Troubleshooting
Common issues and solutions for MESH deployments.
Connection issues
Can't Connect to Control plane
Symptoms:
meshcli upfails with connection error- "Unable to reach control plane" message
- Timeout errors
Solutions:
- Verify control plane URL
- Check DNS resolution
- Check firewall
# Test HTTPS connectivity
telnet mesh.yourdomain.com 443
# Check if port is open
nc -zv mesh.yourdomain.com 443
- Verify control plane is running
- Check reverse proxy
- Try different network
- Switch from WiFi to mobile data (or vice versa)
- Some networks block VPN traffic
Daemon Won't Start
Symptoms:
tailscaled-amneziafails to start- Socket errors
- Permission denied errors
Solutions:
- Check if already running
- Check socket permissions
- Check state directory
- Run with verbose logging
sudo tailscaled-amnezia \
--socket=/var/run/mesh/tailscaled.sock \
--state=/var/lib/mesh/tailscaled.state \
--statedir=/var/lib/mesh \
--verbose=2
- Check systemd service (if using)
Authentication Fails
Symptoms:
- "Invalid auth key" error
- "Auth key expired" error
- Login prompt doesn't appear
Solutions:
- Verify pre-auth key
- Generate new key
- Check key expiration
- Pre-auth keys expire after the specified time
-
Generate a new key if expired
-
Try interactive authentication
# Without --authkey
sudo meshcli up --login-server=https://mesh.yourdomain.com
# Follow the URL to authenticate
No Mesh IP Assigned
Symptoms:
meshcli statusdoesn't show a mesh IP address- Node appears offline
- Can't communicate with other nodes
Solutions:
- Verify pre-auth key is valid
# On control plane, check if key is valid and not expired
docker exec headscale headscale preauthkeys list
- Check control plane logs
- Ensure user exists
# List users
docker exec headscale headscale users list
# Create user if missing
docker exec headscale headscale users create default
- Try reconnecting
- Check node registration
# On control plane
docker exec headscale headscale nodes list
# Verify your node appears in the list
Connectivity issues
No Peer-to-Peer Connection (Using DERP Relay)
Symptoms:
meshcli statusshows DERP address inCurAddr- Slow connection speeds
- High latency
Solutions:
- Check NAT type
- Check UDP connectivity
- Check firewall rules
# Linux
sudo iptables -L -n -v
sudo ufw status
# Allow WireGuard port (usually random high port)
sudo ufw allow 41641/udp
- Enable UPnP/NAT-PMP on router
- Check router settings
-
Enable UPnP or NAT-PMP for automatic port forwarding
-
Try different network
- Some networks (corporate, public WiFi) block UDP
-
Try mobile data or different WiFi network
-
Force direct connection
Peers Not Visible
Symptoms:
meshcli status --peersshows no peers- Devices don't appear in mesh
- Can't ping peers
Solutions:
- Verify both devices are connected
- Check ACLs
- Verify same control plane
-
Ensure all devices connect to the same control plane URL
-
Check user assignment
- Restart daemon
Connection Drops Frequently
Symptoms:
- Intermittent connectivity
- Frequent reconnections
- "Peer offline" messages
Solutions:
- Check network stability
- Disable power saving (mobile)
- Android: Settings > Battery > Optimize battery usage > MESH > Don't optimize
-
Disable "Adaptive battery" for MESH app
-
Increase keepalive
- Check DERP relay stability
- Monitor logs
ADB Issues
ADB Connection Fails
Symptoms:
adb connectfails- "Connection refused" error
- "Unable to connect" error
Solutions:
- Verify device is online
- Check ADB port
- Enable ADB-over-WiFi
- Restart ADB
- Check firewall on Android
- Some security apps block ADB
-
Temporarily disable and test
-
Verify ADB is enabled in MESH app
- Open MESH app
- Settings > ADB-over-WiFi > Enabled
ADB Disconnects Frequently
Symptoms:
- ADB connection drops during operations
- "device offline" errors
- Need to reconnect frequently
Solutions:
- Disable power saving
-
Settings > Battery > MESH > Don't optimize
-
Keep MESH app in foreground
-
