Обновление конфигурации запуска

- Добавлены сервисы запуска сервера и клиента - Добавлены обертки для запуска сервера и клиента - Добавлена общая конфигурация для сервера и клиента - Возможность использования пользовательской конфигурации из под /etc/wstunnel/wstunnel.conf для запускаемых сервисов
2025-05-09 17:32:16 +03:00 · 2025-05-09 17:32:16 +03:00 · a164df6604
commit a164df6604
parent 717ba11294
6 changed files with 628 additions and 1 deletions
--- a/files/wstunnel-client
+++ b/files/wstunnel-client
@ -0,0 +1,236 @@
+#!/bin/bash
+
+# Script to launch wstunnel client using parameters from the [client] section of a configuration file
+
+# Configuration file paths
+PRIMARY_CONFIG="/etc/wstunnel/wstunnel.conf"
+FALLBACK_CONFIG="/usr/share/defaults/etc/wstunnel/wstunnel.conf"
+
+# Determine which configuration file to use
+CONFIG_FILE=""
+if [ -f "$PRIMARY_CONFIG" ]; then
+    CONFIG_FILE="$PRIMARY_CONFIG"
+elif [ -f "$FALLBACK_CONFIG" ]; then
+    CONFIG_FILE="$FALLBACK_CONFIG"
+else
+    echo "Error: Configuration file not found at '$PRIMARY_CONFIG' or '$FALLBACK_CONFIG'."
+    exit 1
+fi
+
+# Check if a configuration file is provided as an argument (overrides default paths)
+if [ $# -eq 1 ]; then
+    CONFIG_FILE="$1"
+    if [ ! -f "$CONFIG_FILE" ]; then
+        echo "Error:Specified configuration file '$CONFIG_FILE' not found."
+        exit 1
+    fi
+fi
+
+# Initialize variables for wstunnel client parameters
+SERVER_ADDRESS=""
+LOCAL_TO_REMOTE=()
+REMOTE_TO_LOCAL=()
+NO_COLOR=""
+SOCKET_SO_MARK=""
+CONNECTION_MIN_IDLE=""
+NB_WORKER_THREADS=""
+CONNECTION_RETRY_MAX_BACKOFF=""
+LOG_LEVEL=""
+TLS_SNI_OVERRIDE=""
+TLS_SNI_DISABLE=""
+TLS_VERIFY_CERTIFICATE=""
+HTTP_PROXY=""
+HTTP_PROXY_LOGIN=""
+HTTP_PROXY_PASSWORD=""
+HTTP_UPGRADE_PATH_PREFIX=""
+HTTP_UPGRADE_CREDENTIALS=""
+WEBSOCKET_PING_FREQUENCY=""
+WEBSOCKET_MASK_FRAME=""
+HTTP_HEADERS=()
+HTTP_HEADERS_FILE=""
+TLS_CERTIFICATE=""
+TLS_PRIVATE_KEY=""
+DNS_RESOLVER=()
+DNS_RESOLVER_PREFER_IPV4=""
+
+# Function to trim whitespace
+trim() {
+    local var="$1"
+    var="${var#"${var%%[![:space:]]*}"}" # Remove leading whitespace
+    var="${var%"${var##*[![:space:]]}"}" # Remove trailing whitespace
+    echo -n "$var"
+}
+
+# Parse the [client] section of the INI file
+current_section=""
+while IFS='=' read -r key value; do
+    # Skip empty lines and comments
+    if [[ -z "$key" || "$key" =~ ^\s*# || "$key" =~ ^\s*\; ]]; then
+        continue
+    fi
+
+    # Check for section headers
+    if [[ "$key" =~ ^\s*\[.*\]\s*$ ]]; then
+        current_section=$(echo "$key" | sed 's/^\s*\[\(.*\)\]\s*$/\1/')
+        continue
+    fi
+
+    # Process only the [client] section
+    if [ "$current_section" != "client" ]; then
+        continue
+    fi
+
+    # Trim whitespace from key and value
+    key=$(trim "$key")
+    value=$(trim "$value")
+
+    # Skip if value is empty
+    if [ -z "$value" ]; then
+        continue
+    fi
+
+    # Map INI keys to wstunnel client parameters
