
MeshCentral: An Open-Source RMM Platform That Doesn't Sell You Out

MeshCentral is a free, self-hosted Remote Monitoring and Management platform. Why I default to it over commercial RMM vendors after the ConnectWise breach made the closed-source RMM model look very different.


The case for running your own RMM platform got considerably stronger in early 2024, when a critical authentication bypass in ConnectWise ScreenConnect (CVE-2024-1709) let anyone who could reach an unpatched instance create an administrator account and, from there, control every endpoint attached to it. RMM platforms are concentrated targets: one breach gets you remote access to thousands of customer networks at once. When that platform is a closed-source commercial product running in someone else’s cloud, the blast radius of any incident is everyone who uses it.

MeshCentral is the open-source alternative I default to. It’s a self-hosted RMM platform: web-based dashboard, agents for Windows / Linux / macOS, remote desktop, scripting, software inventory, alerting. Free, Apache-2.0-licensed, and you operate the server yourself. The blast radius of an incident on a MeshCentral install is exactly that install and the endpoints it manages. No more.

What MeshCentral actually does

MeshCentral is a complete RMM platform. From the manager’s seat, you get:

  • A web dashboard showing every agent: hostname, IP, OS, last contact, agent version, custom tags.
  • Remote desktop sessions to any agent (over the same TLS tunnel, no VPN needed).
  • Remote shell for scripted operations on Linux, macOS, and Windows.
  • File transfer to and from agents through the web UI.
  • Software inventory per agent.
  • Wake-on-LAN through the agent.
  • Two-factor auth on admin accounts (TOTP, FIDO2/WebAuthn hardware keys).
  • Multi-tenant support if you’re an MSP managing multiple client environments from one server.

The agent is a small binary, a few megabytes on Windows and smaller on Linux. It makes an outbound WebSocket connection over TLS to the MeshCentral server (port 443 by default), which means it works through firewalls and NAT without special configuration. The agent also pins the hash of the server’s agent certificate at install time, so it will not talk to a server that doesn’t hold the original key.

Why open-source matters for RMM specifically

The threat model for RMM is unusually concentrated. A normal SaaS breach exposes the SaaS’s data: customer records, transaction history, whatever. An RMM breach exposes your customers’ networks. Anyone with admin access to the RMM has SYSTEM- or root-level remote control over every endpoint that’s running an agent.

Three reasons that changes the math:

  • Concentrated risk. A commercial RMM vendor with 10,000 customers means an attacker who breaks the vendor breaks 10,000 networks. That’s why ransomware crews target RMM vendors specifically.
  • Air-gap impossible with SaaS RMM. You can’t put a SaaS RMM “inside” your network; the whole point is the vendor talks to your endpoints from their cloud. With MeshCentral, you can put the management plane on a private network, allow only your own admin IPs, and remove it from public discovery entirely.
  • Audit cost. When a closed-source vendor says “we’re secure”, you have their word for it. With MeshCentral, you can read the source. That doesn’t make it bug-free, but it makes “is the vendor lying about how this thing works” a tractable question instead of a leap of faith.

How I deploy MeshCentral

The deployment pattern I default to for client environments:

  • Self-hosted on a small VPS (2 vCPU, 4GB RAM handles a few hundred agents comfortably).
  • TLS via Let’s Encrypt, automated through Caddy or Nginx in front of MeshCentral.
  • Admin web UI reachable only from a private network or through a reverse proxy that allowlists admin IPs. Agents and admins share the same listener by default, so the proxy has to split them by path (the agent endpoints such as /agent.ashx stay public, everything else is restricted to admin IPs), or you give agents their own listener with MeshCentral’s agentPort setting. Either way, the agent endpoint is the only thing exposed to the internet.
  • 2FA mandatory on every admin account. Hardware key (YubiKey) preferred over TOTP for the actual sysadmins.
  • Daily Borg backups of the meshcentral-data directory (config.json, the database, and the server’s certificate files) to an off-site repository (see my Borg Backups writeup for that pattern). The certificates matter as much as the database: agents pin the server’s agent certificate hash, so restoring onto a server with freshly generated certificates orphans every deployed agent.
  • Patches applied within 48 hours of release. RMM platforms are first-class targets; you don’t get to be slow about updates.
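The configuration that pattern boils down to, as an added example (not the project’s own sample-config.json and not code from the original post): a config.json for a MeshCentral server sitting behind a TLS-terminating reverse proxy on the same host. The hostname, admin IP addresses and backup retention are placeholders; the key names are the ones I recall from MeshCentral’s sample-config.json and should be checked against the copy in your own meshcentral-data directory before use.

```json
{
  "settings": {
    "cert": "rmm.example.com",
    "port": 443,
    "redirPort": 80,
    "tlsOffload": "127.0.0.1",
    "trustedProxy": "127.0.0.1",
    "userAllowedIP": "203.0.113.10,203.0.113.11",
    "autoBackup": {
      "backupIntervalHours": 24,
      "keepLastDaysBackup": 14
    }
  },
  "domains": {
    "": {
      "title": "Agency RMM",
      "newAccounts": false,
      "force2factor": true,
      "agentInviteCodes": false
    }
  }
}
```

What each setting buys you: tlsOffload tells MeshCentral the proxy on 127.0.0.1 terminates TLS, and trustedProxy makes it take the client address from that proxy’s forwarded headers. userAllowedIP (the two placeholder admin addresses) only works in combination with trustedProxy: without it, every login appears to come from 127.0.0.1, so the allowlist either locks everyone out or, if you add 127.0.0.1 to get around that, lets everyone in. newAccounts: false and force2factor: true turn the “2FA mandatory on every admin account” bullet from a policy into something the server enforces, and agentInviteCodes: false keeps the self-enrolment page off the public listener. autoBackup is the server’s own snapshot of meshcentral-data, which is what the Borg job then ships off-site. The reverse proxy still has to restrict the non-agent paths by source IP; this file is the in-app layer underneath that.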

For the production-grade deployment pattern (Docker stack, Nginx Proxy Manager in front, agent-token rules per device group), see my MeshCentral self-hosted remote management writeup. The walkthrough video on this page covers the basics; the deployment post covers the parts that matter once it’s running for real clients.

When MeshCentral fits

The right tool when:

  • You manage 10-1,000 endpoints across Windows, Linux, and macOS.
  • You want full control over where the management plane lives and who can reach it.
  • You have (or can afford to develop) the operational discipline to patch and monitor an RMM properly.
  • You’d rather sponsor open-source than pay a recurring subscription that funds vendor sales teams.

The wrong tool when:

  • You manage 5 endpoints. SSH and a password manager handle that volume; an RMM is overkill.
  • You need polished agent-side workflows (auto-remediation playbooks, white-labeled customer portals, ticket-system integrations) out of the box. Commercial RMMs ship more of that. MeshCentral has the building blocks; you assemble them.
  • You’re a one-person IT team that doesn’t want to operate another server. A managed RMM service trading sovereignty for less operational tax is a defensible choice at small scales.

Closing the loop

MeshCentral is the RMM I’d run for a 50-person agency that takes its data seriously. Free, open-source, fully self-hosted, with a maintainer team that’s been around for almost a decade. The recent incidents at commercial RMM vendors haven’t made me nervous about MeshCentral; they’ve made me more comfortable defaulting to it.

If running an RMM in production sounds like one more thing your team shouldn’t have to babysit, the Cloud Infrastructure Audit & Hardening engagement covers MeshCentral deployment and the ongoing security posture as part of the managed setup. For more open-source tooling I run for clients, the open-source solutions category has the rest.

Video walkthrough

A screen-recording version of this guide is available on YouTube.
