Installing

Install StartTunnel on a Debian VPS by renting a server, running the one-line installer script, and initializing the web interface. The entire process takes just a few minutes.

Before setting up a VPS, make sure you have an SSH key pair on your laptop or desktop — this is how you’ll log into the server. Most providers require you to upload your public key during server creation. If you don’t have one yet, open a terminal on your computer and run:

ssh-keygen -t ed25519

Your public key will be at ~/.ssh/id_ed25519.pub. You’ll paste its contents into your VPS provider’s dashboard when creating the server.

Get a VPS

Rent a cheap VPS with a dedicated public IP. Minimum CPU/RAM/disk is fine. For bandwidth, no need to exceed your home Internet’s upload speed.

Requirements

Debian 13
Root access
Public IP (required for clearnet port forwarding; not required for private VPN use)

Important

StartTunnel is designed to be the sole application on your VPS. The installer disables UFW and manages its own firewall rules via iptables. Do not run other Internet-facing services on the same VPS.

Cloud firewalls

Some VPS providers have a cloud-panel firewall that sits outside the operating system. This firewall can silently block WireGuard traffic (UDP 51820) before it ever reaches your VPS, even if the OS firewall is correctly configured. If your provider is listed below, you must open UDP 51820 in the cloud panel before devices can connect.

Note

Providers like Hetzner, DigitalOcean, Vultr, and Linode have optional cloud firewalls that are not enabled by default. If you haven’t explicitly enabled one, no action is needed.

IONOS VPSes have a hardware-level firewall that by default only allows TCP 22, 80, 443, 8443, and 8447. UDP 51820 is blocked before it reaches the VM.

Log into the IONOS Cloud Panel.
Go to Server & Cloud → select your VPS → Network → Firewall Policies.
Add an inbound rule: Protocol = UDP, Port = 51820.
Save and apply.

Oracle Cloud has two firewalls that both need to be opened: the VCN Security List (cloud-level) and OS-level iptables rules pre-installed on the image.

Cloud-level (Security List):

In the OCI Console, go to Networking → Virtual Cloud Networks → select your VCN.
Select your subnet’s Security List.
Add an Ingress Rule: Source CIDR = 0.0.0.0/0, IP Protocol = UDP, Destination Port Range = 51820.

OS-level (if using Oracle Linux):

sudo firewall-cmd --add-port=51820/udp --permanent
sudo firewall-cmd --reload

Warning

Both layers must be opened. Opening only one will still block WireGuard.

Connect to your VPS

Most providers let you add an SSH public key during server creation. If you did, connect with:

ssh root@<VPS_IP>

Some providers (notably IONOS standard VPS) only provide a root password at provisioning — no SSH key option. If your provider emailed or displayed a root password, connect with:

ssh root@<VPS_IP>

Enter the password when prompted.

Run the installer

Run:

curl -sSL https://start9labs.github.io/start-tunnel/install.sh | sh

Note

If DNS resolution is not working on your VPS, the installer will configure public DNS resolvers (Google, Cloudflare, Quad9) and back up your existing /etc/resolv.conf.

Initialize the web interface

StartTunnel can be fully managed from the command line, but it also offers a web UI for convenience. To set it up, run:

start-tunnel web init

This initializes a web server, creates a random password, and configures an SSL certificate. You will be prompted to either generate a new Root CA or provide your own certificate.

Save the URL and password to your password manager.

Note

The URL, password, and certificate are only for accessing your StartTunnel’s web user interface. None are needed to use StartTunnel from the command line.

Certificate options

When prompted for a certificate, you have two choices:

If you already have a StartOS server and have trusted its Root CA, you can sign the StartTunnel certificate with that same CA. This means your browser will trust the StartTunnel web UI automatically — no additional certificate to manage.

On your StartOS server, generate a certificate for your StartTunnel’s hostname or IP:
```
start-cli net ssl generate-certificate <HOSTNAME_OR_IP>
```
This outputs a private key and certificate chain in PEM format.
During start-tunnel web init, when prompted for a certificate, select Provide.
Paste the private key first and press Enter. You may need to press Enter an extra time for it to be accepted.
Paste the certificate chain next and press Enter. Again, you may need to press Enter an extra time.

Select Generate when prompted. StartTunnel will create its own Root CA and use it to sign a certificate. The Root CA will be printed to the console.

Trust the Root CA on each device that will access the web UI. Select your operating system:

Open the Terminal app.
Type or paste the following command (do not press Return yet):
```
pbpaste > ~/Desktop/tunnel-ca.crt
```
Again, do not press Return yet.
Copy your Root CA to clipboard from the console output (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). do not paste it anywhere.
Back in Terminal, just press Return. The file tunnel-ca.crt is saved to your Desktop.
Trust the certificate.

Next steps

Subnets — Create isolated VLANs
Devices — Add servers, phones, and laptops
Port Forwarding — Expose ports on your VPS’s public IP

StartTunnel