Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

StartWRT Documentation

StartWRT is a router operating system designed specifically for home-based self-hosting. Built on OpenWrt, it pairs a hardened networking backend with a modern web interface that makes advanced features — VPN chaining, per-device security profiles, scheduled Wi-Fi and per-profile Internet blackouts, dynamic DNS — accessible to everyone. Firmware updates are delivered over the air, directly in the app, and the interface is available in English, Spanish, German, French, and Polish.

Getting Started

Core Concepts

Internet

Network

Points of Entry

System

Reference

Installing StartWRT

StartWRT comes pre-installed on Start9 routers. If you need to reinstall or flash a new device, follow the instructions below to create a bootable microSD card and flash the firmware.

Requirements

  • A Start9 router (BananaPi BPI-F3)
  • A microSD card (4 GB or larger)
  • A computer to write the image

Download the Image

  1. Download the latest StartWRT firmware image from the Start9 releases page (StartWRT releases are the ones tagged start-wrt/v…). For a fresh install, download the sdcard image — it is named startwrt-<version>-<git hash>_spacemit-k1-sdcard.img.gz (the …-sysupgrade.img.gz file is the update payload). There is no need to decompress it — balenaEtcher flashes the .img.gz directly. The commands below use startwrt.img.gz as a placeholder for the downloaded filename.

  2. Verify the SHA256 checksum against the one listed on GitHub (optional but recommended).

    • Mac. Open a terminal and run:

      openssl dgst -sha256 startwrt.img.gz
      
    • Linux. Open a terminal and run:

      sha256sum startwrt.img.gz
      
    • Windows. Open PowerShell and run:

      Get-FileHash startwrt.img.gz
      

Write the Image to microSD

  1. Download and install balenaEtcher onto your Linux, Mac, or Windows computer.

  2. Insert the microSD card into your computer.

  3. Open balenaEtcher, click “Select Image”, and select the StartWRT image you just downloaded.

  4. Click “Select Target” and select your microSD card.

    Warning

    BE ABSOLUTELY CERTAIN you have selected the correct target drive. Whatever target you select will be COMPLETELY ERASED!!

  5. Click “Flash!”. You may be asked to approve the unusually large disk target and/or enter your password. Both are normal.

Flash the Firmware

  1. Power off the router.

  2. Insert the microSD card into the router.

  3. Power on the router. It will boot from the microSD card automatically.

  4. Connect to the StartWRT Wi-Fi network using the Wi-Fi password printed on the sticker on the bottom of the router.

  5. A captive portal will open automatically. If it does not, open a browser and navigate to router.lan.

  6. The setup wizard will guide you through the rest. If the router already has firmware installed, you can choose Keep settings or Fresh Start (full wipe). On a new device with no existing firmware, the wizard proceeds directly to Fresh Start setup. See Factory Reset for a full walkthrough of the reflash wizard.

  7. When the wizard completes, power off the router, remove the microSD card, and power it back on.

DIY and Unprogrammed Boards

Start9 routers ship with a unique Wi-Fi password programmed into the device’s EEPROM and printed on a sticker on the bottom. A vendor-programmed board “just works”: flash the image, boot, and connect to the StartWRT network with the sticker password.

If you are flashing a bare BananaPi BPI-F3 that was never programmed with a Wi-Fi password, the Wi-Fi access point will not come up after boot. To bring it online:

  1. Connect to the router over Ethernet (or serial console).

  2. Set a Wi-Fi password:

    • Random — Generates a random 12-character password and prints it:

      startwrt-cli set-wifi-password
      
    • Manual — Prompts you to enter your own password:

      startwrt-cli set-wifi-password --manual
      
  3. Record the printed (or entered) password — this becomes your Wi-Fi password.

The password lives in the router’s configuration. A factory reset re-reads the EEPROM, so on an unprogrammed board you will need to run startwrt-cli set-wifi-password again after a reset.

Next Steps

  • Initial Setup — Set up your admin password and configure the router

Initial Setup

After unboxing your Start9 router or completing a fresh install, follow these steps to get up and running. The entire process takes just a few minutes.

Connect to Wi-Fi

  1. Power on the router.

  2. On your phone or computer, connect to the StartWRT Wi-Fi network using the password printed on the sticker on the bottom of the device.

Create Your Admin Password

  1. A captive portal will open automatically. If it does not, open a browser and navigate to router.lan.

  2. Create an admin password (minimum 12 characters). This password protects the web interface and is separate from the Wi-Fi password.

  3. Confirm the password and click “Submit”.

  4. Normal Internet access will resume and you will be logged in to the StartWRT web interface.

Important

All Internet access is blocked until you set an admin password. If you dismiss the captive portal popup, open any browser and navigate to router.lan.

Note

Your timezone is auto-detected from your browser during setup. You can change it later under Settings.

Trust Your Root CA

To access the web interface securely over HTTPS, download and trust your router’s Root Certificate Authority (Root CA).

  1. Navigate to System > Settings > General and click “Download Root CA”.

  2. Follow the instructions for Trusting Your Root CA on each device you want to connect to the router’s web interface.

Explore the Web Interface

The StartWRT web interface is organized into five sections:

  • Internet — WAN settings, published ports, outbound VPNs
  • Network — LAN settings, connected devices
  • Security Profiles — Create and manage access control profiles
  • Points of Entry — Ethernet ports, Wi-Fi passwords, inbound VPN servers
  • System — General settings, SSH keys, backups, logs

Tip

Toggle Help Mode from the header to get a plain-language explanation of everything on the current page, including links to external resources.

Next Steps

  • Security Profiles — Understand the core concept behind StartWRT
  • Wi-Fi — Set up additional Wi-Fi passwords for different profiles
  • Settings — Configure timezone, language, and other preferences

Trusting Your Root CA

In order to establish a secure (HTTPS) connection with your router on the local network, it is necessary to download and trust your router’s Root Certificate Authority (Root CA).

Note

You must repeat this guide for each device you want to connect to the router’s web interface over HTTPS.

Step 1 - Download

Navigate to System > Settings > General and click “Download Root CA”. This saves the certificate as startwrt-ca.crt. When you inspect or install it, the certificate is named “StartWRT Local Root CA” followed by a short random identifier (e.g. “StartWRT Local Root CA 3f8a1b2c”) — each router generates a unique one so a reflashed device’s new CA won’t collide with one you already trust.

Step 2 - Trust

Select your platform:

  1. Locate your Root CA and double click it. Keychain Access will launch. You will be prompted for your Mac credentials. Select “Modify Keychain”.

  2. Press Command + Spacebar to launch a program, type in Keychain Access and select the resulting Keychain Access program to open it.

  3. Your router’s CA certificate will be displayed among the imported certificates in Keychain Access. Right-click on the imported CA cert and select Get Info.

  4. The details of your CA certificate will be displayed in a new dialog window. Click the “Trust” heading, then select “Always Trust” on Secure Sockets Layer (SSL) and X.509 Basic Policy.

    Click the red (x) button at the top left of the dialog window.

  5. You will then be prompted again for your Mac credentials. Click Update Settings.

  6. You will see your router’s CA certificate as trusted now, signified by a blue (+) sign and the CA cert information will now say “This certificate is marked as trusted for all users” in Keychain Access.

  7. If using Firefox, Thunderbird, or Librewolf, complete this final step.

3. Mozilla Apps (Firefox, Thunderbird, Librewolf)

Mozilla apps use their own certificate store and need extra configuration to trust your Root CA. Complete the steps above for your OS first, then follow the steps below.

For more background, see Mozilla’s blog post on why they maintain their own root certificate store.

  1. Open the app and enter about:config in the URL bar. Accept any warnings that appear.

  2. Search for security.enterprise_roots.enabled and set the value to “true”.

  3. Restart the app.

Updating

StartWRT never updates automatically — updating always requires explicit action. There are two ways to update: an in-app update from the web interface (recommended), or a microSD reflash (a fallback if an in-app update ever fails). We highly recommend keeping StartWRT up to date for the latest security and performance patches, as well as to take advantage of new features.

  1. Navigate to System > Settings > General.

  2. When a newer signed release is available, a “vX.Y.Z released!” accordion appears. Expand it to read the release notes.

