux (systemd)

    # wgmesh creates wg-quick config automatically
    sudo systemctl enable wg-quick@wg0
    sudo systemctl start wg-quick@wg0

    # Check status
    sudo systemctl status wg-quick@wg0

macOS

    # Create LaunchDaemon for auto-start
    # Paths assume Homebrew under /usr/local (Intel Macs); on Apple Silicon, Homebrew uses /opt/homebrew
    sudo tee /Library/LaunchDaemons/com.wireguard.wg0.plist <<'EOF'
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.wireguard.wg0</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/wg-quick</string>
            <string>up</string>
            <string>/usr/local/etc/wireguard/wg0.conf</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    EOF

    sudo launchctl load /Library/LaunchDaemons/com.wireguard.wg0.plist

Troubleshooting

❌ "Permission denied" or "Operation not permitted"

Run with sudo on Linux/macOS. WireGuard requires root to create network interfaces.

❌ Peers not connecting

    sudo wg show
    # Look for "endpoint" and "latest handshake"

❌ Routes not working

❌ macOS: "utun0: error"

macOS may have existing utun interfaces. Try a different interface name:

    sudo wgmesh join --secret "..." --interface wg1

Security Considerations

⚠️ Important: The mesh secret is a shared key. Anyone with it can join your network. Keep it secure!

Consideration     Recommendation
Mesh Secret       Use strong, random secrets. Rotate periodically.
State File        Use --encrypt flag. Store encrypted state in vault.
Firewall          Allow UDP 51820. Block all other inbound on mesh interface.
Access Control    Each node has unique keys. Compromised node = remove its key.
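
The `wg show` check under Troubleshooting and the Access Control row above both come down to reading peer state. As an added example (not part of wgmesh or the original page), this function audits `wg show wg0 dump` output for peers with missing or stale handshakes and for AllowedIPs outside the mesh range that you did not deliberately advertise. The function name, the `MAX_AGE` threshold and the `EXPECTED_ROUTES` list are assumptions; the tab-separated dump layout is the one documented in wg(8).

```shell
#!/bin/sh
# Added example: audit `wg show <iface> dump` output read from stdin.
# Usage: sudo wg show wg0 dump | audit_wg_dump "$(date +%s)"
MESH_CIDR="10.77.0.0/16"          # mesh range used on this page
EXPECTED_ROUTES="192.168.1.0/24"  # routes you deliberately advertise (space-separated)
MAX_AGE=180                       # assumption: seconds without a handshake before a peer counts as stale

audit_wg_dump() {
  awk -F '\t' -v now="$1" -v max="$MAX_AGE" -v mesh="$MESH_CIDR" -v ok="$EXPECTED_ROUTES" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # True when the IPv4 prefix in cidr lies entirely inside the mesh range.
    function in_mesh(cidr,  c, m, size) {
      split(cidr, c, "/"); split(mesh, m, "/")
      if (cidr ~ /:/ || c[2] + 0 < m[2] + 0) return 0   # IPv6, or broader than the mesh
      size = 2 ^ (32 - m[2])
      return int(ip2int(c[1]) / size) == int(ip2int(m[1]) / size)
    }
    BEGIN { n = split(ok, list, " "); for (i = 1; i <= n; i++) expected[list[i]] = 1 }
    NR == 1 { next }   # interface line holds the private key: skip it, never print it
    {
      # Peer fields: public-key, preshared-key, endpoint, allowed-ips, latest-handshake, ...
      hs = $5 + 0
      if (hs == 0)              print "NO_HANDSHAKE " $1
      else if (now - hs > max)  print "STALE " $1 " " (now - hs) "s"
      if ($4 == "(none)") next
      n = split($4, ips, ",")
      for (i = 1; i <= n; i++)
        if (!in_mesh(ips[i]) && !(ips[i] in expected)) print "UNEXPECTED_ROUTE " $1 " " ips[i]
    }'
}
```

An `UNEXPECTED_ROUTE` line for a peer you did not set up as a gateway means traffic for that range would be sent to that node, which is the case the Access Control row addresses by removing the node's key.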

Quick Reference

    # Generate secret
    wgmesh init --secret

    # Join mesh
    sudo wgmesh join --secret "wgmesh://v1/SECRET"

    # Join with routes
    sudo wgmesh join --secret "wgmesh://v1/SECRET" --advertise-routes "192.168.1.0/24"

    # Check status
    sudo wgmesh status --secret "wgmesh://v1/SECRET"
    sudo wg show

    # Manual peer test
    wgmesh test-peer --secret "wgmesh://v1/SECRET" --peer 192.168.1.100:51820

    # Leave mesh
    sudo wg-quick down wg0

That's it!

Your Mac, Linux machines, and servers are now on the same private network.
Access any service from anywhere, securely.

github.com/atvirokodosprendimai/wgmesh →