diff --git a/START-TUNNEL.md b/START-TUNNEL.md
index 2fcb28c64..e3c94eea1 100644
--- a/START-TUNNEL.md
+++ b/START-TUNNEL.md
@@ -6,6 +6,14 @@ You can think of StartTunnel as "virtual router in the cloud"
 
 Use it for private, remote access, to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
 
+## Features
+
+- **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
+
+- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique Wireguard config that must be copied, downloaded, or scanned into the device.
+
+- **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
+
 ## Installation
 
 1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.
@@ -19,17 +27,12 @@ Use it for private, remote access, to self-hosted services running on a personal
 1.  Access the VPS via SSH.
 
 1.  Install StartTunnel:
+
 ```sh
-TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && sleep 1 && start-tunnel web init
+TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
 ```
 
-## Features
-
-- **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
-
-- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique Wireguard config that must be copied, downloaded, or scanned into the device.
-
-- **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
+5. [Initialize the web interface](#web-interface) (recommended)
 
 ## CLI
 
@@ -53,8 +56,8 @@ If you choose to enable the web interface (recommended in most cases), StartTunn
 
 1.  Select whether to autogenerate a self-signed certificate or provide your own certificate and key. If you choose to autogenerate, you will be asked to list all IP addresses and domains for which to sign the certificate. For example, if you intend to access your StartTunnel web UI at a domain, include the domain in the list.
 
-1.  You will receive a success message that the webserver is running at the chosen IP:port, as well as your SSL certificate and an autogenerated UI password.
+1.  You will receive a success message with 3 pieces of information:
 
-1.  If not already, trust the certificate in your system keychain and/or browser.
-
-1.  If you lose/forget your password, you can reset it using the CLI.
+    - <https://IP:port>: the URL where you can reach your personal web interface.
+    - Password: an autogenerated password for your interface. If you lose/forget it, you can reset using the CLI.
+    - Root Certificate Authority: the Root CA of your StartTunnel instance. If not already, trust it in your browser or system keychain.
diff --git a/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts b/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts
index 4567941ab..8d3bf45cd 100644
--- a/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts
+++ b/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts
@@ -56,7 +56,7 @@ export function getIp({ clients, range }: MappedSubnet) {
   const net = IpNet.parse(range)
   const last = net.broadcast()
 
-  for (let ip = net.add(1); ip.cmp(last) === -1; ip.add(1)) {
+  for (let ip = net.add(1); ip.cmp(last) === -1; ip = ip.add(1)) {
     if (!clients[ip.address]) {
       return ip.address
     }
diff --git a/web/projects/ui/src/app/routes/portal/components/interfaces/public-domains/pd.service.ts b/web/projects/ui/src/app/routes/portal/components/interfaces/public-domains/pd.service.ts
index 27ecf679e..e99ce7a4a 100644
--- a/web/projects/ui/src/app/routes/portal/components/interfaces/public-domains/pd.service.ts
+++ b/web/projects/ui/src/app/routes/portal/components/interfaces/public-domains/pd.service.ts
@@ -228,24 +228,27 @@ export class PublicDomainService {
   private gatewayAndAuthoritySpec() {
     const data = this.data()!
 
+    const gateways = data.gateways.filter(
+      ({ ipInfo: { deviceType } }) =>
+        deviceType !== 'loopback' && deviceType !== 'bridge',
+    )
+
     return {
       gateway: ISB.Value.dynamicSelect(() => ({
         name: this.i18n.transform('Gateway'),
         description: this.i18n.transform(
           'Select a gateway to use for this domain.',
         ),
-        values: data.gateways.reduce<Record<string, string>>(
+        values: gateways.reduce<Record<string, string>>(
           (obj, gateway) => ({
             ...obj,
-            [gateway.id]: gateway.name || gateway.ipInfo!.name,
+            [gateway.id]: gateway.name || gateway.ipInfo.name,
           }),
           {},
         ),
         default: '',
-        disabled: data.gateways
-          .filter(
-            g => !g.ipInfo!.wanIp || utils.CGNAT.contains(g.ipInfo!.wanIp),
-          )
+        disabled: gateways
+          .filter(g => !g.ipInfo.wanIp || utils.CGNAT.contains(g.ipInfo.wanIp))
           .map(g => g.id),
       })),
       authority: ISB.Value.select({