diff --git a/.fpm b/.fpm
index f47aeb87..def9b546 100644
--- a/.fpm
+++ b/.fpm
@@ -1,6 +1,6 @@
 -s dir
 --name defguard-gateway
---description "Defguard VPN gateway service"
+--description "Defguard Gateway service"
 --url "https://defguard.net/"
 --maintainer "Defguard"
---config-files /etc/defguard/gateway.toml.sample
+--config-files /etc/defguard/gateway.toml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 47334544..bd7a8705 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
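Review bot: Pointing `--config-files` at the live `/etc/defguard/gateway.toml` means the package now installs example-config.toml as the real configuration, and `linux/postinst` in this same commit starts the unit unconditionally, so a fresh deb/rpm install brings the gateway up on placeholder values (presumably failing and being cycled by `Restart=on-failure`) until the file is edited. Treating the file as a config file is the right call for deb/rpm so local edits survive upgrades; the same path is installed by the FreeBSD/OPNsense steps in `.github/workflows/release.yml`, and whether `.fpm` is honoured for that output type is worth checking, otherwise a `pkg upgrade` will overwrite the operator's edits. If the shipped file is meant to stay a template, keep the `.sample` name and have postinst copy it into place only when no gateway.toml exists yet.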
@@ -122,57 +122,101 @@ jobs: with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway - defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service - example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb --after-install after-install.sh" + linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service + example-config.toml=/etc/defguard/gateway.toml" + fpm_opts: + "--architecture amd64 + --output-type deb + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build aarch64 DEB package uses: defGuard/fpm-action@main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway - defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service - example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb --after-install after-install.sh" + linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service + example-config.toml=/etc/defguard/gateway.toml" + fpm_opts: + "--architecture arm64 + --output-type deb + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build x86_64 RPM package uses: defGuard/fpm-action@main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway - 
defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service - example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm --after-install after-install.sh" + linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service + example-config.toml=/etc/defguard/gateway.toml" + fpm_opts: + "--architecture amd64 + --output-type rpm + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build aarch64 RPM package uses: defGuard/fpm-action@main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway - defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service - example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm --after-install after-install.sh" + linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service + example-config.toml=/etc/defguard/gateway.toml" + fpm_opts: + "--architecture arm64 + --output-type rpm + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build FreeBSD package uses: defGuard/fpm-action@main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard-gateway - example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture amd64 
--output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl" + freebsd/defguard-gateway=/usr/local/etc/rc.d/defguard-gateway + example-config.toml=/etc/defguard/gateway.toml" + fpm_opts: + "--architecture amd64 + --output-type freebsd + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg + --freebsd-osversion '*' + --depends openssl" - name: Build OPNsense package uses: defGuard/fpm-action@main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard-gateway - example-config.toml=/etc/defguard/gateway.toml.sample + freebsd/defguard-gateway=/usr/local/etc/rc.d/defguard-gateway + example-config.toml=/etc/defguard/gateway.toml defguard-rc.conf=/etc/rc.conf.d/defguard_gateway opnsense/src/etc/=/usr/local/etc/ opnsense/src/opnsense/=/usr/local/opnsense/" - fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*' --depends openssl" + fpm_opts: + "--architecture amd64 + --output-type freebsd + --version ${{ env.VERSION }} + --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + --freebsd-osversion '*' + --depends openssl" - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@v1 diff --git a/Cargo.lock b/Cargo.lock index 8bc5d636..c096f4d0 100644 --- a/Cargo.lock +++ b/Cargo.lock 
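Review bot: The six fpm steps in this hunk are now roughly fifteen lines each and differ only in architecture, output type, target paths and the hook list, so the four deb/rpm steps already carry four identical copies of `--before-install linux/preinst … --after-remove linux/postrm`; a `strategy.matrix` over (arch, output-type) with the shared opts assembled once would keep the maintainer-script wiring in one place so deb and rpm cannot drift apart. None of the steps passes `--config-files`, so the deb/rpm builds appear to rely on fpm reading the repository's `.fpm` from the working directory — a one-line comment above the first step naming that dependency would keep it from being lost when the action or its working directory changes. The enclosing `jobs:` block and the steps list begin before this hunk.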
@@ -3469,9 +3469,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.38"
+version = "0.23.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69f9466fb2c14ea04357e91413efb882e2a6d4a406e625449bc0a5d360d53a21"
+checksum = "7c2c118cb077cca2822033836dfb1b975355dfb784b5e8da48f7b6c5db74e60e"
 dependencies = [
  "aws-lc-rs",
  "log",
@@ -4454,7 +4454,7 @@ dependencies = [
  "serde_spanned",
  "toml_datetime 1.1.1+spec-1.1.0",
  "toml_parser",
- "winnow 1.0.1",
+ "winnow 1.0.2",
 ]
 
 [[package]]
@@ -4481,7 +4481,7 @@ version = "1.1.2+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
 dependencies = [
- "winnow 1.0.1",
+ "winnow 1.0.2",
 ]
 
 [[package]]
@@ -5522,9 +5522,9 @@ dependencies = [
 
 [[package]]
 name = "winnow"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5"
+checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0"
 
 [[package]]
 name = "wireguard-nt"
diff --git a/after-install.sh b/after-install.sh
deleted file mode 100755
index 6524c7d8..00000000
--- a/after-install.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-if systemctl is-enabled defguard-gateway --quiet; then
- systemctl restart defguard-gateway
-fi
diff --git a/defguard-gateway.service b/defguard-gateway.service
deleted file mode 100644
index 5da62cc0..00000000
--- a/defguard-gateway.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=defguard VPN gateway service
-Documentation=https://defguard.gitbook.io/defguard/
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/usr/sbin/defguard-gateway --config /etc/defguard/gateway.toml
-KillMode=process
-KillSignal=SIGINT
-LimitNOFILE=65536
-LimitNPROC=infinity
-Restart=on-failure
-RestartSec=2
-TasksMax=infinity
-OOMScoreAdjust=-1000
-
-[Install]
-WantedBy=multi-user.target
diff --git a/docs/header.png b/docs/header.png
index 3a02a4d5..8876998d 100644
Binary files a/docs/header.png and b/docs/header.png differ
diff --git a/example-config.toml b/example-config.toml
index b10dc18f..d635c010 100644
--- a/example-config.toml
+++ b/example-config.toml
@@ -1,9 +1,9 @@
-# This is an example config file for defguard VPN gateway
-# To use it fill in actual values for your deployment below
+# This is an example config file for Defguard Gateway.
+# To use it fill in actual values for your deployment below.
 
 # Required: use userspace WireGuard implementation (e.g. wireguard-go)
 userspace = false
-# Required: how often should interface stat updates be sent to defguard server (in seconds)
+# Required: how often should interface stat updates be sent to Defguard Core (in seconds)
 stats_period = 60
 # Required: name of WireGuard interface
 ifname = "wg0"
@@ -26,14 +26,13 @@ syslog_socket = "/var/run/log" # Example: Add a default route after WireGuard interface is up: #post_up = "/path/to/ip route add default via 192.168.1.1 dev wg0" - # Optional: Command which will be run before bringing interface down # Example: Remove WireGuard-related firewall rules before interface is taken down: #pre_down = "/path/to/iptables -D INPUT -i wg0 -j ACCEPT" # Optional: Command which will be run after bringing interface down # Example: Remove the default route after WireGuard interface is down: -#post_down = "/pat/to/ip route del default via 192.168.1.1 dev wg0" +#post_down = "/path/to/ip route del default via 192.168.1.1 dev wg0" # A HTTP port that will expose the REST HTTP gateway health status # STATUS CODES: diff --git a/defguard-gateway.service.freebsd b/freebsd/defguard-gateway similarity index 72% rename from defguard-gateway.service.freebsd rename to freebsd/defguard-gateway index cb05f5b0..0c097631 100755 --- a/defguard-gateway.service.freebsd +++ b/freebsd/defguard-gateway @@ -8,13 +8,12 @@ name="defguard_gateway" rcvar=defguard_gateway_enable -command="/usr/local/sbin/defguard-gateway" +command="/usr/local/bin/defguard-gateway" config="/etc/defguard/gateway.toml" start_cmd="${name}_start" -defguard_gateway_start() -{ - ${command} --config ${config} & +defguard_gateway_start() { + ${command} --config ${config} & } load_rc_config $name diff --git a/linux/defguard-gateway.service b/linux/defguard-gateway.service new file mode 100644 index 00000000..27561aeb --- /dev/null +++ b/linux/defguard-gateway.service 
@@ -0,0 +1,24 @@
+[Unit]
+Description=Defguard Gateway service
+Documentation=https://docs.defguard.net/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=defguard
+Group=defguard
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/defguard-gateway --config /etc/defguard/gateway.toml
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+TasksMax=infinity
+OOMScoreAdjust=-1000
+
+[Install]
+WantedBy=multi-user.target
diff --git a/linux/postinst b/linux/postinst
new file mode 100755
index 00000000..31fed8c9
--- /dev/null
+++ b/linux/postinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-gateway'
+
+case "${1}" in
+1 | configure)
+ if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl daemon-reload
+ /usr/bin/systemctl enable ${SERVICE_NAME}
+ /usr/bin/systemctl --no-block start ${SERVICE_NAME}
+ fi
+ ;;
+abort-upgrade | abort-remove | abort-deconfigure)
+ if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl daemon-reload
+ if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
+ /usr/bin/systemctl --no-block restart ${SERVICE_NAME}
+ fi
+ fi
+ ;;
+esac
diff --git a/linux/postrm b/linux/postrm
new file mode 100644
index 00000000..2b473f8a
--- /dev/null
+++ b/linux/postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl --quiet daemon-reload || true
+fi
+
+if id -u ${USERNAME} >/dev/null 2>&1; then
+ echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}"
+fi
diff --git a/linux/preinst b/linux/preinst
new file mode 100755
index 00000000..6cc33233
--- /dev/null
+++ b/linux/preinst
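Review bot: The new `[Service]` section drops to `User=defguard` with a scoped capability set but adds no other sandboxing, so the process keeps write access to everything its user can reach and can still regain privileges through any setuid helper it spawns (the `pre_up`/`post_up` hooks in example-config.toml run arbitrary operator-supplied commands from inside this unit); `NoNewPrivileges=true`, `ProtectHome=true` and `PrivateTmp=true` are the usual companions of an ambient-capability user and should not interfere with a WireGuard gateway. `ProtectSystem=full` is probably safe as well since the unit only needs to read `/etc/defguard/gateway.toml`, but that depends on what the hooks write, so confirm against a real deployment before adding it. `LimitNPROC=infinity` and `TasksMax=infinity` were carried over from the root-run unit and are generous for an unprivileged account; a concrete cap would also bound a runaway hook.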
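Review bot: The `case` only matches `1 | configure`, so on rpm upgrades (`%post` receives `2`) nothing runs — not even `daemon-reload`, although the unit file just changed — and on dpkg, where `configure` is also the upgrade argument, `systemctl enable` is re-run on every upgrade and overrides an operator who deliberately disabled the unit. dpkg passes the previously configured version as `$2` on upgrade and nothing on a fresh install, which gives a clean split: enable and start only on first install, otherwise restart only if the unit is enabled, and add an explicit `2)` branch for rpm. Be aware that on rpm the old package's `%preun` (`linux/prerm`) runs after this `%post` and currently stops the unit unconditionally, which nothing in this script can undo; that guard belongs in prerm.
```shell
case "${1}" in
1 | configure)
  if [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl daemon-reload
    if [ -z "${2}" ]; then
      # fresh install (rpm: $1=1; dpkg: configure without a previous version)
      /usr/bin/systemctl enable ${SERVICE_NAME}
      /usr/bin/systemctl --no-block start ${SERVICE_NAME}
    elif /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
      # dpkg upgrade: keep the operator's enable state, bring the new binary/unit up
      /usr/bin/systemctl --no-block restart ${SERVICE_NAME}
    fi
  fi
  ;;
2)
  # rpm upgrade: reload the changed unit file, restart only if the operator enabled it
  if [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl daemon-reload
    if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
      /usr/bin/systemctl --no-block restart ${SERVICE_NAME}
    fi
  fi
  ;;
# … unchanged: abort-upgrade | abort-remove | abort-deconfigure branch …
esac
```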
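Review bot: The `userdel` hint is printed on every invocation, including dpkg `upgrade` and rpm `%postun` with `$1` = 1 (upgrade), where the account is still in use by the version that was just installed; guard it with the removal arguments, e.g. `if { [ "${1}" = remove ] || [ "${1}" = purge ] || [ "${1}" = 0 ]; } && id -u ${USERNAME} >/dev/null 2>&1; then`. The rpm upgrade path (`$1` = 1) is also the conventional place for a `systemctl try-restart` of the unit (the `%systemd_postun_with_restart` pattern), because by the time this script runs the old package's `%preun` has already executed; a short comment here stating which script is responsible for restarting after an rpm upgrade would save the next reader the same analysis.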
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if ! id -u ${USERNAME} >/dev/null 2>&1; then
+ useradd --system --user-group --no-create-home ${USERNAME}
+fi
+
+mkdir -p /etc/defguard
+chown -R ${USERNAME}:${USERNAME} /etc/defguard
+chmod 750 /etc/defguard
diff --git a/linux/prerm b/linux/prerm
new file mode 100644
index 00000000..3e3cbcb3
--- /dev/null
+++ b/linux/prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-gateway'
+
+if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl --no-block --quiet stop ${SERVICE_NAME} || true
+fi
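Review bot: `chown -R ${USERNAME}:${USERNAME} /etc/defguard` makes the service account the owner of its own configuration directory — and of anything an operator keeps there — so a compromised gateway process could rewrite its own config, although the service only needs to read it. `chown root:${USERNAME} /etc/defguard` together with the existing `chmod 750` gives read access without write, and because preinst runs before the package files are unpacked, the mode of gateway.toml itself (the package manager installs it with the packaged mode, presumably world-readable) has to be tightened in postinst, not here; the `-R` on an already existing directory also silently changes ownership of files the operator placed there. The account is created with the distribution's default login shell; `--shell /usr/sbin/nologin` (`/sbin/nologin` on rpm-based systems) is the usual setting for a `--system` user.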
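Review bot: The `stop` runs on every invocation, and under rpm `--before-remove` becomes `%preun`, where `$1` is `1` on an upgrade (one instance remains) and `0` only on erase; because this old-package `%preun` executes after the new package's `%post`, every rpm upgrade from this version onward will end with the gateway stopped. dpkg passes words (`remove`, `upgrade`, …), so the guard `if [ -x /usr/bin/systemctl ] && [ "${1}" != 1 ]; then` skips exactly the rpm upgrade path without changing the deb behaviour. On real removal (`remove` / `0`) a `/usr/bin/systemctl disable --quiet ${SERVICE_NAME} || true` is also missing: postinst's `enable` created a `multi-user.target.wants` symlink that outlives the unit file, and the `daemon-reload` in postrm does not clean it up.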