Infrastructure

Run your own relay server.

VaultMesh relay helps trusted devices reach each other across networks while forwarding encrypted payloads only.

Relay Packages All Downloads

What the Relay Does

VaultMesh devices sync directly on local network whenever possible. When devices are on different networks, relay provides rendezvous and forwarding for encrypted sync traffic.

Privacy model: relay transport is untrusted. Clients enforce protocol compatibility with header X-VaultMesh-Protocol: 3. Relay operators cannot decrypt vault plaintext.

Download Relay Packages

Official Relay Builds
Hosted from this website
Linux x64
.tar.gz binary package
Download
macOS Universal
.tar.gz binary package - arm64 + x64
Download
Windows x64
.zip binary package
Download

Quick Start (Binary)

# Linux or macOS example
tar -xzf vaultmesh-relay-v1.1.9-linux-x64.tar.gz
cd vaultmesh-relay-v1.1.9-linux-x64
chmod +x vaultmesh-relay

# Start relay on port 3030
./vaultmesh-relay --listen 0.0.0.0:3030 --db relay.db

# For production, put TLS in front with nginx, Caddy, or another reverse proxy.
# VaultMesh clients should use the public https:// relay URL.

System Requirements

ComponentRequirement
OSLinux (x86_64 or arm64), macOS, or Windows Server
RAM64 MB minimum
DiskLess than 30 MB for binary and logs
NetworkPublic domain or static IP with inbound TCP port
TLSTerminate HTTPS with a reverse proxy for production deployments

Configuration Reference

Configure relay using CLI flags.

FlagDefaultDescription
--listen0.0.0.0:3030HTTP API listen address
--dbrelay.dbSQLite database path for persistent storage
--modestore-and-forwardRelay mode: persistent store-and-forward or stateless
--ttl-hours72Message TTL in hours
--max-buffer10485760Maximum buffer size per vault in bytes
--p2p-port4001libp2p Circuit Relay listen port; use 0 to disable

Connect VaultMesh Clients

  1. Open Settings - Sync - Relay in VaultMesh client.
  2. Enter relay URL, for example https://relay.yourdomain.com.
  3. Save and use the same relay URL on all trusted devices in the vault.

Important: Production deployments should use https:// with TLS. Plain http:// is for localhost testing only.

Systemd Service (Linux)

# /etc/systemd/system/vaultmesh-relay.service
[Unit]
Description=VaultMesh Relay Server
After=network.target

[Service]
Type=simple
User=vaultmesh-relay
ExecStart=/usr/local/bin/vaultmesh-relay --listen 0.0.0.0:3030 --db /var/lib/vaultmesh-relay/relay.db
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable --now vaultmesh-relay
sudo systemctl status vaultmesh-relay

Health Check

GET /health

{
  "status": "ok",
  "protocol": "vaultmesh-relay-3",
  "mode": "store-and-forward",
  "buffering": "enabled"
}

Note: Relay is a sync transport component, not a VPN or generic proxy. Keep deployment access controls aligned with your policy.

Support

For deployment help, contact vaultmesh.support@gmail.com. Include relay version, command flags, and log snippets.