Inbound VPN

Access your server privately from anywhere in the world using a VPN. Only authorized devices can reach your server and its installed services.

Think of your server’s gateway as a defense perimeter with hundreds of locked doors, each door leading to a unique service interface. One door might say “Vaultwarden UI”, another “Bitcoin RPC”, and another “Bitcoin P2P”. An inbound VPN gives authorized devices a key to the doors they need — without opening them to the public Internet.

LAN IP and Private Domains over VPN

Once connected to your VPN, you can reach your server and its services using your server’s LAN IP address. The StartOS dashboard is available at the base IP, while each service interface is available on a different port of that same IP.

Note

Most VPN clients do not support mDNS, so your server’s .local address will typically not work over VPN. Use the LAN IP address instead, or set up private domains for friendlier names that work reliably over VPN.

Option 1: Router

Most modern routers include a VPN server feature. If so, it is usually the preferred method for private, remote access to your server.

Warning

If your ISP uses CGNAT, your router cannot accept inbound connections, so a router-based VPN will not work. Use Option 2: StartTunnel instead.

If you haven’t already, assign a static IP address to your server on the LAN. Refer to your router’s user manual for detailed instructions.
Since home IP addresses can change without warning, we highly recommend setting up dynamic DNS. Many routers offer this as a built-in feature. If not, third-party services are available. Without dynamic DNS, a change to your home IP will disconnect all VPN clients until you re-download configuration files for each one.
Enable your router’s VPN server. Refer to your router’s user manual for detailed instructions.

Option 2: StartTunnel

By default, StartTunnel exports wireguard config files that are configured for split tunneling, allowing you to use your StartTunnel VPN to access your StartOS server and installed services while also preventing it from being automatically used for all Internet traffic.

There are three reasons to select this option:

Your router does not offer a VPN server.
Your router’s VPN server is not automatically configured for split tunneling.
You are already using StartTunnel for clearnet hosting, so most of the work is already done.

To use StartTunnel for private, remote VPN access, see StartTunnel.

Connecting Clients (WireGuard)

Once you have successfully enabled a VPN server on your router or added a StartTunnel gateway, follow the instructions below.

Obtain a WireGuard config file for your device.
- StartTunnel: Follow instructions here
- Router: Follow your router’s instructions.
Install WireGuard and import your config file:

Install WireGuard from the App Store.
Open the WireGuard app, click “Import tunnel(s) from file”, and select the config file.
MacOS will inform you that WireGuard wants to set up a VPN connection. Click “Allow”.
Your VPN tunnel will have been created and visible in both your Mac’s system settings and in the WireGuard app where you can click to activate it.

Tip

You may need to edit your newly created tunnel and enable “On-demand” for either ethernet, wifi, or both.

Install wireguard and wireguard-tools:
- Debian / Ubuntu: sudo apt update && sudo apt install wireguard
- Fedora / RHEL: sudo dnf update && sudo dnf install wireguard-tools
- Arch / Manjaro: sudo pacman -Syu && sudo pacman -S wireguard-tools wireguard
Copy the config file to /etc/wireguard/wg0.conf:
```
sudo mv myconf.conf /etc/wireguard/wg0.conf
```
Replace myconf.conf with the name of the file you downloaded.
Set the correct permissions:
```
sudo chmod 600 /etc/wireguard/wg0.conf
```
Bring the interface up:
```
sudo wg-quick up wg0
```
Verify it worked:
```
sudo wg
```
(Optional) Enable on boot:
```
sudo systemctl enable wg-quick@wg0
```

Tip

To disconnect: sudo wg-quick down wg0

Connecting Clients (OpenVPN)

Note

OpenVPN is only available when using a router-based VPN server. StartTunnel uses WireGuard.

Download the configuration file from your router’s OpenVPN server.
Install OpenVPN and import your config file:

Install the OpenVPN Connect client from the official website.
If asked to do so, allow the OpenVPN client to run in the background.
Import the configuration file and enter the necessary authentication settings you chose or were default on your OpenVPN server on your router.
Depending on how you’ve configured your OpenVPN server, you may need to add a username and password before you hit Connect.
Once set up, click on the name of the profile to connect and disconnect. You can edit the profile from the icon to its right.

Install openvpn:
- Debian / Ubuntu: sudo apt update && sudo apt install openvpn
- Fedora / RHEL: sudo dnf update && sudo dnf install openvpn
- Arch / Manjaro: sudo pacman -Syu && sudo pacman -S openvpn
Copy the config file to /etc/openvpn/client.conf:
```
sudo mv myconf.ovpn /etc/openvpn/client.conf
```
Replace myconf.ovpn with the name of the file you downloaded.

Set the correct permissions:

sudo chmod 600 /etc/openvpn/client.conf

Start OpenVPN, entering your username and password when requested:
```
sudo systemctl start openvpn@client
```
Verify it worked:
```
sudo systemctl status openvpn@client
```
(Optional) Enable on boot:
```
sudo systemctl enable openvpn@client
```

Tip

To disconnect: sudo systemctl stop openvpn@client