+    case "$key" in
+        server_address)
+            SERVER_ADDRESS="$value"
+            ;;
+        local_to_remote)
+            # Split comma-separated values into array
+            IFS=',' read -ra ltr_array <<< "$value"
+            for ltr in "${ltr_array[@]}"; do
+                LOCAL_TO_REMOTE+=("$(trim "$ltr")")
+            done
+            ;;
+        remote_to_local)
+            # Split comma-separated values into array
+            IFS=',' read -ra rtl_array <<< "$value"
+            for rtl in "${rtl_array[@]}"; do
+                REMOTE_TO_LOCAL+=("$(trim "$rtl")")
+            done
+            ;;
+        no_color)
+            NO_COLOR="$value"
+            ;;
+        socket_so_mark)
+            SOCKET_SO_MARK="$value"
+            ;;
+        connection_min_idle)
+            CONNECTION_MIN_IDLE="$value"
+            ;;
+        nb_worker_threads)
+            NB_WORKER_THREADS="$value"
+            ;;
+        connection_retry_max_backoff)
+            CONNECTION_RETRY_MAX_BACKOFF="$value"
+            ;;
+        log_level)
+            LOG_LEVEL="$value"
+            ;;
+        tls_sni_override)
+            TLS_SNI_OVERRIDE="$value"
+            ;;
+        tls_sni_disable)
+            TLS_SNI_DISABLE="$value"
+            ;;
+        tls_verify_certificate)
+            TLS_VERIFY_CERTIFICATE="$value"
+            ;;
+        http_proxy)
+            HTTP_PROXY="$value"
+            ;;
+        http_proxy_login)
+            HTTP_PROXY_LOGIN="$value"
+            ;;
+        http_proxy_password)
+            HTTP_PROXY_PASSWORD="$value"
+            ;;
+        http_upgrade_path_prefix)
+            HTTP_UPGRADE_PATH_PREFIX="$value"
+            ;;
+        http_upgrade_credentials)
+            HTTP_UPGRADE_CREDENTIALS="$value"
+            ;;
+        websocket_ping_frequency)
+            WEBSOCKET_PING_FREQUENCY="$value"
+            ;;
+        websocket_mask_frame)
+            WEBSOCKET_MASK_FRAME="$value"
+            ;;
+        http_headers)
+            # Split comma-separated values into array
+            IFS=',' read -ra headers_array <<< "$value"
+            for header in "${headers_array[@]}"; do
+                HTTP_HEADERS+=("$(trim "$header")")
+            done
+            ;;
+        http_headers_file)
+            HTTP_HEADERS_FILE="$value"
+            ;;
+        tls_certificate)
+            TLS_CERTIFICATE="$value"
+            ;;
+        tls_private_key)
+            TLS_PRIVATE_KEY="$value"
+            ;;
+        dns_resolver)
+            DNS_RESOLVER+=("$value")
+            ;;
+        dns_resolver_prefer_ipv4)
+            DNS_RESOLVER_PREFER_IPV4="$value"
+            ;;
+    esac
+done < "$CONFIG_FILE"
+
+# Build the wstunnel client command
+CMD=("wstunnel" "client")
+
+# Add server address (required argument)
+if [ -z "$SERVER_ADDRESS" ]; then
+    echo "Error: server_address is required in the [client] section of the configuration file."
