Private network

Connect your servers over an encrypted WireGuard mesh, with per-peer keys generated on your own device.

A private network turns your scattered VPS fleet — different providers, different public IPs — into one flat, encrypted internal network (mesh IPs like 10.66.0.x). Use it for database replication, internal APIs, monitoring, and cross-server backups without exposing a single port to the Internet. Laptops, phones, and CI runners can VPN in to reach the same internal services.

The private network lives at app.mzpanel.com/network and is gated to Pro+.

MZPanel builds a hubless full-mesh: every peer opens a tunnel directly to every other peer. Data travels straight A↔B — the control plane coordinates config but never sits on the data path, so MZPanel cannot see or relay your traffic.

  • Server ↔ server connects directly. Each VPS has a static public IP and the agent opens UDP 51820 inbound for you (it already manages the firewall) — no hub, no NAT punching.
  • Devices dial out to a server’s public endpoint; WireGuard learns the endpoint from the first handshake and PersistentKeepalive holds the path open through NAT.

Each account gets a /24 subnet (10.66.0.0/24, ~253 peers) — far more than any tier’s VPS quota needs.

From the Network page, add a server (pick one of your connected VPS) or a device (laptop, phone, CI). MZPanel assigns the next free mesh IP and pushes the updated peer set to every online server in the mesh.

Changes apply without dropping live tunnels: the agent rewrites the WireGuard config and runs wg syncconf on the running interface, so existing connections keep their handshakes and only the added or removed peers change. A new peer shows as handshake pending, then flips to online once the real handshake lands.

Removing a peer pushes the revocation to every remaining peer immediately, so a removed box loses access to each peer the moment that peer drops its public key.
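The peer set each mesh member holds, and what changes for it when a peer is removed, as an added example (not MZPanel's agent code). Peer names, mesh IPs, endpoints (documentation range 203.0.113.0/24) and keys are constructed placeholders; the /32 AllowedIPs, the 25-second keepalive, and devices listing only servers are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WG_PORT = 51820  # UDP port the page says the agent opens on each server

@dataclass(frozen=True)
class Peer:
    name: str
    mesh_ip: str                    # address inside 10.66.0.0/24
    public_key: str                 # constructed placeholder, not a real key
    endpoint: Optional[str] = None  # static public IP for servers, None for devices

def peers_for(me: Peer, mesh: List[Peer]) -> List[Peer]:
    """Peers that get a [Peer] stanza in `me`'s config."""
    others = [p for p in mesh if p.name != me.name]
    if me.endpoint is None:
        # Assumption: a device has no reachable endpoint, so it lists servers only.
        return [p for p in others if p.endpoint is not None]
    return others

def render_peers(me: Peer, mesh: List[Peer]) -> str:
    """Render the [Peer] stanzas of `me`'s WireGuard config."""
    stanzas = []
    for p in peers_for(me, mesh):
        lines = ["[Peer]", f"# {p.name}", f"PublicKey = {p.public_key}",
                 f"AllowedIPs = {p.mesh_ip}/32"]  # assumption: one mesh IP per key
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}:{WG_PORT}")
        if me.endpoint is None:
            lines.append("PersistentKeepalive = 25")  # assumed interval; holds NAT open
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas)

def sync_delta(me: Peer, old: List[Peer], new: List[Peer]) -> Tuple[List[str], List[str]]:
    """Public keys a syncconf-style update adds to and removes from `me`."""
    before = {p.public_key for p in peers_for(me, old)}
    after = {p.public_key for p in peers_for(me, new)}
    return sorted(after - before), sorted(before - after)

# Constructed sample mesh: two servers and one laptop.
MESH = [
    Peer("vps-a", "10.66.0.1", "PUBKEY_A_PLACEHOLDER", "203.0.113.10"),
    Peer("vps-b", "10.66.0.2", "PUBKEY_B_PLACEHOLDER", "203.0.113.20"),
    Peer("laptop", "10.66.0.3", "PUBKEY_LAPTOP_PLACEHOLDER"),
]

if __name__ == "__main__":
    print(render_peers(MESH[2], MESH))          # the laptop's view of the mesh
    print(sync_delta(MESH[0], MESH, MESH[:2]))  # vps-a after the laptop is removed
```

On a server, the stanza for a device carries no Endpoint line, which is the case where WireGuard learns the endpoint from the first handshake.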

You never see or handle a WireGuard key. The UI shows only the peer name and mesh IP — keys are generated automatically at the edge and stay there.

| Peer type | Where the private key is generated | What the control plane stores |
|---|---|---|
| Server | The agent runs wg genkey on the box; the private key stays in wg0.conf | The public key only |
| Device | Your browser generates the keypair locally; the config + QR render client-side, shown once | The public key only |

The control plane database holds no mesh secret of any kind — only public keys (~32 bytes each) and metadata. Even a full database compromise can’t decrypt your traffic or impersonate a peer, because every private key was generated at the edge and never left it.