Meshify Overview and Architecture

Introduction

It’s not every day you get to design in a green field, where anything is possible. Meshify was written in a green field, with no regard for legacy products such as OpenVPN or IPSec. This makes Meshify a unique and compelling product. It was built from the ground up to create and manage WireGuard™ networks. Why? Because there is no built-in management. There is no simple mechanism for synchronizing changing network configurations on the fly. Well, not until now.

Meshify is built on these technologies:

  • WireGuard for networking
  • OAuth2 for authentication
  • MongoDB for the database
  • Golang for the microservices
  • NodeJS for the front-end
  • Docker for the containerization

We built our own cloud using these providers:

  • Microsoft Azure
  • Amazon Web Services
  • Google Cloud Platform
  • Oracle Cloud Infrastructure

They are all connected together with Meshify, of course.

Logs and Privacy

We are 100% open source. But we are not in any way a “no logs” company. Frankly, it’s hard to believe anyone can claim to have such a policy. In our case, we wrote the code. It has logging in it. It’s not customer sensitive. We use it to diagnose problems and manage the service. The logs, if available, reside on your network. They are for you. It would be irresponsible to not provide them.

We also take a pragmatic approach towards privacy. Our service is not for dissidents trying to speak out. For starters, we use OAuth2 to identify you and those you invite to your meshes. This is not a design flaw – you clearly want to authenticate the people with access to your network, and we provide a simple and elegant solution. Besides, it’s easy to create a disposable email address.

Our services also span all the major cloud providers. If a government wants to know an IP, our upstream providers are more than capable of assisting them with no help from us. This is true of almost every other VPN provider as well. But make no mistake, your privacy is important to us, and you will likely appreciate us not spamming you on a weekly or monthly basis.

Security

Private keys can be generated on the agent and never leave the device. Meshify also uses WireGuard pre-shared keys to double encrypt the traffic. OAuth2 is used to validate users based on their email address. In our tunnel and relay services, containers are used to isolate customers.

Performance

We do not have any formal metrics to share at the moment, but we’re fast. You can say that’s the benefit of being in the cloud. Not only do we have solid, jitter-free bandwidth, but we’re also in the locations where companies host their websites and services, so there’s minimal additional latency. Our back-of-the-napkin numbers show reliable 100Mbps per-flow streaming from speedtest.net, but the numbers go much higher than that, to the point you’ll be throttled by your wireless connection to your router, or by your ISP, before being throttled on our end.

Architecture

We have a distributed, reactive architecture that is stateful and eventually consistent. It is a polling architecture: on a regular basis, the Meshify Agent queries the Meshify Service over HTTPS for configuration changes. Most of the time this returns immediately with a 304 Not Modified response; otherwise the agent receives the new configuration, compares it with the old configuration, and makes whatever adjustments are needed.
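The poll cycle described above, as an added example in Go (the language of the Meshify microservices); this is not Meshify's own code, and the config schema, the ETag derivation and the stand-in service are assumptions made for the example. The agent sends the ETag it last saw in If-None-Match, treats 304 as "nothing to do", and on 200 diffs the peer list to find what must be added, removed or updated on the WireGuard interface:

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"sync/atomic"
)

// Peer is one WireGuard peer entry; the fields are a constructed stand-in, not Meshify's schema.
type Peer struct {
	PublicKey string `json:"public_key"`
	Endpoint  string `json:"endpoint"`
	AllowedIP string `json:"allowed_ip"`
}

// MeshConfig is the document the agent polls for.
type MeshConfig struct {
	Name  string `json:"name"`
	Peers []Peer `json:"peers"`
}

// published is the config the stand-in service currently serves; storing a new
// pointer is what an edit in the admin console amounts to.
var published atomic.Pointer[MeshConfig]

// NewConfigServer stands in for the Meshify Service endpoint: a matching
// If-None-Match gets a bodiless 304, anything else the JSON config plus its ETag.
func NewConfigServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := json.Marshal(published.Load())
		tag := fmt.Sprintf("%q", fmt.Sprintf("%x", sha256.Sum256(body))) // strong ETag
		if r.Header.Get("If-None-Match") == tag {
			w.WriteHeader(http.StatusNotModified)
			return
		}
		w.Header().Set("ETag", tag)
		w.Write(body)
	}))
}

// Poll runs one agent cycle: it returns the new config (nil on 304) and the ETag to send next time.
func Poll(url, etag string) (*MeshConfig, string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, etag, err
	}
	if etag != "" { // first poll has nothing to validate against and fetches everything
		req.Header.Set("If-None-Match", etag)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, etag, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusNotModified:
		return nil, etag, nil
	case http.StatusOK:
		var cfg MeshConfig
		if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
			return nil, etag, err
		}
		return &cfg, resp.Header.Get("ETag"), nil
	}
	return nil, etag, fmt.Errorf("unexpected status %d", resp.StatusCode)
}

func index(cfg *MeshConfig) map[string]Peer { // peers by public key; a nil config yields an empty map
	m := map[string]Peer{}
	if cfg != nil {
		for _, p := range cfg.Peers {
			m[p.PublicKey] = p
		}
	}
	return m
}

// Diff reports which peers the agent must add, remove or update to move from prev to next.
func Diff(prev, next *MeshConfig) (added, removed, changed []string) {
	was, now := index(prev), index(next)
	for k, p := range now {
		if old, ok := was[k]; !ok {
			added = append(added, k)
		} else if old != p { // Peer has only comparable fields, so != is a full comparison
			changed = append(changed, k)
		}
	}
	for k := range was {
		if _, ok := now[k]; !ok {
			removed = append(removed, k)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	sort.Strings(changed)
	return added, removed, changed
}

func main() {
	published.Store(&MeshConfig{Name: "dev", Peers: []Peer{{PublicKey: "peerA", AllowedIP: "10.7.0.2/32"}}})
	srv := NewConfigServer()
	defer srv.Close()
	current, tag, _ := Poll(srv.URL, "")
	published.Store(&MeshConfig{Name: "dev", Peers: []Peer{{PublicKey: "peerA", AllowedIP: "10.7.0.2/32", Endpoint: "203.0.113.5:51820"}, {PublicKey: "peerB", AllowedIP: "10.7.0.3/32"}}})
	next, _, _ := Poll(srv.URL, tag)
	added, removed, changed := Diff(current, next)
	fmt.Println("add:", added, "remove:", removed, "update:", changed)
}
```

Keying the diff on the peer's public key rather than its position in the list is what makes the comparison stable across reorderings, and returning the old ETag on every error path means a transient failure simply retries the same conditional request next cycle.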

When looking to implement our relay and tunnel services, we doubled down on this architecture. Our service hosts are Linux servers running the Meshify Agent, but in addition to polling for their Meshify VPN configuration, they also poll for their Service Host configuration. When you configure your relay or tunnel service, the Meshify Agent running on a given service host will see the update, and launch a container image with the specifics of your service. You can run this image yourself, it’s on Docker Hub.

The container provides real security and real customer isolation. I’m sorry to say most of our competition fails on this point. How can you tell a flawed architecture? When they have a big flat IP space and you’re given a random IP address out of it. Or double tunnels. What is that? We use cloud principles.

Meshes

When you create a mesh you define the name and subnet. Every single Meshify customer can specify the same name for their mesh, the same subnet for their mesh, and it has no impact on other customers. That is real isolation.

A mesh also contains a template for creating new hosts. When a new host joins a mesh, it gets an IP address out of the subnet along with the rest of its configuration (DNS, etc.). It creates a network interface with this configuration and traffic flows based on it.
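What joining a mesh looks like in code, as an added example in Go; this is not Meshify's own code, and the template fields, the lowest-free-address allocation strategy and the rendered wg-quick layout are assumptions made for the example. A new host is handed the next free address out of the mesh subnet, inherits the DNS setting from the template, and every other host becomes a [Peer] section with its own /32:

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// MeshTemplate is the per-mesh template each new host is stamped from
// (field names are this example's own, not Meshify's schema).
type MeshTemplate struct {
	Name       string
	Subnet     netip.Prefix
	DNS        []string
	ListenPort uint16
}

// Host is one member of the mesh as recorded in the mesh configuration.
type Host struct {
	Name      string
	Addr      netip.Addr
	PublicKey string
	Endpoint  string // host:port if the peer is reachable directly; empty otherwise
}

// Allocate hands out the lowest unused IPv4 host address in the subnet,
// skipping the network and broadcast addresses.
func Allocate(subnet netip.Prefix, used map[netip.Addr]bool) (netip.Addr, error) {
	subnet = subnet.Masked()
	if !subnet.Addr().Is4() || subnet.Bits() > 30 {
		return netip.Addr{}, fmt.Errorf("%s: need an IPv4 subnet with room for hosts", subnet)
	}
	// a.Next() still inside the subnet means a is not the broadcast address
	for a := subnet.Addr().Next(); subnet.Contains(a.Next()); a = a.Next() {
		if !used[a] {
			return a, nil
		}
	}
	return netip.Addr{}, fmt.Errorf("%s: no free addresses", subnet)
}

// Join allocates an address for a new host from the template and appends it to the mesh.
func Join(t MeshTemplate, hosts []Host, name, publicKey, endpoint string) ([]Host, Host, error) {
	used := map[netip.Addr]bool{}
	for _, h := range hosts {
		used[h.Addr] = true
	}
	addr, err := Allocate(t.Subnet, used)
	if err != nil {
		return hosts, Host{}, err
	}
	h := Host{Name: name, Addr: addr, PublicKey: publicKey, Endpoint: endpoint}
	return append(hosts, h), h, nil
}

// RenderConfig produces the wg-quick style file the joining host applies. The private
// key is generated on the device and never leaves it, so only a placeholder appears here.
func RenderConfig(t MeshTemplate, self Host, hosts []Host) string {
	var b strings.Builder
	fmt.Fprintf(&b, "# mesh %s\n[Interface]\nPrivateKey = <generated-on-device>\nAddress = %s/%d\nListenPort = %d\n",
		t.Name, self.Addr, t.Subnet.Bits(), t.ListenPort)
	if len(t.DNS) > 0 {
		fmt.Fprintf(&b, "DNS = %s\n", strings.Join(t.DNS, ", "))
	}
	for _, p := range hosts {
		if p.Addr == self.Addr {
			continue // a host is not its own peer
		}
		fmt.Fprintf(&b, "\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n", p.Name, p.PublicKey, p.Addr)
		if p.Endpoint != "" {
			fmt.Fprintf(&b, "Endpoint = %s\n", p.Endpoint)
		}
	}
	return b.String()
}

func main() {
	tmpl := MeshTemplate{Name: "dev", Subnet: netip.MustParsePrefix("10.7.0.0/24"), DNS: []string{"10.7.0.1"}, ListenPort: 51820}
	hosts := []Host{{Name: "gateway", Addr: netip.MustParseAddr("10.7.0.1"), PublicKey: "GATEWAY_PUBKEY", Endpoint: "203.0.113.5:51820"}}
	hosts, laptop, err := Join(tmpl, hosts, "laptop", "LAPTOP_PUBKEY", "")
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderConfig(tmpl, laptop, hosts))
}
```

Because the allocation only ever consults the hosts of one mesh, two customers (or two meshes of one customer) can use the identical subnet without colliding, which is the isolation property described above. A WireGuard interface has no broadcast, but reserving the first and last address anyway keeps the OS routing stack from ever seeing an address it treats specially.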

Because a mesh is a group of hosts with similar configuration, they can all share the relay or tunnel container, which acts just like another host in the network. You can also invite friends or coworkers to join a mesh. This leads to a much different VPN story than the monolithic OpenVPN implementations. Meshes are small, nimble, and compartmentalized. An organization should have multiple meshes organized however makes sense for them. They could have dev, test, and production meshes. They could have marketing, sales, and product meshes. It could be regional. Per project. The possibilities are endless.

DNS

We implemented DNS as a microservice in the Meshify Agent. The agent will listen on the DNS port (53) of the interface for which it has been enabled. The microservice reads the configuration of the mesh and creates a simple lookup table for forward and reverse DNS entries. It also registers the DNS with the host so that it receives queries. In fact, it receives all queries. It will respond authoritatively for those hosts that match the hostnames in the mesh. It will respond with SERVFAIL for all other queries, which causes the OS to try the next DNS server in the list.
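The lookup table behaviour described above, as an added example in Go; this is not the Meshify Agent's code, and the use of the mesh name as a DNS suffix, the string-level question/answer interface and the NODATA handling for known hosts are assumptions made for the example (the port 53 listener and DNS wire format are left out). Mesh hosts get authoritative forward (A) and reverse (PTR) answers, everything else gets SERVFAIL:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Response codes the microservice hands back; only these two matter here.
const (
	RcodeNoError  = "NOERROR"
	RcodeServfail = "SERVFAIL"
)

// MeshDNS holds the forward and reverse tables built from the mesh configuration.
// Using the mesh name as the DNS suffix is an assumption of this example.
type MeshDNS struct {
	suffix  string
	forward map[string]string // hostname -> IPv4 address
	reverse map[string]string // "d.c.b.a.in-addr.arpa" -> hostname
}

// normalize makes names comparable: DNS is case-insensitive and a trailing dot is optional.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// reverseName builds the PTR owner name for an IPv4 address (octets reversed).
func reverseName(v4 net.IP) string {
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0])
}

// NewMeshDNS builds both tables from a hostname -> address map taken from the mesh config.
func NewMeshDNS(mesh string, hosts map[string]string) (*MeshDNS, error) {
	d := &MeshDNS{suffix: "." + normalize(mesh), forward: map[string]string{}, reverse: map[string]string{}}
	for name, addr := range hosts {
		v4 := net.ParseIP(addr).To4() // nil for garbage and for IPv6
		if v4 == nil {
			return nil, fmt.Errorf("host %q: %q is not an IPv4 address", name, addr)
		}
		host := normalize(name)
		d.forward[host] = v4.String()
		d.reverse[reverseName(v4)] = host
	}
	return d, nil
}

// Resolve answers one question. Mesh hosts get an authoritative answer (or an
// authoritative empty NOERROR for record types the table does not carry);
// anything else gets SERVFAIL so the OS moves on to the next configured server.
func (d *MeshDNS) Resolve(qname, qtype string) (answer, rcode string) {
	qtype = strings.ToUpper(qtype)
	if qtype == "PTR" {
		if host, ok := d.reverse[normalize(qname)]; ok {
			return host + d.suffix, RcodeNoError
		}
		return "", RcodeServfail
	}
	ip, ok := d.forward[strings.TrimSuffix(normalize(qname), d.suffix)] // "laptop" and "laptop.<mesh>" both match
	if !ok {
		return "", RcodeServfail
	}
	if qtype == "A" {
		return ip, RcodeNoError
	}
	return "", RcodeNoError // known host, no record of this type (NODATA)
}

func main() {
	d, err := NewMeshDNS("home", map[string]string{"laptop": "10.7.0.2", "nas": "10.7.0.3"}) // constructed mesh
	if err != nil {
		panic(err)
	}
	for _, q := range [][2]string{{"laptop", "A"}, {"nas.home.", "A"}, {"2.0.7.10.in-addr.arpa", "PTR"}, {"example.com", "A"}} {
		ans, rc := d.Resolve(q[0], q[1])
		fmt.Printf("%-24s %-4s -> %s %s\n", q[0], q[1], rc, ans)
	}
}
```

SERVFAIL rather than NXDOMAIN is the important detail: NXDOMAIN is an authoritative "this name does not exist" and most stub resolvers stop there, whereas SERVFAIL makes them fall through to the next server in the list, which is what lets a host keep using its normal resolver for everything outside the mesh. The example answers AAAA for a known host with an empty NOERROR for the same reason: a SERVFAIL there would send the query to an upstream server that has never heard of the mesh name.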

In addition to the microservice for resolving hosts in the mesh, you can also specify whatever DNS servers you want in the mesh configuration. This might be your internal resolvers, or maybe a global DNS provider if you’re using our tunnel service. We offer maximum flexibility and expose as much WireGuard functionality as possible.

UPnP

Activating UPnP enables several functions. First, it automates the configuration of port forwarding. In addition, we query the gateway for the external IP address, and update the host’s endpoint if it changes. This enables a variety of scenarios for laptops and road warriors. It also eliminates the need for a DDNS provider. UPnP is an optional feature and can be turned on individually per host; it is not required in order to use the service. While some have security concerns with UPnP, in our opinion those concerns, while justified, are overblown.

Topology

The screen grabs below are from our admin console. With Meshify you can visually see the network as you are making it.

Traditional VPNs offer only a ‘hub and spoke’ architecture, restricting remote users’ access to off-site resources by forcing all validation and traffic through a central hub, which limits throughput.

[Image: hub and spoke]
[Image: fully connected mesh]

We provide a hub-and-spoke VPN architecture on demand with our relay service. It has some advantages in terms of supporting coworkers or accessing cloud resources through a bastion. But we also offer a point-to-point method of tunneling resources across a mesh framework, so regardless of physical location or status of a central hub, you are able to traverse resources with superior speed and significantly less frailty. Simple mesh-centric IP management combined with a public/private key sharing service, as well as our DNS microservice, provides you an elastic fabric for connecting resources wherever they may be.

WireGuard™

WireGuard has the seal of approval of Linus Torvalds, and is embedded in the latest Linux kernels. It is open-source technology, offering best-in-class cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, and is considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded devices and supercomputers, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployed. It is still in active development, and is regarded as the most secure as well as fastest VPN solution in the industry. Our meshes simplify what would otherwise be significant overhead in managing WireGuard VPNs, securely.

OAuth2

We offer users single sign-on using OAuth2 providers including Google and Microsoft, as well as our own. This includes any multi-factor authentication enabled for your account. If Google is your identity provider, you can log in seamlessly with our service using your custom domain. We can also do this with Microsoft-based Azure Active Directory domains for enterprise customers. If you’ve outsourced your identity management, that’s fine too; so do we. We can integrate with many services through the OAuth2 and OIDC standards.

Open Source

Meshify is 100% open source. We do not expect you to believe us when we say we’re secure. We just are. With 35 years of experience building software at scale, we have nothing to hide, and use standards-based technologies.

Next Steps

Check out this brief tutorial to familiarize yourself with your new VPN service.

Support

If you need support you can send us an email at [email protected], or for general questions we are also available via [email protected]. Of course, the easiest way is to just click the Chat button at the bottom of the page.

Thanks for giving us a look. We look forward to building a strong relationship with all our clients, so feel free to reach out anytime with feedback, information or general support requests, 24 hours a day, 7 days a week.

  • The Meshify.app Team