+    exit 1
+fi
+CMD+=("$SERVER_ADDRESS")
+
+# Add optional parameters
+for ltr in "${LOCAL_TO_REMOTE[@]}"; do
+    CMD+=("-L" "$ltr")
+done
+for rtl in "${REMOTE_TO_LOCAL[@]}"; do
+    CMD+=("-R" "$rtl")
+done
+[ "$NO_COLOR" = "true" ] && CMD+=("--no-color" "true")
+[ -n "$SOCKET_SO_MARK" ] && CMD+=("--socket-so-mark" "$SOCKET_SO_MARK")
+[ -n "$CONNECTION_MIN_IDLE" ] && CMD+=("--connection-min-idle" "$CONNECTION_MIN_IDLE")
+[ -n "$CONNECTION_RETRY_MAX_BACKOFF" ] && CMD+=("--connection-retry-max-backoff" "$CONNECTION_RETRY_MAX_BACKOFF")
+[ -n "$LOG_LEVEL" ] && CMD+=("--log-lvl" "$LOG_LEVEL")
+[ -n "$TLS_SNI_OVERRIDE" ] && CMD+=("--tls-sni-override" "$TLS_SNI_OVERRIDE")
+[ "$TLS_SNI_DISABLE" = "true" ] && CMD+=("--tls-sni-disable")
+[ "$TLS_VERIFY_CERTIFICATE" = "true" ] && CMD+=("--tls-verify-certificate")
+[ -n "$HTTP_PROXY" ] && CMD+=("--http-proxy" "$HTTP_PROXY")
+[ -n "$HTTP_PROXY_LOGIN" ] && CMD+=("--http-proxy-login" "$HTTP_PROXY_LOGIN")
+[ -n "$HTTP_PROXY_PASSWORD" ] && CMD+=("--http-proxy-password" "$HTTP_PROXY_PASSWORD")
+[ -n "$HTTP_UPGRADE_PATH_PREFIX" ] && CMD+=("--http-upgrade-path-prefix" "$HTTP_UPGRADE_PATH_PREFIX")
+[ -n "$HTTP_UPGRADE_CREDENTIALS" ] && CMD+=("--http-upgrade-credentials" "$HTTP_UPGRADE_CREDENTIALS")
+[ -n "$WEBSOCKET_PING_FREQUENCY" ] && CMD+=("--websocket-ping-frequency" "$WEBSOCKET_PING_FREQUENCY")
+[ "$WEBSOCKET_MASK_FRAME" = "true" ] && CMD+=("--websocket-mask-frame")
+for header in "${HTTP_HEADERS[@]}"; do
+    CMD+=("--http-headers" "$header")
+done
+[ -n "$HTTP_HEADERS_FILE" ] && CMD+=("--http-headers-file" "$HTTP_HEADERS_FILE")
+[ -n "$TLS_CERTIFICATE" ] && CMD+=("--tls-certificate" "$TLS_CERTIFICATE")
+[ -n "$TLS_PRIVATE_KEY" ] && CMD+=("--tls-private-key" "$TLS_PRIVATE_KEY")
+for resolver in "${DNS_RESOLVER[@]}"; do
+    CMD+=("--dns-resolver" "$resolver")
+done
+[ "$DNS_RESOLVER_PREFER_IPV4" = "true" ] && CMD+=("--dns-resolver-prefer-ipv4")
+
+# Set environment variable for nb_worker_threads if specified
+if [ -n "$NB_WORKER_THREADS" ]; then
+    export TOKIO_WORKER_THREADS="$NB_WORKER_THREADS"
+fi
+
+# Print the command for debugging
+echo "Using configuration file: $CONFIG_FILE"
+
+# Execute the wstunnel client command
+exec "${CMD[@]}"
--- a/files/wstunnel-client.service
+++ b/files/wstunnel-client.service
@ -0,0 +1,12 @@
+[Unit]
+Description=wstunnel client service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/bin/wstunnel-client
+
+[Install]
+WantedBy=multi-user.target
--- a/files/wstunnel-server
+++ b/files/wstunnel-server
@ -0,0 +1,200 @@
+#!/bin/bash
+
+# Script to launch wstunnel server using parameters from the [server] section of a configuration file
+
+# Configuration file paths
+PRIMARY_CONFIG="/etc/wstunnel/wstunnel.conf"
+FALLBACK_CONFIG="/usr/share/defaults/etc/wstunnel/wstunnel.conf"
+
+# Determine which configuration file to use
+CONFIG_FILE=""
+if [ -f "$PRIMARY_CONFIG" ]; then
+    CONFIG_FILE="$PRIMARY_CONFIG"
+elif [ -f "$FALLBACK_CONFIG" ]; then
+    CONFIG_FILE="$FALLBACK_CONFIG"
+else
+    echo "Error: Configuration file not found at '$PRIMARY_CONFIG' or '$FALLBACK_CONFIG'."
