Clearnet
Make your services publicly reachable on the Internet using standard domains (.com, .net, etc.). This requires gateway selection, a domain name, DNS configuration, and port forwarding.
Use Case
This connection method permits hosting a service interface on the public Internet.
Choosing a Gateway
When hosting services on the clearnet, anyone who connects will know the IP address of the gateway used. Knowing a gateway’s IP address reveals its approximate geographic location:
| Geographic Location | Detection Accuracy |
|---|---|
| Country | 99% |
| State / Region | 95–99% |
| City (large metro) | 60–80% |
| Zip Code / Neighborhood | 30–50% |
| Exact Street Address | Requires ISP subpoena |
If your gateway is your home router, you are revealing the approximate location of your home. If your gateway is a VPS running StartTunnel, you are revealing the approximate location of the VPS, not your home.
| | Router | StartTunnel |
|---|---|---|
| Cost | Free | VPS rental (~$5–10/mo) |
| IP stability | Home IP can change without warning, breaking all your domains until DNS is updated. Dynamic DNS is highly recommended, but support varies by router and may cost money. | Static IP from the VPS provider. No dynamic DNS needed. |
| Privacy | Exposes your home’s approximate location | Exposes the VPS location, not your home |
| CGNAT compatible | No. If your ISP uses CGNAT (e.g. Starlink), you cannot use your router as a gateway. | Yes |
| Port forwarding | Configured in router admin panel | Configured in StartTunnel |
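
The CGNAT row above decides whether a home router can be the gateway at all. The following check is an added example, not part of the StartOS documentation: it classifies the WAN address shown in the router's admin panel, and also covers the related case where the router sits behind another NAT device. The names `gateway_check` and `ADVICE` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, which ISPs use for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def gateway_check(router_wan_ip, external_ip=None):
    """Classify whether a home router can act as a clearnet gateway.

    router_wan_ip: WAN address shown in the router's admin panel.
    external_ip:   address an outside service reports for the connection
                   (optional; both values are supplied by the operator).
    Returns "cgnat", "upstream-nat" or "router-ok".
    """
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "upstream-nat"
    # A public-looking WAN address that differs from what the outside world
    # sees still means traffic is translated somewhere past the router.
    if external_ip is not None and ipaddress.ip_address(external_ip) != wan:
        return "upstream-nat"
    return "router-ok"


ADVICE = {
    "cgnat": "ISP uses CGNAT: router port forwards are unreachable, use StartTunnel",
    "upstream-nat": "router is behind another NAT: forward there too, or use StartTunnel",
    "router-ok": "router holds the public address: it can serve as the gateway",
}

if __name__ == "__main__":
    # Constructed sample values (documentation and reserved ranges only).
    samples = [("100.72.14.9", "198.51.100.20"),
               ("192.168.1.2", "198.51.100.20"),
               ("203.0.113.7", "203.0.113.7")]
    for wan, ext in samples:
        verdict = gateway_check(wan, ext)
        print(f"{wan:<14} {verdict:<13} {ADVICE[verdict]}")
```
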
Adding a Public Domain
- On the service interface page, locate your preferred gateway and click “Add Domain”, then select “Public Domain”.
- Enter the fully qualified domain name. For example, if you control `domain.com`, you could enter `domain.com` or `public.domain.com` or `nextcloud.public.domain.com`, etc.
- Select a Certificate Authority to sign the certificate for this domain.
  - Let’s Encrypt: Ideal for public access. All devices trust Let’s Encrypt certificates by default.
  - Local Root CA: Ok for personal access. Bad for public access. Only devices that have downloaded and trusted your server’s Root CA will be able to access the domain without issue.
- Click “Save”.
- StartOS will automatically test your DNS record and port forwarding. If both pass, the domain is ready to use. If either test fails, a setup modal will appear showing the failing tests with instructions to remedy and the ability to re-test.
Configuring DNS
StartOS tests DNS automatically when you add or enable a public domain, and will guide you through the setup if the test fails. For reference, here is what is needed:
- Access your domain’s DNS settings, usually in the registrar where you originally leased the domain.
- Create a DNS record that points your domain to your gateway’s public IP address. If you use subdomains, consider using a wildcard (`*`) for that host so that all future subdomains work without needing additional records.

Tip
It can take up to a few hours for DNS changes to propagate. You can check propagation using https://dnschecker.org.
Port Forwarding
To expose a public domain to the Internet, the appropriate port must be forwarded in the corresponding gateway. StartOS tests port forwarding automatically when you add or enable a public domain, and will guide you through the setup if the test fails.
Tip
Most websites and APIs on the Internet are hosted on port `443`. Port `443` is so common, in fact, that apps and browsers infer its presence. The absence of a port means the port is `443`. With rare exceptions, domains on StartOS also use port `443`, and that is why your domains usually do not display a port. The port forwarding rule needed for these standard domains is always the same, which means you only have to do it once!
How you create a port forwarding rule depends on the type of gateway.
- Routers: Port forwarding is supported by all routers and easy to do. Refer to your router’s manual for instructions.
- StartTunnel: Refer to the StartTunnel Port Forwarding guide.