  3. Click “Update now” and confirm.

  4. The download and apply progress is shown live. When it finishes, the router reboots and returns you to the app once it is back online.

    Warning

    Do not unplug your router during the update or reboot. The update can take several minutes to apply. All network traffic — Wi-Fi, Ethernet, VPN connections, and port forwarding — will be interrupted until the router finishes restarting.

Firmware integrity is enforced cryptographically (a Blake3 commitment plus ed25519 release signatures), so only properly signed StartWRT releases will install. A tampered or unsigned image is rejected.

Update by Reflashing (Fallback)

If an in-app update ever fails, you can update StartWRT by reflashing from a microSD card. Use the Keep settings path in the reflash wizard, which replaces the firmware while preserving your settings. See Installing StartWRT for how to create a bootable microSD card, and Factory Reset for a walkthrough of the reflash wizard.

Security Profiles

Security Profiles are the core concept in StartWRT. Every device on the network is assigned a Security Profile that governs what it can access — LAN devices, the Internet, DNS servers, VPN tunnels, and time-of-day restrictions. Profiles replace the need to manually configure VLANs, firewall zones, subnets, and routing tables.

How Profiles Work

Behind the scenes, each Security Profile creates an isolated network environment:

  • VLAN — Layer 2 isolation so devices on different profiles cannot see each other’s traffic
  • Subnet — A dedicated /24 IP range with its own DHCP server and gateway
  • Firewall zone — Rules controlling what the profile can access (LAN, Internet, specific devices)
  • DNS — Inherited from the system, the outbound VPN, or overridden with custom servers
  • Outbound routing — Which gateway or VPN chain handles the profile’s Internet traffic
  • WAN Blackout — Optional time-of-day restrictions on Internet access

You do not need to configure any of these individually. When you create a profile, StartWRT sets up all the underlying networking automatically.

How Devices Get Profiles

A device’s Security Profile is determined by its point of entry — how it connects to the network:

  • Ethernet — The physical port a device plugs into. Each port maps to a profile. See Ethernet.
  • Wi-Fi — The password a device uses to join the Wi-Fi network. Each password maps to a profile. See Wi-Fi.
  • Inbound VPN — The WireGuard server a device connects to remotely. Each VPN server maps to a profile. See Inbound VPNs.

One SSID, multiple passwords. One router, multiple isolated networks. The profile abstraction keeps it simple.

Creating a Profile

  1. Navigate to Security Profiles and click “Add”.

  2. Enter a Name at the top of the dialog (e.g. “Admin”, “Guest”, “Children”, “Smart Devices”). The Name field sits above three tabs — LAN, WAN / Internet, and DNS.

  3. On the LAN tab, configure local-network settings:

    • Subnet — Set the third octet of the profile’s /24 subnet. The first two octets are shown but locked; for example, a value of 2 creates the subnet 192.168.2.0/24. They are locked because every profile must stay within the primary LAN network block’s /16 for cross-subnet routing to work — changing the LAN network block moves all profiles with it. Each profile must have a unique subnet. The gateway address is always .1 within the subnet (e.g. 192.168.2.1).

    • Access control — Controls which other profiles this profile can communicate with on the local network:

      • All — Full access to devices on all profiles.
      • Same profile — Only communicate with devices on this same profile.
      • Whitelist — Select specific profiles from a list.
    • Auto whitelist new profiles — A toggle shown in Whitelist mode. When enabled, newly created profiles are automatically added to this profile’s whitelist. Useful for admin profiles that should maintain access to all network segments.

    • Outbound Routing — Choose how traffic from this profile reaches the Internet. Select Direct for direct Internet access, or VPN to route all traffic through an outbound VPN. Choosing VPN reveals an Outbound VPN client picker (disabled if you have no outbound VPN clients).

  4. On the WAN / Internet tab, configure Internet access:

    • WAN Access — Controls Internet access for devices on this profile:

      • All — Unrestricted Internet access.
      • None — No Internet access. Devices can only reach LAN resources permitted by the LAN access setting.
      • Whitelist — Allow connections only to specific destination IPs or CIDR ranges (e.g. 1.1.1.1, 8.8.8.0/24).
      • Blacklist — Block connections to specific destination IPs or CIDR ranges, allow everything else.
    • WAN Blackout — An inlined schedule editor for time-of-day Internet restrictions (see WAN Blackout below). It is disabled when WAN Access is None; any existing windows are retained.

  5. On the DNS tab, choose Inherit from system or Custom. Custom lets you specify up to three DNS servers, each with an optional DoH (DNS-over-HTTPS) toggle. When inheriting, the profile uses the outbound VPN’s DNS (if routing through a VPN) or the system DNS from WAN Settings.

  6. Click “Save”.

Editing a Profile

  1. Navigate to Security Profiles and select the profile.

  2. Modify any settings and click “Save”.

Warning

Changing a profile’s settings takes effect immediately for all devices currently assigned to that profile.

Deleting a Profile

  1. Navigate to Security Profiles and select the profile.

  2. Click “Delete”.

Warning

Deleting a profile disconnects all devices assigned to it. Associated points of entry (Wi-Fi passwords, Ethernet port assignments, VPN servers) are automatically removed.

Note

The primary LAN profile cannot be deleted.

WAN Blackout

Each profile can optionally restrict Internet access during specific time periods. WAN Blackout defines block windows — periods when WAN access is removed for devices on the profile. Wi-Fi connectivity and LAN access are unaffected. Outside of these windows, the profile’s normal WAN access rules apply.

WAN Blackout is edited inline on the WAN / Internet tab of the profile create/edit dialog (see Creating a Profile).

  1. The schedule is displayed as a 7-day visual timeline grid, with one row per day of the week.

  2. Click “Add” to create a block window:

    • Set the start and end times. Times use a 12-hour HH:MM AM/PM format, with a 15-minute quick-pick dropdown. A window may cross midnight (e.g. 10:00 PM to 6:00 AM). Setting the start time equal to the end time creates a full 24-hour window.
    • Select which days of the week the window applies to.
    • Click “Save”.
  3. Multiple block windows per day are supported.

Overlapping windows are rejected when you save. A schedule that covers the entire week with no gap is also rejected — the system needs at least one boundary to toggle WAN access on and off.

Tip

Click a window once to edit it. Removing a window does not ask for confirmation.

Note

WAN Blackout blocks Internet access, not LAN access. Devices can still reach LAN resources during blocked periods according to the profile’s LAN access setting. For disabling the Wi-Fi radio itself on a schedule (affecting all Wi-Fi devices), use Wi-Fi Blackout.

Example Profiles

Here is an example of how a household might use Security Profiles:

ProfileWAN AccessLAN AccessDNSOutbound RoutingWAN Blackout
AdminAllAllInheritMullvad VPN
ChildrenAllSame profileCustom (filtering)DNS-filtering VPNBlock 9 PM - 7 AM
GuestAllSame profileInheritProton VPN
Smart DevicesWhitelistSame profileInheritDirect
Shared ServicesNoneWhitelistInheritDirect

Points of Entry

A point of entry is how a device connects to the StartWRT network and receives its Security Profile. There are three types of entry points, each mapping to a profile.

Ethernet

Each physical Ethernet port on the router maps to a Security Profile. The port a device plugs into determines its profile. See Ethernet.

Wi-Fi

StartWRT uses one Wi-Fi network (one SSID) with multiple passwords. Each password maps to a different Security Profile. The password a device uses to join the network determines its profile. See Wi-Fi.

Inbound VPN

Each WireGuard VPN server on the router maps to a Security Profile. Remote devices connect to a VPN server and receive the corresponding profile, as if they were physically present on the network. See Inbound VPNs.

Why Entry Points Matter

Traditional routers require you to think in terms of VLANs, firewall rules, and subnets. StartWRT replaces all of that with a simple mental model: how you connect determines what you can access. Whether a device plugs into a specific Ethernet port, uses a specific Wi-Fi password, or connects through a specific VPN server, the result is the same — it gets assigned a profile that governs its network access.

WAN Settings

The WAN (Wide Area Network) page configures how the router connects to the Internet through your ISP. Most users will not need to change these settings — StartWRT auto-detects your Internet connection on first boot. Navigate to Internet > WAN Settings.

IPv4

Configure the router’s IPv4 Internet connection. The default is DHCP, which works for most ISPs.

