start-tunnel CLI Reference

The start-tunnel CLI manages a StartTunnel server — a WireGuard-based gateway that provides clearnet access to devices behind NAT. Run it directly on the StartTunnel server, or use start-cli tunnel to manage it remotely from a StartOS server.

Global Options

-c, --config <PATH> — Configuration file path
-H, --host <URL> — StartOS server URL
-r, --registry <URL> — Registry URL
--registry-hostname <HOST> — Registry server hostname
-t, --tunnel <URL> — Tunnel server address
-p, --proxy <URL> — HTTP/SOCKS proxy
--cookie-path <PATH> — Cookie file path
--developer-key-path <PATH> — Developer signing key path

Authentication

Manage passwords, sessions, and authorized SSH keys for remote access.

`start-tunnel auth logout <SESSION>`

End an authentication session.

`start-tunnel auth set-password`

Set the web UI password.

`start-tunnel auth reset-password`

Reset the web UI password.

`start-tunnel auth get-pubkey`

Retrieve the server’s public key.

`start-tunnel auth session list`

List active sessions.

--format — Output format

`start-tunnel auth session kill [IDS...]`

Terminate sessions.

`start-tunnel auth key add <NAME> <KEY>`

Add an authorized SSH key.

`start-tunnel auth key list`

List authorized SSH keys.

--format — Output format

`start-tunnel auth key remove <KEY>`

Remove an authorized SSH key.

Subnets

Create and remove WireGuard subnets. Each subnet is an isolated network. The <SUBNET> argument is passed to the parent subnet command.

`start-tunnel subnet <SUBNET> add <NAME>`

Create a new subnet with the given name.

`start-tunnel subnet <SUBNET> remove`

Remove a subnet and all its devices.

Devices

Manage devices within a subnet. Each device gets a unique WireGuard configuration.

`start-tunnel device add <SUBNET> <NAME> [IP]`

Add a device to a subnet. Optionally assign a specific IP address.

`start-tunnel device list <SUBNET>`

List all devices in a subnet.

--format — Output format

`start-tunnel device remove <SUBNET> <IP>`

Remove a device from a subnet.

`start-tunnel device show-config <SUBNET> <IP> [WAN_ADDR]`

Display the WireGuard configuration file for a device. Optionally override the WAN address in the generated config.

Port Forwarding

Expose a device’s port on the server’s public IP.

`start-tunnel port-forward add <SOURCE> <TARGET>`

Add a port forwarding rule mapping a public source to a private target.

--label <LABEL> — Human-readable label

`start-tunnel port-forward remove <SOURCE>`

Remove a port forwarding rule.

`start-tunnel port-forward set-enabled <SOURCE>`

Enable or disable a port forwarding rule.

--enabled — Enable the rule

--format — Output format

`start-tunnel update apply`

Apply an available update.

--format — Output format

--format — Output format

--format — Output format

`start-tunnel web get-available-ips`

List available IP addresses for binding.

--format — Output format

Database

Low-level access to the StartTunnel database.

`start-tunnel db dump [-p <POINTER>] [PATH]`

Dump database contents, optionally filtered by JSON pointer.

-p, --pointer <PTR> — JSON pointer to specific value
--format — Output format

`start-tunnel db apply <EXPR> [PATH]`

Apply a patch expression to the database.

Keyboard shortcuts

StartTunnel