StartOS

A Linux-based operating system purpose-built for running a personal server. Install, configure, and manage self-hosted services through a simple graphical interface — no command line required.

App store experience — discover and install services from a marketplace with one click
Built-in networking — LAN, Tor, VPN, and clearnet access managed through the UI
Encrypted backups — back up and restore services to physical drives or network shares
No accounts, no cloud — your server, your data, no third parties

Getting Started

Installing StartOS — Flash StartOS to your hardware
Initial Setup — Create your server and set a master password
Trusting Your Root CA — Enable secure HTTPS over LAN
Installing Services — Browse and install from the marketplace

User Manual

Private Access — Connect over LAN, VPN, Tor, or Holesail
Public Access — Expose services to the public internet
Gateways — Configure WireGuard tunnels for outbound and inbound traffic
Creating Backups — Back up your services and system
Restoring Backups — Restore from a previous backup
SSH — Access StartOS from the command line
Updating StartOS — Install the latest version

Learn More

Architecture — How StartOS is designed and how its components fit together
FAQ — Common issues and solutions
Service Packaging — Build and publish services for StartOS
Source Code — StartOS is fully open source
Contact Support — Get help from the Start9 team

Installing StartOS

This guide is for flashing StartOS to a USB drive, then installing it onto a desktop, laptop, or mini PC. For an up-to-date list of known-good hardware, please check out this forum post.

Download

Visit the Github release page to find the latest version of StartOS.
Under “ISO Downloads”, select the ISO for your architecture. StartOS is available in x86_64 (AMD64), aarch64 (ARM64), and RISC-V (RVA23). For x86_64 and aarch64, two variants are available:
- Standard: Includes proprietary firmware and drivers for broader hardware compatibility, including display and wireless. Recommended for most users.
- Slim (FOSS-only): 100% open source, containing no proprietary firmware or drivers. Only compatible with certain hardware, such as the Start9 Server Pure.
Verify the SHA256 checksum against the one listed on GitHub (optional but recommended).
- Mac. Open a terminal and run:
```
openssl dgst -sha256 <filename>.iso
```
- Linux. Open a terminal and run:
```
sha256sum <filename>.iso
```
- Windows. Open PowerShell and run:
```
Get-FileHash <filename>.iso
```

Flash

Download and install balenaEtcher onto your Linux, Mac, or Windows computer.
Insert your USB drive into your computer.
Open balenaEtcher.
Click “Select Image” and select the .iso image you just downloaded.
Click “Select Target” and select your microSD card.

Warning

BE ABSOLUTELY CERTAIN you have selected the correct target USB flash drive. Whatever target you select will be COMPLETELY ERASED!!
Click “Flash!”. You may be asked to approve the unusually large disk target and/or enter your password. Both are normal.

Install

Remove the newly-flashed USB drive from your computer and plug it into your server. Choose the fastest available USB 3.0+ port - typically this is blue or labeled “SS” (SuperSpeed).
Power on your server, booting from USB.

Tip

Occasionally, you may need to make some changes in your BIOS, such as turning off Secure Boot, or allowing USB boot for install. See the Community Hub for guides or to get help.
The StartOS install wizard will now be available at http://start.local. You can also use a monitor, keyboard, and mouse. This is known as “Kiosk Mode”.
Choose “Re-Install” to preserve existing StartOS data, or “Factory Reset” to start fresh. After install is complete, you will be prompted to remove the USB drive and refresh the page.

User Manual

This section covers everything from initial setup and certificate trust to network access methods (LAN, VPN, Tor, Holesail, clearnet), service installation, backups, and system administration.

Initial Setup
Trusting Your Root CA
Private Access
- LAN
- VPN
- Tor
- Holesail
Public Access
- Clearnet
- Tor
Installing Services
Gateways
Creating Backups
Restoring Backups
SMTP
SSH
WiFi
Updating StartOS
Resetting Your Password

Initial Setup

Connect your server to power and Ethernet.
From a computer connected to the same Local Area Network (LAN) as your server, open a browser and visit http://start.local.
Select a setup option:
- Start fresh: Select this option if you are setting up a new server.
- Restore from Backup: Select this option only if your existing StartOS data drive has been lost or corrupted. This is for disaster recovery only.
- Transfer: Select this option if you are transferring your existing data from one drive to another.
Set a strong master password. Make it good. Write it down. Resetting your password is non-trivial, but your data will be preserved.
Set your server name. Your server’s unique .local hostname is derived from this name. You can change your server name later in System Settings.
Following successful initialization, you will be prompted to download a StartOS-info.html. This file contains your server’s permanent .local URL and Root Certificate Authority (Root CA). It is recommended to save this file for future reference.
Click “Continue to Login” and follow instructions for Trusting your Root CA

Trusting Your Root CA

In order to establish a secure (HTTPS) connection with your server on the local network, it is necessary to download and trust your server’s Root Certificate Authority (Root CA).

Note

You must repeat this guide for each device you want to connect to the server locally or using a VPN. This guide is not necessary for devices that will connect using Tor, Holesail, or clearnet.

Step 1 - Download

There are multiple ways to download your server’s Root CA.

Option 1: StartOS-info.html

Following initial setup, you were required to download a StartOS-info.html file. Your Root CA can be downloaded from this file.
Option 2: HTTP LAN

Visit your server’s HTTP (not HTTPS) .local address (http://your-server-name.local) or LAN IP address (http://192.168...).
Option 3: StartOS Dashboard

If you are logged into your server, click the “System” tab or the “Start Menu” (upper right corner), then click “About this Server”.
Option 4: Yourself

If you already have the Root CA on one device, you can send it to yourself using email or other messaging channel.

Step 2 - Trust

Select your platform:

Locate your Root CA and double click it. Keychain Access will launch. You will be prompted for your Mac credentials. Select “Modify Keychain”.
Press Command + Spacebar to launch a program, type in Keychain Access and select the resulting Keychain Access program to open it.
Your server’s CA certificate will be displayed among the imported certificates in Keychain Access. Right-click on the imported CA cert and select Get Info:
The details of your CA certificate will be displayed in a new dialog window. Click the “Trust” heading, then select “Always Trust” on Secure Sockets Layer (SSL) and X.509 Basic Policy.

Click the red (x) button at the top left of the Local Root CA dialog window.
You will then be prompted again for your Mac credentials. Click Update Settings:
You will see your server’s CA certificate as trusted now, signified by a blue (+) sign and the CA cert information will now say “This certificate is marked as trusted for all users” in Keychain Access:
If using Firefox, Thunderbird, or Librewolf, complete this final step.

This should work for most Debian-based systems, such as Debian, Ubuntu, Mint, PopOS etc.

Open a terminal and run:

sudo apt update
sudo apt install -y ca-certificates p11-kit

Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:
```
cd ~/Downloads
```

Add your Root CA to your OS trust store. Be certain to replace your-server-name with your server’s unique hostname:

sudo mkdir -p /usr/share/ca-certificates/start9
sudo cp "your-server-name.crt" /usr/share/ca-certificates/start9/
sudo bash -c "echo 'start9/your-server-name.crt' >> /etc/ca-certificates.conf"
sudo update-ca-certificates

If successful, you will see the output 1 added.

If using Firefox, Thunderbird, or Librewolf, complete this final step.

Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:
```
cd ~/Downloads
```
Add your Root CA to your OS trust store. Be certain to replace your-server-name with your server’s unique hostname in the second command:
```
sudo pacman -S ca-certificates
sudo cp "your-server-name.crt" /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust
```
Despite no output from the last command, you can test your app right away.

Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:
```
cd ~/Downloads
```
Add your Root CA to your OS trust store. Be certain to replace your-server-name with your server’s unique hostname in the second command:
```
sudo dnf install ca-certificates
sudo cp "your-server-name.crt" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```
There will be no output if the update-ca-trust command completes successfully.

3. Mozilla Apps (Firefox, Thunderbird, Librewolf)

Mozilla apps use their own certificate store and need extra configuration to trust your Root CA. Complete the steps above for your OS first, then follow the steps below.

For more background, see Mozilla’s blog post on why they maintain their own root certificate store.

Open the app and enter about:config in the URL bar. Accept any warnings that appear.
Search for security.enterprise_roots.enabled and set the value to “true”.
Restart the app.

Private Access

Private access means only you and people you explicitly authorize can reach your server. There are four methods available, each with different use cases and tradeoffs.

LAN. Same local network. The fastest connection method. Uses mDNS or IP address.
VPN. Fast, private, personal access from anywhere in the world using a VPN server running on your router or VPS.
Tor. Anonymous .onion addresses on the private Internet. Requires installing the Tor service from the marketplace.
Holesail. Direct, encrypted peer-to-peer tunnels with no port forwarding or static IP required. Requires installing the Holesail service from the marketplace.

LAN

Connect to your server over your local network using its .local mDNS address or direct IP address. This is the fastest connection method, as traffic stays on your LAN and never reaches the Internet.

Use Case

Local connections are the fastest possible, as they do not reach out to the Internet. You must be connected to the same Local Area Network (LAN) as your server.

Watch the Video

Option 1: Local domain

During initial setup, you choose a server name, and your .local domain is derived from it. For example, a server named “My Cool Server” gets the domain my-cool-server.local. This domain uses Multicast DNS (mDNS) to serve as an alias for your server’s LAN IP address. You can change your server name at any time in System Settings.

Tip

The local domain is useful because, by default, your router will sometimes change your server’s IP address on the LAN. If your server’s LAN IP address changes, the local domain will continue to work, even if you move or get a new router!

Option 2: IP Address

Your router automatically assigns your server an IP address on the LAN. The address can be found (1) in your StartOS dashboard at System -> StartOS UI, (2) in your router dashboard, or (3) by pinging your server’s .local domain from the command line of a computer on the same network.

Important

Your router may unexpectedly change your server’s IP address on the LAN. To avoid this, we highly recommend assigning a static IP address. This becomes necessary if you intend to access your server via VPN or clearnet. It also makes the local domain unnecessary. All routers support setting a static IP address for devices on the LAN. Refer to your router’s user manual for detailed instructions.

Private Domains

A private domain is similar to your server’s local domain, except it also works for VPN connectivity, and it can be anything. It can be a real domain you control, a made up domain, or even a domain controlled by someone else.

Similar to your local domain, private domains can only be accessed when connected to the same LAN as your server, either physically or via VPN, and they require trusting your server’s Root CA.

Adding a Private Domain

If you haven’t already, assign a static IP address to your server on the LAN. Refer to your router’s user manual for detailed instructions.
On the service interface page, click “Add Domain” on the desired gateway table and select “Private Domain”.
Enter a fully qualified domain name. It can be anything. For example: domain.com, private.domain.internal, nextcloud.private, nextcloud.fake-tld, or facebook.com.
Click “Save”.
StartOS will automatically test your DNS configuration. If the test passes, the domain is ready to use. If it fails, a setup modal will appear with instructions to configure your DNS server and the ability to re-test.

DNS for Private Domains

Private domains require your gateway to use StartOS for DNS. StartOS will test this automatically when you add a private domain and guide you through the setup if needed. For more details, see DNS.

VPN

Access your server privately from anywhere in the world by routing traffic through a VPN server on your router or a cloud VPS. Only authorized devices with the VPN configuration can reach your server.

Use Case

This connection method is ideal for fast, private, personal access from anywhere in the world using a VPN server running on your router or VPS. Only authorized devices have access to your server and installed services.

Tip

Private domains also work over VPN — see Private Domains.

Option 1: Router

Most modern routers include a VPN server feature. If so, it is usually the preferred method for private, remote access to your server.

If you haven’t already, assign a static IP address to your server on the LAN. Refer to your router’s user manual for detailed instructions.
Since home IP addresses can change without warning, we highly recommend setting up dynamic DNS. Many routers offer this as a built-in feature. If not, third-party services are available. Without dynamic DNS, a change to your home IP will disconnect all VPN clients until you re-download configuration files for each one.
Enable your router’s VPN server. Refer to your router’s user manual for detailed instructions.

Option 2: StartTunnel

By default, StartTunnel exports wireguard config files that are configured for split tunneling, allowing you to use your StartTunnel VPN to access your StartOS server and installed services while also preventing it from being automatically used for all Internet traffic.

There are three reasons to select this option:

Your router does not offer a VPN server.
Your router’s VPN server is not automatically configured for split tunneling.
You are already using StartTunnel for clearnet hosting, so most of the work is already done.

To use StartTunnel for private, remote VPN access, see StartTunnel.

Connecting Clients (WireGuard)

Once you have successfully enabled a VPN server on your router or added a StartTunnel gateway, follow the instructions below.

Obtain a WireGuard config file for your device.
- StartTunnel: Follow instructions here
- Router: Follow your router’s instructions.
Install WireGuard and import your config file:

Install WireGuard from the App Store.
Open the WireGuard app, click “Import tunnel(s) from file”, and select the config file.
MacOS will inform you that WireGuard wants to set up a VPN connection. Click “Allow”.
Your VPN tunnel will have been created and visible in both your Mac’s system settings and in the WireGuard app where you can click to activate it.

Tip

You may need to edit your newly created tunnel and enable “On-demand” for either ethernet, wifi, or both.

Install wireguard and wireguard-tools:
- Debian / Ubuntu: sudo apt update && sudo apt install wireguard
- Fedora / RHEL: sudo dnf update && sudo dnf install wireguard-tools
- Arch / Manjaro: sudo pacman -Syu && sudo pacman -S wireguard-tools wireguard
Copy the config file to /etc/wireguard/wg0.conf:
```
sudo mv myconf.conf /etc/wireguard/wg0.conf
```
Replace myconf.conf with the name of the file you downloaded.
Set the correct permissions:
```
sudo chmod 600 /etc/wireguard/wg0.conf
```
Bring the interface up:
```
sudo wg-quick up wg0
```
Verify it worked:
```
sudo wg
```
(Optional) Enable on boot:
```
sudo systemctl enable wg-quick@wg0
```

Tip

To disconnect: sudo wg-quick down wg0

Connecting Clients (OpenVPN)

Note

OpenVPN is only available when using a router-based VPN server. StartTunnel uses WireGuard.

Download the configuration file from your router’s OpenVPN server.
Install OpenVPN and import your config file:

Install the OpenVPN Connect client from the official website.
If asked to do so, allow the OpenVPN client to run in the background.
Import the configuration file and enter the necessary authentication settings you chose or were default on your OpenVPN server on your router.
Depending on how you’ve configured your OpenVPN server, you may need to add a username and password before you hit Connect.
Once set up, click on the name of the profile to connect and disconnect. You can edit the profile from the icon to its right.

Install openvpn:
- Debian / Ubuntu: sudo apt update && sudo apt install openvpn
- Fedora / RHEL: sudo dnf update && sudo dnf install openvpn
- Arch / Manjaro: sudo pacman -Syu && sudo pacman -S openvpn
Copy the config file to /etc/openvpn/client.conf:
```
sudo mv myconf.ovpn /etc/openvpn/client.conf
```
Replace myconf.ovpn with the name of the file you downloaded.

Set the correct permissions:

sudo chmod 600 /etc/openvpn/client.conf

Start OpenVPN, entering your username and password when requested:
```
sudo systemctl start openvpn@client
```
Verify it worked:
```
sudo systemctl status openvpn@client
```
(Optional) Enable on boot:
```
sudo systemctl enable openvpn@client
```

Tip

To disconnect: sudo systemctl stop openvpn@client

Tor

Access your server over the Tor network using .onion addresses. This method provides anonymous, censorship-resistant connections and requires installing the Tor service from the StartOS marketplace.

Use Case

This connection method permits hosting services on the private Internet (aka the “Darknet”) as anonymous (.onion) domains.

There are three reasons you might want this:

Unless you share/leak a Tor address, it is totally private and anonymous. Nobody knows it exists, and nobody knows it belongs to you. It is your secure, secret tunnel to the underlying website/API.
If you share/leak a Tor address without associating it to your identity (not easy to do), it is anonymous but not private. People know it exists, but nobody knows it belongs to you. By this method, you can anonymously host a censorship-resistant website/API on the private web.
If you share/leak a Tor address and also associate it with your identity, it is neither private nor anonymous. People know it exists, and they know it belongs to you. This is useful for hosting an identified yet still censorship-resistant website/API on the private web, or for sharing access to the websites/API with select friends and family.

Warning

It is normal for Tor connections to be slow or unreliable at times.

Tip

Tor can also be used for public access by publishing your .onion addresses.

Setting Up Tor

Tor is not included in StartOS by default. To use Tor, you must install the Tor service from the marketplace.

Go to the Marketplace and install the Tor service.
Start the Tor service and wait for it to become healthy.

Managing Onion Services

Once Tor is installed and running, you can create .onion addresses for specific service interfaces on your server.

Open the Tor service and go to Actions > Manage Onion Services.
Select a service interface to create an onion address for.
To view your onion addresses, go to Actions > View Onion Addresses.

Tip

When creating an onion service, you can upload a private key to use a vanity address. For instructions on generating a vanity address, see here.

Note

Each onion domain produces two addresses: HTTP and HTTPS. Because Tor is a secure protocol, it is perfectly safe to use the HTTP address. It is also preferable, because it does not require anyone to trust your server’s Root CA. Some applications may require HTTPS, in which case the certificate is signed by your server’s Root CA.

Connecting over Tor

Using a Tor Browser

You can connect to your server and installed services from anywhere in the world, privately and anonymously, by visiting their unique http://....onion URLs from any Tor-enabled browser.

Tip

Recommended Browsers

Mac, Linux, Windows, Android/Graphene: Tor Browser

iOS: Onion Browser

Running Tor in the Background on your Phone/Laptop

By running Tor in the background on your phone or laptop, certain apps can connect over Tor, even if the apps themselves do not natively support Tor.

For instructions specific to your device’s operating system, use a search engine or AI. This capability is well documented.

Holesail

Access your server remotely using Holesail’s peer-to-peer tunneling. This method creates direct encrypted connections without port forwarding, static IPs, or centralized servers, and requires installing the Holesail service from the StartOS marketplace.

Use Case

Holesail creates direct, encrypted peer-to-peer tunnels between your devices and your server. No port forwarding, static IP, or centralized servers are required. Traffic flows directly between peers as if they were on the same local network.

This is a good option when:

You want fast, private remote access without the complexity of setting up a VPN server.
You don’t have control over your network (e.g. work, school, shared housing) and cannot configure port forwarding.
You want a simple, zero-configuration alternative to Tor that offers better performance.

Setting Up Holesail

Holesail is not included in StartOS by default. To use Holesail, you must install the Holesail service from the marketplace.

Go to the Marketplace and install the Holesail service.
Start the Holesail service and wait for it to become healthy.

Managing Tunnels

Once Holesail is installed and running, you can create tunnels for specific service interfaces on your server.

Open the Holesail service and go to Actions > Manage Tunnels.
Select a service interface to create a tunnel for. Each tunnel produces a unique connection key.
To view your tunnel connection keys, go to Actions > View Tunnels.

Note

Anyone with the connection key can access the tunnel. Treat connection keys like passwords — only share them with trusted devices.

Connecting over Holesail

To connect to a Holesail tunnel from a client device, install the Holesail client and use the connection key provided by your server.

For client installation and usage instructions, see the Holesail documentation.

Public Access

Public access means making your services reachable by anyone on the Internet.

Clearnet. Host services on the public Internet using standard (.com, .net, etc) domains or public IP addresses.
Tor. Host services as .onion addresses for censorship resistance and optional anonymity.

Clearnet

Make your services publicly reachable on the Internet using standard domains (.com, .net, etc.) or public IP addresses. This requires a gateway, a domain name, and DNS configuration.

Use Case

This connection method permits hosting a service interface on the public Internet.

Choosing a Gateway

When hosting services on the clearnet, anyone who connects will know the IP address of the gateway used. Knowing a gateway’s IP address reveals its approximate geographic location:

Geographic Location	Detection Accuracy
Country	99%
State / Region	95-99%
City (large metro)	60–80%
Zip Code / Neighborhood	30–50%
Exact Street Address	Requires ISP subpoena

If your gateway is your home router, you are revealing the approximate location of your home. If your gateway is a VPS running StartTunnel, you are revealing the approximate location of the VPS, not your home.

Which gateway you select will depend on your threat model and budget:

Router: If you have no issue revealing your approximate location, use your router as your clearnet gateway (free). Since home IP addresses can change without warning, we highly recommend setting up dynamic DNS. Many routers offer this as a built-in feature. If not, third-party services are available. Without dynamic DNS, a change to your home IP will make your domains unreachable until you update their DNS records.

Warning

If your Internet Service Provider (ISP) uses Carrier-grade NAT (CGNAT), such as Starlink, it means you share an IP address with other customers. It is not possible to use your router as a clearnet gateway. You must use StartTunnel instead.
StartTunnel: If you want to obfuscate your home IP address, or your ISP uses CGNAT, you can use a StartTunnel gateway. Refer to the StartTunnel guide.

Adding a Public Domain

With few exceptions, you should add a domain to your service interface so that you and others can access it seamlessly, just like any other website or API.

On the service interface page, click “Add Domain” on the desired gateway’s table and select “Public Domain”.

Warning

CGNAT gateways, such as Starlink, cannot be used for clearnet hosting. You must use a StartTunnel gateway. Refer to the StartTunnel guide.
Enter the fully qualified domain name. For example, if you control domain.com, you could enter domain.com or public.domain.com or nextcloud.public.domain.com, etc.
Select a Certificate Authority to sign the certificate for this domain.
- Local Root CA: Good for personal access. Only devices that have downloaded and trusted your server’s Root CA will be able to access the domain without issue.
- Let’s Encrypt: Good for public access. All devices trust Let’s Encrypt certificates by default.
Click “Save”.
StartOS will automatically test your DNS record and port forwarding. If both pass, the domain is ready to use. If either test fails, a setup modal will appear showing the failing tests with instructions to remedy and the ability to re-test.

Configuring DNS

StartOS tests DNS automatically when you add or enable a public domain, and will guide you through the setup if the test fails. For reference, here is what is needed:

Access your domain’s DNS settings, usually in the registrar where you originally leased the domain.
Create a DNS record that points your domain to your gateway’s public IP address. If you use subdomains, consider creating a wildcard record (e.g., *.domain.com) so that future subdomains work without additional records.

Tip

It might take a few minutes for DNS changes to propagate. You can check propagation using https://dnschecker.org.

Port Forwarding

To expose a public domain or public IP address to the Internet, the appropriate port must be forwarded in the corresponding gateway. StartOS tests port forwarding automatically when you add or enable a public address, and will guide you through the setup if the test fails.

Tip