  • DHCP — The router obtains an IP address automatically from your ISP. This is the default and most common setting.

  • Static — Manually configure a fixed IP address assigned by your ISP:

    • WAN IP — The static IPv4 address.
    • Prefix Length — The subnet prefix (e.g. /24). The equivalent subnet mask is displayed alongside (e.g. 255.255.255.0).
    • Gateway IP — The default gateway provided by your ISP.
  • PPPoE — Used by some DSL providers. Enter the credentials provided by your ISP:

    • Username — Your ISP account username.
    • Password — Your ISP account password.
    • Device — (Optional) Select a specific network interface for the PPPoE connection.

IPv6

Configure IPv6 if your ISP supports it.

  • SLAAC (default) — Automatic IPv6 configuration. The most common option if your ISP supports IPv6.
  • DHCPv6 — The ISP assigns an IPv6 address via DHCP. Use if SLAAC does not work with your ISP.
  • Static — Manually configure a fixed IPv6 address, prefix length, and gateway. A LAN Prefix field sets the IPv6 prefix delegated to your LAN.
  • 6RD — Tunnels IPv6 over an IPv4 connection. Required by some ISPs that do not provide native IPv6. Configuration fields: IPv6 Prefix, IPv6 Prefix Length, IPv4 Prefix Length, and Border Relay IP (the IPv4 address of the ISP’s relay server).
  • Disabled — No IPv6 on the WAN interface.

For SLAAC and DHCPv6, an optional IPv6 Prefix field lets you request a specific prefix length from your ISP for prefix delegation (e.g. /48, /56, /64). Leave empty to let your ISP decide automatically.

The WAN summary shows an IPv6 status badge indicating whether IPv6 is Enabled or Disabled, along with its mode (SLAAC, DHCPv6, Static, or 6RD).

DNS

Configure which DNS servers the router uses to resolve domain names.

  • Get from ISP (default) — Use DNS servers provided automatically by your ISP via DHCP.
  • Custom — Specify your own DNS servers. Up to three servers are supported (Primary required, Secondary and Tertiary optional). Each server has a Secure (DoH) toggle to enable DNS-over-HTTPS encryption for that server.

Note

Not all DNS servers support DoH. Common servers that do include Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9).

Tip

Using privacy-focused DNS providers can improve both privacy and performance compared to your ISP’s default DNS servers. Individual Security Profiles can override these DNS settings with their own Custom DNS configuration.

MAC Address

Some ISPs bind your Internet connection to a specific MAC address. If you are replacing an existing router, you may need to clone the old router’s MAC address.

  • Router (default) — Use the router’s built-in MAC address.
  • Custom — Enter the MAC address of your previous router or modem.

Note

If you do not know whether your ISP requires a specific MAC address, leave this setting at its default. You only need to change it if your Internet connection does not work after switching routers.

Dynamic DNS

See Dynamic DNS for full details on configuring DDNS from this tab.

Dynamic DNS

Dynamic DNS (DDNS) maps a stable domain name to your home IP address, even when your ISP changes it. This is essential for remote access features like Inbound VPNs and Published Ports, which require external devices to find your router on the Internet.

Why You Need DDNS

Most home Internet connections have a dynamic IP address that can change without warning. When your IP changes, any remote VPN clients or port forwarding rules pointing to the old IP stop working. DDNS automatically updates a domain name to point to your current IP, so remote connections keep working.

Start9 Dynamic DNS

StartWRT includes free integration with Start9’s Dynamic DNS service. No account is required.

  1. Navigate to Internet > WAN Settings > DDNS.

  2. Select Start9 as the provider.

  3. Toggle Enable Dynamic DNS on and click “Save”. A unique domain name will be assigned to your router automatically.

Tip

The Start9 DDNS domain is all you need for VPN access. You do not need to own a custom domain name.

Other Providers

StartWRT also supports third-party DDNS providers:

  • Cloudflare
  • DuckDNS
  • DynDNS
  • FreeDNS
  • No-IP

To use a third-party provider:

  1. Navigate to Internet > WAN Settings > DDNS.

  2. Select the provider and enter your credentials or API token.

  3. Enter the domain name or hostname you have registered with the provider.

  4. Click “Save”.

Checking Your DDNS Status

The DDNS section on the WAN Settings page shows the current status of your dynamic DNS configuration: whether it is enabled, the provider, and the hostname.

Published Ports

Published ports (port forwarding) allow devices on the Internet to reach specific devices on your LAN. Each rule maps a port on the router’s public IP address to a port on a device behind the router.

When to Use Port Forwarding

  • Self-hosting — Expose a web server, email server, or other service running on a LAN device.
  • Remote access — Allow external access to a specific device or application.
  • Gaming — Open ports required by game servers or peer-to-peer connections.

Important

Port forwarding exposes devices directly to the Internet. Only forward ports for services you intend to be publicly accessible. For private remote access, use Inbound VPNs instead.

Creating a Rule

  1. Navigate to Internet > Published Ports and click “Add”.

  2. Configure the rule:

    • Label — A descriptive name (e.g. “Home Assistant”, “Minecraft Server”, “Bitcoin P2P”).
    • Device — Select the target device from the list. The device is identified by name and IP address. If the device does not already have a reserved IPv4 address, one will be assigned automatically to ensure the rule always reaches the correct device.
    • Port — The port or port range on the device to expose. Enter a single port (e.g. 443) or a range (e.g. 27015-27030).
    • Protocol — TCP, UDP, or TCP + UDP.
    • Source — Who can connect. Select Any to allow connections from anywhere on the Internet, or Custom to restrict access to a specific IP address or CIDR range (e.g. 203.0.113.0/24).
    • IP Version — IPv4, IPv6, or IPv4 + IPv6. Options may be disabled if the device lacks an address for that version or if WAN IPv6 is not configured.
    • External Port (IPv4 only) — Same as device keeps the external port identical to the internal port. Select Other to specify a different external port (e.g. forward WAN port 9090 to device port 8080).
  3. Click “Save”.

Editing a Rule

  1. Navigate to Internet > Published Ports and select “Edit” from the rule’s actions menu.

  2. Modify any settings and click “Save”.

Enabling and Disabling Rules

Each rule can be toggled on and off without deleting it. Use the “Enable” or “Disable” option in the rule’s actions menu.

Deleting a Rule

  1. Navigate to Internet > Published Ports and select “Delete” from the rule’s actions menu.

Status Indicators

Each published port rule shows a status indicator in the table:

  • Active (green) — The rule is working and traffic is being forwarded.
  • Partial (yellow) — The rule is partially working. For example, IPv4 forwarding may be unavailable because your ISP uses CGNAT, while IPv6 is functioning normally.
  • Paused (orange) — The target device is offline or not reachable.
  • Error (red) — The rule failed to apply.
  • Disabled (grey) — The rule has been toggled off.

Endpoints

The Endpoints column in the table shows the public addresses where each forwarded port can be reached. IPv4 endpoints display the router’s public IP (or DDNS domain) with the external port. IPv6 endpoints display the device’s IPv6 address with the port directly. These are useful for configuring external services or sharing access details.

Note

Port forwarding requires a public IP address. If your ISP uses CGNAT, IPv4 forwarding will not work — the rule will show a “Partial” status if IPv6 is available, or “Error” if not.

Note

IPv6 forwarding requires the target device to have a globally routable address. If the device only has a local-only ULA address (one that starts with fc or fd), a warning appears that a global address — from your ISP’s prefix delegation — is required. The IPv6 rule is skipped, but saving is not blocked, so any IPv4 rule still applies.

Outbound VPNs

Route your network’s Internet traffic through one or more WireGuard VPN providers for privacy. Outbound VPNs hide your home IP address from the services your devices connect to and prevent your ISP from monitoring traffic.

Adding a VPN Client

  1. Navigate to Internet > Outbound VPNs and click “Add”.

  2. Configure the VPN:

    • Label — A descriptive name (e.g. “Mullvad Sweden”, “Proton US”).
    • Config File — Upload or paste a WireGuard .conf file from your VPN provider. Most providers (Mullvad, ProtonVPN, IVPN, etc.) offer WireGuard config file downloads from their account dashboard.
    • Target — Where this VPN’s traffic should be routed:
      • Internet — Traffic exits directly to the Internet through this VPN.
      • Another VPN — Chain through another VPN first for additional privacy. Select the target VPN from the dropdown. Only VPNs that would not create a circular chain are shown.
  3. Click “Save”.

