Decentralized private networking for users, servers, and AI agents. Connect anything to anything via WireGuard tunnels routed through DCDN's global node network.
π Built on WireGuard β open standard, audited cryptography, cross-platform. No proprietary VPN clients needed.
DCDN Mesh creates encrypted private networks between your devices, servers, and AI agents:
All traffic is relayed through DCDN's 8 multi-region nodes. Node operators earn revenue from relay traffic.
curl -fsSL https://dcdncloud.com/cli/install-mesh.sh | bashdcdn-mesh login YOUR_API_KEY
dcdn-mesh init my-networksudo dcdn-mesh up# On your server:
sudo dcdn-mesh up --connector
dcdn-mesh expose 192.168.1.0/24dcdn-mesh status
dcdn-mesh peers| Command | Description |
|---|---|
dcdn-mesh login <key> | Authenticate with API key |
dcdn-mesh init [name] | Create a mesh network |
dcdn-mesh up | Connect to mesh (client mode) |
dcdn-mesh up --connector | Connect as network connector |
dcdn-mesh down | Disconnect |
dcdn-mesh status | Connection status + traffic |
dcdn-mesh peers | List connected peers |
dcdn-mesh ping <ip|name> | Ping a peer over mesh |
dcdn-mesh expose <CIDR> | Expose a local subnet |
dcdn-mesh routes | List exposed routes |
dcdn-mesh networks | List your networks |
POST /api/v1/mesh/networks β Create network
GET /api/v1/mesh/networks β List my networks
DELETE /api/v1/mesh/networks/{id} β Delete network
POST /api/v1/mesh/peers β Register peer (returns WireGuard config)
{
"network_id": "net-abc123",
"name": "my-laptop",
"type": "client", // client, connector, agent, sandbox
"public_key": "WG_PUBLIC_KEY",
"os": "macos"
}Response includes assigned mesh IP, relay info, and ready-to-use WireGuard config.
GET /api/v1/mesh/peers?network_id=... β List peers
DELETE /api/v1/mesh/peers/{id} β Remove peer
POST /api/v1/mesh/peers/{id}/heartbeat β Peer heartbeat
GET /api/v1/mesh/config/{peer_id} β Full WireGuard config + peer list
POST /api/v1/mesh/routes β Expose a subnet
{ "peer_id": "peer-xyz", "cidr": "192.168.1.0/24", "description": "Home network" }GET /api/v1/mesh/routes?network_id=... β List routes
DELETE /api/v1/mesh/routes/{id} β Remove route
POST /api/v1/mesh/policies β Create access rule
{
"network_id": "net-abc123",
"name": "Block sandbox SSH",
"priority": 10,
"source_peer_type": "sandbox",
"dest_ports": "22",
"action": "deny"
}GET /api/v1/mesh/policies?network_id=... β List policies
PATCH /api/v1/mesh/policies/{id} β Update policy
DELETE /api/v1/mesh/policies/{id} β Delete policy
POST /api/v1/mesh/policies/templates/{name}?network_id=...
| Template | Description |
|---|---|
sandbox-restricted | Block SSH + admin ports from sandboxes, log all |
agent-readonly | Allow HTTP + DB read, block SSH, log all |
log-everything | Log all traffic (no blocks) |
deny-all-agents | Block all agent + sandbox traffic |
GET /api/v1/mesh/access-log?network_id=... β Audit trail
POST /api/v1/mesh/dns β Create private DNS record
{ "network_id": "net-abc123", "name": "staging-db", "type": "A", "value": "10.200.42.3" }
// Auto-suffixed to staging-db.mesh.localGET /api/v1/mesh/dns?network_id=... β List records
GET /api/v1/mesh/dns/resolve/{name}?network_id=... β Resolve name (split DNS)
Peer names auto-resolve: my-laptop.mesh.local β peer's mesh IP.
POST /api/v1/mesh/services β Register service
{ "peer_id": "peer-xyz", "name": "postgres", "port": 5432 }
// Auto-creates DNS: postgres.mesh.local β peer IPGET /api/v1/mesh/services?network_id=... β Discover services
POST /api/v1/mesh/ha β Create HA group
{ "network_id": "net-abc123", "name": "db-ha", "route_cidr": "192.168.1.0/24" }POST /api/v1/mesh/ha/{id}/members β Add connector to HA group
GET /api/v1/mesh/ha?network_id=... β List HA groups + members
Automatic failover: if active connector fails health check, standby takes over.
GET /api/v1/mesh/vpc-bridge/config?network_id=...&cloud=aws|gcp|azure
Returns setup instructions and Terraform snippets for connecting cloud VPCs to your mesh.
GET /api/v1/mesh/public/stats Public
Attach a sandbox to your mesh network at creation time:
POST /api/v1/sandbox
{
"name": "my-sandbox",
"size": "basic",
"mesh_network_id": "net-abc123" // β attach to mesh
}The sandbox gets a WireGuard interface and can reach all peers + exposed routes in your network. Apply policies to control what sandboxes can access.
Grant a marketplace agent scoped access to your mesh:
POST /api/v1/marketplace/call/my-agent
{
"message": "Query staging database",
"mesh_access": {
"network_id": "net-abc123",
"allowed_hosts": ["10.200.42.3:5432"] // scoped!
}
}β οΈ Security tip: Always apply the sandbox-restricted or agent-readonly policy template before granting mesh access to agents or sandboxes.
ββββββββββββββ WireGuard ββββββββββββββ WireGuard ββββββββββββββ
β Device βββββββββββββββββββΊβ DCDN Node βββββββββββββββββββΊβ Server β
β (Client) β encrypted β (Relay) β encrypted β(Connector) β
ββββββββββββββ βββββββ¬βββββββ ββββββββββββββ
β
βββββββΌβββββββ
βCoordinator β Policy, Auth,
β (Control) β Key Exchange,
ββββββββββββββ Route Table| Tier | Peers | Traffic | Price |
|---|---|---|---|
| Free | 5 | 1 GB/mo | $0 |
| Starter | 25 | 50 GB/mo | $5/mo |
| Pro | 100 | 500 GB/mo | $15/mo |
| Business | Unlimited | Unlimited | $49/mo |
Pay-per-use also available via marketplace USD balance ($0.01/GB).
| Feature | CF Mesh | DCDN Mesh |
|---|---|---|
| Protocol | WARP (proprietary) | WireGuard (open) |
| Decentralized | β | β Node operators earn revenue |
| Agent integration | Workers VPC only | Sandbox + Marketplace + MCP |
| Zero Trust | CF One ($$) | Built-in policy engine |
| Service Discovery | β | β Auto DNS |
| Free tier | 50 nodes | 5 peers |