diff --git a/README.md b/README.md
index 40a18ac..1fc7e5d 100644
--- a/README.md
+++ b/README.md
@@ -133,26 +133,6 @@ The binary can be built with `VENDOR_ID` and `CLIENT_SECRET` built into the bina
 You can also change the `serviceName` and `serviceDescription` at build time.
 See `examples/run-as-client.sh`.
 
-## White Label Builds
-
-```bash
-go generate ./...
-
-VENDOR_ID="example.com"
-
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build \
-    -mod=vendor \
-    -ldflags="-X 'main.VendorID=$VENDOR_ID'" \
-    -o telebit-debug.exe \
-    ./cmd/telebit/telebit.go
-
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build \
-    -mod=vendor \
-    -ldflags "-H windowsgui -X 'main.VendorID=$VENDOR_ID'" \
-    -o telebit-windows.exe \
-    ./cmd/telebit/telebit.go
-```
-
 # Help
 
 ```
diff --git a/WHITELIST.md b/WHITELIST.md
new file mode 100644
index 0000000..daf53e6
--- /dev/null
+++ b/WHITELIST.md
@@ -0,0 +1,41 @@
+# Custom Telebit Server Setup Guide
+
+There are three components to a telebit configuration:
+
+1. the telebit relay
+2. the management (authentication) server
+3. (optional) DNS-01 and/or HTTP-01 ACME relay
+
+# DNS
+
+-   `devices.example.com` and `*.devices.example.com` should have A (and AAAA) records pointing to the tunnel server
+    -   `https://devices.example.com/` is `TUNNEL_RELAY_URL`
+    -   `devices.example.com` is the _primary_ or _base_ domain for the devices `telebit-mgmt --domain devices.example.com`
+
+All of the devices need to be under the same domain. You are limited by Let's Encrypt to 10-20 certificates per week. We can solve for this in the future if needed - either by adding more domains or by adding devices.example.com to the PSL (the stated reason would be for browser security, NOT for Let's Encrypt limits).
+
+-   Other domains can be pointed to the same server. For example:
+    -   It would be OKAY to use `tunnel.example.com` as `TUNNEL_RELAY_URL`.
+    -   It would be OKAY to use `auth.example.com` as `AUTH_URL`
+-   It is fine to have the `AUTH_URL` on a different server.
+-   having multiple tunnel server URLs is NOT supported, but this is a relatively small change to the `telebit-mgmt` in the future
+
+## White Label Builds
+
+```bash
+go generate ./...
+
+VENDOR_ID="example.com"
+
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build \
+    -mod=vendor \
+    -ldflags="-X 'main.VendorID=$VENDOR_ID'" \
+    -o telebit-debug.exe \
+    ./cmd/telebit/telebit.go
+
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build \
+    -mod=vendor \
+    -ldflags "-H windowsgui -X 'main.VendorID=$VENDOR_ID'" \
+    -o telebit-windows.exe \
+    ./cmd/telebit/telebit.go
+```