Tip

Download a config file for a VPN server location near you for best performance.

VPN Chaining

VPN chaining routes traffic through multiple VPN providers in sequence, so no single provider sees both your identity and your destination. This achieves multi-jurisdictional resilience — the providers would need to collaborate across different legal jurisdictions to correlate your activity.

Chaining is configured through the Target field. When you set a VPN’s target to another VPN instead of “Internet”, traffic flows through both:

Your device → StartWRT → First VPN → Second VPN → Internet

For example, if “Mullvad” targets “Proton” and “Proton” targets “Internet”:

  • Mullvad knows your home IP but not your destination.
  • Proton knows your destination but sees Mullvad’s IP, not yours.

Note

VPN chaining adds latency since traffic passes through multiple servers. For most users, a single VPN provider is sufficient.

IPv6 and Kill Switch

How IPv6 traffic is handled depends on whether the VPN’s WireGuard tunnel supports it:

  • IPv6-capable VPN — If the imported config includes an IPv6 address for the tunnel interface, profiles routed through the VPN send their IPv6 traffic (::/0) through the tunnel, just like IPv4.
  • IPv4-only VPN — If the tunnel has no IPv6 address, profiles routed through it get no IPv6. IPv6 is blocked (it “fails closed”) so it cannot leak around the tunnel and out your WAN.

A kill switch protects every VPN-routed profile: both IPv4 and IPv6 fail closed. If the tunnel goes down, traffic is blocked rather than leaking out the WAN.

Note

Routing IPv6 through a VPN requires the VPN’s tunnel config to include an IPv6 address on the tunnel interface. Without one, the VPN carries IPv4 only and IPv6 is blocked for routed profiles.

VPN Detail Page

Click a VPN label in the table to open its detail page, which shows:

  • Connection Path — The full route traffic takes from this VPN to the Internet (e.g. “Mullvad → Proton → Internet”).
  • Used by — Which Security Profiles currently route their traffic through this VPN. Check this before making changes to understand the impact.
  • Label — Edit the display name.
  • Connects to — Change the target (Internet or another VPN).

To delete a VPN, click “Delete” on its detail page.

Note

You cannot delete a VPN if other VPNs use it as a target. Change their target first.

Enabling and Disabling

Each VPN has an enable/disable toggle in the table view. When a VPN is disabled, profiles that route through it will fall back to the WAN (direct Internet).

Note

You cannot disable a VPN if other VPNs use it as a target. Change their target first.

Assigning VPNs to Profiles

By default, all Security Profiles use the router’s default gateway (your ISP) for Internet traffic. You can override this per profile:

  1. Navigate to Security Profiles and select a profile.

  2. Under Outbound Routing, select a VPN client.

  3. Click “Save”.

This lets you route different profiles through different VPNs. For example:

  • Admin profile routes through Mullvad
  • Children profile routes through a DNS-filtering VPN
  • Guest profile routes through Proton
  • Smart Devices profile uses the default gateway (no VPN)

LAN Settings

The LAN (Local Area Network) page configures the router’s internal network addressing. Most users will not need to change these settings — the defaults work for typical home networks. Navigate to Network > LAN Settings.

IPv4

Configure the router’s LAN IPv4 addressing.

  • Network Block — Select the private IP block for your network. The first octet determines the RFC 1918 block: 192.168.x.x, 172.16.x.x, or 10.0.x.x. The second octet selects which /16 within that block, and the editable range depends on the block:

    • 192.168.0.0/16 — the second octet is locked to 168.
    • 172.16.0.0/12 — the second octet is editable, 1631.
    • 10.0.0.0/8 — the second octet is editable, 0255.

    The default is 192.168, so existing networks are unaffected. Only RFC 1918 private ranges are accepted; out-of-range values are flagged inline (e.g. “Second octet must be 16–31”) and block saving rather than being auto-corrected. Each Security Profile receives its own /24 subnet within this block, allowing up to 256 separate subnets with 254 devices each.

  • Router address — The router’s LAN IP is the gateway (.1) of the primary Admin Security Profile’s subnet. The first two octets come from the Network Block above; the third octet is set by the Admin profile’s Subnet field, not on this page. For example, with the 192.168.x.x block and an Admin subnet of 1, the router is reachable at 192.168.1.1. This is the address you use to access the web interface (or simply router.lan).

Note

DHCP is managed automatically for each Security Profile. You do not need to configure DHCP ranges or lease times.

Warning

Changing the Network Block changes the router’s LAN address. If you are connected to the gateway IP address (opposed to router.lan), you will need to navigate to the new address to access the web interface. If any inbound VPN servers exist, they will be deleted because their client configurations become invalid with the new addressing.

Note

Changing the second octet counts as a subnet change. Like other subnet changes, it is blocked while any device has a static IP reservation. Remove those reservations first.

IPv6

Configure IPv6 addressing on the LAN.

  • SLAAC — Toggle to enable or disable IPv6 on the LAN via Stateless Address Autoconfiguration. When enabled, devices generate their own IPv6 addresses from the router’s advertised prefix.

  • Prefix Length — Shown when SLAAC is enabled. The LAN IPv6 prefix length must be larger (a higher number) than your WAN prefix to create a valid subnet. For example, if your ISP assigns you a /48 prefix, you can use /56, /60, or /64 for the LAN. A /64 is recommended for most home networks.

Note

If any device has a static IPv6 reservation, SLAAC cannot be disabled until those reservations are removed.

Devices

The Devices page shows all devices that have connected to your router, organized into Online (currently connected) and Offline (previously seen) groups. Each device is associated with a Security Profile based on its point of entry.

Devices appear here even without an active DHCP lease: devices with static IPs, IPv6-only devices, and devices connected through an external switch (learned from the bridge forwarding table) are all listed. Names are resolved on the router from the device’s hostname, with mDNS/Bonjour used as a fallback to recover a friendly name.

Viewing Devices

Navigate to Network > Devices to see the device list. Each entry shows:

  • Name — The device’s hostname or a custom name you have assigned. Click to open the device detail page.
  • Connection — How the device connects: Ethernet, Wi-Fi 2.4GHz, Wi-Fi 5GHz, or VPN.
  • MAC address — The device’s unique hardware identifier.
  • IP address — The device’s IPv4 and IPv6 addresses. A lock icon indicates a reserved (static) IP address.
  • Data and Speed — Cumulative data usage and real-time upload/download speed for online devices.

Device Detail Page

Click a device name to open its detail page:

  • Summary — Displays the device’s current status (online/offline), connection type, Security Profile, IPv4 and IPv6 addresses, and real-time upload/download speed.

  • Data Usage — A chart showing historical upload and download over time. Use the dropdown to select a time period: Last Week (7 days), Last 30 Days, or Last 3 Months (90 days). Usage history survives firmware updates.

  • Name — Edit the custom display name for this device. If left empty, the device’s hostname is used. Saving shows a brief spinner and a confirmation, then refreshes from the router so the displayed name always matches the saved state.

  • Reserve — Toggle on to assign a fixed IPv4 address that persists across reboots. Enter the desired IP address within the device’s profile subnet. Useful for servers, printers, NAS devices, or any device that needs a consistent address.

  • Forget — Remove an offline device from the list. Custom name, reserved IP settings, and the device’s cached name are lost. If the device reconnects, it will appear as a new entry.

Tip

Reserve an IP for any device you plan to use with Published Ports. Port forwarding rules require a stable IP address to ensure traffic always reaches the correct device.

Note

Forgetting a device only removes it from the list. If the device reconnects, it will reappear. To prevent a device from accessing the network, delete the Wi-Fi password or Inbound VPN client it uses to connect.

Ethernet

Each physical Ethernet port on the StartWRT router maps to a Security Profile. The port a device plugs into determines its profile — no manual configuration is needed on the device itself.

How It Works

When a device is plugged into an Ethernet port, the router assigns it to the profile mapped to that port. The device receives an IP address on that profile’s subnet and is subject to that profile’s firewall rules, VPN routing, and schedule restrictions.

