Installing

Install StartTunnel on a Debian VPS by renting a server, running the one-line installer script, and initializing the web interface. The entire process takes just a few minutes.

Get a VPS

Rent a cheap Debian 12+ VPS with a dedicated public IP. Minimum CPU/RAM/disk is fine. For bandwidth, no need to exceed your home Internet’s upload speed.

Requirements

Debian 13
Root access
Public IP (required for clearnet port forwarding; not required for private VPN use)

Important

StartTunnel is designed to be the sole application on your VPS. The installer disables UFW and manages its own firewall rules via iptables. Do not run other Internet-facing services on the same VPS.

Run the installer

SSH into your VPS and run:

curl -sSL https://start9labs.github.io/start-tunnel/install.sh | sh

Note

If DNS resolution is not working on your VPS, the installer will configure public DNS resolvers (Google, Cloudflare, Quad9) and back up your existing /etc/resolv.conf.

Initialize the web interface

StartTunnel can be fully managed from the command line, but it also offers a web UI for convenience. To set it up, run:

start-tunnel web init

This initializes a web server, creates a random password, and configures an SSL certificate. You will be prompted to either generate a new Root CA or provide your own certificate.

Save the URL and password to your password manager.

Note

The URL, password, and certificate are only for accessing your StartTunnel’s web user interface. None are needed to use StartTunnel from the command line.

Certificate options

When prompted for a certificate, you have two choices:

If you already have a StartOS server and have trusted its Root CA, you can sign the StartTunnel certificate with that same CA. This means your browser will trust the StartTunnel web UI automatically — no additional certificate to manage.

On your StartOS server, generate a certificate for your StartTunnel’s hostname or IP:
```
start-cli net ssl generate-certificate <HOSTNAME_OR_IP>
```
This outputs a private key and certificate chain in PEM format.
During start-tunnel web init, when prompted for a certificate, select Provide.
Paste the private key first and press Enter. You may need to press Enter an extra time for it to be accepted.
Paste the certificate chain next and press Enter. Again, you may need to press Enter an extra time.

Select Generate when prompted. StartTunnel will create its own Root CA and use it to sign a certificate. The Root CA will be printed to the console.

Trust the Root CA on each device that will access the web UI. Select your operating system:

Open the Terminal app.
Type or paste the following command (do not press Return yet):
```
pbpaste > ~/Desktop/tunnel-ca.crt
```
Again, do not press Return yet.
Copy your Root CA to clipboard from the console output (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). do not paste it anywhere.
Back in Terminal, just press Return. The file tunnel-ca.crt is saved to your Desktop.
Trust the certificate.

Next steps

Subnets — Create isolated VLANs
Devices — Add servers, phones, and laptops
Port Forwarding — Expose ports on your VPS’s public IP

Keyboard shortcuts