Clearnet

Make your services publicly reachable on the Internet using standard domains (.com, .net, etc.) or public IP addresses. This requires a gateway, a domain name, and DNS configuration.

Use Case

This connection method permits hosting a service interface on the public Internet.

Choosing a Gateway

When hosting services on the clearnet, anyone who connects will know the IP address of the gateway used. Knowing a gateway’s IP address reveals its approximate geographic location:

| Geographic Location | Detection Accuracy |
|---|---|
| Country | 99% |
| State / Region | 95–99% |
| City (large metro) | 60–80% |
| Zip Code / Neighborhood | 30–50% |
| Exact Street Address | Requires ISP subpoena |

If your gateway is your home router, you are revealing the approximate location of your home. If your gateway is a VPS running StartTunnel, you are revealing the approximate location of the VPS, not your home.

Which gateway you select will depend on your threat model and budget:

  • Router: If you have no issue revealing your approximate location, use your router as your clearnet gateway (free). Since home IP addresses can change without warning, we highly recommend setting up dynamic DNS. Many routers offer this as a built-in feature. If not, third-party services are available. Without dynamic DNS, a change to your home IP will make your domains unreachable until you update their DNS records.

    Warning

    If your Internet Service Provider (ISP), such as Starlink, uses Carrier-grade NAT (CGNAT), you share an IP address with other customers, so it is not possible to use your router as a clearnet gateway. You must use StartTunnel instead.

  • StartTunnel: If you want to obfuscate your home IP address, or your ISP uses CGNAT, you can use a StartTunnel gateway. Refer to the StartTunnel guide.

Adding a Public Domain

With few exceptions, you should add a domain to your service interface so that you and others can access it seamlessly, just like any other website or API.

  1. On the service interface page, click “Add Domain” on the desired gateway’s table and select “Public Domain”.

    Warning

    CGNAT gateways, such as Starlink, cannot be used for clearnet hosting. You must use a StartTunnel gateway. Refer to the StartTunnel guide.

  2. Enter the fully qualified domain name. For example, if you control domain.com, you could enter domain.com or public.domain.com or nextcloud.public.domain.com, etc.

  3. Select a Certificate Authority to sign the certificate for this domain.

    • Local Root CA: Good for personal access. Only devices that have downloaded and trusted your server’s Root CA will be able to access the domain without issue.
    • Let’s Encrypt: Good for public access. All devices trust Let’s Encrypt certificates by default.
  4. Click “Save”.

  5. StartOS will automatically test your DNS record and port forwarding. If both pass, the domain is ready to use. If either test fails, a setup modal will appear showing the failing tests with instructions to remedy and the ability to re-test.

Configuring DNS

StartOS tests DNS automatically when you add or enable a public domain, and will guide you through the setup if the test fails. For reference, here is what is needed:

  1. Access your domain’s DNS settings, usually in the registrar where you originally leased the domain.

  2. Create a DNS record that points your domain to your gateway’s public IP address. If you use subdomains, consider creating a wildcard record (e.g., *.domain.com) so that future subdomains work without additional records.

    Tip

    It might take a few minutes for DNS changes to propagate. You can check propagation using https://dnschecker.org.

Port Forwarding

To expose a public domain or public IP address to the Internet, the appropriate port must be forwarded in the corresponding gateway. StartOS tests port forwarding automatically when you add or enable a public address, and will guide you through the setup if the test fails.

Tip

Most websites and APIs on the Internet are hosted on port 443. Port 443 is so common, in fact, that apps and browsers infer its presence. The absence of a port means the port is 443. With rare exceptions, domains on StartOS also use port 443, and that is why your domains usually do not display a port. The port forwarding rule needed for these standard domains is always the same, which means you only have to do it once!

How you create a port forwarding rule depends on the type of gateway.

  • Routers: Port forwarding is supported by all routers and easy to do. Refer to your router’s manual for instructions.

  • StartTunnel: Refer to the StartTunnel Port Forwarding guide.
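
The three conditions this page depends on (no CGNAT in front of the router, a DNS record pointing at the gateway, and a working port 443 forward) can be checked by hand with the sketch below. It is an added example, not StartOS code or the test StartOS runs; the function names are hypothetical, and the router WAN address and the externally seen address are assumed to be values you look up yourself.

```python
import ipaddress
import socket

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, seen_public_ip):
    """Classify the router's WAN address (hypothetical helper).

    wan_ip: address shown on the router's WAN/status page.
    seen_public_ip: address an external "what is my IP" service reports.
    Only "public" means the router itself can be the clearnet gateway.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in PRIVATE):
        return "private-upstream-nat"
    if wan != ipaddress.ip_address(seen_public_ip):
        return "address-mismatch"
    return "public"


def resolve_a(fqdn):
    """IPv4 addresses the system resolver returns for fqdn."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def dns_points_at_gateway(fqdn, gateway_ip, resolver=resolve_a):
    """True only if fqdn resolves and every A record is the gateway's IP."""
    try:
        answers = resolver(fqdn)
    except OSError:  # includes socket.gaierror (no such name)
        return False
    return bool(answers) and answers == {gateway_ip}


def port_open(host, port=443, timeout=5.0):
    """True if a TCP connection succeeds. Run from outside the LAN:
    some routers do not hairpin, so an inside test can fail wrongly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Any `classify_wan` result other than `"public"` means the router cannot serve as the gateway and StartTunnel is the option this page gives.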