A 50-tech IT shop running ConnectWise Control pays roughly $25,000 a year for remote access. That same shop running MeshCentral on a $40-per-month VPS pays $480. The features overlap on most daily workflows. The math is hard to argue with, and that's why MeshCentral has become a serious option for MSPs and internal IT teams tired of seat-based pricing.
This guide walks through everything you need to evaluate MeshCentral: what it does, how to deploy it on Docker or bare metal, the security posture, and a feature-by-feature comparison against ConnectWise Control and Splashtop. By the end, you'll know whether it's a fit for your stack.
What MeshCentral Is and Why It Matters
MeshCentral is a self-hosted remote access platform written by Ylian Saint-Hilaire, a former Intel engineer who's been the primary maintainer since 2014. It runs as a Node.js server, supports Windows, macOS, and Linux endpoints, and gives you remote desktop, file transfer, terminal access, and Wake-on-LAN over a single web console.
The licensing is Apache 2.0. There's no enterprise tier, no per-seat fee, no telemetry sent back to a vendor. You install it on hardware you control and keep every byte of session data in-house. For MSPs that have watched their PSA or RMM vendor jack up prices three years running, that alone is the headline.
The catch: there's no commercial support contract you can buy. You're either comfortable reading docs and skimming GitHub issues, or you're not. The community on r/MeshCentral and the Lawrence Systems forum is active, and Ylian still answers questions personally on the issue tracker. But it's not a phone-a-vendor situation.
For shops that already self-host things like Bitwarden, Nextcloud, or Snipe-IT for asset management, MeshCentral fits the same operational pattern. For shops that want a vendor on the hook when something breaks, it doesn't.
Core Features That Matter for IT Teams
Strip the marketing language away and MeshCentral does five things well.
Remote desktop is the headline. The agent installs on Windows, macOS, Linux, and FreeBSD, and the web console gives you mouse, keyboard, and clipboard access through a browser. No client to install on the technician side. Performance is comparable to ConnectWise Control on LAN and slightly slower on high-latency WAN, mostly because MeshCentral doesn't have the same bandwidth compression that the commercial vendors have invested in.
File transfer works in both directions, drag-and-drop in the browser. There's no size cap aside from what your server disk and memory can handle. For pushing patches or pulling logs off a misbehaving endpoint, it's identical to what ScreenConnect gives you.
Terminal access is full bash, PowerShell, or cmd, depending on the OS. The terminal is logged server-side if you turn audit logging on, and you can replay sessions later for compliance or training.
Wake-on-LAN works through any agent on the same broadcast domain as the target machine. So if you have one always-on box per site, you can wake the rest. No magic, just standard WoL packets relayed through the agent network.
Device groups, user roles, and permissions are granular enough to build a real least-privilege model. You can scope a junior tech to view-only on production servers, give a senior tech full control on workstations, and restrict file transfer entirely for clients who require it. Permission inheritance is one of the cleaner implementations in the open-source remote access space.
What it doesn't do natively: ticketing, billing, scripting libraries, patch deployment automation. Those belong in a proper RMM or PSA stack, not a remote access tool.
Deployment Options: Docker vs Bare Metal
You have two reasonable paths for getting MeshCentral running. Both work, both are documented, and the choice usually comes down to how the rest of your infrastructure is organized.
Docker is the faster setup. A docker-compose file with the MeshCentral image, a MongoDB container, and a reverse proxy (Caddy or Nginx) gets you to a working install in under an hour. The community-maintained image at ylianst/meshcentral on Docker Hub stays current with upstream releases, usually within a few days of a tagged version. Persistent volumes for the meshcentral-data, meshcentral-files, and meshcentral-backups directories handle state, and you can tear the whole thing down and rebuild from those volumes if a config change breaks something.
The downsides of Docker: WebRTC peer-to-peer connections require host networking mode on Linux, which complicates running MeshCentral alongside other services on the same host. Some folks work around it by giving MeshCentral its own VPS. At $5 to $40 a month for a DigitalOcean or Hetzner box, that's not a budget breaker.
Bare metal install uses Node.js and npm directly on Ubuntu, Debian, or Rocky Linux. The official docs walk through installing Node 18 LTS, MongoDB 6 or 7, and the meshcentral package itself. Total time is similar to Docker once you've done it twice, but the first attempt usually takes longer because you're touching system services directly. The benefit is no container abstraction layer, no networking quirks, and slightly lower memory overhead, somewhere around 200MB of RAM instead of 400MB for the Docker stack.
For shops with one or two technicians who want minimum maintenance, Docker wins. For shops with a Linux-savvy admin who already runs Nginx and MongoDB elsewhere, bare metal is fine and possibly preferable.
A third option, AWS or Azure marketplace, exists but it's more expensive than self-managing on a $20 VPS, and you don't gain much aside from the cloud provider's billing integration. Most production deployments end up on Hetzner, Linode, or a colocation server in the office.
Sizing guidance from the field: a 4GB RAM, 2-vCPU box handles 200 concurrent agents comfortably. Above 500 agents, jump to 8GB and split MongoDB onto its own node. Above 2,000 agents, consider clustering MeshCentral with multiple frontend nodes behind a load balancer and a replicated MongoDB.
Security: TLS, 2FA, Agent Pinning, and Audit Logs
Self-hosted means you're the security team. MeshCentral gives you the controls; whether you turn them on is on you.
TLS is mandatory for any production deployment. The default config ships with self-signed certs, which works for testing but breaks browser trust and triggers warnings. Use Let's Encrypt via the built-in ACME integration or terminate TLS at a Caddy or Nginx reverse proxy. The reverse proxy approach is what most production sites end up doing because it lets you run other services on the same domain and handle cert rotation centrally.
Two-factor authentication is built in and supports TOTP apps (Authy, 1Password, Google Authenticator) and hardware keys via WebAuthn. Turn it on for all admin accounts before you put the install on the public internet. There's a config flag, "2factor": "required", that forces 2FA on every user. Use it.
Agent pinning is the security feature most operators miss. By default, MeshCentral agents will reconnect to any server with a valid TLS cert that matches the hostname they were configured with. If an attacker hijacks DNS or compromises your reverse proxy cert, agents reconnect to the attacker's server. The fix is "agentCertHash" pinning, which embeds the SHA-384 fingerprint of your server cert into the agent installer. Agents refuse to talk to any server with a different cert, period. Set this before you mass-deploy agents.
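The pin check this paragraph describes, as an added example in Node.js; it is not MeshCentral's agent code. It assumes the fingerprint is SHA-384 over the DER encoding of the whole certificate, and the function names, hostname and certificate bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Strip the PEM armor and return the DER bytes the fingerprint is computed over.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no CERTIFICATE block found');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// SHA-384 over the DER encoding, as 96 lowercase hex characters.
function sha384Fingerprint(der) {
  return crypto.createHash('sha384').update(der).digest('hex');
}

// Accept pins written as "AB:CD:..." or "abcd..."; reject anything else.
function normalizePin(pin) {
  const hex = pin.replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{96}$/.test(hex)) throw new Error('pin is not a SHA-384 hex digest');
  return hex;
}

// True only when the presented certificate hashes to the pinned value.
// Hostname and CA validity are not inputs here: a certificate that passes
// both is still rejected if its bytes differ from the pinned one.
function matchesPin(presentedDer, pin) {
  return sha384Fingerprint(presentedDer) === normalizePin(pin);
}

// Constructed stand-ins for DER bytes (not real certificates): the operator's
// server certificate and a different certificate issued for the same hostname.
const serverDer = Buffer.from('constructed server cert for mesh.example.test');
const otherDer = Buffer.from('constructed substitute cert for mesh.example.test');
const pem = '-----BEGIN CERTIFICATE-----\n' + serverDer.toString('base64') +
  '\n-----END CERTIFICATE-----\n';

// The pin is computed once, at installer build time, from the real certificate.
const pin = sha384Fingerprint(pemToDer(pem));
console.log('pinned fingerprint:', pin);
console.log('pinned server accepted:', matchesPin(serverDer, pin));
console.log('substitute accepted:', matchesPin(otherDer, pin));
```

In this sketch the digest covers the whole certificate, so a reissued certificate also fails the check until the pin is updated.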
Audit logging captures user logins, session starts and stops, file transfers, and terminal commands. The logs go to a JSON file by default, but MeshCentral can ship them to syslog or a SIEM if you wire up the integration. For shops in regulated environments, the terminal session replay feature is the missing piece most commercial tools lack and charge extra for.
Network exposure: MeshCentral wants port 443 open inbound from the internet for the web console and agent traffic. Nothing else. No agent-to-agent traffic, no peer-to-peer over arbitrary ports unless you explicitly enable WebRTC for performance. Lock down everything else with a host firewall and you've cut the attack surface to one well-understood port.
CVE history is short. There have been three reported security issues since 2020, all patched within days of disclosure, none with active exploitation in the wild. That's a better track record than several commercial competitors with dedicated security teams.
MeshCentral vs ConnectWise Control vs Splashtop
The closest commercial peers to MeshCentral are ConnectWise Control (formerly ScreenConnect) and Splashtop SOS. Here's how they stack up on the dimensions that matter for IT teams making a buy-versus-host decision.
| Feature | MeshCentral | ConnectWise Control | Splashtop SOS |
|---|---|---|---|
| Hosting model | Self-hosted | Self-hosted or cloud | Cloud only |
| Pricing (50 techs) | ~$480/yr (VPS) | ~$25,000/yr | ~$15,000/yr |
| Per-endpoint fee | None | None (unlimited) | None (unattended add-on) |
| Remote desktop performance | Good | Strongest | Strongest |
| File transfer | Yes | Yes | Yes |
| Wake-on-LAN | Yes | Yes (paid add-on) | Yes |
| Session recording | Yes (built-in) | Yes (Premium tier) | Yes (Premium tier) |
| Mobile app | Yes (Android, iOS) | Yes | Yes |
| Active Directory / SSO | LDAP, SAML, OIDC | SAML, AD | SAML, AD, OIDC |
| Scripting / automation | Limited (extensions) | Yes (Toolbox) | Limited |
| Vendor support contract | None | 24/7 phone | 24/7 phone |
| Audit logging | Yes | Yes | Yes |
| Setup time | 1-3 hours | 30 minutes (cloud) | 15 minutes |
MeshCentral wins on cost and data sovereignty by an order of magnitude. ConnectWise Control wins on raw remote desktop performance, especially on bad connections, where their proprietary protocol is genuinely faster. Splashtop wins on time-to-first-session for shops that don't want to manage a server.
Where the comparison gets nuanced: ConnectWise Control's pricing has gone up roughly 15-20% per year for the past three cycles. Splashtop has been more stable but has been moving features into higher tiers. If you're building a 5-year cost model, the gap between MeshCentral and the commercial options widens significantly. The IT teams that have switched usually cite this trajectory more than the absolute number.
Where MeshCentral Falls Short
MeshCentral isn't the right answer for every team. Three places where it loses to commercial options.
First, polish. The web UI works but it's clearly a project built by engineers for engineers. Some workflows take an extra click compared to ConnectWise Control. Reports are limited. The mobile app is functional but not as smooth as Splashtop's. If your technicians are used to consumer-grade software, the rough edges show.
Second, support. There's no 24/7 phone line. There's no SLA. If MongoDB corrupts itself at 2 AM during a client emergency, you're on your own with backups and Stack Overflow. For shops with a strong sysadmin on staff, that's fine. For shops that need someone to call, it's a problem. A few MSPs solve this by paying a third party for retainer support on the underlying stack (Node.js, MongoDB, Linux), but that adds back some of the cost MeshCentral was meant to remove.
Third, integration breadth. ConnectWise Control plugs into the rest of the ConnectWise stack. Splashtop plugs into Datto and Atera. MeshCentral plugs into whatever you're willing to script against its API. The API is solid, REST and WebSocket, but you'll write the glue code yourself. For most teams, that's an afternoon project per integration. For teams that want everything to work out of the box, it's friction.
The gaps don't make MeshCentral wrong. They just make it different. It's a tool that rewards operators who want control and don't mind doing some plumbing.
When MeshCentral Makes Sense (and When It Doesn't)
MeshCentral makes sense for IT teams that already self-host other infrastructure, have at least one engineer comfortable with Linux and MongoDB, and have a clear budget pressure that makes the savings meaningful. It also makes sense for teams in regulated environments where data sovereignty isn't a nice-to-have. Healthcare, defense, education, and government IT shops have been the heaviest adopters for exactly this reason.
It doesn't make sense for one-person IT shops where every hour of admin time is more expensive than a SaaS license. It doesn't make sense if your remote access volume is tiny, like 10 endpoints once a quarter. And it doesn't make sense if your team is already maxed out on infrastructure work and the last thing they need is one more service to maintain.
For teams looking to reduce IT spend without compromising tooling quality, MeshCentral is one of the cleanest single-line cost cuts available. Replace one $20K commercial license with $500 of VPS, keep functional parity on most daily workflows, and reinvest the difference somewhere it matters more.
For teams that want a no-lock-in MSP platform that bundles remote access with PSA, ticketing, and asset management in one package, OpenFrame is worth a look. It's not free like MeshCentral, but it's affordable and it ships with native PSA, so you don't end up stitching three vendors together to get a working stack.
Frequently Asked Questions
Is MeshCentral Really Free?
Yes. MeshCentral is licensed under Apache 2.0, which means free for commercial use, modification, and redistribution. There's no paid tier, no upsell. Your only costs are server hosting (typically $20 to $100 per month for most deployments) and your own time to install and maintain the system.
Can MeshCentral Handle Thousands of Agents?
Yes, with appropriate hardware. A single MeshCentral server on 8GB RAM and 4 vCPUs handles roughly 1,500 agents in production. For larger deployments, MeshCentral supports clustering with multiple frontend nodes and a replicated MongoDB backend. The largest known deployments run 10,000+ agents across clustered setups.
How Does MeshCentral Compare to Tactical RMM?
Tactical RMM is a more complete RMM platform that includes patching, scripting, and monitoring. It uses MeshCentral as its remote access component under the hood. If you need RMM features beyond remote access, Tactical RMM is the better fit. If you only need remote access, MeshCentral alone is lighter and cheaper to run.
Does MeshCentral Work Without Internet Access?
Yes, on internal networks. MeshCentral can run entirely on a private network with agents connecting over LAN or VPN. Some shops deploy it air-gapped for highly sensitive environments. The only requirement is that agents can reach the MeshCentral server on port 443 over whatever network you use.
What Happens if Ylian Stops Maintaining MeshCentral?
The code is Apache 2.0 and hosted on GitHub with thousands of stars and active forks. If primary maintenance ever stopped, the community would almost certainly fork it. That's the structural advantage of open-source tools over commercial alternatives where a single acquisition or shutdown ends product development.
Is MeshCentral Safe to Expose to the Public Internet?
Yes, with proper hardening. Enable TLS via Let's Encrypt, require 2FA for all users, pin agent certificates with agentCertHash, and keep the server patched. These four steps put MeshCentral's security posture on par with commercial cloud-hosted alternatives. Skip them and you're running an open relay.
The Bottom Line
MeshCentral isn't the prettiest remote access tool, and it isn't the easiest to operate. What it is, is the cheapest functional alternative to ConnectWise Control and Splashtop by an order of magnitude, with a security model that holds up to scrutiny and a license that no vendor can ever yank. For IT teams willing to trade some convenience for control, that trade keeps getting more attractive every time the commercial vendors send out their annual price hike emails.
Kristina Shkriabina
Kristina runs content, SEO, and community at Flamingo and OpenMSP. She spent years as a correspondent for Ukraine's Public Broadcasting Company before making the jump to tech. Now she covers MSP stack decisions and strategy. You can connect with her in the OpenMSP community or on LinkedIn.