Behind the scenes, StartWRT uses bridge VLAN filtering to isolate traffic between ports. Each port tags traffic with a different VLAN ID, ensuring devices on different profiles cannot communicate at Layer 2 unless explicitly allowed.

WAN Port

One Ethernet port is designated as the WAN port, which connects to your ISP modem or upstream network. The WAN port is shown with a “WAN” badge in the port list and cannot be assigned a Security Profile.

Assigning Profiles to Ports

  1. Navigate to Points of Entry > Ethernet.

  2. For each non-WAN port, select the desired Security Profile from the dropdown.

  3. Click “Save”.

Note

Changes take effect immediately. A device currently plugged into a port will be reassigned to the new profile without needing to unplug and replug.

Note

If you connect a network switch to an Ethernet port, all devices on that switch share the same Security Profile. StartWRT cannot differentiate between devices beyond its onboard Ethernet ports. Those devices still appear individually in the Devices list — including hosts with static IPs or only IPv6 addresses — because the router learns them from the bridge forwarding table even without a DHCP lease.

Changing the WAN Port

If you need to use a different physical port for your ISP connection:

  1. Navigate to Points of Entry > Ethernet.

  2. Click “Change WAN Port”.

  3. Select the new port.

  4. Confirm the change.

Warning

Changing the WAN port restarts the network and may briefly interrupt your Internet connection. Ensure your modem cable is connected to the new port before confirming.

Example

PortProfileUse Case
Port 1(WAN)Connected to ISP modem
Port 2AdminDesktop computer with full LAN and Internet access
Port 3AdminStartOS server with full LAN and Internet access
Port 4GuestGuest-accessible Ethernet jack in the living room

Wi-Fi

StartWRT uses a single Wi-Fi network (one SSID) with multiple passwords. Each password maps to a different Security Profile. The password a device uses to connect determines its profile — no manual network selection or VLAN configuration required.

How It Works

Traditional routers create separate Wi-Fi networks (separate SSIDs) for different access levels. StartWRT takes a different approach: one SSID with multiple WPA2 passwords. When a device connects, the router identifies which password was used and assigns the corresponding Security Profile. This is powered by WPA2’s identity PSK feature with dynamic VLAN assignment.

From the user’s perspective, everyone connects to the same network name — the password is what determines their access level.

The Default Password

The Wi-Fi password printed on the sticker on the bottom of your router is the default password. It maps to the default Security Profile (typically “Admin” with full access). This password is set during manufacturing and stored in the router’s EEPROM. The EEPROM value is only authoritative on a factory reset, when it is re-read to restore the default password. During normal operation the active password is whatever is in the router’s running configuration: you can delete the Default entry and create a new one, and that new password is respected regardless of the EEPROM value. It also appears on the Points of Entry > Wi-Fi > Passwords page as the Default entry (mapped to the Admin profile), where you can reveal or copy it.

Note

Keep the sticker password safe. On a DIY or unprogrammed board with no EEPROM Wi-Fi password, set one in the GUI (if connected via ethernet) or with startwrt-cli set-wifi-password. See Installing StartWRT.

Adding a Wi-Fi Password

  1. Navigate to Points of Entry > Wi-Fi > Passwords.

  2. Click “Add”.

  3. Configure the password:

    • Label — A descriptive name for this password (e.g. “Home”, “Guest Network”, “Kids”).
    • Password — Enter a password (8–63 characters) or click “Generate” to create a strong random password.
    • Security Profile — Select the Security Profile this password should map to.
  4. Click “Save”.

Share this password with the people or devices that should receive that profile. They connect to the same network — the router handles the rest.

Removing a Wi-Fi Password

  1. Navigate to Points of Entry > Wi-Fi > Passwords.

  2. Select the password from the actions menu and click “Delete”.

Warning

Removing a Wi-Fi password immediately disconnects all devices using it. Those devices will need a different password to reconnect.

Settings

Configure the Wi-Fi radio hardware under Points of Entry > Wi-Fi > Settings:

  • Enable Wi-Fi — Global toggle to turn the wireless radio on or off. When disabled, no devices can connect via Wi-Fi.

  • SSID — The network name that devices see when scanning for Wi-Fi (default: StartWRT). All passwords share this single SSID.

  • Broadcast — Toggle SSID visibility. When off, the network is hidden from device scans and users must manually enter the network name to connect.

  • Frequency Band — 2.4 GHz, 5 GHz, or Both. 2.4 GHz has better range and wall penetration. 5 GHz offers higher speeds but shorter range. Both enables dual-band operation.

  • Broadcast Separately — Shown only when Band is “Both”. When enabled, the 5 GHz band gets a separate SSID with a -5G suffix (e.g. StartWRT and StartWRT-5G). Useful if you want to control which band a device connects to.

  • Channel — Separate dropdowns for each band. Auto (recommended) lets the router select the least congested channel. You can also select a specific channel: 1–11 for 2.4 GHz, or 36–165 for 5 GHz.

Warning

Changing the SSID disconnects all Wi-Fi clients. You will be prompted to confirm before the change is applied.

Tip

For 2.4 GHz, channels 1, 6, and 11 are the only non-overlapping channels. If you experience interference, try one of these.

Example

LabelPasswordProfileWho uses it
Default(sticker)AdminYou — full LAN and Internet access
GuestRv3kWpTm8xNqYb5JGuestVisitors — Internet only, through Proton VPN
KidsDn7cXfHs4uEgAw2RChildrenYour children — Internet during daytime only, with DNS filtering
IoTYm9pVtKe6jQrZh3FSmart DevicesIoT devices — limited Internet, no LAN access

Wi-Fi Blackout

Wi-Fi Blackout lets you disable the Wi-Fi radio on a recurring timetable. During a blackout window, the radio is powered off entirely — all Wi-Fi devices disconnect regardless of their profile, while Ethernet-connected devices are unaffected.

Use Cases

  • Limit late-night usage — Disable Wi-Fi from 10 PM to 7 AM so household members are not online at night.
  • Reduce RF exposure — Power off the radio during sleeping hours to minimize radiofrequency EMF in the home.
  • Energy savings — Turn off Wi-Fi when nobody is home during the day.

Note

Wi-Fi Blackout affects the radio hardware itself, not individual devices or profiles. When Wi-Fi is off, all Wi-Fi-connected devices are disconnected regardless of their profile. Ethernet-connected devices are unaffected. For per-profile time restrictions on Internet access (not Wi-Fi connectivity), use WAN Blackout in Security Profiles.

Setting a Schedule

The schedule is displayed as a 7-day visual timeline grid, with one row per day of the week. Blackout windows appear as shaded blocks on the timeline.

  1. Navigate to Points of Entry > Wi-Fi > Schedule.

  2. Click “Add” to create a blackout window.

  3. Set the start and end times for the blackout period. Times use a 12-hour HH:MM AM/PM format, with a 15-minute quick-pick dropdown. A window may cross midnight (e.g. 10:00 PM to 6:00 AM). Setting the start time equal to the end time creates a full 24-hour window.

  4. Select which days of the week the window applies to.

  5. Click “Save”.

Multiple blackout windows per day are supported. For example, you could disable Wi-Fi from 12:00 AM to 6:00 AM and again from 10:00 PM to 12:00 AM.

Overlapping windows are rejected when you save. A schedule that covers the entire week with no gap is also rejected — the system needs at least one boundary to toggle the radio on and off.

Tip

Click a window once to edit it.

Note

If the router reboots during a blackout window, the schedule is re-evaluated at boot and the radio is powered back off for the remainder of the window. There is a brief interval early in boot, before the controller starts, during which the radio may come up momentarily before the blackout is reasserted.

Removing a Schedule

To remove a blackout window, click it and click “Delete”. Removing all blackout windows effectively disables the schedule — Wi-Fi will remain on at all times.

Inbound VPNs

Create WireGuard VPN servers on your router for secure remote access to your home network. Each VPN server maps to a Security Profile, so remote devices receive the same access controls as if they were connected locally.

How It Works

An inbound VPN server listens for WireGuard connections from the Internet. When a remote device connects, it is assigned the VPN server’s Security Profile — gaining access to the LAN, Internet, or both, according to that profile’s rules. This is like giving someone a key to a specific door in your house rather than handing them the master key.