Most websites and APIs on the Internet are hosted on port 443. Port 443 is so common, in fact, that apps and browsers infer its presence. The absence of a port means the port is 443. With rare exceptions, domains on StartOS also use port 443, and that is why your domains usually do not display a port. The port forwarding rule needed for these standard domains is always the same, which means you only have to do it once!

How you create a port forwarding rule depends on the type of gateway.

Routers: Port forwarding is supported by all routers and easy to do. Refer to your router’s manual for instructions.
StartTunnel: Refer to the StartTunnel Port Forwarding guide.

Tor

Tor onion addresses (.onion) can be used for public hosting. Unlike clearnet domains, onion addresses do not require purchasing a domain, configuring DNS, or opening ports. Anyone with a Tor-enabled browser can reach them.

Why Use Tor for Public Hosting

Censorship resistance. Onion services cannot be taken down by domain registrars, DNS providers, or ISPs. As long as your server is running, the address is reachable.
Anonymity (if done carefully). If you publish an onion address without associating it with your identity, observers can access your service but cannot determine who operates it. Achieving true anonymity requires careful operational security — for example, never linking the address to your real identity, and not leaking metadata that could be correlated.
No infrastructure dependencies. You do not need a static IP, a domain name, or port forwarding. Tor handles routing entirely through its overlay network.

Setup

Tor public hosting uses the same Tor service as private access. Follow that guide to install Tor from the marketplace, create onion services, and view your onion addresses.

The difference is simply in how you use the addresses: keeping them secret (private access) vs. sharing them publicly (public access).

Note

Each onion domain produces two addresses: HTTP and HTTPS. Because Tor is a secure protocol, it is perfectly safe to use the HTTP address. It is also preferable, because it does not require visitors to trust your server’s Root CA.

System Settings

General system settings for your StartOS server. Navigate to System > General Settings in the StartOS dashboard.

Software Update

View your current StartOS version and check for updates.

If an update is available, click Update to begin the update process.
After updating, click Restart to apply to reboot your server with the new version.
If no update is available, click Check for updates to query the latest release.

Server Name

Your server name is displayed along with its derived .local hostname. The hostname is created by lowercasing the server name, removing non-alphanumeric characters, and replacing spaces with hyphens. For example, “My Cool Server” becomes my-cool-server.local.

Click Change to open the server name dialog. After saving a new name, your .local address will update accordingly.

Warning

If you are currently connected via your .local address, changing the hostname will require you to switch to the new .local address. You will be prompted with the new address after saving.

Language

Change the display language of the StartOS interface. Select a language from the dropdown to apply it immediately.

Kiosk Mode

Kiosk Mode enables a display output for connecting a monitor directly to your server. This is useful for setup or troubleshooting without a separate client device.

Enable: If no keyboard layout has been set, you will be prompted to select one first. A restart is required to apply the change.
Disable: Click Disable, then restart when prompted.
Change Keyboard Layout: When Kiosk Mode is enabled, your current keyboard layout is displayed. Click the edit icon to select a different layout.

Note

Kiosk Mode may be unavailable on certain hardware.

Installing Services

StartOS services are installed from the Marketplace, which consists of curated registries. You can also sideload packages directly from .s9pk files.

From the Marketplace

The Marketplace is made up of multiple “registries”. A registry is a curated list of services that can be downloaded and installed onto StartOS. You can think of a registry as just one “store” or “booth” inside a broader marketplace.

StartOS comes preloaded with two default registries: (1) The Start9 Registry and (2) the Community Registry.

Services in the Start9 Registry are vouched for, recommended, supported, and maintained by Start9. Services in the Community Registry are not. For a more detailed explanation of the Registry framework, check out this short blog post.

To install a service from the marketplace, simply visit the Marketplace, select a service, and click “Install”.

Switching Registries

To switch between registries or add a custom registry, simply click arrows underneath the current Registry title.

Sideloading

Sideloading is useful if you are testing a service that does not yet exist on a registry, or if you prefer to eliminate the Marketplace as a point of trust. An s9pk can be obtained from anywhere or even built from source code.

To sideload a service, go to Sideload and upload the appropriate .s9pk file.

Gateways

A gateway is what connects your server to the Internet. There are two types of gateways: outbound only and inbound/outbound.

Inbound/Outbound Gateways

An inbound/outbound gateway handles traffic in both directions — it routes outbound traffic and accepts inbound connections from the Internet. Your router is an inbound/outbound gateway. StartTunnel is also an inbound/outbound gateway.

Think of the inbound side as a defense perimeter with hundreds of locked doors, each door leading to a unique service interface. For example, one door might say “Vaultwarden UI”, another might say “Bitcoin RPC”, and yet another might say “Bitcoin P2P”.

If you want to let a specific person through a particular door, you give them a key. This is the equivalent of giving someone private VPN access to a specific service interface. If you want to let everyone through a particular door, you remove the lock altogether. This is the equivalent of forwarding a port in your gateway, thereby exposing a particular service interface or domain to the public Internet.

Note

If you are running StartOS on a VPS with a public IP address, there is no local network. Your gateway is inherently public and open to the Internet.

For guidance on choosing a gateway for clearnet hosting, see Clearnet.

Outbound Only Gateways

An outbound only gateway (or outbound VPN) routes traffic from your server to the Internet but does not accept inbound connections. A common example is a commercial VPN provider such as Mullvad or ProtonVPN. When you add a gateway to StartOS using a standard WireGuard configuration file, StartOS automatically detects it as an outbound only gateway.

You might want an outbound only gateway to hide your server’s real IP address from external services, protect against your ISP monitoring or logging your traffic, or route sensitive services through a trusted VPN provider for added privacy.

Adding a Gateway

Navigate to System > Gateways and click “Add”.
Upload or paste the WireGuard configuration file from your VPN provider or StartTunnel instance.

StartOS will automatically detect the gateway type:
- StartTunnel config files are recognized and marked as inbound-outbound gateways, capable of both receiving inbound connections and routing outbound traffic.
- All other WireGuard configs (e.g. Mullvad, ProtonVPN, or any standard WireGuard provider) are marked as outbound-only gateways.

Outbound Traffic

By default, StartOS dynamically selects which gateway to use for outbound traffic for maximum performance. You can override this behavior using the select dropdown in the “Outbound Traffic” section underneath the “Gateways” table. This forces all outbound traffic for everything on the server through the selected gateway.

Per Service Overrides

You can further override this on a per-service basis by navigating to a service and going to Actions > Set Outbound Gateway. This is useful for routing sensitive services through a commercial VPN while leaving other services on the default.

DNS

StartOS runs its own DNS server to resolve private domains for services on your server. This page covers how DNS works on StartOS and when you might need to change it.

How It Works

By default, StartOS obtains its DNS servers from your router via DHCP. For most users, the default settings require no changes. When you add a private domain, StartOS automatically creates a DNS record on its internal DNS server.

For private domains to work, the gateway they are assigned to must use StartOS for DNS. StartOS will test this automatically and guide you through the setup if needed. The details depend on your gateway type:

Router: Set StartOS as your router’s primary DNS server. All routers support this feature. Refer to your router’s user manual for detailed instructions.

Warning

It is possible that StartOS is already using your router for DNS. In this case, you cannot instruct your router to use StartOS for DNS, as this would be circular. If StartOS detects a potential circular DNS situation, it will warn you. To resolve this, switch to static DNS servers so StartOS no longer relies on your router.
StartTunnel: SSH into your StartTunnel VPS and run the following command:
```
start-tunnel dns defer
```

Tip

