docs: update README with desktop requirements, helper builds, and realistic MVP usage notes
Expand README with desktop platform requirements (Windows x86, macOS ARM), helper build commands, gateway utility scripts, and updated local test flow. Add realistic MVP usage section clarifying current platform build status, gateway configuration needs, and admin debug profile behavior with client private key handling.
This commit is contained in:
36
docs/client-platforms.md
Normal file
36
docs/client-platforms.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# Desktop Platform Strategy
|
||||
|
||||
## Windows x86
|
||||
|
||||
Current MVP integration path:
|
||||
|
||||
- NexaVPN enrolls the device and stores the generated profile locally.
|
||||
- NexaVPN is intended to ship its own bundled Windows x86 tunnel helper.
|
||||
- The end user should interact only with NexaVPN.
|
||||
- The bundled helper encapsulates the WireGuard runtime internally.
|
||||
|
||||
Repository status:
|
||||
|
||||
- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
|
||||
- the Windows x86 build can be bundled into `src-tauri/bundled/windows-x86/`
|
||||
|
||||
## macOS ARM
|
||||
|
||||
Current MVP integration path:
|
||||
|
||||
- NexaVPN enrolls the device and stores the generated profile locally.
|
||||
- NexaVPN is intended to ship its own bundled macOS ARM tunnel helper.
|
||||
- The end user should interact only with NexaVPN.
|
||||
- The bundled helper encapsulates the WireGuard runtime internally.
|
||||
|
||||
Repository status:
|
||||
|
||||
- the NexaVPN tunnel helper CLI is now included in `desktop-client/tunnel-helper/`
|
||||
- the macOS ARM build can be bundled into `src-tauri/bundled/macos-arm64/`
|
||||
|
||||
## Security And Limitations
|
||||
|
||||
- Client private keys are generated and stored locally.
|
||||
- Admin debug profile downloads intentionally contain a private-key placeholder.
|
||||
- Desktop secure-secret storage is not yet production-grade keychain integration.
|
||||
- The repository now includes the helper source and bundling paths, but platform builds and signing still need to be performed in the right target environments.
|
||||
@@ -51,6 +51,47 @@ psql "$DATABASE_URL" -f backend/migrations/000001_init.sql
|
||||
psql "$DATABASE_URL" -f backend/seed/001_seed.sql
|
||||
```
|
||||
|
||||
## Gateway Helper Flow
|
||||
|
||||
1. Bootstrap an admin and log into the web UI.
|
||||
2. Open the `Gateways` page and note the gateway ID.
|
||||
3. Obtain an admin API token through the login flow.
|
||||
4. Set `NEXAVPN_GATEWAY_ID` and `NEXAVPN_API_TOKEN` in `deploy/.env`.
|
||||
5. Recreate the `gateway` service.
|
||||
|
||||
The helper writes:
|
||||
|
||||
- `/var/lib/nexavpn/sync-bundle.json`
|
||||
- `/var/lib/nexavpn/wg0.generated.conf`
|
||||
- `/var/lib/nexavpn/nftables.generated.conf`
|
||||
|
||||
Current behavior:
|
||||
|
||||
- the gateway helper fetches the sync bundle every 15 seconds
|
||||
- it renders `/etc/wireguard/<iface>.conf`
|
||||
- it applies nftables rules from generated state
|
||||
- it enables IPv4 forwarding
|
||||
- it brings up or resyncs the WireGuard interface
|
||||
|
||||
Required environment:
|
||||
|
||||
- `NEXAVPN_GATEWAY_ID`
|
||||
- `NEXAVPN_API_TOKEN`
|
||||
- `NEXAVPN_GATEWAY_PRIVATE_KEY`
|
||||
- optional: `NEXAVPN_GATEWAY_INTERFACE`
|
||||
- optional: `NEXAVPN_UPLINK_INTERFACE`
|
||||
- optional: `NEXAVPN_ENABLE_MASQUERADE`
|
||||
|
||||
Helper scripts:
|
||||
|
||||
- `deploy/scripts/generate-gateway-keypair.sh`
|
||||
- `deploy/scripts/get-admin-token.sh`
|
||||
|
||||
Host/runtime note:
|
||||
|
||||
- the gateway container expects `/dev/net/tun`
|
||||
- the host kernel must support WireGuard
|
||||
|
||||
## Production Notes
|
||||
|
||||
- Terminate TLS at nginx or another reverse proxy.
|
||||
|
||||
Reference in New Issue
Block a user