+    exit 1
+fi
+
+# Check if a configuration file is provided as an argument (overrides default paths)
+if [ $# -eq 1 ]; then
+    CONFIG_FILE="$1"
+    if [ ! -f "$CONFIG_FILE" ]; then
+        echo "Error: Specified configuration file '$CONFIG_FILE' not found."
+        exit 1
+    fi
+fi
+
+# Initialize variables for wstunnel server parameters
+BIND_ADDRESS=""
+SOCKET_SO_MARK=""
+WEBSOCKET_PING_FREQUENCY=""
+NO_COLOR=""
+WEBSOCKET_MASK_FRAME=""
+DNS_RESOLVER=()
+DNS_RESOLVER_PREFER_IPV4=""
+LOG_LEVEL=""
+RESTRICT_TO=()
+RESTRICT_HTTP_UPGRADE_PATH_PREFIX=()
+RESTRICT_CONFIG=""
+TLS_CERTIFICATE=""
+TLS_PRIVATE_KEY=""
+TLS_CLIENT_CA_CERTS=""
+HTTP_PROXY=""
+HTTP_PROXY_LOGIN=""
+HTTP_PROXY_PASSWORD=""
+REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT=""
+NB_WORKER_THREADS=""
+
+# Function to trim whitespace
+trim() {
+    local var="$1"
+    var="${var#"${var%%[![:space:]]*}"}" # Remove leading whitespace
+    var="${var%"${var##*[![:space:]]}"}" # Remove trailing whitespace
+    echo -n "$var"
+}
+
+# Parse the [server] section of the INI file
+current_section=""
+while IFS='=' read -r key value; do
+    # Skip empty lines and comments
+    if [[ -z "$key" || "$key" =~ ^\s*# || "$key" =~ ^\s*\; ]]; then
+        continue
+    fi
+
+    # Check for section headers
+    if [[ "$key" =~ ^\s*\[.*\]\s*$ ]]; then
+        current_section=$(echo "$key" | sed 's/^\s*\[\(.*\)\]\s*$/\1/')
+        continue
+    fi
+
+    # Process only the [server] section
+    if [ "$current_section" != "server" ]; then
+        continue
+    fi
+
+    # Trim whitespace from key and value
+    key=$(trim "$key")
+    value=$(trim "$value")
+
+    # Skip if value is empty
+    if [ -z "$value" ]; then
+        continue
+    fi
+
+    # Map INI keys to wstunnel server parameters
+    case "$key" in
+        bind_address)
+            BIND_ADDRESS="$value"
+            ;;
+        socket_so_mark)
+            SOCKET_SO_MARK="$value"
+            ;;
+        websocket_ping_frequency)
+            WEBSOCKET_PING_FREQUENCY="$value"
+            ;;
+        no_color)
+            NO_COLOR="$value"
+            ;;
+        websocket_mask_frame)
+            WEBSOCKET_MASK_FRAME="$value"
+            ;;
+        dns_resolver)
+            DNS_RESOLVER+=("$value")
+            ;;
+        dns_resolver_prefer_ipv4)
+            DNS_RESOLVER_PREFER_IPV4="$value"
+            ;;
+        log_level)
+            LOG_LEVEL="$value"
+            ;;
+        restrict_to)
+            # Split comma-separated values into array
+            IFS=',' read -ra restrict_array <<< "$value"
+            for restrict in "${restrict_array[@]}"; do
+                RESTRICT_TO+=("$(trim "$restrict")")
+            done
+            ;;
+        restrict_http_upgrade_path_prefix)
+            # Split comma-separated values into array
+            IFS=',' read -ra prefix_array <<< "$value"
+            for prefix in "${prefix_array[@]}"; do
+                RESTRICT_HTTP_UPGRADE_PATH_PREFIX+=("$(trim "$prefix")")
+            done
+            ;;
+        restrict_config)
+            RESTRICT_CONFIG="$value"
+            ;;
+        tls_certificate)
+            TLS_CERTIFICATE="$value"
+            ;;
+        tls_private_key)
