diff --git a/README.md b/README.md index 32257a7..686a7df 100644 --- a/README.md +++ b/README.md @@ -65,10 +65,12 @@ echo "your secret mantra" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p - Coming soon. -## Server Setup +## Setup +- [Client Quickstart](docs/client-quickstart.md) — download, configure, connect, run as a systemd service - [Server Quickstart](docs/server-quickstart.md) — install, provision, NAT setup for iptables and firewalld - [Stealth Mode Setup](docs/stealth-setup.md) — HAProxy TCP passthrough + camouflage configuration +- [systemd units](docs/systemd/) — service files for konduit-server, konduit (client), and konduit-admin-ui ## Architecture diff --git a/docs/client-quickstart.md b/docs/client-quickstart.md new file mode 100644 index 0000000..ce3be81 --- /dev/null +++ b/docs/client-quickstart.md 
@@ -0,0 +1,59 @@ +# Konduit CLI Client Quickstart + +## 1. Download + +Download the `konduit` binary from the [Releases](../../releases) page and make it executable: + +```bash +chmod +x konduit +sudo cp konduit /opt/konduit/konduit +``` + +## 2. Get a client config + +Your server administrator will provide a `client.toml` generated by `konduit-ctl add-client`. Transfer it to the client machine: + +```bash +sudo cp client.toml /opt/konduit/client.toml +sudo chmod 600 /opt/konduit/client.toml +``` + +If your server runs in stealth mode, the config already points to port 443. No additional client-side configuration is needed. + +## 3. Connect + +```bash +/opt/konduit/konduit -c /opt/konduit/client.toml +``` + +A successful connection looks like: + +``` +→ resolving vpn.example.com ok +→ tcp handshake X25519 ok +→ tun device konduit0 up +→ routes applied by server policy ok +connected · no udp, no root, port 443 +``` + +## 4. Run as a systemd service + +To connect automatically on boot, use the provided systemd unit: + +```bash +sudo cp /opt/konduit/docs/systemd/konduit.service /etc/systemd/system/ +sudo systemctl daemon-reload +sudo systemctl enable --now konduit +``` + +The unit runs as root (required for TUN device creation) and restarts automatically on failure. + +## 5. Capabilities (alternative to root) + +To run without root, grant the binary the required capability instead: + +```bash +sudo setcap cap_net_admin=+ep /opt/konduit/konduit +``` + +Then change `User=root` to your user account in the systemd unit before enabling it. diff --git a/docs/server-quickstart.md b/docs/server-quickstart.md index 7240870..5a7c235 100644 --- a/docs/server-quickstart.md +++ b/docs/server-quickstart.md 
@@ -62,7 +62,12 @@ Without this, konduit picks the first available `tunN`, which shifts if other VP ./konduit-server --config server.toml ``` -For persistent operation, use the provided systemd unit (`setup/server/konduit-server.service`). +For persistent operation, use the provided systemd units in [docs/systemd/](systemd/). Copy `konduit-server.service` to `/etc/systemd/system/`, then: + +```bash +sudo systemctl daemon-reload +sudo systemctl enable --now konduit-server +``` ## 6. NAT / Masquerade diff --git a/docs/systemd/konduit-server.service b/docs/systemd/konduit-server.service new file mode 100644 index 0000000..ef6491b --- /dev/null +++ b/docs/systemd/konduit-server.service @@ -0,0 +1,18 @@ +[Unit] +Description=Konduit Server +After=network.target + +[Service] +Type=simple +User=root +WorkingDirectory=/opt/konduit +ExecStart=/opt/konduit/konduit-server -c /opt/konduit/server.toml +Restart=on-failure +RestartSec=5 + +# Optional hardening +NoNewPrivileges=true +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/docs/systemd/konduit.service b/docs/systemd/konduit.service new file mode 100644 index 0000000..864bd82 --- /dev/null +++ b/docs/systemd/konduit.service @@ -0,0 +1,18 @@ +[Unit] +Description=Konduit Client +After=network.target + +[Service] +Type=simple +User=root +WorkingDirectory=/opt/konduit +ExecStart=/opt/konduit/konduit -c /opt/konduit/client.toml +Restart=on-failure +RestartSec=5 + +# Optional hardening +NoNewPrivileges=true +PrivateTmp=true + +[Install] +WantedBy=multi-user.target
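Review bot: In the README hunk, the new "systemd units" bullet lists a unit for konduit-admin-ui, but this patch only adds `docs/systemd/konduit-server.service` and `docs/systemd/konduit.service`. Either add the admin-ui unit in the same change or trim the bullet to the two files that actually exist, otherwise the link promises a file readers will not find.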
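Review bot: In the client-quickstart hunk, step 4 copies `/opt/konduit/docs/systemd/konduit.service`, but steps 1 and 2 only place the binary and `client.toml` under `/opt/konduit`, so that path will not exist on a client machine that installed from the release binary; point the copy at the unit file in a repo checkout (`docs/systemd/konduit.service`) or ship the unit alongside the binary. Step 1 also assumes `/opt/konduit` already exists; add a `sudo mkdir -p /opt/konduit` before the `cp`. Step 5 tells the reader to switch `User=root` to an unprivileged account, but step 2 left `client.toml` root-owned with mode 600, so the client will fail to open its config; add a `chown` to that user (or a `chgrp` plus 640) to step 5.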
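Review bot: In the server-quickstart hunk, the new unit's `ExecStart` reads `-c /opt/konduit/server.toml` while the run line kept as context is `./konduit-server --config server.toml` (relative to the current directory). Say explicitly that the config must live at `/opt/konduit/server.toml` for the unit to work, or tell the reader to edit `ExecStart`. The text also drops the old `setup/server/konduit-server.service` reference without this diff removing or moving that file; if the old copy stays in the tree, the two units will drift.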
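Review bot: In the konduit-server.service hunk, the `# Optional hardening` comment sits above directives that are active, so it reads as if they were commented out; reword it (e.g. `# Hardening`) or move `NoNewPrivileges`/`PrivateTmp` into the documented baseline. Since the service runs as `User=root`, the two options add little on their own; consider `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` so a compromised server process keeps only the capabilities TUN and routing need, and `ProtectSystem=strict` with `ProtectHome=true` (adding `ReadWritePaths=` only if the server writes state under `/opt/konduit`).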
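Review bot: In the konduit.service hunk, `NoNewPrivileges=true` combined with the client-quickstart's step 5 (`setcap cap_net_admin=+ep` on the binary, then a non-root `User=`) will not work: with no_new_privs set, execve() ignores file capabilities, so the client will start without CAP_NET_ADMIN and fail to create the TUN device. The unit should instead carry `AmbientCapabilities=CAP_NET_ADMIN` (and `CapabilityBoundingSet=CAP_NET_ADMIN`) next to `User=`, which survives `NoNewPrivileges=true` and removes the need for `setcap` altogether. Separately, this unit resolves `vpn.example.com` and dials out at start, so `After=network-online.target` plus `Wants=network-online.target` is the right ordering rather than `After=network.target`; `Restart=on-failure` papers over the early-boot failure but still logs a failed start on every boot.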