{"id":33916477,"url":"https://github.com/boringcache/messhy","last_synced_at":"2026-01-13T22:01:40.541Z","repository":{"id":325989075,"uuid":"1103305817","full_name":"boringcache/messhy","owner":"boringcache","description":"WireGuard VPN mesh for secure private networking. Simple, fast, zero-config.","archived":false,"fork":false,"pushed_at":"2025-11-24T17:51:11.000Z","size":32,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-13T12:45:58.710Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boringcache.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-24T17:38:45.000Z","updated_at":"2025-11-24T17:51:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/boringcache/messhy","commit_stats":null,"previous_names":["boringcache/messhy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/boringcache/messhy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boringcache%2Fmesshy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boringcache%2Fmesshy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boringcache%2Fmesshy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boringcache%2Fmesshy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boringcache","download_url":"https://codeload.github.com/boringcache/messhy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boringcache%2Fmesshy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28400397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-12T07:21:17.912Z","updated_at":"2026-01-13T22:01:40.533Z","avatar_url":"https://github.com/boringcache.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# messhy\n\n\u003e WireGuard VPN mesh for secure private networking. Simple, fast, zero-config.\n\nA Ruby gem that sets up a full WireGuard VPN mesh across any VMs. Every node connects directly to every other node, creating a secure private network.\n\n## Why messhy?\n\n### Problems It Solves\n\n❌ **Without messhy:**\n- Database replication over public IPs (insecure)\n- Complex VPN configurations\n- NAT traversal issues\n- Manual key management\n- Cloud-specific networking (VPC, subnet, security groups)\n\n✅ **With messhy:**\n- Secure encrypted connections (WireGuard)\n- Automatic key generation and distribution\n- Works across any cloud/datacenter\n- Zero application changes (just use 10.8.0.x IPs)\n- Simple configuration\n\n## Installation\n\n```bash\ngem install messhy\n```\n\nOr add to your Gemfile:\n\n```ruby\ngem 'messhy'\n```\n\n## Quick Start\n\n1. **Create config file**:\n\n```yaml\n# config/mesh.yml\nproduction:\n  network: 10.8.0.0/24\n  user: ubuntu\n  ssh_key: ~/.ssh/id_rsa\n  verify_host_key: true\n  \n  nodes:\n    db-primary:\n      host: 34.12.234.81\n      private_ip: 10.8.0.10\n\n    db-standby:\n      host: 52.23.45.67\n      private_ip: 10.8.0.11\n\n    app-1:\n      host: 18.156.78.90\n      private_ip: 10.8.0.20\n```\n\n2. **Setup mesh**:\n\n```bash\nmesshy setup --environment=production\n```\n\n3. **Verify**:\n\n```bash\nmesshy status\n```\n\n## Secret Management\n\n`messhy setup` stores generated WireGuard key pairs inside `.secrets/wireguard/*.yml` with `0600` permissions. Each node gets its own YAML file (`.secrets/wireguard/\u003cnode\u003e.yml`) and all peer pre‑shared keys live in `.secrets/wireguard/psks.yml`. The directory is gitignored by default, and the Rails generator ensures the ignore rules are present in your application. After provisioning, copy the YAML files into 1Password (or another vault) and remove them from disk if you do not want long‑lived local copies.\n\nIf you want to pre-generate keys before rolling out configs, run:\n\n```bash\nmesshy keygen --environment=production\n```\n\n## Trusting SSH Host Keys\n\nBefore running `messhy setup`, fetch each server's SSH fingerprint and add it to your local `known_hosts` file:\n\n```bash\n# Adds Ed25519/ECDSA/RSA host keys for every node defined in config/mesh.yml\nbundle exec messhy trust-hosts --environment=production\n```\n\nIf a server rotated keys or you resized an instance, clear the old entry as part of the same command:\n\n```bash\nbundle exec messhy trust-hosts --environment=production --force\n```\n\nThis command uses `ssh-keyscan` under the hood and skips entries that already exist. If a host cannot be scanned (firewall / DNS issue), it will be listed at the end so you can add it manually. You can also call the Rails task `rails messhy:trust_hosts`.\n\n## Rails Integration\n\n1. Add the gem to your Rails application and run `bundle install`.