Important

Inbound VPN requires either a public IP address or Dynamic DNS so remote devices can reach your router. If your ISP uses CGNAT, inbound connections cannot reach your router directly. Consider using StartTunnel as a gateway instead.

Creating a VPN Server

  1. Navigate to Points of Entry > Inbound VPNs and click “Add”.

  2. Configure the server:

    • Label — A descriptive name (e.g. “Home VPN”, “Friends”, “Work”).
    • Endpoint — The address where remote clients will connect. Select from available options: WAN IPv4 address, WAN IPv6 address, or a DDNS domain (if Dynamic DNS is configured). If you have a dynamic IP, use a DDNS domain so clients do not need to update their configuration when your IP changes.
    • Security Profile — The Security Profile to assign to connecting clients.
    • Port — The WireGuard listen port (default: 51820). Must be unique across all VPN servers. If the default is already in use, the next available port is suggested.
  3. Click “Save”.

Managing Clients

Each VPN server has a client management page listing all peers. Navigate to a VPN server and click “Manage clients” from the actions menu to view the client list, which shows each peer’s name, LAN IP address, and routing mode.

Adding a Client

  1. Select the VPN server and click “Add”.

  2. Configure the client:

    • Label — A name for the client (e.g. “My iPhone”, “Work Laptop”).
    • LAN IP Address — The IP address assigned to this client on the VPN subnet.
    • Public Key — (Optional) Enter an existing WireGuard public key if the device already has a keypair configured. Leave empty to auto-generate a keypair.
    • Route all traffic through tunnel — When enabled, all of the client’s Internet traffic routes through the VPN (full tunnel). When disabled (the default), only LAN traffic uses the tunnel and the client uses its own Internet connection for everything else (split tunnel).

    Tip

    “Route all traffic through tunnel” is especially useful when the VPN server’s Security Profile uses an Outbound VPN. Most devices only support one active VPN at a time, so a phone, for example, could either use WireGuard to access your LAN or use Mullvad/Proton directly — but not both. With full tunnel routing, the device connects to your router via WireGuard and its Internet traffic is then routed through the Outbound VPN automatically, giving you both LAN access and VPN protection in a single connection. If that Outbound VPN is IPv6-capable, the client’s IPv6 traffic is tunneled through it as well; with an IPv4-only Outbound VPN, only IPv4 is tunneled and IPv6 is blocked so it cannot leak. This adds some latency since traffic passes through two tunnels.

  3. A WireGuard configuration is generated.

Viewing Client Configuration

After creating a client, the configuration can be viewed in two formats:

  • File — Displays the configuration as text. Use the copy button to copy to clipboard, or the download button to save as a .conf file that WireGuard apps can import.
  • QR — Displays the configuration as a QR code. Scan with the WireGuard mobile app to configure the client without manual entry.

Changing Client Routing

You can switch between routing modes from the actions menu on the client list:

  • Switch to All traffic — Full tunnel. All Internet traffic routes through the VPN.
  • Switch to LAN only — Split tunnel. Only local network traffic uses the tunnel.

Warning

Changing the routing mode deletes the existing peer and creates a new one. You will need to reconfigure the device with the new configuration.

Renaming a Client

Select “Rename” from the client’s actions menu to change its display name.

Removing a Client

Select “Delete” from the client’s actions menu. The client’s WireGuard configuration is immediately invalidated.

Connecting Remote Devices

Install the WireGuard app on the remote device and import the configuration:

  • Phone or tablet: Scan the QR code from the client configuration page using the WireGuard app.
  • Laptop or desktop: Download the .conf file and import it into the WireGuard app.

Removing a VPN Server

  1. Navigate to Points of Entry > Inbound VPNs and select “Delete” from the server’s actions menu.

Warning

Deleting a VPN server immediately disconnects all clients and invalidates their configuration files. Clients will need new config files if a new server is created.

Example

VPN ServerProfileEndpointUse Case
PrimaryAdminDDNS domainYour personal remote access to everything
FamilyShared ServicesDDNS domainFamily members accessing the home server
FriendsGuestDDNS domainFriends using your Internet connection via VPN

Settings

The Settings page contains system preferences, account management, and advanced tools. Navigate to System > Settings. The page is organized into tabs: General, Password, SSH Keys, Backup, Logs, Activity, and Advanced. See also SSH Access and Backups for dedicated documentation on those tabs.

General

Preferences

  • Theme — System, Dark, or Light. System follows your browser or OS preference.
  • Language — A dropdown for the web interface language. Available languages are English, Spanish, German, French, and Polish (English is the fallback). The choice is saved per-router (server-side) and only takes effect when you click “Save” — there is no automatic browser-language detection.
  • Timezone — A searchable combo box populated from the device, listing hundreds of IANA time zones (e.g. labelled like “(GMT-6) America/Denver”). It’s auto-detected from your browser during initial setup (falling back to UTC if detection fails). Changing the timezone restarts the schedule engine so that WAN Blackout and Wi-Fi Blackout windows fire at the correct local time. It also affects activity timestamps and log timestamps.

About

The General page shows an About block with the firmware Version and a Build identifier (a short git hash; hover to see the full hash). These are useful when filing bug reports.

Remote Access

Controls whether the web interface is accessible from outside the local network. When remote access is enabled, the router detects whether it has a public or private WAN IP and adjusts accordingly. Remote access works over the router’s WAN IP or Dynamic DNS domain, and is also reachable through an Inbound VPN connection.

  • When behind NAT (default) — The recommended setting for most users. The admin-interface access rules (ports 80/443/22) are scoped to private and ULA source ranges (RFC 1918 for IPv4, fc00::/7 for IPv6), so the admin interface stays reachable from your local network but closed to the public Internet — even if a public, globally routable address later appears on the WAN.
  • Never — Disables remote access entirely. The admin interface is only accessible from devices on the local network.
  • Always — Enables remote access at all times, even with a public IP.

Warning

Selecting “Always” exposes your router’s admin interface to the Internet. Only use this if you understand the security implications and have a strong admin password.

Security

  • Download Root CA — Download the router’s Root CA certificate, saved as startwrt-ca.crt. See Trusting Your Root CA for installation instructions.

Updates

When a firmware update is available, a banner appears at the top of the General page showing the new version number. Expand the banner to view release notes before updating. See Updating for the full update procedure.

Password

Change your admin password. The admin password protects the web interface and is separate from the Wi-Fi password.

  1. Navigate to System > Settings > Password.

  2. Enter your current password.

  3. Enter and confirm your new password (minimum 12 characters).

  4. Click “Save”.

Logs

View real-time system logs streamed from the router via WebSocket. Useful for diagnosing network issues, monitoring VPN connections, or verifying firewall behavior.

Navigate to System > Settings > Logs to open the live log viewer. You can download the full log as a text file or scroll to the bottom to follow new entries in real time.

Activity

View a log of administrative actions taken through the web interface. Each entry shows:

  • Status icon — Green check for successful actions, red X for failures.
  • Timestamp — When the action occurred.
  • Summary — A description of the action performed.
  • Error details — If the action failed, the error message is shown below the summary.

Individual entries can be deleted, or click “Clear All” to remove the entire log. The list is paginated with 10 entries per page.

Advanced

The Advanced tab contains power-user tools:

  • Launch LuCI Interface — Opens the underlying OpenWrt LuCI admin panel in a new tab for direct access to low-level configuration.
  • Download Support Diagnostics — Generates and downloads a diagnostic bundle for troubleshooting with Start9 support.
  • Factory Reset — Erases all settings (excluding the sticker Wi-Fi password) and reboots the router. See Factory Reset for details.

Warning

Factory reset is irreversible. Create a backup first if you want to preserve your configuration.

SSH Access

Access your router’s command line over SSH for advanced troubleshooting, package management, or direct configuration. SSH accepts both password authentication (using your admin password) and public key authentication.

Warning

SSH provides root access to the underlying OpenWrt system. Misconfiguration can break networking, lock you out, or require a factory reset. Only use SSH if you are comfortable with the Linux command line.

Adding an SSH Key

  1. Navigate to System > Settings > SSH Keys.

  2. Click “Add Key”.

  3. Paste your public key (the contents of ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub). The key is labeled automatically from the comment at the end of the public key (e.g. user@hostname).

