What is MeshConnect

MeshConnect is a robust mesh networking and Zero Trust Network Access (ZTNA) solution built on the Wireguard protocol, offered by UTunnel Secure Access. It enables you to establish a reliable mesh networking infrastructure, securely connecting multiple networks and setting up controlled policy-based remote access to network resources. This solution was developed to primarily simplify resource-sharing and enable secure remote access across diverse resource sites.

In brief, MeshConnect enables you to interconnect networks (e.g., your on-premise network with multiple VPCs) while allowing your remote users to access all the networks, selected networks, or specific resources within a network.

The overall working principles and various MeshConnect components are explained here.


The network serves as the foundational structure, and the process of setting up a MeshConnect environment begins with the creation of a network. This network is a virtual space encompassing MeshConnect Agents and user devices (when remote access is enabled to the network). Later in this article, we will delve into the MeshConnect Agent’s and User device’s role in the network.

From a technical standpoint, upon creating a network, a /22 subnet is assigned to it for leasing IP addresses to Site Agents and User devices. The default subnet used is, and currently, it is not configurable. If you wish to use a non-default subnet, please reach out to support after creating the network and before adding any sites or users to it.

A Network comprises key components such as Site, Agent, Site Link, User, Access Policy, etc. We’ll explore each of these components one by one.

Follow this guide to learn about how to create a MeshConnect Network.


A Site within the MeshConnect Network represents the location of your resources. These resources could be Virtual Private Clouds (VPCs), corporate networks, or even standalone servers or IoT devices.

To establish a tunnel between two networks, the initial step is to create two Sites. If you aim to establish a secure tunnel between two standalone servers, these servers would be on two different MeshConnect Sites. Similarly, if you want to create a secure tunnel linking IoT devices deployed in 30 different locations to an IoT Controller application in a VPC, you might need to deploy a MeshConnect Network with 31 Sites. For the sites to function as a part of the MeshConnect network, a MeshConnect Agent has to be deployed on each site.

Follow this guide to configure sites on a MeshConnect network.

MeshConnect Agent

The MeshConnect agent is a small helper deployed on every Site to execute instructions from the MeshConnect coordinator service. Presently, the Agent program is available for all active Debian and Ubuntu versions (our team is actively developing builds for other Operating Systems). The MeshConnect agent remains consistently in sync with the UTunnel MeshConnect coordinator service, ensuring that the Agent is always prepared to carry out instructions.

When establishing a tunnel between networks, installing the MeshConnect Agent application on a dedicated host is advisable. In this scenario, the Agent installed host will function as a router, forwarding packets to and fro. Unexpected issues may occur if the Agent is installed on a shared host.

If you are creating a tunnel between two standalone servers, the agent application can be side-loaded. Further details on tunnel construction can be found in the SiteLink section.

MeshConnect Agent behind NAT

If the agent is deployed on a host placed behind NAT, it is recommended to set up a port-forwarding rule directing traffic from port UDP:51820 on the NAT gateway to the agent-installed host for seamless traffic flow. The port-forwarding configuration steps may differ across devices, you may need to consult your NAT gateway's user guide for guidance on setting up port-forwarding.

If the port-forwarding is configured on the NAT gateway, the port-forwarding enabled option must be checked on the agent configuration page.

MeshConnect Agent Functioning as Router

The MeshConnect agent installed host must be configured as a router to forward network traffic through it. It is recommended to keep this setting enabled in all cases, except when side-loading the agent application on a standalone server.

Follow this guide to learn about how to register a MeshConnect Agent on a Site.

Site Resources

Site resources are any network, IP address, or port on a host available on a site and to which access needs to be granted via the Site Link or Access Policies (for roaming users). Once the MeshConnect agent is deployed, the IP addresses available on the agent-installed host and associated subnets will be automatically discovered and labeled as local resources. The local resources will be updated with every MeshConnect service restart on the agent-installed host. Local resources cannot be removed, while non-local resources can be added or deleted at any time and incorporated into Site Link or Access Policy configurations.

Follow this guide to learn about how to manage resources on a MeshConnect Site.

Site Link

Site Link enables you to establish an encrypted tunnel between two or multiple sites (networks), culminating in the formation of a mesh network. To establish a tunnel, you must choose two sites and specify the resources associated with both sites. If no resources are defined, the tunnel will be established, and only the MeshConnect agent-installed hosts will be accessible to each other via the MeshConnect IP address (the IP address assigned to each agent in a network).

Technically, the tunnel is constructed between the MeshConnect agents. That means, if the MeshConnect agent is side-loaded on a set of standalone servers, and Site Links are configured among all the servers, it will create a mesh network of standalone servers.

To create a tunnel between multiple sites (networks), the MeshConnect agent must be configured to function as a router.

Follow this guide to configure a Site Link on a MeshConnect network.

Secure Remote Access with MeshConnect

MeshConnect can handle secure remote access use cases, apart from creating secure tunnels between the networks. It works on the principle of Zero Trust Network Access (ZTNA) granting segmented remote access to only specific resources on a network. It transcends traditional VPN solutions with its granular access controls, simultaneous connections to multiple sites, and enhanced performance (since it uses WireGuard protocol to build the tunnel!).

Remote access has two essential components: access policies and users. An access policy outlines the access boundaries for a user. With the access policy, you can provide access to all sites, a single site, or a specific resource within a site. Once the access policy is defined, it can be linked to a user. When a user connects to a MeshConnect network using the UTunnel client application, their access to the network is determined by the controls specified in the access policy.

Popular Support Articles

What is your Logging Policy

What is UTunnel Secure Access

What is a UTunnel Account

External DNS Server

What is Split Routing

Supported VPN Protocols