diff --git a/Home.md b/Home.md index 9284ebd..119f684 100644 --- a/Home.md +++ b/Home.md @@ -1,4 +1,5 @@ # Home +1. [Setup](Setup) 1. [HTTP Control server](HTTP-Control-server) 1. [Contributing](Contributing) diff --git a/Setup/Advanced.md b/Setup/Advanced.md new file mode 100644 index 0000000..747e7dc --- /dev/null +++ b/Setup/Advanced.md @@ -0,0 +1,20 @@ +# Advanced setup + +## Custom iptables rules + +If you need to specify additional iptables rules to be run after the built-in iptables rules, you can use the file at `/iptables/post-rules.txt` with one iptables command per line and these will automatically be run on container start. +For example the `/iptables/post-rules.txt` file could contain: + +```sh +iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d 192.168.2.0/24 -p udp --sport 1197 -j ACCEPT +iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d 192.168.2.0/24 -p tcp --sport 1197 -j ACCEPT +``` + +## Disable the healthcheck + +If the Docker healthcheck (not running in Kubernetes) is bothering you because it accesses ip echo websites periodically, you can disable with `--no-healthcheck` or for docker-compose.yml: + +```yml + healthcheck: + disable: true +``` diff --git a/Setup/External firewall.md b/Setup/External firewall.md new file mode 100644 index 0000000..be8dfb1 --- /dev/null +++ b/Setup/External firewall.md 
@@ -0,0 +1,42 @@ +# External firewall + +If you have a strict firewall setup (host level or router level), you will need to let some ports through for this container to work. + +## VPN connections + +You need the following to allow communicating with the VPN servers + +### Private Internet Access + +- If `PIA_ENCRYPTION=strong` and `PROTOCOL=udp`: allow outbound UDP 1197 to the corresponding VPN server IPs +- If `PIA_ENCRYPTION=normal` and `PROTOCOL=udp`: allow outbound UDP 1198 to the corresponding VPN server IPs +- If `PIA_ENCRYPTION=strong` and `PROTOCOL=tcp`: allow outbound TCP 501 to the corresponding VPN server IPs +- If `PIA_ENCRYPTION=normal` and `PROTOCOL=tcp`: allow outbound TCP 502 to the corresponding VPN server IPs + +### Mullvad + +- If `PORT=`, please refer to the mapping of Mullvad servers in [these source code lines](../internal/constants/mullvad.go#L64-L667) to find the corresponding UDP port number and IP address(es) of your choice +- If `PORT=53`, allow outbound UDP 53 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667) +- If `PORT=80`, allow outbound TCP 80 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667) +- If `PORT=443`, allow outbound TCP 443 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667) + +### Windscribe + +- If `PROTOCOL=udp`: allow outbound UDP 443 to the corresponding VPN server IPs +- If `PROTOCOL=tcp`: allow outbound TCP 1194 to the corresponding VPN server IPs + +### Surfshark + +- If `PROTOCOL=udp`: allow outbound UDP 1194 to the corresponding VPN server IPs +- If `PROTOCOL=tcp`: allow outbound TCP 1443 to the corresponding VPN server IPs + +### Cyberghost + +- If `PROTOCOL=udp`: allow outbound UDP 1443 to the corresponding VPN server IPs +- If `PROTOCOL=tcp`: allow outbound TCP 
1443 to the corresponding VPN server IPs + +## Inbound connections + +- If `SHADOWSOCKS=on`, allow inbound TCP 8388 and UDP 8388 from your LAN +- If `TINYPROXY=on`, allow inbound TCP 8888 from your LAN +- If you want access to the built-in HTTP control server, allow inbound TCP 8000 from your LAN diff --git a/Setup/Synology.md b/Setup/Synology.md new file mode 100644 index 0000000..3d193eb --- /dev/null +++ b/Setup/Synology.md @@ -0,0 +1,16 @@ +# Synology + +On some Synology devices, it is required to re-install the `tun` kernel module on your host **at every boot**. + +To do so, open a terminal and enter: + +```sh +sudo insmod /lib/modules/tun.ko +``` + +You might want to [write a shell script to run as root at boot](https://help.synology.com/developer-guide/integrate_dsm/run_with_system_boot.html) with for example: + +```sh +#!/bin/sh +insmod /lib/modules/tun.ko +``` diff --git a/Setup/Testing.md b/Setup/Testing.md new file mode 100644 index 0000000..488ec87 --- /dev/null +++ b/Setup/Testing.md @@ -0,0 +1,21 @@ +# Testing + +Once your container is up and running, you may want to test your connection is correct and secured. + +## Check your IP address + +Assuming your container is called `gluetun`, run: + +```sh +docker run --rm --network=container:gluetun alpine:3.12 wget -qO- https://ipinfo.io +``` + +in order to obtain the VPN IP address and ensure the connection is working. + +## Check DNS over TLS + +Ideally, use a computer and connect to `gluetun` using a Shadowsocks client tunneling UDP (for DNS) to test the following: + +- Check DNSSEC using [internet.nl/connection](https://www.internet.nl/connection/) +- Check DNS leaks with [https://www.dnsleaktest.com](https://www.dnsleaktest.com) +- Some other DNS leaks tests might not work because of [this](https://github.com/qdm12/cloudflare-dns-server#verify-dns-connection) (*TLDR*: Unbound DNS server is a local caching intermediary)
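Review bot: in the Setup/Advanced.md hunk, the example `/iptables/post-rules.txt` lines accept traffic from `-s 0.0.0.0/0` into `192.168.2.0/24` on nothing more than `--sport 1197`; the source port is chosen by the remote peer, so any host reachable on `eth0` can hit the LAN range just by sending from port 1197. Suggest narrowing `-s` to the VPN server addresses the rule is meant for, or matching on connection state (`-m conntrack --ctstate ESTABLISHED,RELATED`) instead of the source port. The text should also say that `/iptables/post-rules.txt` is a path inside the container that has to be bind-mounted in, and that each line is executed verbatim as root at container start with no validation, so a mistaken rule silently widens or breaks the firewall.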
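Review bot: in the Setup/External firewall.md hunk, "which you can fine in" appears three times in the Mullvad section and should read "which you can find in", and the first Mullvad bullet "If `PORT=`" should spell out that it means the variable is left unset (the default) rather than showing an empty value. The links to `../internal/constants/mullvad.go#L64-L667` are repository-relative paths with a line-number anchor, which will not resolve from the wiki and will drift as soon as the file changes; link to the file in the main repository without the line range. Worth one added sentence that the listed ports are destination ports on the VPN servers and that a stateless firewall also needs the matching return traffic allowed.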
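Review bot: in the Setup/Synology.md hunk, the boot script runs `insmod /lib/modules/tun.ko` unconditionally; `insmod` errors out when the module is already loaded, so the script is not idempotent and will log a failure on devices where DSM already loaded `tun`. Suggest guarding it, for example `lsmod | grep -q '^tun ' || insmod /lib/modules/tun.ko`, and giving the reader a way to confirm the module is present (`lsmod | grep tun`) before deciding the re-install is needed at all.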
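Review bot: in the Setup/Testing.md hunk, the "## Check DNS over TLS" heading does not match its content: a DNSSEC check and a leak test show which resolver answers, not whether queries to it travel over TLS. Either rename the heading to "Check DNS" or add a check that actually verifies DoT, such as confirming from the host that the container emits no plaintext DNS on port 53 and only TCP 853 to the configured resolver. The link text "this" in the last bullet should describe its target (the cloudflare-dns-server note on verifying the DNS connection), and the IP-address section would be more useful if it told the reader to compare the returned address with their own public IP, since "ensure the connection is working" gives no criterion for success.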