MeshCentral Remote Management Installation

MeshCentral is a free, open-source remote device management platform that provides remote terminal, file transfer, remote desktop (RDP-like), and monitoring capabilities through a web interface. Running MeshCentral on your own Linux server lets you manage agents deployed across hundreds of machines without sending traffic through third-party services, making it suitable for enterprise IT environments and managed service providers.

Prerequisites

  • Ubuntu 20.04+, Debian 11+, or CentOS/Rocky 8+
  • Node.js 14+ (LTS recommended)
  • Root or sudo access
  • A domain name (required for valid TLS certificates)
  • Open ports: TCP 80, 443 (and optionally 4433 for MeshCentral's built-in TLS)

Installing MeshCentral

Install Node.js:

# Ubuntu/Debian - install Node.js via NodeSource
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash -
sudo apt install -y nodejs

# CentOS/Rocky
sudo dnf module install -y nodejs:20

# Verify installation
node --version
npm --version

Install MeshCentral:

# Create a dedicated user and directory
sudo useradd -r -m -d /opt/meshcentral -s /bin/bash meshcentral
sudo su - meshcentral

# Install MeshCentral via npm
mkdir meshcentral-data meshcentral-files meshcentral-backups
npm install meshcentral

# Return to your regular user
exit

Create a systemd service:

sudo tee /etc/systemd/system/meshcentral.service <<'EOF'
[Unit]
Description=MeshCentral Remote Management
After=network.target

[Service]
Type=simple
User=meshcentral
WorkingDirectory=/opt/meshcentral
ExecStart=/usr/bin/node /opt/meshcentral/node_modules/meshcentral
Restart=always
RestartSec=5
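Environment=NODE_ENV=production
# Allow the unprivileged service user to bind ports below 1024 (80/443)
AmbientCapabilities=CAP_NET_BIND_SERVICE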

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable meshcentral

Initial Configuration

MeshCentral generates a default config on first run. Customize it:

# Start once to generate the default config
sudo systemctl start meshcentral

# View generated config
sudo cat /opt/meshcentral/meshcentral-data/config.json

# Edit the configuration
sudo nano /opt/meshcentral/meshcentral-data/config.json

Minimal production config:

{
  "settings": {
    "cert": "meshcentral.example.com",
    "port": 4430,
    "aliasPort": 443,
    "redirPort": 80,
    "mongoDb": "mongodb://localhost:27017/meshcentral",
    "allowLoginToken": true,
    "allowFraming": false,
    "webrtc": false
  },
  "domains": {
    "": {
      "title": "My MeshCentral Server",
      "title2": "Remote Management",
      "loginNote": "Authorized access only",
      "newAccounts": false,
      "certUrl": "https://meshcentral.example.com",
      "agentConfig": ["webSocketMaskOverride=1"]
    }
  }
}

# Restart to apply configuration
sudo systemctl restart meshcentral

# Check startup logs
sudo journalctl -u meshcentral -f

TLS and Reverse Proxy Setup

MeshCentral can handle TLS itself, or you can front it with Nginx.

Option 1: MeshCentral built-in TLS with Let's Encrypt:

{
  "settings": {
    "cert": "meshcentral.example.com",
    "port": 443,
    "redirPort": 80,
    "letsEncrypt": {
      "email": "admin@example.com",
      "names": "meshcentral.example.com",
      "skipChallengeVerification": false
    }
  }
}

Option 2: Nginx reverse proxy:

# /etc/nginx/sites-available/meshcentral
server {
    listen 80;
    server_name meshcentral.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name meshcentral.example.com;

    ssl_certificate /etc/letsencrypt/live/meshcentral.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meshcentral.example.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:4430;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 330s;
    }
}

sudo ln -s /etc/nginx/sites-available/meshcentral /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
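
The function below lints a parsed config.json for the settings used in the listings above; it is an added example, not MeshCentral's code or part of the original guide. The function name, the nonRootService and behindTlsProxy options and the sample object are assumptions made for illustration.

```javascript
// Added example (not MeshCentral code): lint a parsed config.json against this guide's settings.
// opts.nonRootService: the service user is unprivileged and lacks CAP_NET_BIND_SERVICE.
// opts.behindTlsProxy: a reverse proxy (such as the Nginx option) terminates TLS.
// The function name and both option names are assumptions made for this example.
function auditMeshConfig(cfg, opts = {}) {
  const findings = [];
  const s = cfg.settings || {};

  // The UI exposes terminals and file access, so it should not be embeddable in a frame.
  if (s.allowFraming === true) findings.push('settings.allowFraming: UI can be framed');

  // Ports below 1024 need root or CAP_NET_BIND_SERVICE; without either the bind fails.
  for (const key of ['port', 'redirPort']) {
    if (opts.nonRootService && Number.isInteger(s[key]) && s[key] > 0 && s[key] < 1024)
      findings.push(`settings.${key}: ${s[key]} is below 1024 and cannot be bound`);
  }

  // A database on another host carries account and device data across the network.
  if (typeof s.mongoDb === 'string') {
    let host = '';
    try { host = new URL(s.mongoDb).hostname; } catch (e) { host = ''; }
    if (!['localhost', '127.0.0.1', '[::1]'].includes(host))
      findings.push('settings.mongoDb: host is not loopback or the URI is unparsable');
  }

  for (const [name, d] of Object.entries(cfg.domains || {})) {
    const label = `domains["${name}"]`;
    // Self-registration stays open unless newAccounts is explicitly turned off.
    if (d.newAccounts !== false && d.newAccounts !== 0)
      findings.push(`${label}.newAccounts: self-registration is not disabled`);
    // Behind a TLS-terminating proxy, certUrl points the server at the certificate agents see.
    if (opts.behindTlsProxy && !/^https:\/\//.test(d.certUrl || ''))
      findings.push(`${label}.certUrl: missing or not https`);
  }
  return findings;
}

// Constructed sample: the guide's minimal config with allowFraming and newAccounts
// flipped to true and certUrl removed.
const sampleConfig = {
  settings: { cert: 'meshcentral.example.com', port: 4430, aliasPort: 443, redirPort: 80,
              mongoDb: 'mongodb://localhost:27017/meshcentral', allowFraming: true },
  domains: { '': { title: 'My MeshCentral Server', newAccounts: true } }
};
console.log(auditMeshConfig(sampleConfig, { nonRootService: true, behindTlsProxy: true }));
```

To check a real server, pass in the result of JSON.parse on /opt/meshcentral/meshcentral-data/config.json before restarting the service.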

Deploying Agents

MeshCentral agents communicate back to the server and provide remote management capabilities.

Generate agent installers from the web interface:

  1. Log into https://meshcentral.example.com as admin
  2. Create a Device Group (click the + button)
  3. Click the group, then Add Agent
  4. Select the target OS and download the installer

Linux agent deployment:

# Download and install the agent (URL from MeshCentral web UI)
# -f fails on HTTP errors; -o names the output file that the next commands expect
curl -fL "https://meshcentral.example.com/meshagents?id=6&meshid=<MESH_ID>&tag=v2&type=linux64" \
  -o meshagent_linux_x86-64
chmod +x meshagent_linux_x86-64
sudo ./meshagent_linux_x86-64 -install

# The agent installs as a service
sudo systemctl status meshagent

# Verify agent appears in MeshCentral web interface

Mass deployment with a script:

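#!/bin/bash
# deploy-meshagent.sh - run on each target machine
set -euo pipefail

MESH_URL="https://meshcentral.example.com"
MESH_ID="your-mesh-id"

# Use an unpredictable temp file: the binary is run with sudo, so a fixed
# path in /tmp could be pre-created or swapped by another local user
AGENT="$(mktemp /tmp/meshagent.XXXXXX)"

# -f fails on HTTP errors so an error page is never installed as the agent;
# -o alone sets the output path (combined with -O the file lands elsewhere)
curl -fL "${MESH_URL}/meshagents?id=6&meshid=${MESH_ID}&tag=v2&type=linux64" \
  -o "${AGENT}"
chmod +x "${AGENT}"
sudo "${AGENT}" -install
sudo systemctl start meshagent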

Device Groups and Multi-User Access

Create device groups for organization:

  1. In the web UI, click My Devices > Add Device Group
  2. Set a name and optional description
  3. Choose Agent-based for managed devices or Intel AMT for hardware control

Add users with role-based access:

# Via the web UI: Admin > Users > Add User
# Set roles per device group:
# - Full Admin: complete control
# - Operator: remote control without config changes
# - Viewer: read-only access

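Configure two-factor authentication (2FA). The twoFactorCookieDurationDays setting controls how many days a browser is remembered after it passes 2FA. Do not set "auth": "sspi" on a Linux server: it selects Windows integrated authentication and only works when MeshCentral itself runs on Windows.

{
  "domains": {
    "": {
      "twoFactorCookieDurationDays": 30
    }
  }
}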

Remote Terminal and File Transfer

Remote terminal access:

  1. Click a device in the web interface
  2. Select Terminal (Linux/macOS) or Commands (Windows)
  3. A web-based terminal opens with full shell access

File transfer via the web interface:

  1. Select a device and click Files
  2. Browse, upload, or download files through the browser
  3. Right-click files for rename, delete, or download options

API-based file operations:

# MeshCentral is scripted over its WebSocket control API; the bundled
# meshctrl.js command-line tool wraps it. Run from /opt/meshcentral.
# Authenticate and confirm the login works
node node_modules/meshcentral/meshctrl.js ServerInfo \
  --url wss://meshcentral.example.com \
  --loginuser admin --loginpass 'yourpassword'

# List devices via API
node node_modules/meshcentral/meshctrl.js ListDevices \
  --url wss://meshcentral.example.com \
  --loginuser admin --loginpass 'yourpassword'

Troubleshooting

Agent not connecting to server:

# Check agent service on the managed machine
sudo systemctl status meshagent
sudo journalctl -u meshagent -n 30

# Verify the server is reachable from the agent
curl -k https://meshcentral.example.com/meshrelay.ashx

# Check agent configuration
cat /usr/local/mesh/meshagent.msh

Web interface not loading:

# Check MeshCentral service status
sudo systemctl status meshcentral
sudo journalctl -u meshcentral -n 50

# Verify port is listening
sudo ss -tlnp | grep 4430

# Test with curl (skip cert verification for self-signed)
curl -k https://localhost:4430/

Certificate errors in browser:

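# Regenerate the web server certificate
sudo systemctl stop meshcentral
# Back up first: the root and agent-server certificates in this directory are
# what deployed agents trust, so deleting them cuts off every installed agent
sudo cp -a /opt/meshcentral/meshcentral-data \
        "/opt/meshcentral/meshcentral-backups/data-$(date +%F)"
sudo rm /opt/meshcentral/meshcentral-data/webserver-cert-private.key \
        /opt/meshcentral/meshcentral-data/webserver-cert-public.crt
sudo systemctl start meshcentral
# MeshCentral generates the missing certs on startup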

Conclusion

MeshCentral provides a comprehensive self-hosted remote management platform that rivals commercial solutions, with web-based terminal access, file transfer, remote desktop, and granular multi-user access control all running on your own infrastructure. By combining agent-based management with device groups and role-based permissions, it scales from managing a handful of servers to enterprise fleets of hundreds of devices without per-seat licensing or external data exposure.