If your private domain is a real domain that you control, you can alternatively configure its DNS record at your registrar to resolve to your server’s LAN IP address. In this case, the StartOS DNS server is not needed.

Static DNS Servers

To view or change the DNS servers StartOS uses, navigate to System > DNS. To override the defaults, select “Static” and provide up to three DNS servers in order of preference.

Note

If you want to use a specific DNS provider (such as Cloudflare or Quad9), it is generally better to configure it in your router so that all devices on your network benefit, not just your server.

Creating Backups

Important

Creating backups is an essential responsibility of self-hosting. If you do not make backups, you will eventually lose your data.

Watch The Video

What You Need to Know

You can create backups to a physical drive plugged directly into your server, or over-the-air to another device on the same LAN (a network folder).
Backups are encrypted using your master password. If you change your password prior backups retain the original password.
Services may choose to exclude certain files or folders from the backup. For example, Bitcoin excludes the blockchain, since it can be recovered by re-syncing.
Backups can take minutes or hours to complete, depending on your hardware and quantity of data.
A service cannot be used while it is backing up. You may, however, continue to use your server and other services.
Upon completion, StartOS issues a backup report, indicating which services were backed up, as well as any errors.
Backups taken from a specific system architecture (x86, ARM, RISC-V) are backed up for just that architecture. If restored to another architecture, they will likely need to be reinstalled to run efficiently.

Best Practices

Even with proper backups the risk of data corruption is always non-zero. Therefore it is recommended to take additional care when backing up highly valuable or irreplaceable data like a lightning node:

High quality SSDs should be favored over HDDs as a backup target.
Backup to multiple targets.
If backing up to multiple targets make sure all backups are up to date.

Physical Drive

EXT4 is the recommended format of your backup drive. fat32 and exFAT are not recommended and may not work.

Warning

Backing up to USB thumb drives or SD card media is not recommended unless you are using high-endurance, high-quality storage. Low-quality flash memory is prone to corruption and failure over time.

If you are using a Raspberry Pi, backup drive must be self-powered, or be connected via a powered USB hub, to prevent possible data corruption.

Network Folder

A network folder backup sends your encrypted backup over the LAN to a shared folder on another device. First, create a shared folder on the target device, then connect to it from StartOS.

Step 1. Create a Shared Folder

Identify or create a folder to store your server backups.

Tip

This folder can be located on an external drive connected to your Mac.
Go to System Settings > General > Sharing and click the “info” icon.
Click the toggle to enable file sharing, then click the “plus” icon and select your backups folder.
Click “Options”.
Select the user who owns the folder.

Tip

You can find the hostname at the top of the sharing window. The hostname will be an address beginning with smb://. To use as hostname, disregard the smb:// and simply enter the IP address that follows it. Alternatively, you can use the computer hostname (open Terminal and type hostname). Either method will work.

Install Samba if not already:

sudo apt install samba && sudo systemctl enable smbd
Add your user to samba, replacing $USER with your Linux username.
```
sudo smbpasswd -a $USER
```
You will be prompted for your linux password. Then, you must create a new SMB password for the user with permission to write to your new backup share. Keep the password somewhere safe, such as Vaultwarden.
Identify or create a folder to store your server backups.

Tip

This folder can be located on an external drive connected to your Linux machine.
Right click the folder and click “Properties”.
Click “Local Network Share”.
Select “Share this folder” and give the folder a Share name. Remember the name, you will need it later. Then click “Create Share”.
If your installation of Ubuntu is running a firewall by default or due to your own custom configuration, enter this command to allow connections to Samba. If it generates an error, you can safely ignore it:

sudo ufw allow Samba

Install Samba if not already:

sudo apt install samba && sudo systemctl enable smbd
Add your user to samba, replacing $USER with your Linux username.
```
sudo usermod -a -G sambashare $USER
sudo smbpasswd -a $USER
```
You will be prompted for your linux password. Then, you must create a new SMB password for the user with permission to write to your new backup share. Keep the password somewhere safe, such as Vaultwarden.
Identify or create a folder to store your server backups.

Tip

This folder can be located on an external drive connected to your Linux machine.
Right click the folder and click “Sharing Options”.
Select “Share this folder” and give the folder a Share name (maximum 12 characters). Remember the name, you will need it later. Click “Create Share”.
If your installation of Mint is running a firewall by default or due to your own custom configuration, enter this command to allow connections to Samba. If it generates an error, you can safely ignore it:

sudo ufw allow Samba

Install Samba if it is not already installed.

Arch:
```
sudo pacman -S samba
```
Debian and Debian-based:
```
sudo apt install samba
```
CentOS/Redhat
```
sudo yum install samba
```
Fedora
```
sudo dnf install samba
```

Identify or create a folder to store your server backups. Make a note of the directory path. For example:
```
mkdir -p /home/$USER/start9-backup
```
replacing $USER with your Linux username and “start9-backup” with whatever you want the folder to be named.

Tip

This folder can be located on an external drive connected to your Linux machine.
Warning

If you are on Fedora 38+, you need to do an extra step to allow the Samba share in SELinux:
```
sudo semanage fcontext --add --type "samba_share_t" "/home/$USER/start9-backup(/.*)?"
sudo restorecon -R /home/$USER/start9-backup
```
Configure Samba by adding the following to the end of your /etc/samba/smb.conf file:
```
[backup-share]
    path = "/home/$USER/start9-backup"
    create mask = 0600
    directory mask = 0700
    read only = no
    guest ok = no
```
Where:
- [backup-share] can be replaced with whatever you want (must remain inside brackets). This is your Share Name. Remember the name, you will need it later.
- path is the directory path to the share folder from above.
Open a terminal and enter the following command, replacing $USER with your Linux username:
```
sudo smbpasswd -a $USER
```
This creates a password for the Local Network Share. Keep it somewhere safe, such as Vaultwarden.
If your Linux system has a firewall enabled by default or due to custom configuration, you may need to allow connections to Samba. The command varies depending on the firewall in use:
- For systems using UFW (commonly found on Debian-based distros):
```
sudo ufw allow Samba
```
- For systems using firewalld (common on RHEL-based distros):
```
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload
```

Step 2. Connect from StartOS

In StartOS, go to System > Create Backup.
Click “Open New”.
Complete the form:

Hostname: The hostname or IP address of your Mac (see the tip in the section above).
Path: The name of your shared folder, not the full directory path.
Username: Your Mac user who owns the shared folder.
Password: Your password for the above user.

Warning

If you receive Filesystem I/O Error mount error(13): Permission denied, ensure you have entered the correct values. The hostname can be particularly tricky.

Restoring Backups

Restore previously created backups to recover individual services or your entire server. This is for disaster recovery when a service is accidentally uninstalled or when your data drive is lost or corrupted.

Restoring Individual Services

This option should only be necessary if you accidentally uninstall a service.

Go to System -> Restore from Backup
Select your backup drive.
Decrypt the backup drive by entering the password that was used to create it.
Select the service(s) you want to restore and click “Restore Selected”.

Tip

If you’re restoring a backup taken from a different system architecture (x86, ARM, RISC-V) to the one you’re restoring to, you may need to reinstall services (not uninstall, since you will lose your data) from the marketplace after the restore completes to avoid running them more slowly in emulation.

Restoring an Entire Server

If your StartOS data drive is lost or corrupted and you need to restore your entire server, follow instructions here.

SMTP

Warning

This guide is not for using StartOS as an email server. It is for granting StartOS the simple ability to send emails through a 3rd party SMTP server.

Use Case

Adding SMTP credentials to StartOS makes it possible for certain services to send email notifications. Many services, such as NextCloud, Vaultwarden, Gitea, and others expect to send emails and require SMTP credentials to send them.

Getting SMTP Credentials