Don't minimize the app during ADB operations
-
Use persistent connection
- Check network stability
- Ensure stable WiFi/mobile connection
- Avoid switching networks during operation
Performance issues
Slow Transfer Speeds
Symptoms:
- Slow file transfers
- High latency
- Timeouts during large operations
Solutions:
- Check connection type
sudo meshcli status --json | jq '.Peer[] | {name: .HostName, addr: .CurAddr}'
# Direct connection is faster than DERP relay
- Disable AmneziaWG obfuscation
# If not needed for censorship resistance
sudo rm /etc/mesh/amneziawg.conf
sudo systemctl restart mesh
- Use lighter obfuscation
- Switch from Heavy to Balanced or Light preset
-
Check network bandwidth
- Compress data
# Compress before transfer
adb shell tar -czf /sdcard/data.tar.gz /data/local/tmp/
adb pull /sdcard/data.tar.gz
High CPU Usage
Symptoms:
- High CPU usage by tailscaled-amnezia
- Device heating up
- Battery drain (mobile)
Solutions:
- Disable obfuscation
- AmneziaWG adds CPU overhead
-
Disable if not needed
-
Reduce connection checks
- Limit peer count
- Use ACLs to limit visible peers
-
Only connect to necessary devices
-
Check for loops
Control plane Issues
Headscale Won't Start
Symptoms:
- Docker container exits immediately
- "Address already in use" errors
- Database errors
Solutions:
- Check logs
- Check port conflicts
- Verify config syntax
- Check database
- Reset database (WARNING: deletes all data)
Nodes Not Registering
Symptoms:
- Nodes don't appear in
headscale nodes list - Authentication succeeds but node not visible
- "Node not found" errors
Solutions:
- Check node list
- Check user exists
- Create user if missing
- Check ACLs
- Register manually
# Get node key from client logs
docker exec headscale headscale nodes register --user analyst1 --key nodekey:abc123
DERP Relay Not Working
Symptoms:
- Peers can't connect even via relay
- "No DERP home" errors
- All connections fail
Solutions:
- Check STUN port
- Test STUN
- Check DERP config
- Verify DERP is enabled
- Check firewall
Android App Issues
App Crashes
Symptoms:
- App closes unexpectedly
- "MESH has stopped" error
- Can't open app
Solutions:
- Clear app data
- Settings > Apps > MESH > Storage > Clear Data
-
Reconnect to mesh
-
Reinstall app
- Check logs
- Check Android version
- MESH requires Android 8.0+
- Update Android if possible
VPN Permission Denied
Symptoms:
- "VPN permission required" error
- Can't connect to mesh
- Permission dialogue doesn't appear
Solutions:
- Grant permission manually
- Settings > Apps > MESH > Permissions
-
Enable VPN permission
-
Check for conflicting VPN
- Disconnect other VPN apps
-
Only one VPN can be active at a time
-
Reinstall app
- Uninstall and reinstall to reset permissions
Diagnostic commands
Collect Logs
# Analyst client logs
sudo journalctl -u mesh --since "1 hour ago" > mesh-logs.txt
# Control plane logs
docker logs headscale > headscale-logs.txt
# Android logs
adb logcat -d > android-logs.txt
Generate Bug Report
# Analyst client
sudo meshcli bugreport --diagnose > mesh-bugreport.txt
# Android
adb bugreport bugreport.zip
Network Diagnostics
# Check NAT type and DERP latencies
sudo meshcli netcheck
# Trace route to peer
sudo meshcli ping 100.64.X.X --verbose
# Check WireGuard interface
ip addr show tun0
sudo wg show
Connection Diagnostics
# Detailed status
sudo meshcli status --json | jq
# Check peer connectivity
for peer in $(sudo meshcli status --json | jq -r '.Peer[].TailscaleIPs[0]'); do
echo "Pinging $peer..."
sudo meshcli ping $peer --c 3
done
# Monitor connection changes
watch -n 1 'sudo meshcli status --peers'
Getting Help
If you can't resolve your issue:
- Check GitHub Issues: github.com/BARGHEST-ngo/mesh/issues
- Create Bug Report: Include logs, config, and steps to reproduce
- Contact BARGHEST: barghest.asia
Next steps
- User guide - Learn forensic workflows
- CLI reference - Complete command documentation
- Architecture - Understand how MESH works