Security

Authentication & Access Control

MeshDash takes security seriously. Your dashboard is not an open relay — it's a locked-down, authenticated service that never exposes a port to the internet, even when you're accessing it remotely.

Security Layers

  • Network Layer: No inbound ports. No port forwarding. No dynamic DNS. No VPN. Remote access uses outbound-only polling.
  • Authentication: JWT tokens with bcrypt-hashed passwords. HttpOnly + SameSite session cookies. No credentials in URLs or localStorage.
  • Transport Security: HMAC-signed request verification. CSRF double-submit cookie pattern on all state-changing requests.
  • Access Tiers: Five remote access tiers — from heartbeat-only to full operator control. You decide exactly what the outside world can do.

Password Security

Passwords are hashed with bcrypt — the industry-standard adaptive hashing algorithm. No plaintext passwords are ever stored. The bcrypt work factor is tuned to make brute-force attacks impractical while keeping login fast.

  • bcrypt with automatic salt generation
  • No reversible encryption — passwords cannot be decrypted
  • Adaptive work factor resistant to GPU brute-force

JWT Session Tokens

After login, MeshDash issues a JSON Web Token (JWT) stored in an HttpOnly, SameSite session cookie — not in localStorage where XSS can steal it. Tokens expire on a configurable schedule (default: 7 days).

  • HttpOnly cookies — invisible to JavaScript
  • SameSite=Lax — the cookie is withheld from cross-site POST, PUT and DELETE requests, which blocks cross-site request forgery by default
  • Cryptographically signed with a per-instance secret key
  • Configurable expiry (AUTH_TOKEN_EXPIRE_MINUTES)

CSRF Protection

Every state-changing request (POST, PUT, DELETE) is protected by a double-submit cookie CSRF token. The server generates a 256-bit cryptographically random token, sets it as a cookie, and requires the same token in the request body. Mismatches are rejected with a 403.

  • 256-bit random CSRF tokens (secrets.token_urlsafe(32))
  • Double-submit cookie pattern — no server-side state needed
  • All POST/PUT/DELETE endpoints validated
  • GET requests are CSRF-exempt (read-only and idempotent by design)
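The double-submit check described above, as an added example that is not MeshDash's own code. The cookie and form field name `csrf_token` and the function names are assumptions made for illustration.

```python
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "DELETE"}  # methods the page lists as protected
FIELD = "csrf_token"                        # assumed cookie / form field name


def issue_csrf_token() -> str:
    """256-bit random token, generated the way the page states."""
    return secrets.token_urlsafe(32)


def check_csrf(method: str, cookies: dict, form: dict) -> int:
    """Return the HTTP status a double-submit check yields: 200 or 403."""
    if method.upper() not in STATE_CHANGING:
        return 200  # GET is exempt from the check
    cookie_token = cookies.get(FIELD, "")
    body_token = form.get(FIELD, "")
    # Both copies must be present: two missing values must never "match".
    if not cookie_token or not body_token:
        return 403
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(cookie_token.encode(), body_token.encode()):
        return 403
    return 200


def demo() -> list:
    """Run the check over constructed requests and collect the statuses."""
    token = issue_csrf_token()
    return [
        check_csrf("POST", {FIELD: token}, {FIELD: token}),     # matching pair
        check_csrf("POST", {FIELD: token}, {FIELD: "forged"}),  # body differs
        check_csrf("DELETE", {FIELD: token}, {}),               # body token missing
        check_csrf("POST", {}, {}),                             # nothing sent
        check_csrf("GET", {}, {}),                              # exempt method
    ]


if __name__ == "__main__":
    print(demo())
```

Because the server keeps no state, the check only proves that the sender can read the cookie, so it holds as long as no other origin can write cookies for the dashboard's host.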
Remote Access

Zero Inbound Attack Surface

The most common way dashboards get compromised is through an open port. MeshDash's remote access architecture eliminates that entirely.

❌ Traditional Remote Access

  • Open a port on your router (port forwarding)
  • Set up dynamic DNS or a static IP
  • Configure a reverse proxy with TLS certificates
  • Manage certificate renewals
  • Hope your firewall rules are correct
  • Exposed to port scanners and brute-force attacks

✓ MeshDash Remote Access

  • No inbound ports — your server makes outbound HTTPS calls only
  • No dynamic DNS — your server polls meshdash.co.uk
  • No TLS certificates to manage — relay handles termination
  • HMAC-signed requests — relay cannot forge commands
  • Rate-limited polling — configurable interval, default 15 seconds
  • Five access tiers — from heartbeat-only to full operator
Access Tiers

Granular Remote Control

Not all remote access is equal. MeshDash gives you five distinct permission tiers so you can expose exactly the level of control you're comfortable with — and nothing more.

| Tier | Can Read | Can Write | Use Case |
|---|---|---|---|
| off | - | - | No remote access at all. Local network only. |
| heartbeat | Status, version, uptime | - | Community map ping — your node appears on the public MeshDash map. |
| monitor | All node data, channels, neighbours | - | Let others see your mesh without controlling it. |
| read | Packets, messages, metrics, traceroutes, waypoints | - | Full read access for monitoring dashboards and log aggregation. |
| operator | All read access | Send messages, alerts, trigger extraction | Remote control without destructive operations. |
| full | All read access | All writes: messages, console, restart, updates, tasks, auto-reply | Complete remote administration. |

Two-Factor Authentication (TOTP)

MeshDash supports TOTP-based two-factor authentication using any authenticator app (Google Authenticator, Authy, 1Password, etc.). When TOTP is enabled, login requires both your password and a time-based one-time code.

  • RFC 6238 compliant — works with every major authenticator app
  • 1-window clock drift tolerance — no sync issues
  • Optional — enable when you need it, skip when you don't
  • Requires pyotp package (auto-installed if available)
Configuration

Security Settings Reference

All security-related configuration lives in .env. These are the keys that control authentication, session handling, and access.

Authentication

  • AUTH_SECRET_KEY
    Values: 64-char hex. Default: auto-generated.
    Signs JWT tokens. Auto-generated on first boot. Change to invalidate all active sessions.
  • AUTH_TOKEN_EXPIRE_MINUTES
    Values: integer. Default: 10080 (7 days).
    Session token lifetime. Lower for stricter security.
  • PUBLIC_MODE
    Values: true|false. Default: true until setup.
    When true, auth is bypassed and databases run in-memory. For public demos only.

Remote Access

  • C2_ACCESS_LEVEL
    Values: off|heartbeat|monitor|read|operator|full. Default: read.
    Maximum remote access tier. See tier table above.
  • C2_SYNC_INTERVAL_SECONDS
    Values: integer. Default: 15.
    How often (seconds) the server polls the relay for queued commands.
  • C2_MAX_REQUESTS_PER_SYNC
    Values: integer. Default: 10.
    Maximum proxy requests processed per sync cycle.
  • C2_MAX_RESPONSE_KB
    Values: integer. Default: 512.
    Maximum size (KB) of any single proxied response.
  • C2_BLOCKED_ENDPOINTS
    Values: pipe-separated.
    Endpoints always blocked from remote access, overriding tier.
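A pre-deployment check over the keys listed above, as an added example that is not part of MeshDash. The findings and thresholds are this example's own policy, the simple KEY=VALUE parsing is an assumption about the file, and both sample files are constructed.

```python
import re

# Tier names in ascending order of privilege, taken from the tier table.
TIERS = ["off", "heartbeat", "monitor", "read", "operator", "full"]
WRITE_TIERS = {"operator", "full"}   # the two tiers with a "Can Write" entry
DEFAULT_EXPIRY = 10080               # documented default: 7 days in minutes


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def audit(env: dict) -> list:
    """Return (key, finding) pairs for settings that deserve a second look."""
    out = []
    if env.get("PUBLIC_MODE", "").lower() != "false":
        out.append(("PUBLIC_MODE", "not explicitly false: auth may be bypassed"))
    if not re.fullmatch(r"[0-9a-fA-F]{64}", env.get("AUTH_SECRET_KEY", "")):
        out.append(("AUTH_SECRET_KEY", "not a 64-char hex value"))
    raw = env.get("AUTH_TOKEN_EXPIRE_MINUTES", str(DEFAULT_EXPIRY))
    if not raw.isdigit() or int(raw) > DEFAULT_EXPIRY:
        out.append(("AUTH_TOKEN_EXPIRE_MINUTES", "invalid or above the 7-day default"))
    tier = env.get("C2_ACCESS_LEVEL", "read")
    if tier not in TIERS:
        out.append(("C2_ACCESS_LEVEL", "unknown tier name"))
    elif tier in WRITE_TIERS:
        blocked = [e for e in env.get("C2_BLOCKED_ENDPOINTS", "").split("|") if e]
        out.append(("C2_ACCESS_LEVEL",
                    f"write-capable tier, {len(blocked)} endpoint(s) blocked"))
    return out


# Constructed sample files, not taken from a real deployment.
RISKY = ("PUBLIC_MODE=true\nAUTH_SECRET_KEY=changeme\n"
         "AUTH_TOKEN_EXPIRE_MINUTES=43200\nC2_ACCESS_LEVEL=full\n")
HARDENED = ("PUBLIC_MODE=false\nAUTH_SECRET_KEY=" + "ab" * 32 +
            "\nAUTH_TOKEN_EXPIRE_MINUTES=1440\nC2_ACCESS_LEVEL=monitor\n")

if __name__ == "__main__":
    for key, finding in audit(parse_env(RISKY)):
        print(f"{key}: {finding}")
```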