The guides below are for using Gmail, Amazon SES, or Proton Mail for SMTP, but you may also use another third party provider of your choice.

Access your Google 2-step verification settings: https://myaccount.google.com/signinoptions/two-step-verification.
Enable 2-Step verification if not already.
Under “App Passwords” (bottom), add a new App Password.
Choose a name for the new App Password. You may call it anything, such as “SMTP”, then click “Create”.
A random 16-character password will be created and shown to you. This is your app password. Save it somewhere secure, such as your Vaultwarden password manager, then click “Done”.
Now you can use this SMTP account for any service that has the capability to send an email. The table below shows all the details you may need:

Parameter Value

Host smtp.gmail.com

Port 587

Encryption TLS

Username your-username@gmail.com

Password your App Password (from above)

Parameter	Value
Host	smtp.gmail.com
Port	587
Encryption	TLS
Username	your-username@gmail.com
Password	your App Password (from above)

Configuring StartOS

Navigate to System > SMTP
Enter your SMTP credentials and hit “Save”.
On the same page, send yourself a test email. Remember to check your spam folder. If the email goes to spam, mark it as not spam.
For each service you want to use the credentials to send emails, go to the dashboard of that service, click “Actions”, and locate the relevant action.

SSH

Like other Linux distributions, StartOS allows you to go “under-the-hood” via Secure Shell Protocol (SSH).

Warning

Accessing your server via SSH is considered advanced. Please use caution, you can cause permanent damage to your server, potentially resulting in loss of data.

Using your StartOS Master Password

Open a terminal on your client device and enter:
```
ssh start9@SERVER-HOSTNAME
```
Replace SERVER-HOSTNAME with your server’s your-server-name.local address.

The first time you connect, you will see something like this:

The authenticity of host 'your-server-name.local (192.168.1.175)' can't be established.
ED25519 key fingerprint is SHA256:BgYhzyIDbshm3annI1cfySd8C4/lh6Gfk2Oi3FdIVAa.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type yes and hit Enter to start trusting the server’s SSH public key.

Enter your StartOS master password.

Using SSH Keys

In the StartOS UI, go to System > SSH
Click Add Key, paste in your key and click Save
Open a terminal on your client device and enter:
```
ssh start9@SERVER-HOSTNAME
```
Replace SERVER-HOSTNAME with your server’s your-server-name.local address.
Enter your key’s passphrase (if any)

Connecting via PuTTY on Windows

For Windows, following the command above will work. But if you prefer a GUI tool, BrewsBitcoin has created a guide for connecting via SSH using PuTTY on Windows

WiFi

Warning

A wired Ethernet connection provides significantly better reliability, throughput, and latency. WiFi is prone to intermittent drops that can interrupt backups, corrupt data transfers, and degrade service performance. Only use WiFi if Ethernet is truly not an option.

Requirements

Your server must have a compatible wireless interface. If no wireless hardware is detected, the WiFi page will display “No wireless interface detected” and no controls will be available.

Note

Servers sold by Start9 do not come with wireless networking cards, but a wireless card can be added to any of the servers we sell.

Enabling WiFi

WiFi is managed from System > WiFi. Use the toggle at the top of the page to enable or disable the wireless radio. When disabled, no networks will be scanned or connected.

Connecting to a network

Once WiFi is enabled, two lists are displayed:

Known Networks - Networks you have previously saved. Tap one to reconnect. Use the trash icon to forget a saved network.
Other Networks - Available networks detected nearby. Tap one to connect. If the network is secured, you will be prompted for the password.

Signal strength is indicated by the WiFi icon color: green (strong), yellow (moderate), or red (weak). A lock icon means the network requires a password.

Adding a hidden network

To connect to a network that does not broadcast its SSID, tap the Add button. Enter the network SSID and password, then choose:

Save for later - Saves the credentials without connecting immediately.
Save and connect - Saves the credentials and connects right away.

Troubleshooting

If a connection attempt fails, you will see a “Failed to connect” warning. Double-check the password and try again. The system retries several times before reporting failure, so the process may take a moment.

Updating StartOS

Note

There are no automatic updates in StartOS. Updating the operating system and service always requires explicit action. That said, we highly recommended keeping StartOS up to date for the latest security and performance patches, as well as to take advantage of new features.

Update through the UI

When a new version of StartOS is available, a rocket badge will appear on the “System” tab.
Go to System -> General -> Software Update.
Read the release notes and click “Begin Update”.

Warning

Ensure you have a stable Internet connection before beginning an OS update, and do not unplug your server while StartOS is downloading.
While the new version of StartOS is downloading, you may continue to use your device as usual.
Once the download is complete, you will be prompted to restart your server to complete the update.

Warning

Updates can take up to an hour to complete. During this time, there is no indication of progress and your StartOS UI will be unreachable. DO NOT UNPLUG YOUR SERVER DURING THIS TIME!

Update by Re-flashing

If you are updating to an unreleased version of StartOS, or something went wrong with a UI update (very rare), it may be necessary to update StartOS by re-flashing. Follow the guide for Installing StartOS.

Resetting Your Password

This guide should only be used if you have lost or forgotten your StartOS master password. If you are just wanting to change your password, that can be done through the main UI System > Change Password.

Download and flash the latest version of StartOS, using the appropriate installation guide for your hardware.
Visit http://start.local
When selecting your data drive, be sure to select “Keep my data”.
Create a new password and complete setup. All your previous addresses and data will be preserved.

CLI Reference

StartOS can be fully managed from the command line using start-cli. Connect via SSH and run:

start-cli --help

Authentication

start-cli auth login
start-cli auth logout
start-cli auth reset-password
start-cli auth session list
start-cli auth session kill

Server

Restart, shutdown, update, and configure the server.

start-cli server restart
start-cli server shutdown
start-cli server update
start-cli server logs
start-cli server kernel-logs
start-cli server metrics
start-cli server time
start-cli server update-firmware
start-cli server set-smtp
start-cli server test-smtp
start-cli server clear-smtp
start-cli server set-language
start-cli server set-keyboard
start-cli server set-ifconfig-url
start-cli server experimental governor
start-cli server experimental zram

Packages

Install, manage, and monitor services.

start-cli package list
start-cli package install
start-cli package start <PACKAGE>
start-cli package stop <PACKAGE>
start-cli package restart <PACKAGE>
start-cli package uninstall <PACKAGE>
start-cli package logs <PACKAGE>
start-cli package action run <PACKAGE> <ACTION>
start-cli package rebuild <PACKAGE>
start-cli package set-outbound-gateway <PACKAGE>

Backups

Create backups and manage backup targets (network shares).

start-cli backup create
start-cli backup target list
start-cli backup target cifs
start-cli backup target mount <TARGET>
start-cli backup target umount <TARGET>
start-cli package backup restore

Networking

Manage gateways, DNS, ACME certificates, and tunnels.

# Gateways
start-cli net gateway list
start-cli net gateway set-name <GATEWAY> <NAME>
start-cli net gateway set-default-outbound <GATEWAY>
start-cli net gateway check-dns <GATEWAY>
start-cli net gateway check-port <GATEWAY>
start-cli net gateway forget <GATEWAY>

# DNS
start-cli net dns set-static
start-cli net dns query <DOMAIN>

# ACME (Let's Encrypt)
start-cli net acme init
start-cli net acme remove

# Tunnels
start-cli net tunnel add
start-cli net tunnel remove

SSH

Manage authorized SSH keys.

start-cli ssh add
start-cli ssh list
start-cli ssh remove

WiFi

Connect to and manage wireless networks.

start-cli wifi add
start-cli wifi connect
start-cli wifi remove
start-cli wifi get
start-cli wifi available
start-cli wifi country
start-cli wifi set-enabled

Notifications

View and manage system notifications.

start-cli notification list
start-cli notification mark-seen
start-cli notification remove

Kiosk

Enable or disable kiosk mode for the local display.

start-cli kiosk enable
start-cli kiosk disable

Disk

List disks and repair filesystem issues.

start-cli disk list
start-cli disk repair

Diagnostics

Troubleshoot issues with logs and container rebuilds.

start-cli diagnostic logs
start-cli diagnostic kernel-logs
start-cli diagnostic error
start-cli diagnostic restart
start-cli diagnostic rebuild

Architecture

