Compare commits

3 Commits

Author SHA1 Message Date
E. Kaparulin
10def914ab Update examples 2026-06-09 08:30:41 +03:00
E. Kaparulin
1e08ba34f0 Documentation update 2026-06-09 08:18:12 +03:00
Eugen Kaparulin
5cd882f74b Public website overhaul 2026-06-09 07:17:24 +03:00
6 changed files with 179 additions and 4 deletions


@@ -65,10 +65,12 @@ echo "your secret mantra" | ./konduit-ctl bootstrap -l vpn.example.com:443 -p -
Coming soon. Coming soon.
## Server Setup ## Setup
- [Client Quickstart](docs/client-quickstart.md) — download, configure, connect, run as a systemd service
- [Server Quickstart](docs/server-quickstart.md) — install, provision, NAT setup for iptables and firewalld - [Server Quickstart](docs/server-quickstart.md) — install, provision, NAT setup for iptables and firewalld
- [Stealth Mode Setup](docs/stealth-setup.md) — HAProxy TCP passthrough + camouflage configuration - [Stealth Mode Setup](docs/stealth-setup.md) — HAProxy TCP passthrough + camouflage configuration
- [systemd units](docs/systemd/) — service files for konduit-server, konduit (client), and konduit-admin-ui
## Architecture ## Architecture
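Review bot: the new systemd units bullet names three service files (konduit-server, konduit client, konduit-admin-ui), but the 6 changed files in this compare include only two unit files, one with `Description=Konduit Server` and one with `Description=Konduit Client`. Unless a konduit-admin-ui unit already exists under docs/systemd/, drop it from the bullet or add the file. Renaming `## Server Setup` to `## Setup` also changes the heading anchor, so any existing links to the old anchor need updating.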
@@ -119,8 +121,9 @@ The VPN server, management UI, and stealth-mode protocol are proprietary. Keepin
## About ## About
Created by **Eugen Kaparulin**. Created by **Eugen Kaparulin**.
Official binaries distributed by **K-Ops Oy**. Official binaries distributed by **[K-Ops Oy](https://k-ops.eu)**.
© Eugen Kaparulin. All rights reserved. © Eugen Kaparulin. All rights reserved.
[`konduit-platform`](./konduit-platform) is published under the [PolyForm Noncommercial License 1.0.0](LICENSE). [`konduit-platform`](./konduit-platform) is published under the [PolyForm Noncommercial License 1.0.0](LICENSE).
All other parts of Konduit are proprietary. All other parts of Konduit are proprietary.
[Privacy Policy](docs/privacy-policy.md)

59
docs/client-quickstart.md Normal file

@@ -0,0 +1,59 @@
# Konduit CLI Client Quickstart
## 1. Download
Download the `konduit` binary from the [Releases](../../releases) page and make it executable:
```bash
chmod +x konduit
sudo cp konduit /opt/konduit/konduit
```
## 2. Get a client config
Your server administrator will provide a `client.toml` generated by `konduit-ctl add-client`. Transfer it to the client machine:
```bash
sudo cp client.toml /opt/konduit/client.toml
sudo chmod 600 /opt/konduit/client.toml
```
If your server runs in stealth mode, the config already points to port 443. No additional client-side configuration is needed.
## 3. Connect
```bash
/opt/konduit/konduit -c /opt/konduit/client.toml
```
A successful connection looks like:
```
→ resolving vpn.example.com ok
→ tcp handshake X25519 ok
→ tun device konduit0 up
→ routes applied by server policy ok
connected · no udp, no root, port 443
```
## 4. Run as a systemd service
To connect automatically on boot, use the provided systemd unit:
```bash
sudo cp /opt/konduit/docs/systemd/konduit.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now konduit
```
The unit runs as root (required for TUN device creation) and restarts automatically on failure.
## 5. Capabilities (alternative to root)
To run without root, grant the binary the required capability instead:
```bash
sudo setcap cap_net_admin=+ep /opt/konduit/konduit
```
Then change `User=root` to your user account in the systemd unit before enabling it.
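Review bot: step 4 copies the unit from `/opt/konduit/docs/systemd/konduit.service`, but steps 1 and 2 only place the `konduit` binary and `client.toml` under `/opt/konduit`, so that path will not exist on a machine set up by following this guide; say where the unit file actually comes from. Step 1 also assumes `/opt/konduit` already exists and installs the downloaded binary with no integrity check; add `sudo mkdir -p /opt/konduit` and, if the releases publish checksums or signatures, a verification step before the `cp`. In step 5, `client.toml` was installed with `sudo cp` and `chmod 600`, so it is root-owned and unreadable to the non-root account the text then tells the reader to put in `User=`; add a `chown` for that account. The sample output's "no root" also reads oddly next to step 4's statement that the unit runs as root.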

72
docs/privacy-policy.md Normal file

@@ -0,0 +1,72 @@
# Konduit Privacy Policy
_Last updated: 9 June 2026_
## Who we are
Konduit is a TCP-native VPN client developed and distributed by **[K-Ops Oy](https://k-ops.eu)**. Questions about this policy can be sent to: **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**
## What data Konduit processes
### On your device
The Konduit client stores the following data locally:
| Data | Purpose | Where it is stored |
|------|---------|-------------------|
| VPN server address and port | Connect to your VPN server | Local config file |
| Peer ID and pre-shared key (PSK) | Authenticate with your VPN server | Local config file |
| Session statistics (bytes sent/received, connection state) | Display connection status | In-memory only, not persisted |
### On the VPN server
When you connect, the VPN server you connect to processes:
| Data | Purpose |
|------|---------|
| Your IP address | Route return traffic to your device |
| Connection timestamps | Session management |
| Traffic volume (bytes in/out) | Capacity planning and abuse prevention |
| Destination IP addresses of tunnelled traffic | Route packets to their destination |
The content of tunnelled traffic is not inspected beyond what is necessary for routing.
## What we do not collect
- Konduit does **not** collect analytics, crash reports, usage statistics, or any telemetry.
- Konduit does **not** display advertising.
- Konduit does **not** sell or share connection metadata with third parties.
## Self-hosted deployments
Konduit is designed to be self-hosted. If you run your own Konduit server, all server-side data listed above stays under your control and is never transmitted to [K-Ops Oy](https://k-ops.eu).
## Data retention and deletion
All client-side data is stored in the local config file. To delete it, remove your configuration or uninstall Konduit.
Server-side connection logs are retained for a limited period for operational purposes and then deleted. The exact retention period depends on the server operator.
## Security
- All traffic between client and server is encrypted using **X25519** key exchange and **ChaCha20-Poly1305** AEAD.
- The pre-shared key (PSK) is stored in the local config file with permissions restricted to the current user.
- Stealth mode wraps the tunnel in a protocol that is indistinguishable from HTTPS, preventing deep-packet inspection from identifying Konduit traffic.
## Children
Konduit is not directed at children under 13 and does not knowingly collect data from children.
## GDPR (EU residents)
When using a [K-Ops Oy](https://k-ops.eu) operated server, [K-Ops Oy](https://k-ops.eu) acts as data processor for connection metadata (IP address, timestamps, traffic volume) as described above. This data is processed on the legal basis of legitimate interest (providing the VPN service). You may request deletion of your connection metadata by contacting **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**.
When using a self-hosted server, [K-Ops Oy](https://k-ops.eu) does not process any of your data.
## Changes to this policy
If we update this policy, the new version will be published at this URL with an updated "Last updated" date.
## Contact
Privacy questions: **[konduit@k-ops.eu](mailto:konduit@k-ops.eu)**
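Review bot: in the GDPR section, K-Ops Oy is described as a data processor while the same paragraph states the legal basis (legitimate interest) for the processing; determining the legal basis is the controller's responsibility, so the role for K-Ops-operated servers should be checked and stated consistently. For those servers the retention section should also give the actual period rather than "a limited period", since the server-side table includes destination IP addresses of tunnelled traffic. In Security, "permissions restricted to the current user" does not match docs/client-quickstart.md, which installs `client.toml` root-owned with mode 600, and "indistinguishable from HTTPS" is an absolute claim that would be safer worded as a design goal.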


@@ -62,7 +62,12 @@ Without this, konduit picks the first available `tunN`, which shifts if other VP
./konduit-server --config server.toml ./konduit-server --config server.toml
``` ```
For persistent operation, use the provided systemd unit (`setup/server/konduit-server.service`). For persistent operation, use the provided systemd units in [docs/systemd/](systemd/). Copy `konduit-server.service` to `/etc/systemd/system/`, then:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now konduit-server
```
## 6. NAT / Masquerade ## 6. NAT / Masquerade
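Review bot: the added instruction to copy `konduit-server.service` to `/etc/systemd/system/` does not mention that the unit hardcodes `/opt/konduit/konduit-server -c /opt/konduit/server.toml`, while the step just above starts the server as `./konduit-server --config server.toml` from the working directory. State that the binary and `server.toml` must be installed under `/opt/konduit` (or that the paths in the unit must be edited) before `systemctl enable --now`, otherwise the service fails on first start. Using the same flag spelling (`-c` or `--config`) in both places would also avoid confusion.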


@@ -0,0 +1,18 @@
[Unit]
Description=Konduit Server
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/konduit
ExecStart=/opt/konduit/konduit-server -c /opt/konduit/server.toml
Restart=on-failure
RestartSec=5
# Optional hardening
NoNewPrivileges=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
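Review bot: with `User=root`, the two directives under "Optional hardening" still leave the server with the full root capability set and a writable view of the whole filesystem. Consider a `CapabilityBoundingSet=` limited to what the server needs (likely CAP_NET_ADMIN for the TUN device, plus CAP_NET_BIND_SERVICE if it binds port 443 itself), together with `ProtectSystem=strict`, `ProtectHome=true` and a `ReadWritePaths=` entry for whatever it writes. `After=network.target` does not wait for the network to be configured; `After=network-online.target` with `Wants=network-online.target` is the usual choice for a service that binds or routes at start.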


@@ -0,0 +1,18 @@
[Unit]
Description=Konduit Client
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/konduit
ExecStart=/opt/konduit/konduit -c /opt/konduit/client.toml
Restart=on-failure
RestartSec=5
# Optional hardening
NoNewPrivileges=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
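Review bot: `NoNewPrivileges=true` conflicts with section 5 of docs/client-quickstart.md. Once `User=` is changed to a non-root account, the kernel's no_new_privs flag stops `execve` from granting file capabilities, so the `cap_net_admin=+ep` set by `setcap` is ignored and TUN device creation will fail. For the non-root variant, document `AmbientCapabilities=CAP_NET_ADMIN` with a matching `CapabilityBoundingSet=` in the unit instead of `setcap`, or drop `NoNewPrivileges=true` for that case. Since the client resolves the server name at start, `After=network-online.target` plus `Wants=network-online.target` would also cut down on restart loops at boot.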