\n2. Generate the config stub and gitignore entries:\n\n   ```bash\n   rails generate messhy:install\n   ```\n\n3. Use the provided rake tasks from your app (they automatically use `RAILS_ENV`/`MESSHY_ENVIRONMENT`):\n\n   ```bash\n   rails messhy:trust_hosts   # ssh-keyscan every node\n   rails messhy:setup         # deploy WireGuard configs\n   rails messhy:status        # show current mesh status\n   rails messhy:keygen        # pre-generate keys only\n   ```\n\nThis keeps Rails + SSHKit conventions intact: tasks shell out to the Thor CLI, SSH host key verification is enforced by default, and WireGuard secrets stay outside of Git.\n\n## CLI Commands\n\n### Setup\n\n```bash\n# Initial setup (all nodes)\nmesshy setup\nmesshy setup --environment=production\n\n# Setup with options\nmesshy setup --dry-run                    # Show what would be done\nmesshy setup --skip-node=app-1            # Skip specific node\nmesshy setup --only-node=db-primary       # Setup single node\n```\n\n### Status \u0026 Monitoring\n\n```bash\n# Show all connections\nmesshy status\n\n# Ping specific node\nmesshy ping app-1\nmesshy ping 10.8.0.20\n\n# Test connectivity\nmesshy test-connectivity\n\n# Show traffic statistics\nmesshy stats\nmesshy stats --node=db-primary\n```\n\n### Key \u0026 Access Management\n\n```bash\n# Generate WireGuard keys without touching configs\nmesshy keygen --environment=production\nmesshy keygen --skip-node=app-1\n\n# Trust SSH host keys (uses ssh-keyscan)\nmesshy trust-hosts\nmesshy trust-hosts --force        # replace existing entries\nmesshy trust-hosts --known-hosts=/tmp/known_hosts\n```\n\n### Info\n\n```bash\n# List all nodes\nmesshy list\n\n# Show node details\nmesshy show db-primary\n```\n\n## Configuration\n\nSee `config/mesh.example.yml` for a complete example.\n\n### Basic Options\n\n- `network`: CIDR network for VPN (default: `10.8.0.0/24`)\n- `user`: SSH user (default: `ubuntu`)\n- `ssh_key`: Path to SSH private key\n- `mtu`: MTU size (default: `1280` for reliability)\n- `listen_port`: WireGuard port (default: `51820`)\n- `keepalive`: Keepalive interval in seconds (default: `25`)\n\n### Node Configuration\n\nEach node requires:\n- `host`: Public IP or hostname\n- `private_ip`: Private VPN IP (must be within network range)\n\nOptional per-node overrides:\n- `ssh_user` / `ssh_port`: Override SSH access details (defaults to top-level `user` and port 22)\n- `ssh_key`: Override SSH key for a specific node\n- `listen_port`: WireGuard UDP port (defaults to top-level `listen_port`)\n- `region`: Documentation / metadata field\n\n## Firewall Requirements\n\nOnly one port needs to be opened on each node:\n\n```bash\n# UFW\nufw allow 51820/udp\n\n# iptables\niptables -A INPUT -p udp --dport 51820 -j ACCEPT\n```\n\n## Architecture\n\n### Full Mesh Topology\n\n```\n         Node A\n        /   |   \\\n       /    |    \\\n      /     |     \\\n   Node B - + - Node C\n      \\     |     /\n       \\    |    /\n        \\   |   /\n         Node D\n```\n\n**Every node connects directly to every other node:**\n- No central point of failure\n- Optimal routing (direct connections)\n- Scales to ~50 nodes\n\n## Performance\n\n### Benchmarks (compared to no VPN)\n\n| Metric | No VPN | WireGuard | Overhead |\n|--------|--------|-----------|----------|\n| Throughput | 1000 Mbps | 950 Mbps | 5% |\n| Latency | 10ms | 10.5ms | +0.5ms |\n| CPU usage | 2% | 3% | +1% |\n\n**WireGuard is FAST!** Negligible overhead for most workloads.\n\n## Troubleshooting\n\n### Node can't connect\n\n```bash\n# Check WireGuard is running\nsystemctl status wg-quick@wg0\n\n# Check interface\nwg show wg0\n\n# Check firewall\nufw status | grep 51820\n\n# Test connectivity\nping 10.8.0.x\n\n# Check logs\njournalctl -u wg-quick@wg0 -f\n```\n\n### High latency\n\n```bash\n# Try lower MTU (in mesh.yml)\nmtu: 1280  # instead of 1420\n\n# Redeploy\nmesshy setup\n```\n\n## Requirements\n\n- Ruby 3.0+\n- WireGuard tools (`wg` command)\n- Target servers with Linux kernel 5.6+ (WireGuard built-in)\n- SSH key-based authentication\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub.\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n\n---\n\nBuilt with ❤️ for the Rails community by [Gaurav](https://github.com/yourusername)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboringcache%2Fmesshy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboringcache%2Fmesshy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboringcache%2Fmesshy/lists"}