StartOS is a Linux distribution purpose-built for running a personal server. Unlike general-purpose operating systems designed for desktops and laptops, StartOS provides a graphical interface for discovering, installing, configuring, and managing self-hosted services — no command line required.

This page describes how StartOS is designed and how its components fit together. For implementation details, see the start-os repository.

Components

StartOS is composed of four major components:

Core — A Rust backend that manages system state, service lifecycles, networking, storage, and the API. It compiles into a single binary (startbox) that is symlinked to serve as the system daemon (startd), the CLI (start-cli), and other utilities.
Web UI — An Angular frontend that provides the admin interface, setup wizard, and marketplace. It communicates with the backend over JSON-RPC and WebSocket.
Container Runtime — A Node.js process that runs inside each service’s LXC container, loading the package’s JavaScript and managing subcontainers, health checks, and effects callbacks.
SDK — A TypeScript library that package developers use to define service metadata, daemons, actions, interfaces, and other behaviors. The SDK compiles into the JavaScript bundle shipped inside each package.

Service Model

Every service on StartOS runs inside its own isolated LXC container. This provides process isolation, filesystem isolation, and network namespacing without the overhead of full virtual machines.

S9PK Package Format

Services are distributed as .s9pk files — a custom archive format built on a merkle tree. An S9PK contains:

manifest.json — Package metadata: ID, title, version, license, descriptions, alerts, dependency declarations, and image definitions.
icon — The package icon displayed in the marketplace and UI.
LICENSE.md — The applicable license.
javascript.squashfs — The compiled SDK code that defines the service’s behavior on StartOS (daemons, actions, health checks, interfaces, etc.).
images/ — Container root filesystem images (squashfs), organized by CPU architecture (x86_64, aarch64, riscv64).
assets.squashfs — Optional static assets mounted read-only into the container.

The merkle archive format enables partial downloads, integrity verification of subsets, efficient updates (only changed portions need re-downloading), and size limit enforcement before completing a download.

S9PK files are cryptographically signed (Ed25519) so that users and registries can verify package authenticity.

Service Lifecycle

A service moves through several lifecycle stages, each of which can trigger package-defined code:

Install — The S9PK is unpacked, container images are extracted, volumes are created, and the package’s setupOnInit function runs with kind: 'install'. This is where packages generate initial secrets, create default configuration, and prompt the user for required setup via tasks.
Actions — Actions are operations defined by the package that appear as buttons in the UI. They can display information (e.g., show admin credentials), accept user input (e.g., configure SMTP), or modify the service’s state. Actions can run whether the service is started, stopped, or both.
Tasks — Tasks are notifications that prompt the user to run a specific action. Packages create tasks during initialization or at runtime to guide the user through required setup steps. Tasks have a severity level: critical tasks block the service from starting until completed, while lower-severity tasks are informational.
Start — The package’s setupMain function runs, which defines daemons (long-running processes), oneshots (startup tasks like migrations), and health checks. Daemons run inside subcontainers created from the package’s images.
Update — When a new version is installed, the package’s version migration code runs, transforming stored data as needed. The setupOnInit function runs again with kind: 'install'.
Backup — StartOS creates an encrypted backup of the service’s designated volumes. Services can exclude data that is recoverable by other means (e.g., Bitcoin excludes the blockchain).
Restore — A backup is decrypted and restored. The setupOnInit function runs with kind: 'restore', allowing the package to re-register triggers or re-prompt the user.
Uninstall — The container and its volumes are removed.

Container Architecture

When a service starts, the container runtime loads the package’s JavaScript and uses it to create subcontainers from the package’s images. The relationship looks like this:

LXC Container (managed by StartOS)
└── Container Runtime (Node.js)
    └── Package JavaScript (from s9pk)
        ├── SubContainer A (e.g., the main application)
        ├── SubContainer B (e.g., a database)
        └── Health Checks

The container runtime communicates with the StartOS host via JSON-RPC over a Unix socket. This is how packages invoke “effects” — host-level operations like reading configuration, resolving hostnames, accessing the network, or creating user-facing tasks.

Volumes

Each service has one or more named volumes for persistent data. Volumes survive container restarts, updates, and restores. They are id-mapped to the container’s user namespace for security. Packages declare which volumes to include in backups.

Networking

StartOS provides multiple ways to access services, all managed through the UI.

LAN Access

Services are accessible over the local network using mDNS hostnames (your-server-name.local). StartOS runs its own DNS resolver and issues TLS certificates from a local Certificate Authority (CA). Users trust this CA on their client devices to get HTTPS connections over LAN without browser warnings.

Tor

Tor is available as a marketplace service. Once installed, users can enable onion addresses for any service through the Tor service’s actions. Tor provides access from anywhere without port forwarding or exposing your IP address.

Clearnet

Services can be exposed to the public internet using a domain name. This requires a clearnet gateway — a WireGuard-based tunnel to a server with a public IP and domain. StartTunnel is one such gateway, but any WireGuard configuration can be used for outbound traffic.

Gateways

A gateway is a WireGuard tunnel that routes traffic between a StartOS server and the outside world. Gateways can be:

Inbound + Outbound — Routes both incoming and outgoing traffic (e.g., StartTunnel). This enables clearnet access to services.
Outbound only — Routes only outgoing traffic through the tunnel (e.g., a commercial VPN). This masks your server’s IP for outbound connections.

StartOS auto-detects the gateway type from the WireGuard configuration file. A system-wide default gateway can be set, and individual services can override it.

Holesail

Holesail is available as a marketplace service for peer-to-peer tunneling using the Hyperswarm DHT. It provides an alternative to Tor for remote access without port forwarding.

State Management

StartOS uses Patch-DB, a custom diff-based database, to manage system state. The key property of Patch-DB is reactive synchronization: when the backend mutates state, the frontend receives only the diff (patch) over a WebSocket connection. This means the UI always reflects the current system state without polling.

The database has two layers:

Public model — Synced to the frontend. Contains everything the UI needs: service status, installed packages, system settings, network configuration, notifications.
Private model — Backend-only. Contains internal state like cryptographic keys, session tokens, and operational data that should never leave the server.

Security

Container Isolation

Each service runs in its own LXC container with:

Separate filesystem (id-mapped volumes)
Network namespace isolation
Resource limits
No direct access to host resources except through the effects API

Encrypted Backups

All backups are encrypted using the user’s master password. Backups can be stored on physical drives or network shares (SMB/CIFS). Each service’s backup retains the password that was active when the backup was created.

Authentication

The web UI is protected by password authentication with session cookies. The API uses JSON-RPC with session-based auth. SSH access is available for advanced users but is not required for normal operation.

Package Signing

S9PK files are signed with Ed25519 keys. The registry and StartOS verify signatures before installing packages, ensuring that packages have not been tampered with.

Tech Stack

Component	Technology
Backend	Rust (async Tokio, Axum)
Frontend	Angular, TypeScript, Taiga UI
Container Runtime	Node.js, TypeScript
Containers	LXC
Database	Patch-DB (custom, diff-based)
API	JSON-RPC
Package Format	S9PK (merkle archive, Ed25519 signed)
Networking	WireGuard, Tor (Arti), mDNS, ACME
Supported Archs	x86_64, aarch64, riscv64

Source Code

StartOS is fully open source. The main repository is Start9Labs/start-os on GitHub. See the repository’s CONTRIBUTING.md for build instructions and development setup.

Flashing Firmware

These guides are for updating the BIOS/firmware on Start9-branded server hardware. They are not needed for DIY builds or for installing/updating StartOS itself.

Server Pure
Server One (2023)

Flashing Firmware - Server Pure

This page is for the Server Pure only. It will not work on other devices.