+            TLS_PRIVATE_KEY="$value"
+            ;;
+        tls_client_ca_certs)
+            TLS_CLIENT_CA_CERTS="$value"
+            ;;
+        http_proxy)
+            HTTP_PROXY="$value"
+            ;;
+        http_proxy_login)
+            HTTP_PROXY_LOGIN="$value"
+            ;;
+        http_proxy_password)
+            HTTP_PROXY_PASSWORD="$value"
+            ;;
+        remote_to_local_server_idle_timeout)
+            REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT="$value"
+            ;;
+        nb_worker_threads)
+            NB_WORKER_THREADS="$value"
+            ;;
+    esac
+done < "$CONFIG_FILE"
+
+# Build the wstunnel server command
+CMD=("wstunnel" "server")
+
+# Add bind address (required argument)
+if [ -z "$BIND_ADDRESS" ]; then
+    echo "Error: bind_address is required in the [server] section of the configuration file."
+    exit 1
+fi
+CMD+=("$BIND_ADDRESS")
+
+# Add optional parameters
+[ -n "$SOCKET_SO_MARK" ] && CMD+=("--socket-so-mark" "$SOCKET_SO_MARK")
+[ -n "$WEBSOCKET_PING_FREQUENCY" ] && CMD+=("--websocket-ping-frequency" "$WEBSOCKET_PING_FREQUENCY")
+[ "$NO_COLOR" = "true" ] && CMD+=("--no-color" "true")
+[ "$WEBSOCKET_MASK_FRAME" = "true" ] && CMD+=("--websocket-mask-frame")
+for resolver in "${DNS_RESOLVER[@]}"; do
+    CMD+=("--dns-resolver" "$resolver")
+done
+[ "$DNS_RESOLVER_PREFER_IPV4" = "true" ] && CMD+=("--dns-resolver-prefer-ipv4")
+[ -n "$LOG_LEVEL" ] && CMD+=("--log-lvl" "$LOG_LEVEL")
+for restrict in "${RESTRICT_TO[@]}"; do
+    CMD+=("--restrict-to" "$restrict")
+done
+for prefix in "${RESTRICT_HTTP_UPGRADE_PATH_PREFIX[@]}"; do
+    CMD+=("--restrict-http-upgrade-path-prefix" "$prefix")
+done
+[ -n "$RESTRICT_CONFIG" ] && CMD+=("--restrict-config" "$RESTRICT_CONFIG")
+[ -n "$TLS_CERTIFICATE" ] && CMD+=("--tls-certificate" "$TLS_CERTIFICATE")
+[ -n "$TLS_PRIVATE_KEY" ] && CMD+=("--tls-private-key" "$TLS_PRIVATE_KEY")
+[ -n "$TLS_CLIENT_CA_CERTS" ] && CMD+=("--tls-client-ca-certs" "$TLS_CLIENT_CA_CERTS")
+[ -n "$HTTP_PROXY" ] && CMD+=("--http-proxy" "$HTTP_PROXY")
+[ -n "$HTTP_PROXY_LOGIN" ] && CMD+=("--http-proxy-login" "$HTTP_PROXY_LOGIN")
+[ -n "$HTTP_PROXY_PASSWORD" ] && CMD+=("--http-proxy-password" "$HTTP_PROXY_PASSWORD")
+[ -n "$REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT" ] && CMD+=("--remote-to-local-server-idle-timeout" "$REMOTE_TO_LOCAL_SERVER_IDLE_TIMEOUT")
+
+# Set environment variable for nb_worker_threads if specified
+if [ -n "$NB_WORKER_THREADS" ]; then
+    export TOKIO_WORKER_THREADS="$NB_WORKER_THREADS"
+fi
+
+# Print the command for debugging
+echo "Using configuration file: $CONFIG_FILE"
+
+# Execute the wstunnel server command
+exec "${CMD[@]}"
--- a/files/wstunnel-server.service
+++ b/files/wstunnel-server.service
@ -0,0 +1,12 @@
+[Unit]
+Description=wstunnel server service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/bin/wstunnel-server
+
+[Install]
+WantedBy=multi-user.target
--- a/files/wstunnel.conf
+++ b/files/wstunnel.conf
@ -0,0 +1,159 @@
+[server]
+; Address to bind the wstunnel server (ws:// for non-TLS, wss:// for TLS)
+; Example: wss://0.0.0.0:8080 or ws://[::]:8080
+bind_address = wss://0.0.0.0:8080
+
+; (Linux only) Mark network packets with SO_MARK sockoption
