Update examples

README.md

@@ -65,10 +65,12 @@ echo "your secret mantra" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -
 
 Coming soon.
 
-## Server Setup
+## Setup
 
+- [Client Quickstart](docs/client-quickstart.md) — download, configure, connect, run as a systemd service
 - [Server Quickstart](docs/server-quickstart.md) — install, provision, NAT setup for iptables and firewalld
 - [Stealth Mode Setup](docs/stealth-setup.md) — HAProxy TCP passthrough + camouflage configuration
+- [systemd units](docs/systemd/) — service files for konduit-server, konduit (client), and konduit-admin-ui
 
 ## Architecture
 

docs/client-quickstart.md

@@ -0,0 +1,59 @@
+# Konduit CLI Client Quickstart
+
+## 1. Download
+
+Download the `konduit` binary from the [Releases](../../releases) page and make it executable:
+
+```bash
+chmod +x konduit
+sudo cp konduit /opt/konduit/konduit
+```
+
+## 2. Get a client config
+
+Your server administrator will provide a `client.toml` generated by `konduit-ctl add-client`. Transfer it to the client machine:
+
+```bash
+sudo cp client.toml /opt/konduit/client.toml
+sudo chmod 600 /opt/konduit/client.toml
+```
+
+If your server runs in stealth mode, the config already points to port 443. No additional client-side configuration is needed.
+
+## 3. Connect
+
+```bash
+/opt/konduit/konduit -c /opt/konduit/client.toml
+```
+
+A successful connection looks like:
+
+```
+→ resolving vpn.example.com  ok
+→ tcp handshake  X25519  ok
+→ tun device  konduit0  up
+→ routes applied by server policy  ok
+connected · no udp, no root, port 443
+```
+
+## 4. Run as a systemd service
+
+To connect automatically on boot, use the provided systemd unit:
+
+```bash
+sudo cp /opt/konduit/docs/systemd/konduit.service /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable --now konduit
+```
+
+The unit runs as root (required for TUN device creation) and restarts automatically on failure.
+
+## 5. Capabilities (alternative to root)
+
+To run without root, grant the binary the required capability instead:
+
+```bash
+sudo setcap cap_net_admin=+ep /opt/konduit/konduit
+```
+
+Then change `User=root` to your user account in the systemd unit before enabling it.

docs/server-quickstart.md

@@ -62,7 +62,12 @@ Without this, konduit picks the first available `tunN`, which shifts if other VP
 ./konduit-server --config server.toml
 ```
 
-For persistent operation, use the provided systemd unit (`setup/server/konduit-server.service`).
+For persistent operation, use the provided systemd units in [docs/systemd/](systemd/). Copy `konduit-server.service` to `/etc/systemd/system/`, then:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable --now konduit-server
+```
 
 ## 6. NAT / Masquerade
 

docs/systemd/konduit-server.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Konduit Server
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/konduit
+ExecStart=/opt/konduit/konduit-server -c /opt/konduit/server.toml
+Restart=on-failure
+RestartSec=5
+
+# Optional hardening
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

docs/systemd/konduit.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Konduit Client
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/konduit
+ExecStart=/opt/konduit/konduit -c /opt/konduit/client.toml
+Restart=on-failure
+RestartSec=5
+
+# Optional hardening
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target