  4. Click “Save”.

Tip

If you do not have an SSH key pair, generate one:

ssh-keygen -t ed25519

This creates a private key (~/.ssh/id_ed25519) and a public key (~/.ssh/id_ed25519.pub). Add the public key to StartWRT. Never share the private key.

Connecting

Once your key is added, connect from a terminal:

ssh root@router.lan

Removing an SSH Key

  1. Navigate to System > Settings > SSH Keys.

  2. Click the trash (Delete) button on the key’s row.

Note

Even with no SSH keys configured, you can still connect using your admin password.

Backups

Back up your router’s configuration so you can restore it after an update, factory reset, or hardware failure. Backups capture your settings — security profiles, Wi-Fi passwords, firewall rules, VPN configurations, SSH keys, and other customizations.

Creating a Backup

  1. Navigate to System > Settings > Backup.

  2. Click “Create Backup”.

  3. A backup file will be downloaded to your computer.

Store the backup file in a safe location, such as a password manager or encrypted drive.

Tip

Create a backup before performing firmware updates. While the “Keep settings” path preserves settings, having a backup provides an extra safety net.

Restoring a Backup

  1. Navigate to System > Settings > Backup.

  2. Click “Restore Backup”.

  3. Select the backup file from your computer.

  4. Click “Restore”.

The router will apply the configuration and restart.

Warning

Restoring a backup overwrites your current configuration entirely. Any changes made since the backup was created will be lost.

What Is Included

IncludedNot Included
Security ProfilesSystem logs
Wi-Fi passwordsDevice history
Published PortsData usage counters
Ethernet port assignments
Inbound and Outbound VPN configs
SSH keys
DDNS settings
LAN/WAN settings
Admin password
Router name, timezone, language

Factory Reset

A factory reset restores StartWRT to its default state at unboxing. There are two ways to reset: from the web interface (soft reset) or from a microSD card (reflash).

Soft Reset (Web Interface)

A soft reset erases the overlay filesystem where all configuration changes are stored, then reboots the router. The base firmware (read-only squashfs) is untouched — only your customizations are removed. The Wi-Fi password survives because it is re-read from the router’s EEPROM on boot.

  1. Navigate to System > Settings.

  2. Click “Factory Reset”.

  3. Confirm the action.

The router will reboot. After reboot:

  • Wi-Fi works immediately using the original sticker password (re-read from the router’s EEPROM on boot).
  • The admin password is cleared — you will be prompted to create a new one via the captive portal.
  • All settings (security profiles, VPN configs, firewall rules, SSH keys, etc) are wiped.

Warning

A factory reset cannot be undone. Create a backup first if you want to preserve your settings.

Reflash (microSD)

A microSD reflash boots the router from a StartWRT image and replaces the firmware entirely. The router enters setup mode and brings up the StartWRT Wi-Fi network limited to a single client, with a captive portal that auto-opens the setup wizard.

  1. Create a bootable microSD card — see Installing StartWRT.

  2. Power off the router, insert the microSD card, and power it back on.

  3. Connect to the StartWRT network via ethernet or by using the Wi-Fi password printed on the sticker. The captive portal opens the wizard automatically.

  4. Choose a reflash path:

    • Keep settings — Keeps your settings, prompts for a new admin password, and replaces the firmware. Your configuration (including Wi-Fi and profile settings) is preserved. User-installed extra package binaries are wiped, so you will need to reinstall them — but their config files are retained. See also Updating.
    • Fresh Start — Wipes everything and installs a clean copy of StartWRT. You set a new admin password, and the timezone is auto-detected from your browser (you can change it later in Settings). After reboot, Wi-Fi comes back up automatically using the sticker password re-read from the router’s EEPROM — no Wi-Fi credentials are carried over from the old configuration. Equivalent to a factory reset plus a firmware reinstall.
  5. When the wizard completes, power off the router, remove the microSD card, and power it back on.

Note

On a DIY or unprogrammed board with no Wi-Fi password in the EEPROM, the wizard is reachable over Ethernet only, and the reflashed router boots with no Wi-Fi until you run startwrt-cli set-wifi-password. See Installing StartWRT.

What Gets Wiped

Soft ResetKeep settings (microSD)Fresh Start (microSD)
All settings and customizationsSettings preservedAll settings and customizations
Admin password clearedNew admin passwordAdmin password cleared
Firmware unchangedFirmware replacedFirmware replaced
Wi-Fi password preservedWi-Fi password preservedWi-Fi password preserved

The Wi-Fi password survives in every case. For Soft Reset and Fresh Start — which wipe the overlay — it is re-read from the router’s EEPROM on boot. With Keep settings, the existing Wi-Fi configuration (including any password you set yourself) is preserved as-is.

Lost Wi-Fi Password

The Wi-Fi password is printed on the sticker on the bottom of your router and stored in the router’s EEPROM. The EEPROM value is the password restored by a factory reset; during normal operation the active password is whatever is in the running configuration, so if you have replaced the Default entry with your own, that password is what’s in effect. If you are still logged in, you can also reveal or copy it on the Points of Entry > Wi-Fi > Passwords page (the Default entry). On a DIY or unprogrammed board that has no EEPROM Wi-Fi password, set one via the GUI (if connected via ethernet) or with startwrt-cli set-wifi-password. See Installing StartWRT for details.

CGNAT (Carrier-Grade NAT)

CGNAT is a networking technique where your ISP places your home network behind an additional layer of NAT that you do not control. If your ISP uses CGNAT, several StartWRT features will not work.

What Is CGNAT?

Normally, your router is assigned a public IP address by your ISP. This allows devices on the Internet to initiate connections to your router, which can then forward them to devices on your LAN.

With CGNAT, your ISP does not give your router a public IP. Instead, many customers share a single public IP managed by the ISP’s equipment. Your router’s “WAN IP” is actually a private address on the ISP’s internal network. Because you don’t control the ISP’s NAT, no one on the Internet can initiate a connection to your router.

Who Is Affected?

CGNAT is common with:

  • Satellite Internet — Starlink, HughesNet, Viasat
  • Cellular/fixed wireless — T-Mobile Home Internet, Verizon Home Internet, and similar 4G/5G home broadband services
  • Some fiber and cable ISPs — particularly in regions with IPv4 address shortages

Impact on StartWRT

CGNAT blocks all inbound connections to your router. This significantly limits StartWRT’s feature set:

  • Inbound VPNs — VPN servers need to accept connections from the Internet. Behind CGNAT, remote devices cannot reach your router.
  • Published Ports — Port forwarding requires a public IP. Rules will show “Error” or “Partial” status behind CGNAT.
  • Dynamic DNS — DDNS maps a domain to your IP, but if that IP is behind CGNAT, the domain still cannot receive inbound connections.

CGNAT does not affect:

  • Local network access — Devices on your LAN connect directly, bypassing the ISP entirely.
  • Outbound VPNs — Outbound connections are not blocked by CGNAT.
  • All other StartWRT features — Security Profiles, Wi-Fi management, Ethernet configuration, WAN Blackout, and backups work normally.

The Solution: StartTunnel

StartTunnel is a virtual private router (VPR) — a minimal, self-hosted router that runs on a VPS with a public IP address. Your devices connect outbound to the VPS, and the VPS accepts inbound connections on their behalf. Because the VPS has a real public IP, CGNAT is completely bypassed.

How to Check

Compare your router’s WAN IP with your actual public IP:

  1. In StartWRT, navigate to Internet > WAN Settings and note your WAN IP address.

  2. Visit a site like whatismyip.com from a device on the same network.

  3. If the two addresses match, you are not behind CGNAT. If they differ, you are likely behind CGNAT.

Tip

Another indicator: if your router’s WAN IP is in the 100.64.0.0/10 range (100.64.x.x through 100.127.x.x), that is the CGNAT address block defined by RFC 6598 and confirms you are behind CGNAT.

Note

Some ISPs offer a way to opt out of CGNAT, either through a support request or by purchasing a static IP add-on. Check with your ISP before assuming CGNAT is permanent.

Architecture

StartWRT is a router operating system built on OpenWrt with a custom Rust backend and Angular web interface. It reimagines the router experience by abstracting raw networking primitives — VLANs, firewall zones, subnets, routing tables — behind the Security Profile model. The result is enterprise-grade network segmentation that anyone can configure in minutes.