+; Requires root, sudo, or specific capabilities
+; socket_so_mark = 123
+
+; Frequency of websocket ping to clients (set to 0 to disable)
+websocket_ping_frequency = 30s
+
+; Disable color output in logs
+; no_color = true
+
+; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
+; websocket_mask_frame = false
+
+; DNS resolver(s) for domain name lookups
+; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
+; Use system://0.0.0.0 for libc resolver
+; dns_resolver = dns://1.1.1.1
+
+; Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
+; dns_resolver_prefer_ipv4 = false
+
+; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
+log_level = INFO
+
+; Restrict connections to specific destination:port pairs
+; Can specify multiple restrictions
+; restrict_to = google.com:443, localhost:22
+
+; Restrict websocket upgrade to specific path prefix (acts as a client authentication secret)
+; restrict_http_upgrade_path_prefix = /custom/path
+
+; Path to YAML restriction config file (automatically reloaded on change)
+; restrict_config = /path/to/restrict.yaml
+
+; Custom TLS certificate (PEM format, auto-reloaded on change)
+; tls_certificate = /path/to/certificate.pem
+
+; Custom TLS private key (PEM, EC, or RSA, auto-reloaded on change)
+; tls_private_key = /path/to/private_key.pem
+
+; Enable mTLS by specifying CA certificates for client authentication (PEM, auto-reloaded)
+; tls_client_ca_certs = /path/to/ca_certs.pem
+
+; HTTP proxy to connect to clients (format: user:pass@host:port)
+; http_proxy = user:pass@proxy.example.com:8080
+
+; Override HTTP proxy login
+; http_proxy_login = custom_login
+
+; Override HTTP proxy password
+; http_proxy_password = custom_password
+
+; Idle timeout for remote-to-local server before unbinding (default: 3 minutes)
+remote_to_local_server_idle_timeout = 3m
+
+; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
+; Note: This flag is ignored in the command line, use environment variable instead
+; nb_worker_threads = 4
+
+[client]
+; Address of the wstunnel server (supports ws://, wss://, http://, https://)
+; Example: wss://wstunnel.example.com or https://wstunnel.example.com
+server_address = wss://wstunnel.example.com
+
+; Local-to-remote forwarding rules (tcp, udp, socks5, stdio, unix)
+; Can specify multiple rules
+; Examples:
+; - tcp://1212:google.com:443 (listen locally on port 1212, forward to google.com:443)
+; - udp://1212:1.1.1.1:53?timeout_sec=10 (listen on UDP port 1212, forward to 1.1.1.1:53, timeout after 10s)
+; - socks5://[::1]:1212?login=admin&password=admin (SOCKS5 proxy with authentication)
+; - stdio://google.com:443 (forward stdio to google.com:443)
+; - unix:///tmp/wstunnel.sock:google.com:443 (listen on Unix socket, forward to google.com:443)
+; local_to_remote = tcp://1212:google.com:443
+
+; Remote-to-local forwarding rules (tcp, udp, socks5, unix)
+; Can specify multiple rules
+; Examples:
+; - tcp://1212:google.com:443 (server listens on port 1212, forwards to local google.com:443)
+; - socks5://[::1]:1212 (server listens for SOCKS5, forwards dynamically to local)
+; remote_to_local = tcp://1212:google.com:443
+
+; Disable color output in logs
+; no_color = true
+
+; (Linux only) Mark network packets with SO_MARK sockoption
