Documentation
Quick start
Three commands to get connected:
```sh
# 1. Install
curl -fsSL https://get.veldmesh.io/install.sh | sh

# 2. Authenticate
veld login

# 3. Bring up the interface
veld up --network <your-network-id>
```
The install script detects your OS and architecture. It supports Linux (x86_64, arm64, MIPS), macOS (arm64, x86_64), and Windows.
Static config mode
You can run Veld without any coord server using a static TOML config. This is useful for fully air-gapped environments or two-machine setups where you control both peers.
```toml
# /etc/veld/config.toml
[node]
private_key = "base64-encoded-ed25519-private-key"
listen_port = 51820

[[peers]]
public_key = "base64-encoded-peer-public-key"
endpoint = "203.0.113.42:51820"
allowed_ips = ["10.0.0.2/32"]
```
Run with veld up --config /etc/veld/config.toml. No login required.
Self-hosting the coord server
The CE coordination server is a single static binary. It stores state in embedded SQLite (or Postgres via DATABASE_URL).
```sh
# Docker
docker run -d \
  -p 50051:50051 \
  -v veld-data:/data \
  veld/coord

# Point the daemon at your server
veld login --server grpc://your-coord:50051
```
Self-hosted installs operate under Free-tier limits (5 machines, 1 network). Upgrade by connecting to the managed cloud or running the managed coord server.
NAT traversal
Veld uses UDP hole-punching coordinated through the coord server. The coord server tells each peer the other's discovered public endpoint; both peers simultaneously send UDP packets to open the NAT pinholes. This succeeds for ~85% of real-world NATs.
For the remaining ~15% (symmetric NAT behind symmetric NAT), traffic is relayed through a chosen mesh peer — never through the coord server. The relaying peer can see packet sizes and timing but not content (all traffic is Noise IK encrypted end-to-end).
Subnet routing
A machine with subnet routing enabled can advertise a CIDR prefix to the network. All other peers route traffic for that prefix through the advertising machine. This requires the Teams plan or above.
```sh
# On the gateway machine
veld routes advertise 192.168.1.0/24

# All other peers can now reach the LAN
ping 192.168.1.100
```
CLI reference
| Command | Description |
|---|---|
| veld login | Authenticate with the coord server |
| veld up | Bring up the VPN interface |
| veld down | Bring down the VPN interface |
| veld status | Show peer list and connection status |
| veld peers | List all peers with latency and last-seen |
| veld routes advertise <prefix> | Advertise a subnet route |
| veld routes withdraw <prefix> | Withdraw a subnet route |
| veld network create <name> | Create a new network (managed) |
| veld network join <token> | Join a network with an invite token |
| veld version | Print daemon and protocol versions |