What StartWRT Adds to OpenWrt

OpenWrt is a powerful open-source router OS, but it exposes raw networking primitives through its LuCI interface. Configuring VLANs, firewall zones, and multi-password Wi-Fi requires understanding how these systems interact at a low level. StartWRT keeps OpenWrt’s battle-tested networking stack and adds:

  • Security Profiles — A single abstraction that replaces manual VLAN, firewall, subnet, and routing configuration. One click creates an isolated network segment with its own DHCP, DNS, firewall rules, and VPN routing.
  • Multi-password Wi-Fi — One SSID with multiple passwords, each mapping to a different Security Profile. No separate SSIDs, no manual VLAN tagging.
  • VPN chaining — Route traffic through multiple VPN providers in sequence for multi-jurisdictional privacy.
  • Modern web interface — A purpose-built Angular UI that manages the full router configuration without requiring CLI knowledge. The underlying OpenWrt CLI and LuCI remain available for advanced users.
  • OTA updates — Firmware updates delivered through the web interface.

How It Works

StartWRT has three components:

  • OpenWrt — The base operating system. Handles kernel-level networking, Wi-Fi drivers, and package management.
  • Rust backend — A single binary (startwrt) that runs as the RPC server and CLI. It manages all configuration, service reloads, TLS certificates, authentication, and system operations.
  • Angular frontend — A single-page application embedded in the backend binary. Communicates with the backend over JSON-RPC 2.0.

All persistent configuration lives in UCI files under /etc/config/ — the same configuration system used by stock OpenWrt, with no separate configuration database. The backend reads and writes these files atomically, so the CLI, LuCI, and the StartWRT web interface all share a single source of truth. (The activity log and login sessions are stored separately under /etc/startwrt/, outside the UCI config system.)

Security Profile Internals

When you create a Security Profile, the backend orchestrates changes across multiple UCI config files:

UCI ConfigWhat Changes
networkNew bridge interface, VLAN, and subnet
firewallNew zone with inter-zone forwarding rules (fw4/nftables)
dhcpNew DHCP server for the profile’s subnet
wirelessNew PSK entry in wpa_psk_file (for Wi-Fi passwords)

This is why the web interface never exposes raw VLANs or firewall rules — the profile abstraction handles all of it consistently. StartWRT’s firewall is built on fw4/nftables, so any custom firewall rules you add must be written as nftables (fw4) rules.

Network Isolation

Device isolation uses bridge VLAN filtering at Layer 2. Each Security Profile is assigned a unique VLAN ID. Traffic is tagged at the entry point (Ethernet port, Wi-Fi password, or VPN server) and can only reach destinations within the same VLAN unless the firewall explicitly allows inter-zone traffic.

Multi-Password Wi-Fi

StartWRT’s multi-password Wi-Fi uses WPA2’s identity PSK feature with dynamic VLAN assignment. Each password in the PSK file is associated with a VLAN ID. When a device authenticates, the router matches the password, looks up the VLAN, and places the device on the correct network segment — all transparently.

Security

  • Admin password — Stored as a SHA-512 hash in /etc/shadow
  • Wi-Fi password — Printed on the sticker and stored in the router’s EEPROM
  • Sessions — Random token with 1-day expiry; HTTP-only SameSite=Strict cookie
  • Rate limiting — 3 login attempts per 20 seconds
  • SSH — Public key authentication or password auth (Admin password)
  • TLS — rustls with a Root CA certificate chain

TLS and Certificates

Certificate generation is delegated to the StartOS SSL primitives. The trust chain uses a root CA with CN “StartWRT Local Root CA” and an intermediate CA with CN “StartWRT Local Intermediate CA” (both with Org/OU “StartWRT”), and the issued server certificate carries a default SAN of router.lan. The web server hot-reloads its TLS certificate when the LAN IP changes, so no restart is required. See Trusting Your Root CA for installation steps.

IPv6

Each router generates a unique per-device ULA /48 prefix at first boot. This ensures that chained StartWRT routers never collide on the same ULA range.

Source Code

The StartWRT source code lives in the start-technologies monorepo, alongside the other Start9 products.

To report bugs or request features, open an issue.

FAQ

Answers to common questions about StartWRT’s features, security model, and compatibility.

What is StartWRT?

StartWRT is a router operating system built on OpenWrt, designed specifically for home-based self-hosting. It replaces traditional networking concepts (VLANs, firewall rules, routing tables) with Security Profiles — a simple model where how a device connects determines what it can access.

How is StartWRT different from stock OpenWrt?

Stock OpenWrt exposes raw networking primitives through the LuCI interface, requiring users to understand VLANs, firewall zones, and routing tables. StartWRT abstracts all of this behind Security Profiles and provides a modern web interface that makes advanced features accessible without CLI expertise. Under the hood, StartWRT still uses OpenWrt’s networking stack — the difference is entirely in the management layer.

How does multi-password Wi-Fi work?

StartWRT uses WPA2’s identity PSK feature. A single SSID (StartWRT) accepts multiple passwords, each mapped to a different Security Profile. When a device connects, the router identifies which password was used and places the device on the corresponding VLAN and subnet automatically. See Wi-Fi for details.

Is VPN chaining really more private?

Yes, with caveats. VPN chaining routes traffic through multiple providers so that no single provider sees both your identity (home IP) and your destination. However, if the providers collaborate or are compelled by law enforcement across jurisdictions, correlation is still theoretically possible. For most users, the practical benefit is significant — especially when chaining providers in different legal jurisdictions. See Outbound VPNs for setup instructions.

Does StartWRT work with my ISP?

StartWRT supports DHCP, static IP, and PPPoE WAN connections, which covers the vast majority of ISPs. If your ISP uses CGNAT, you can still use all local features, but inbound connections (VPN servers, port forwarding) will not work. See CGNAT to learn more and check if you are affected.

Can I still use the OpenWrt CLI?

Yes. StartWRT is built on OpenWrt, and the full CLI is accessible over SSH. You can use apk to install packages, edit UCI files directly, and run standard Linux networking tools. Changes made via the CLI are respected by the web interface.

What happens if I forget my admin password?

You have two options:

  1. Factory reset — Perform a factory reset from the web interface (if you are still logged in). This wipes all settings but preserves the Wi-Fi password.
  2. Reflash — Boot from a microSD card and choose “Keep settings” to reinstall the firmware while preserving settings. You will be prompted to create a new admin password. See Installing StartWRT.

What if I lose my Wi-Fi sticker password?

The Wi-Fi password is printed on the sticker on the bottom of the router and stored in the router’s EEPROM — it can also be displayed in the StartWRT GUI on the WiFi tab as the Admin Profile ‘Default’ label. The EEPROM value is only re-read on a factory reset; if you have replaced the Default password with your own, that new password is what’s in effect. On a DIY or unprogrammed board with no EEPROM Wi-Fi password, set one via the GUI (if connected via ethernet) or with startwrt-cli set-wifi-password. See Installing StartWRT for the full procedure.

Why doesn’t one of my profiles have IPv6 Internet access?

If your ISP delegates only a single IPv6 prefix (for example, a /64), that prefix is assigned to your primary LAN. Non-admin Security Profiles routed Direct to the Internet then receive only a local-only ULA address and have no global IPv6 connectivity — IPv4 still works normally. To give such a profile global IPv6, route it through an IPv6-capable Outbound VPN, or ask your ISP for a larger prefix delegation (such as a /56 or /48).

Does StartWRT phone home or collect telemetry?

No. StartWRT has no telemetry, no analytics, and no phone-home behavior. The only outbound connection the router initiates on your behalf is to check for firmware updates and to register with a Dynamic DNS provider (if configured). Both are optional and user-initiated — StartWRT never updates automatically, and you can also update entirely offline by reflashing from a microSD card. See Updating.

Can I use StartWRT with StartOS?

Absolutely. StartWRT and StartOS are complementary products. StartOS runs your self-hosted services; StartWRT handles the networking. Together, they provide a complete self-hosting stack with proper network isolation, VPN access, and port forwarding — all without touching the command line.

Where can I report bugs or request features?

Open an issue on the start-technologies GitHub repository — StartWRT lives in the monorepo alongside the other Start9 products.