+; Requires root, sudo, or specific capabilities
+; socket_so_mark = 123
+
+; Maximum number of idle connections to keep open to the server
+connection_min_idle = 0
+
+; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
+; Note: This flag is ignored in the command line, use environment variable instead
+; nb_worker_threads = 4
+
+; Maximum backoff time for retrying server connections
+connection_retry_max_backoff = 5m
+
+; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
+log_level = INFO
+
+; Domain name for SNI during TLS handshake
+; Required if behind a CDN like Cloudflare to match HTTP HOST header
+; tls_sni_override = example.com
+
+; Disable sending SNI during TLS handshake
+; tls_sni_disable = false
+
+; Enable TLS certificate verification (disabled by default, allows self-signed certs)
+; tls_verify_certificate = false
+
+; HTTP proxy to connect to the server (format: user:pass@host:port)
+; http_proxy = user:pass@proxy.example.com:8080
+
+; Override HTTP proxy login
+; http_proxy_login = custom_login
+
+; Override HTTP proxy password
+; http_proxy_password = custom_password
+
+; HTTP upgrade path prefix for websocket upgrade request
+http_upgrade_path_prefix = v1
+
+; Basic auth credentials for HTTP upgrade request (format: user:pass)
+; http_upgrade_credentials = user:pass
+
+; Frequency of websocket pings to the server (set to 0 to disable)
+websocket_ping_frequency = 30s
+
+; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
+; websocket_mask_frame = false
+
+; Custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE)
+; Can specify multiple headers
+; http_headers = X-Custom-Header: Value
+
+; File containing custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE per line)
+; http_headers_file = /path/to/headers.txt
+
+; TLS certificate (PEM) for mTLS client authentication
+; Automatically reloaded on change
+; tls_certificate = /path/to/certificate.pem
+
+; TLS private key (PEM) for mTLS client authentication
+; Automatically reloaded on change
+; tls_private_key = /path/to/private_key.pem
+
+; DNS resolver(s) for domain name lookups
+; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
+; Use system://0.0.0.0 for libc resolver
+; dns_resolver = dns://1.1.1.1
+
+; Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
+; dns_resolver_prefer_ipv4 = false
--- a/package.yml
+++ b/package.yml
@ -1,6 +1,6 @@
 name       : wstunnel
 version    : 10.2.0
-release    : 2
+release    : 3
 source     :
    - https://github.com/erebe/wstunnel/archive/refs/tags/v10.2.0.tar.gz : e5b29465c447c110e4f7d2c1e99a9e6e883f2ddaf6373459d1008607811e637d
 homepage   : https://github.com/erebe/wstunnel
@ -18,3 +18,11 @@ build      : |
    %cargo_build --package wstunnel-cli
 install    : |
    %cargo_install
+
+    install -Dm00644 $pkgfiles/wstunnel-client.service $installdir/%libdir%/systemd/system/wstunnel-client.service
+    install -Dm00644 $pkgfiles/wstunnel-server.service $installdir/%libdir%/systemd/system/wstunnel-server.service
+
+    install -Dm00644 $pkgfiles/wstunnel.conf /usr/share/defaults/etc/wstunnel/wstunnel.conf
+
+    install -Dm00755 $pkgfiles/wstunnel-client $installdir/usr/bin/wstunnel-client
+    install -Dm00755 $pkgfiles/wstunnel-server $installdir/usr/bin/wstunnel-server