Generally, you do not need to manually flash your device using this guide, as the firmware is now automatically updated on supported devices. Please only use this method if directed by a Start9 Support Technician. If you were told to “flash your device”, you are looking for the StartOS flashing guides instead.

You Will Need

A monitor and keyboard.
A USB stick, formatted FAT32.

Instructions

Power down your server if not already.
Connect a monitor and keyboard to your server using two of the USB3 (blue) ports.
Download the right firmware:
- Models without WiFi - Download Standard
- Models with WiFi - Download Standard | Download Jailed WiFi
Note

The Jailed WiFi variation deactivates WiFi at the firmware level so it can never be turned on
Copy or move the zip file to the USB stick.
Eject the USB stick and insert it into your server using a USB3 (blue) slot.
Turn on the server while pressing the ESC key on the keyboard repeatedly until you see the PureBoot Basic Boot Menu screen. Select “Options –>”.
Select “Flash/Update the BIOS”.
Select “Flash the firmware with a new ROM, erase settings”.
The system will ask if you want to proceed flashing the BIOS with a new ROM, select “Yes”.
Choose the file that we downloaded and copied to the USB stick.
Confirm you want to proceed with the flash by selecting “Yes”.
The BIOS will be re-flashed with the new firmware. This may take a few minutes. When complete, remove the firmware USB, then select “OK” to complete the process.

Flashing Firmware - Server One (2023)

Start9’s 2023 Server One was the Intel NUC11ATKC4, whose BIOS was refered to as “ATJSLCPX” by Intel, and whose latest release was AT0043.cap before they officially discontinued support for the product line.

You Will Need

A monitor and keyboard.
A USB stick, formatted FAT32.

Instructions

Download Intel_ATJSLCPX-AT0043.cap to the USB stick

Tip

If you wish to confirm the integrity of your download before you flash it, here is the sha256sum:

e72c356cdefa90486c031b7bd3d616cfd4e34e76dffb9f3ba72928355db3185b Intel_ATJSLCPX-AT0043.cap
Insert the power cable, video cable, keyboard, mouse, and USB stick with the ATJSLCPX BIOS into the Server One.
Power the unit on and continually press F7 on your keyboard to launch the BIOS update screen.
Press enter 3 times to update the BIOS by selecting and confirming your intention to flash Intel_ATJSLCPX-AT0043.cap from the USB stick.
Power the unit off when it reboots, and remove the BIOS USB stick.
Power the unit on and continually press F2 to enter the bios settings.
Arrow up, then right to the Power menu (near the top right).
Arrow to Secondary Power Settings at the bottom.
Arrow down to After Power Failure and set the value to “Power On”.
Arrow to Wake on LAN from S4/S5 and set the value to “Stay Off”.
Arrow up, then over to the Boot menu (top right).
Arrow down to Boot Priority.
Set all 4 UEFI PXE & HTTP Network boot options to “Disabled”.
Arrow down to Boot USB Devices First and enable (check) it.
Hit F10 to save changes and exit, followed by “Yes”.

FAQ

Common issues encountered during setup and daily use of StartOS, including network connectivity problems, diagnostic mode, clock sync failures, and service-specific troubleshooting.

I do not have access to Ethernet

Ethernet is strongly recommended. Servers are always-on, critical devices and should use a wired connection. However, if you do not have access to a router, such as in a work or school environment, there are two options:

Server has a WiFi card (DIY builds only — Start9 servers do not ship with one): Connect a monitor and keyboard to your server (kiosk mode). If no Ethernet interface is detected, you will be prompted to connect to a WiFi network. See WiFi for more details.
Server does not have a WiFi card: Use a WiFi extender to bridge the local WiFi network to Ethernet, then connect your server to the extender. The extender below has been tested with StartOS, but others should also work.
- TP-Link AC750 WiFi Range Extender

StartOS boots into “Diagnostic Mode”

If you encounter Diagnostic Mode, your best bet is stop clicking and contact support.

During initial setup, I am unable to connect to “start.local”.

Confirm that the server is plugged into power and Ethernet
Confirm that your phone/computer is connected to the same network as the server.
Confirm your phone/computer is not connected to a “Guest” network
Confirm you are not using the Tor Browser.
Confirm your phone/computer is not using a VPN, or that if you are, that it allows LAN connections, such as the examples below:
- Mullvad - Go to Settings -> VPN Settings -> Local Network Sharing
- ProtonVPN - Go to Preferences -> Connection -> Allow LAN Connections
Very rarely, your firewall settings may block mDNS. In this case:
- From your browser, navigate to your router configuration settings. This is usually an IP address such as 192.168.1.1. A simple web search will usually reveal how to access the router configuration settings for a particular brand.
- Once in the router config settings, find the section that lists the devices on your network. You should see a device labeled start. Take note of the associated IP address and enter it into your browser’s URL field to enter the setup.
Log into your router (the directions for which can be found with a simple web search for your router model and ‘how to log in’). Once you are in your router, find the device labeled “start”, and visit its associated IP address, which will look something like: 192.168.1.9

I am unable to connect to my server’s “custom-address.local” URL

First, try :ref:these step <setup-troubleshoot>. In none resolve the issue, continue below.
Hard refresh the browser:
- Linux/Windows: ctrl+shift+R
- macOS Firefox: cmd+shift+R
- macOS Safari: cmd+option+E, then cmd+R
Make sure you have successfully followed the :ref:connecting-lan instructions for your device.
If you are using Windows, the problem is almost certainly with Bonjour. Follow the :ref:directions to reinstall <connecting-lan-windows>, even if you have already done so.
If using Firefox from Mac, Windows or Android, ensure you have set security.enterprise_roots.enable to true in about:config per the :ref:instructions<ca-ff>
Try connecting using your server’s IP address. If this works, it means your issue is specific to .local. Try clearing your browser cache and/or restarting your phone/laptop/router. If all fails, try restarting your server.
Try connecting using a different browser on the same device. If this works, it means you need to clear cache on your current browser.
Try connecting using a different device. If this works, it means you need to clear cache on your current browser and/or restart your current device.
Try visiting start.local. Your server may be in diagnostic mode.
Try restarting your router.
Try restarting your server. Be patient and give it plenty of time to come back online.

I am unable to connect to my server’s “xxxxxxxxxxxxxxxxxx.onion” URL

Tor can be slow and unreliable. Often, the solution to poor connectivity is just to wait an hour and try again.
Confirm that the Tor service is installed and running on your server.
Confirm that you have created an onion service for the interface you are trying to reach. See Tor.
Try connecting using the official Tor Browser. If this works, it means the issue is with your current browser or the Tor daemon running on your phone/laptop. Try clearing cache and restarting things.
Try connecting to your server using its .local URL or IP address. If this works, the issue is specific to Tor. Try restarting the Tor service on your server.

Request Error

This means your client device failed to connect to the server. This can happen for a variety of reasons. The best course of action is:

Check your local Internet connection.
Hard refresh the browser.
Clear the browser cache/history.
Try using a different address for your server. For example, if you are using your .local address, try your IP address instead, or vice versa.
Try from another client device. If the second client works, then you know the issue is with your first client. If the seconds client does not work, then you know the issue is either with your clients’ network or with your server.
If after completing the steps above, you still cannot connect using any address from any client, then you will likely need to manually power cycle the server.
If power cycling the server does not resolve the issue, please contact support.

Clock Sync Failure

This means your server was unable to sync its clock with the Internet using the Network Time Protocol (NTP). This is usually due to a firewall issue with your network/router. Make sure you are not blocking NTP. If the issue persists, please contact support.

Issue with a particular service

If a service is misbehaving or crashing, check the logs for that service. Look for any errors that might explain the problem. Often, the solution is to restart the service by clicking “Restart”. If the issue persist, contact support.

Common Speaker Noises

The Server Pure (2023 and older) and and Server One (2022 and older) have an internal speaker. Below are the meanings of various noises.

bep: Server is starting up
chime: Server is ready
double/triple bep: Server is updating
flatline: Server initialization failed / no network connection
Beethoven’s 5th: Something has gone wrong. Visit http://start.local to view Diagnostic Mode and contact support.

Keyboard shortcuts

StartOS