GitHunt
BA

BARGHEST-ngo/MESH

MESH Forensics enables remote mobile forensics & network monitoring over an encrypted, censorship-resistant peer-to-peer mesh network.

blue-teamcyber-investigationcybersecuritydfirforensicsforensics-toolsmesh-networksmobilemobile-forensicsnat-traversalp2pspyware-detection

MESH


Important

Public Alpha: MESH is currently in public alpha and under active development. It is not production-ready. A full penetration test is in progress. Until it is complete, do not use this project in production environments. Things may change and breaking changes should be expected. It currently requires some level of technical expertise. Please report bugs or security concerns via GitHub Issues.

MESH Forensics enables remote mobile forensics & network monitoring over an encrypted, censorship-resistant peer-to-peer mesh network.

Mobile devices are often placed behind carrier-grade NAT (CGNAT), firewalls, or restrictive mobile networks that prevent direct inbound access. Traditional remote forensics typically requires centralized VPN servers or risky port-forwarding.

MESH Forensics solves this by creating an encrypted peer-to-peer overlay and assigning each node a CGNAT-range address via a virtual TUN interface. Devices appear as if they are on the same local subnet — even when geographically distant or behind multiple NAT layers.

This enables remote mobile forensics using ADB Wireless Debugging and libimobiledevice, allowing tools such as WARD, MVT, and AndroidQF to operate remotely without exposing devices to the public internet.

The mesh can also be used for remote network monitoring, including PCAP capture and Suricata-based intrusion detection over the encrypted overlay. Allowing for both immediate forensics capture and network capture.

MESH is designed specifically for civil society forensics & hardened for hostile/censored networks:

  • Direct peer-to-peer WireGuard transport when available
  • Optional AmneziaWG to obfuscate WireGuard fingerprints to evade national firewalls or DPI inspection
  • Automatic fallback to end-to-end encrypted HTTPS relays when UDP is blocked

Meshes are ephemeral and analyst-controlled: bring devices online, collect evidence, and tear the network down immediately afterward. No complicated hub-and-spoke configurations.

Architecture summary

MESH is a heavily modified fork of the Tailscale protocol but does not require Tailscale infrastructure.

Enhancements include, though not limited to:

  • Self-hostable coordination server with UI for forensics operations
  • Automatic WireGuard key distribution
  • Optional AmneziaWG transport obfuscation
  • Encrypted HTTPS relay fallback

The control plane handles peer discovery and key exchange only.
Forensic traffic flows directly between endpoints whenever possible.

Key capabilities

  • Peer-to-peer encrypted forensic subnets
  • Automatic WireGuard / AmneziaWG key management
  • Self-hostable control plane with ACL enforcement
  • CGNAT-assigned virtual TUN interfaces
  • ADB-over-WiFi & libimobiledevice compatibility
  • AndroidQF + MVT integration
  • Secure transfer of forensic artifacts
  • Optional kill-switch containment
  • Rapid mesh creation and teardown
1 2 3

Why not a VPN?

Traditional VPN and hub-and-spoke architectures introduce:

  • Persistent infrastructure risk
  • Centralized traffic analysis points
  • Single points of failure
  • Increased operational exposure

MESH separates coordination from data transport:

  • The control plane does not carry forensic traffic
  • Peer connections are direct whenever possible
  • Relays are transport fallbacks, not architectural hubs
  • Meshes are disposable and task-scoped

MESH is optimized for transient, high-risk environments rather than permanent enterprise networking.

Getting started

For full documentation:
https://docs.meshforensics.org/

1. Clone the repository

git clone https://github.com/BARGHEST-ngo/mesh.git
cd mesh/control-plane

2. Start control plane

docker-compose up -d

4. Access web UI

Local:  https://localhost:3000/login
Remote: https://your-domain:8443/login

The Web UI uses a self-signed certificate by default.

5. Create API key

docker exec headscale headscale apikeys create --expiration 90d

Use the generated key to authenticate in the Web UI.

Important

The default ACL allows nodes in each network talk to each other.
Production deployments should use restrictive policies. Modify these via the ACL tab.

image

Your MESH network is now ready to accept nodes.
See the documentation for node enrollment and forensic workflows.

Repository structure

  • android-client — Android endpoint APK
  • control-plane — Coordination server
  • analyst — Analyst CLI client

Developer notes

Workflow:

  • Development happens on branches and is merged via PRs.
  • Releases are cut as versioned tags.
  • GitHub Actions mirrors tagged releases to mesh-analyst-client.
  • External Go projects should depend on explicit version tags, not main.

License

MESH is licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later).

Portions of this software are a derivative work of Tailscale, which is licensed under the BSD 3-Clause License. The original Tailscale copyright and license are preserved in accordance with the BSD-3-Clause requirements. AmneziaWG/Wireguard code is licensed under MIT license. See .licenses/ for details.

All modifications and additions by BARGHEST are Copyright (c) BARGHEST and licensed under AGPL-3.0-or-later.

WireGuard is a registered trademark of Jason A. Donenfeld.

Languages

Kotlin67.3%TypeScript14.3%Go13.4%Makefile1.6%Java1.5%Dockerfile0.9%CSS0.5%Shell0.4%HTML0.1%JavaScript0.0%
GNU Affero General Public License v3.0
Created October 27, 2025
Updated March 18, 2026
BARGHEST-ngo/MESH | GitHunt