The POSTROUTING MASQUERADE rules in forward-port failed to handle two hairpin scenarios:

1. Host-to-target hairpin (OUTPUT DNAT): when sip is a WAN IP (tunnel case), the old rule matched `-s sip` but the actual source of locally-originated packets is a local interface IP, not the WAN IP. Fix: use `-m addrtype --src-type LOCAL -m conntrack --ctorigdst sip` to match any local source while tying the rule to the specific sip.

2. Same-subnet self-hairpin (PREROUTING DNAT): when a WireGuard peer connects to itself via the tunnel's public IP, traffic is DNAT'd back to the peer. Without MASQUERADE the response takes a loopback shortcut, bypassing the tunnel server's conntrack and breaking NAT reversal. Fix: add `-s dip/dprefix -d dip` to masquerade same-subnet traffic, which also subsumes the old bridge_subnet rule.

Also bind the hairpin detection socket to the gateway interface and local IP for consistency with the echoip client.
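
Added example, not part of the commit or of StartOS: a toy Python model of scenario 2 showing why the reply only gets NAT-reversed when the forwarded packet is masqueraded. All addresses are constructed, and `GW` (the address MASQUERADE would pick on the tunnel interface) and the /24 prefix are assumptions.

```python
# Toy conntrack model of the same-subnet self-hairpin (constructed addresses).
SIP = "203.0.113.10"   # tunnel server's public IP (constructed)
GW = "10.59.0.1"       # server's address on the WireGuard subnet (assumed)
DIP = "10.59.0.2"      # WireGuard peer that is the forward target (assumed)
SUBNET = "10.59.0."    # stands in for dip/dprefix, here a /24 (assumed)


def server_forward(pkt, conntrack, masquerade):
    """PREROUTING DNAT sip -> dip, then optional POSTROUTING MASQUERADE."""
    src, dst = pkt
    new_src, new_dst = src, dst
    if dst == SIP:
        new_dst = DIP
    # Rule from the commit message: -s dip/dprefix -d dip
    if masquerade and new_src.startswith(SUBNET) and new_dst == DIP:
        new_src = GW
    # conntrack maps the expected reply tuple to the tuple it must restore
    conntrack[(new_dst, new_src)] = (dst, src)
    return (new_src, new_dst)


def peer_reply(pkt):
    """The service on the peer answers by swapping source and destination."""
    src, dst = pkt
    return (dst, src)


def deliver_reply(reply, conntrack):
    """NAT reversal happens only if the reply actually transits the server."""
    _, dst = reply
    if dst == DIP:
        # Reply is addressed to the peer itself: delivered locally on the
        # peer (the "loopback shortcut"), so the server never sees it.
        return reply
    return conntrack.get(reply, reply)


def hairpin(client, masquerade):
    """True if the client receives a reply from the address it dialed."""
    conntrack = {}
    forwarded = server_forward((client, SIP), conntrack, masquerade)
    reply = deliver_reply(peer_reply(forwarded), conntrack)
    return reply == (SIP, client)


if __name__ == "__main__":
    for client in (DIP, "198.51.100.7"):
        for masq in (False, True):
            print(client, "masquerade" if masq else "no masquerade",
                  "ok" if hairpin(client, masq) else "BROKEN")
```

Only the peer-to-itself case without masquerade comes back broken; the external client is unaffected by the rule because its source is outside `dip/dprefix`.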
What is StartOS?
StartOS is an open-source Linux distribution for running a personal server. It handles discovery, installation, network configuration, data backup, dependency management, and health monitoring of self-hosted services.
Tech stack: Rust backend (Tokio/Axum), Angular frontend, Node.js container runtime with LXC, and a custom diff-based database (Patch-DB) for reactive state synchronization.
Services run in isolated LXC containers, packaged as S9PKs — a signed, merkle-archived format that supports partial downloads and cryptographic verification.
What can you do with it?
StartOS lets you self-host services that would otherwise depend on third-party cloud providers — giving you full ownership of your data and infrastructure.
Browse available services on the Start9 Marketplace, including:
- Bitcoin & Lightning — Run a full Bitcoin node, Lightning node, BTCPay Server, and other payment infrastructure
- Communication — Self-host Matrix, SimpleX, or other messaging platforms
- Cloud Storage — Run Nextcloud, Vaultwarden, and other productivity tools
Services are added by the community. If a service you want isn't available, you can package it yourself.
Getting StartOS
Buy a Start9 server
The easiest path. Buy a server from Start9 and plug it in.
Build your own
Follow the install guide to install StartOS on your own hardware. Reasons to go this route:
- You already have compatible hardware
- You want to save on shipping costs
- You prefer not to share your physical address
- You enjoy building things
Build from source
See CONTRIBUTING.md for environment setup, build instructions, and development workflow.
Contributing
There are multiple ways to contribute: work directly on StartOS, package a service for the marketplace, or help with documentation and guides. See CONTRIBUTING.md or visit start9.com/contribute.
To report security issues, email security@start9.com.