StartTunnel

A self-hosted WireGuard VPN optimized for creating VLANs and reverse tunneling to personal servers.

Think of it as a “virtual router in the cloud.” Use it for private remote access to self-hosted services, or to expose services to the public Internet without revealing your server’s IP address.

  • Clearnet hosting like Cloudflare Tunnels, but you control the server
  • Private access like Tailscale, but fully self-hosted
  • Dead simple — one command to install, manage everything from the CLI or web UI
  • Open source — audit it, fork it, own it

Installing

Install StartTunnel on a Debian VPS by renting a server, running the one-line installer script, and initializing the web interface. The entire process takes just a few minutes.

1. Get a VPS

Rent a cheap Debian 12+ VPS with a dedicated public IP. Minimum CPU/RAM/disk is fine. For bandwidth, no need to exceed your home Internet’s upload speed.

Requirements

  • Debian 12+ (Bookworm or newer)
  • x86_64, aarch64, or riscv64
  • Root access
  • Public IP (required for clearnet port forwarding; not required for private VPN use)

Important

StartTunnel is designed to be the sole application on your VPS. The installer disables UFW and manages its own firewall rules via iptables. Do not run other Internet-facing services on the same VPS.

2. Run the installer

SSH into your VPS and run:

curl -sSL https://start9labs.github.io/start-tunnel/install.sh | sh

Note

If DNS resolution is not working on your VPS, the installer will configure public DNS resolvers (Google, Cloudflare, Quad9) and back up your existing /etc/resolv.conf.

3. Initialize the web interface

start-tunnel web init

You will be guided through setup and shown your web URL, password, and Root CA certificate. To access the web interface without browser warnings, trust the Root CA on your device.

On subsequent runs (e.g. after updating), the password is not shown again. If you forget it, reset it with start-tunnel auth reset-password.

4. Next steps

User Manual

Guides for managing subnets, adding devices, configuring port forwards, updating StartTunnel, and using the CLI.

Subnets

A subnet is an isolated /24 VLAN (up to 254 devices). All devices on the same subnet can communicate with each other.

StartTunnel comes with a default subnet, which is sufficient for most users. You can create additional subnets to isolate groups of devices from each other.

Creating a Subnet

  1. In StartTunnel, navigate to Subnets and click “Add”.
  2. Name the subnet and accept or customize the IP range.
  3. Click “Save”.

Removing a Subnet

  1. Navigate to Subnets, select the subnet, and click “Remove”.

Warning

Removing a subnet disconnects all devices on it. Their WireGuard configs will no longer work.

Devices

Every device on a StartTunnel subnet — whether it’s a server, phone, or laptop — is added the same way. Each device gets a unique WireGuard configuration file.

Adding a Device

  1. In StartTunnel, navigate to Devices and click “Add”.

  2. Fill out the form:

    • Give the device a name (e.g. “Start9 Server”, “Phone”, “Laptop”).
    • Select a subnet (the default is fine).
    • Accept or choose an IP address on the subnet (the default is fine).
    • Click “Save”.
  3. Download the resulting start-tunnel.conf (or copy to your clipboard).

  4. Import the config into the appropriate app on the device:

    • StartOS server: Navigate to System > Gateways, click “Add”, name the gateway (e.g. “StartTunnel”), upload or paste the config, and click “Save”. StartOS will now see the VPS as a gateway, and each service interface will automatically acquire new addresses corresponding to it.
    • Phone or tablet: Scan the QR code shown in StartTunnel using the WireGuard app.
    • Laptop or desktop: Download the config and import it into the WireGuard app.

Removing a Device

  1. Navigate to Devices, select the device, and click “Remove”.

Port Forwarding

Port forwarding exposes a device’s port on your VPS’s public IP address. This is how you make services reachable from the public Internet.

  1. In StartTunnel, navigate to Port Forwards and click “Add”.

  2. Select the external IP address you want to use (there is usually only one).

  3. Enter the external port and the internal (device) port. In almost all cases, they will be the same.

  4. If you are forwarding port 443 -> 443, you will see a checkbox to also forward port 80 -> 443. This is highly recommended, as it will automatically redirect HTTP to HTTPS.

  5. Click “Save”.

Updating / Uninstalling

Keep StartTunnel up to date by re-running the installer, or remove it entirely when decommissioning a VPS.

Updating

There are three ways to update StartTunnel.

Install script

Re-run the install command:

curl -sSL https://start9labs.github.io/start-tunnel/install.sh | sh

The installer detects the existing installation, prompts for confirmation, and restarts the service.

CLI

start-tunnel update

Web UI

Navigate to Settings > Version > Check for Updates.

Uninstalling

StartTunnel is designed to run on a dedicated VPS. To remove it, simply destroy the VPS through your hosting provider. All WireGuard keys and configuration are stored on the VPS and will be removed with it.

CLI Reference

StartTunnel can be fully managed from the command line.

start-tunnel --help

Subnets

Create isolated VLANs. Each subnet is a /24 network (up to 254 devices).

start-tunnel subnet add --subnet 10.0.1.0/24 --name "home"
start-tunnel subnet remove --subnet 10.0.1.0/24

Devices

Add devices to a subnet. Each device gets a unique WireGuard config.

start-tunnel device add --subnet 10.0.1.0/24 --name "laptop"
start-tunnel device add --subnet 10.0.1.0/24 --name "phone" --ip 10.0.1.50
start-tunnel device list --subnet 10.0.1.0/24
start-tunnel device show-config --subnet 10.0.1.0/24 --ip 10.0.1.2
start-tunnel device remove --subnet 10.0.1.0/24 --ip 10.0.1.2

Port Forwarding

Expose a device’s port on the VPS’s public IP.

start-tunnel port-forward add --source 203.0.113.5:443 --target 10.0.1.2:443
start-tunnel port-forward remove --source 203.0.113.5:443

Authentication

Manage passwords and authorized SSH keys for remote API access.

start-tunnel auth set-password
start-tunnel auth reset-password
start-tunnel auth key add --name "my-key" --key "ssh-ed25519 AAAA..."
start-tunnel auth key list
start-tunnel auth key remove --key "ssh-ed25519 AAAA..."

Updating

Check for and install updates.

start-tunnel update

Web Interface

Manage the admin web UI.

start-tunnel web init                          # Interactive setup wizard
start-tunnel web enable                        # Enable web UI
start-tunnel web disable                       # Disable web UI
start-tunnel web set-listen 0.0.0.0:8443       # Change listen address
start-tunnel web generate-certificate my.domain.com  # Generate TLS cert for a domain
start-tunnel web reset                         # Reset web UI (clears config and password)

StartTunnel

Note

For setup instructions, see the User Manual.

Features

  • Create Subnets — Each subnet creates a private VLAN, similar to the LAN created by a home router
  • Add Devices — Servers, phones, laptops get a LAN IP and unique WireGuard config
  • Forward Ports — Expose specific ports on specific devices to the public Internet

How StartTunnel Compares

StartTunnel occupies a unique position between Cloudflare Tunnel and Tailscale. All three solve the problem of connecting devices across the Internet, but they make fundamentally different trade-offs around trust, control, and convenience.

Architecture

StartTunnel is a WireGuard VPN server that runs on a VPS you control. Clients connect via standard WireGuard tunnels. Port forwarding uses kernel-level iptables NAT (Layer 3/4) to route public traffic to devices on the VPN. There is no central service, no coordination server, and no third party in the data path.

Cloudflare Tunnel runs a daemon (cloudflared) on your machine that makes outbound connections to Cloudflare’s global edge network. Public traffic hits Cloudflare’s CDN first, where Cloudflare terminates TLS, inspects the request at Layer 7, and proxies it to your origin through the tunnel.

Tailscale is a mesh VPN built on WireGuard. A proprietary coordination server (hosted by Tailscale Inc.) distributes keys and facilitates peer discovery, while actual traffic flows directly between devices. For public exposure, Tailscale Funnel routes traffic through Tailscale’s ingress servers, which terminate TLS.
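The Layer 3/4 forwarding described above, as an added example that is not StartTunnel's own code: a POSIX sh script that validates the --source and --target arguments the CLI's port-forward add command takes (host:port) and prints the iptables rules that implement such a forward in the kernel. The interface names eth0 and wg0, the FORWARD policy, the conntrack matches and the MASQUERADE rule are assumptions made for illustration; StartTunnel's actual rule set may differ. The script only prints the commands, it does not apply them, so it runs without root on any machine.

```shell
#!/bin/sh
# Added example, not StartTunnel's own code. Shows the iptables DNAT rules behind a
# Layer 3/4 port forward of the form
#   start-tunnel port-forward add --source 203.0.113.5:443 --target 10.0.1.2:443
# Assumptions (not from the documentation): the public interface is eth0, the
# WireGuard interface is wg0, and the FORWARD chain policy is DROP.
# Rules are printed, never applied.

# split_hostport "203.0.113.5:443": sets HP_HOST and HP_PORT, returns 1 if malformed.
split_hostport() {
  case $1 in
    *:*) HP_HOST=${1%%:*}; HP_PORT=${1##*:} ;;
    *)   return 1 ;;
  esac
  # Port must be an integer in 1..65535.
  case $HP_PORT in ''|*[!0-9]*) return 1 ;; esac
  [ "$HP_PORT" -ge 1 ] && [ "$HP_PORT" -le 65535 ] || return 1
  # Host must be a dotted quad with every octet in 0..255.
  printf '%s\n' "$HP_HOST" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ( IFS=.; for _o in $HP_HOST; do [ "$_o" -le 255 ] || exit 1; done ) || return 1
  return 0
}

# forward_rules <public-ip:port> <device-ip:port> [tcp|udp]
# Prints the four iptables commands for one forward. Nothing above Layer 4 is
# touched: the kernel rewrites the destination address/port and passes the
# payload through unchanged, which is why the VPS never sees TLS plaintext.
forward_rules() {
  proto=${3:-tcp}
  case $proto in tcp|udp) ;; *) echo "unsupported protocol: $proto" >&2; return 1 ;; esac
  split_hostport "$1" || { echo "bad --source: $1" >&2; return 1; }
  pub_ip=$HP_HOST; pub_port=$HP_PORT
  split_hostport "$2" || { echo "bad --target: $2" >&2; return 1; }
  dev_ip=$HP_HOST; dev_port=$HP_PORT

  # 1. DNAT: packets arriving on the public IP/port get their destination
  #    rewritten to the device's VPN address/port.
  echo "iptables -t nat -A PREROUTING -i eth0 -d $pub_ip -p $proto --dport $pub_port -j DNAT --to-destination $dev_ip:$dev_port"
  # 2. Allow only this rewritten flow into the tunnel; everything else stays dropped.
  echo "iptables -A FORWARD -i eth0 -o wg0 -d $dev_ip -p $proto --dport $dev_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  # 3. Allow the device's replies for that flow back out.
  echo "iptables -A FORWARD -i wg0 -o eth0 -s $dev_ip -p $proto --sport $dev_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 4. SNAT toward the device so replies return via the VPS even when the
  #    device does not default-route through the tunnel.
  echo "iptables -t nat -A POSTROUTING -o wg0 -d $dev_ip -p $proto --dport $dev_port -j MASQUERADE"
}

# Demo: the forward from the CLI reference, plus the optional 80 -> 443
# companion forward the User Manual offers when forwarding 443.
forward_rules 203.0.113.5:443 10.0.1.2:443
forward_rules 203.0.113.5:80 10.0.1.2:443
```

Comparing the printed rules with the live output of iptables -t nat -L PREROUTING -n and iptables -L FORWARD -n on the VPS is a quick way to confirm that a forward only opens the one port you asked for.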

Privacy and Trust

This is the most important difference. It comes down to: who can see your traffic?

StartTunnel: Nobody but you. Port forwarding operates at Layer 3/4 (iptables DNAT), meaning the VPS rewrites IP headers and forwards packets without inspecting payloads. If a service uses HTTPS, TLS terminates at the service itself — the VPS never sees plaintext. For VPN traffic between devices, WireGuard provides end-to-end encryption. Since you own the VPS, there is no third party with access to your traffic or metadata.

Cloudflare Tunnel: Cloudflare terminates TLS at their edge and re-encrypts to your origin. This means Cloudflare can — and does — see plaintext traffic. They offer “TLS inspection” as a feature and can scan request bodies, filter content, and inject responses. Using Cloudflare Tunnel requires trusting a publicly traded company not to misuse its position as a man-in-the-middle on all your traffic.

Tailscale: For device-to-device traffic, encryption is end-to-end — even Tailscale’s DERP relay servers forward encrypted packets they cannot read. However, the coordination server (run by Tailscale Inc.) sees metadata: which devices are connecting, their IPs, OS versions, and connection state. Tailscale explicitly states it is “not an anonymity service.” For public exposure via Funnel, Tailscale’s ingress servers terminate TLS, similar to Cloudflare.

Self-Hosting and Sovereignty

StartTunnel: Fully self-hosted. You rent a VPS, run the installer, and own the entire stack. No phone-home, no telemetry, no accounts, no dependency on any company’s infrastructure. If Start9 disappeared tomorrow, your tunnel would keep working.

Cloudflare Tunnel: The cloudflared client runs on your machine, but all traffic must route through Cloudflare’s proprietary global network. You cannot self-host the edge. If Cloudflare goes down — as happened in a 5.5-hour outage in November 2025 — your services go down with it.

Tailscale: The client is mostly open source, but the coordination server is proprietary. Headscale is a community-built open source alternative, but it reimplements a narrower scope (single tailnet) and is not maintained by Tailscale. By default, you depend on Tailscale Inc. for key distribution, peer discovery, and DERP relays.

Vendor Lock-In and Terms of Service

StartTunnel: MIT licensed. No terms of service. No content restrictions. No account that can be terminated. Use it however you want.

Cloudflare Tunnel: Cloudflare’s ToS prohibit streaming video or large file serving unless you use Cloudflare R2/Stream. Cloudflare reserves the right to terminate accounts “at any time, with or without notice for any reason or no reason at all.” Your services are one policy change away from going dark.

Tailscale: More permissive terms than Cloudflare, but you still depend on a company’s continued goodwill and operation. The free tier (3 users, 100 devices) has limits that paid tiers expand.

Comparison Table

|                        | StartTunnel                                  | Cloudflare Tunnel                            | Tailscale                                              |
|------------------------|----------------------------------------------|----------------------------------------------|--------------------------------------------------------|
| Architecture           | WireGuard VPN to your VPS                    | Outbound tunnel to Cloudflare edge           | WireGuard mesh with coordination server                |
| Who sees your traffic? | Only you                                     | Cloudflare (TLS terminated at edge)          | Nobody for P2P; Tailscale for Funnel                   |
| TLS termination        | At the origin service (L3/L4 passthrough)    | At Cloudflare's edge (L7 proxy)              | At origin for P2P; at Tailscale for Funnel             |
| Self-hostable?         | Fully                                        | Client only; edge is proprietary             | Client + DERP relays; coordination server via Headscale |
| Open source            | Fully (MIT)                                  | Client only (Apache-2.0)                     | Client mostly; coordination server proprietary         |
| Requires account?      | No                                           | Yes (Cloudflare account)                     | Yes (via third-party identity provider)                |
| DNS management         | None (bring your own)                        | Optional (Cloudflare DNS or external)        | MagicDNS for private; *.ts.net for Funnel              |
| Works behind CGNAT?    | Yes (clients initiate outbound UDP)          | Yes (client initiates outbound QUIC/HTTP2)   | Yes (hole-punching + DERP fallback)                    |
| Subnet isolation       | Yes (isolated VLANs)                         | N/A                                          | ACLs between devices                                   |
| Protocol               | TCP + UDP forwarding                         | HTTP/S, TCP, UDP (via QUIC)                  | Any (WireGuard tunnel)                                 |
| DDoS protection        | None (use VPS provider's)                    | Built-in (Cloudflare network)                | None                                                   |
| Global edge/CDN        | No (single VPS location)                     | Yes (Cloudflare's global network)            | No (direct P2P or DERP relay)                          |
| Content restrictions   | None                                         | No video streaming without R2/Stream         | None                                                   |
| Cost                   | Free + VPS (~$5-10/mo)                       | Free (50 users); $7/user/mo above            | Free (3 users); $5-18/user/mo                          |

What You Give Up

StartTunnel prioritizes sovereignty over convenience. That means:

  • No DDoS protection — Your VPS IP is exposed on forwarded ports. Use your VPS provider’s DDoS protection, or place a CDN in front if needed.
  • No global edge network — Traffic routes through one VPS, not a global CDN. Latency depends on VPS location.
  • No built-in DNS — You manage your own DNS records.
  • No identity provider integration — Authentication is key-based and password-based, not SSO.
  • You manage the VPS — Minimal maintenance (Debian + one binary), but it’s yours to keep updated.

For many self-hosters, these trade-offs are not just acceptable — they’re the point.

Security

StartTunnel is built on WireGuard, a modern VPN protocol with a minimal, auditable codebase (~4,000 lines of code in-kernel).

  • Encryption: ChaCha20-Poly1305 for symmetric encryption, Curve25519 for key exchange, BLAKE2s for hashing
  • Pre-shared keys: Each peer connection uses an additional pre-shared key (PSK) for a layer of post-quantum resistance
  • Key isolation: Private keys are generated on-device and never leave the device. Only public keys are exchanged.
  • TLS passthrough: Port-forwarded traffic is not decrypted by the VPS. If your service uses HTTPS, TLS terminates at the service, not the tunnel.
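Checking a downloaded start-tunnel.conf (the file produced in the Devices section of the User Manual) against the properties listed above, as an added example that is not StartTunnel's or WireGuard's own code: a POSIX sh checker that parses the standard WireGuard config format and confirms that [Interface] carries a well-formed PrivateKey, that every [Peer] carries a well-formed PublicKey and PresharedKey, and reports whether AllowedIPs makes the tunnel split (subnet only) or full (0.0.0.0/0 or ::/0). The sample files it writes are constructed for this example; the key values are placeholders that only match the key format, and the endpoint port 51820 and the AllowedIPs value are assumptions, not what StartTunnel actually emits.

```shell
#!/bin/sh
# Added example, not StartTunnel's or WireGuard's own code. Checks a downloaded
# start-tunnel.conf (standard WireGuard format) for the properties the Security
# section lists: a private key kept in [Interface], and a PublicKey plus
# PresharedKey on every [Peer]. Also reports whether AllowedIPs makes the tunnel
# split (subnet only) or full (0.0.0.0/0 or ::/0). The sample files written below
# are constructed here; their keys are placeholders that merely match the format.

# A WireGuard key is 32 bytes in base64: 43 base64 characters followed by '='.
is_wg_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Called when a [Peer] block ends; records findings for it in the global state.
finish_peer() {
  [ "$peer_open" -eq 1 ] || return 0
  peer_open=0
  if [ "$peer_pub" -ne 1 ]; then echo "peer $peers: missing or malformed PublicKey"; rc=1; fi
  if [ "$peer_psk" -ne 1 ]; then echo "peer $peers: missing or malformed PresharedKey (no PSK layer)"; rc=1; fi
}

# check_wg_conf <file>: prints findings, returns 0 only if every claimed layer is present.
check_wg_conf() {
  section=; rc=0; have_priv=0; peers=0; peer_open=0; peer_pub=0; peer_psk=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # drop comments
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$line" ] || continue
    case $line in
      '[Interface]') finish_peer; section=Interface ;;
      '[Peer]') finish_peer; section=Peer; peers=$((peers + 1))
                peer_open=1; peer_pub=0; peer_psk=0 ;;
      *=*)
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        case "$section/$key" in
          Interface/PrivateKey) if is_wg_key "$val"; then have_priv=1; fi ;;
          Peer/PublicKey)       if is_wg_key "$val"; then peer_pub=1; fi ;;
          Peer/PresharedKey)    if is_wg_key "$val"; then peer_psk=1; fi ;;
          Peer/AllowedIPs)
            case ",$(printf '%s' "$val" | tr -d ' ')," in
              *,0.0.0.0/0,*|*,::/0,*) echo "peer $peers: full tunnel (AllowedIPs routes all traffic through the VPS)" ;;
              *) echo "peer $peers: split tunnel (AllowedIPs = $val)" ;;
            esac ;;
        esac ;;
    esac
  done < "$1"
  finish_peer
  if [ "$have_priv" -ne 1 ]; then echo "[Interface]: missing or malformed PrivateKey"; rc=1; fi
  if [ "$peers" -eq 0 ]; then echo "no [Peer] section"; rc=1; fi
  return "$rc"
}

# write_samples <dir>: writes good.conf (all layers present) and nopsk.conf (the
# PresharedKey line removed). Keys are placeholders; the endpoint port and the
# AllowedIPs value are assumptions, not StartTunnel's actual output.
write_samples() {
  printf '%s\n' '[Interface]' \
    'PrivateKey = PLACEHOLDERprivatekeyNOTreal0123456789abcde=' \
    'Address = 10.0.1.2/24' '' '[Peer]' \
    'PublicKey = PLACEHOLDERserverpubkeyNOTreal0123456789abc=' \
    'PresharedKey = PLACEHOLDERpresharedkeyNOTreal0123456789abc=' \
    'AllowedIPs = 10.0.1.0/24' \
    'Endpoint = 203.0.113.5:51820' \
    'PersistentKeepalive = 25' > "$1/good.conf"
  grep -v '^PresharedKey' "$1/good.conf" > "$1/nopsk.conf"
}

# Demo: write the samples to a temporary directory and check both.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good nopsk; do
  echo "== $f.conf"
  check_wg_conf "$demo_dir/$f.conf" && echo "OK" || echo "FAIL"
done
```

Run check_wg_conf on the file you downloaded before importing it into the WireGuard app; a non-zero exit means one of the layers described above is absent from that config, and the split/full tunnel line tells you whether the device will send only subnet traffic through the VPS or all of its traffic.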

Source Code

The StartTunnel source code and release binaries live in the StartOS monorepo. The start-tunnel repo hosts the installer script via GitHub Pages.

To report bugs or request features, open an issue.

FAQ

Answers to common questions about StartTunnel’s security model, compatibility, VPS requirements, and what happens if Start9 goes away.

Can anyone else see my traffic?

No. Port forwarding operates at Layer 3/4 (iptables DNAT), meaning the VPS rewrites IP headers and forwards packets without inspecting payloads. If your service uses HTTPS, TLS terminates at the service itself — the VPS never sees plaintext. For VPN traffic between devices, WireGuard provides end-to-end encryption. Since you own the VPS, there is no third party in the data path.

Do I need a WireGuard client on my devices?

Only for private access — phones, laptops, and other devices connecting to your server over the VPN. For clearnet hosting (exposing ports to the public Internet), no WireGuard client is needed on the devices accessing your services.

Can I run other services on the same VPS?

No. StartTunnel manages its own firewall rules and disables UFW. It is designed to be the sole application on the VPS.

Does StartTunnel work behind CGNAT?

Yes. WireGuard clients initiate outbound UDP connections, so CGNAT is not a problem for connecting devices to the VPN. Port forwarding still works because public traffic arrives at the VPS’s public IP.

What if I forget my password?

SSH into your VPS and run:

start-tunnel auth reset-password

What if Start9 goes away?

StartTunnel keeps working. It is fully self-hosted with no dependency on Start9 infrastructure. There is no coordination server, no telemetry, and no phone-home. The binary runs entirely on your VPS.

How do I remove StartTunnel?

StartTunnel is designed to run on a dedicated VPS. To remove it, simply destroy the VPS through your hosting provider. All WireGuard keys and configuration are stored on the VPS and will be removed with it.

What VPS providers work with StartTunnel?

Any provider that offers Debian 12+ with root access and a public IP. Common choices include Hetzner, DigitalOcean, Linode, Vultr, and OVH. Budget VPS providers (~$5/mo) work fine — StartTunnel has minimal resource requirements.

Does StartTunnel provide DDoS protection?

No. Your VPS IP is exposed on forwarded ports. Use your VPS provider’s built-in DDoS protection, or place a CDN in front if needed. See the Architecture page for a full comparison of trade-offs.