MeshDash Docs
R2.0
/
Docs Downloads
Home API Reference Remote Access (C2)

Remote Access (C2)

API Reference remote c2 access proxy community map heartbeat tier access level api key security
Access your dashboard from anywhere via meshdash.co.uk without port forwarding. Tier-based access control.

MeshDash's C2 (Command & Control) system lets you access your local dashboard from anywhere — without opening ports, setting up a VPN, or exposing your device to the internet. Your node polls the meshdash.co.uk server at regular intervals for queued requests and proxies them back.

How It Works

[Your Remote Browser]
         |
         | HTTPS
         v
[meshdash.co.uk proxy server]
         |
         | Long-poll / request queuing
         v
[Your MeshDash device] — polls every C2_SYNC_INTERVAL_SECONDS
         |
         v
[Your Meshtastic Radio]

Your device initiates all outbound connections. Nothing listens on a public port. The C2 worker sends a signed heartbeat JSON payload to the community server on each sync cycle, along with a response to any queued proxy requests.

Enabling Remote Access

Set the following in .mesh-dash_config (or configure via the Setup Wizard / Settings UI):

COMMUNITY_API=true
COMMUNITY_API_KEY=YOUR_KEY_FROM_WIZARD
C2_ACCESS_LEVEL=operator
C2_SYNC_INTERVAL_SECONDS=15
HEARTBEAT_INTERVAL_MINUTES=1
Treat your API key like a password. It authenticates all C2 traffic. The key is embedded in remote access URLs. If compromised, contact MeshDash support for rotation.

Access Levels

The C2_ACCESS_LEVEL setting defines what can be accessed remotely. System config, login, and setup endpoints are always blocked regardless of level.

LevelValueGET Endpoints AvailablePOST Endpoints Available
L0 off Remote access completely disabled
L1 heartbeat /api/status, /api/stats, /api/system/version-status None
L2 monitor L1 + nodes, channels, neighbors, local node None
L3 read L2 + packets, messages, metrics, traceroutes, waypoints, hardware logs, connection history None
L4 ★ operator Same as L3 /api/messages, /api/alert, /api/monitor, /extract
L5 full Same as L3 L4 + console, restart, update, tasks, auto_reply
Operator is the recommended level for most users. It provides full visibility and the ability to send messages without exposing system administration endpoints.

Absolute Blacklist

The following endpoints are permanently blocked remotely at every access level — they cannot be added to C2_EXTRA_ENDPOINTS:

  • /api/system/config
  • /api/system/config/update
  • /api/system/config/initial-setup
  • /login, /logout, /setup
  • /sse, /sse-debug

Custom Endpoint Overrides

Fine-tune which endpoints are accessible beyond the tier defaults:

# Allow extra GET endpoints not in the tier
C2_EXTRA_ENDPOINTS=/api/custom/sensor|/api/my_plugin/data

# Explicitly block endpoints even if in the tier
C2_BLOCKED_ENDPOINTS=/api/traceroutes|/api/waypoints

Rate Limiting & Protection

The C2 bridge applies several protections automatically:

Path sanitisation
Path traversal (.., //) is blocked. Paths with unusual characters are rejected.
Method restriction
Only GET and POST are allowed. Other methods return 405.
Request cap
C2_MAX_REQUESTS_PER_SYNC (default 10) — maximum proxy requests processed per sync cycle.
Response cap
C2_MAX_RESPONSE_KB (default 512 KB) — responses larger than this are rejected with 413.
Parameter clamping
limit parameters are capped to 10,000 max, preventing large data dumps.
Internal token
Each proxied request uses a short-lived (30 s) internal JWT — not your real session token.
HMAC signature
Heartbeat payload is signed with your API key using HMAC-SHA256 for integrity verification.
Exponential backoff
On consecutive errors, sync interval backs off exponentially up to 300 s.

Community Map

When COMMUNITY_API=true, your node appears on the public MeshDash community map. Location sharing is controlled by three config keys:

SEND_LOCAL_NODE_LOCATION
Share your own GPS position on the map.
SEND_OTHER_NODES_LOCATION
Share positions of other nodes your radio hears.
LOCATION_OFFSET_ENABLED + LOCATION_OFFSET_METERS
Add a random offset to all reported positions. Useful for privacy when sharing your home node's location.

Monitoring C2 Activity

GET /api/c2/status   (Auth Required)

{
  "stats": {
    "heartbeats_sent": 1440,
    "heartbeat_failures": 0,
    "proxy_requests_received": 87,
    "proxy_responses_sent": 87,
    "outbox_messages_forwarded": 5,
    "admin_commands_received": 2,
    "last_contact": 1705329000.0,
    "last_error": null
  },
  "logs": [...]
}

The full audit log (including blocked requests and their reasons) is also viewable via the C2 Status page at /c2_status.

Radio Connection Task Scheduler