diff --git a/en/guide/config/acl.md b/en/guide/config/acl.md
index fc7120a..63d809a 100644
--- a/en/guide/config/acl.md
+++ b/en/guide/config/acl.md
@@ -25,13 +25,13 @@ Understanding the following key concepts is essential for configuring ACL:
## 🔧 Configuration Details
-ACL configuration must be added to Easytier's configuration file `config.yaml`.
+ACL configuration must be added to Easytier's configuration file `config.toml`.
### 1. Define Groups and Secrets
This is the most critical step. Each node needs to declare which groups it belongs to in its configuration and configure the shared secrets for all related groups.
-```yaml
+```toml
# This section defines the groups this node will join (for generating identity proof)
[acl.acl_v1.group]
members = ["admin", "web-server"] # This node's identity: both an administrator and a web server
@@ -65,7 +65,7 @@ group_secret = "guest-secret-key"
Rule chains determine how traffic is handled.
-```yaml
+```toml
# Define an inbound chain
[[acl.acl_v1.chains]]
name = "my_acl_policy" # Chain name
@@ -81,7 +81,7 @@ default_action = 2 # Default action: 1(Allow) 2(Deny)
Rules are the core of the policy and are defined within chains.
-```yaml
+```toml
# List of rules within the chain defined above
[[acl.acl_v1.chains.rules]]
name = "allow_admin_rdp"
@@ -121,7 +121,7 @@ stateful = true # Enable connection tracking
**Configuration**:
-```yaml
+```toml
[acl.acl_v1.group]
members = ["my-net"] # All devices join the same group
@@ -161,7 +161,7 @@ enabled = true
**ACL Rules on the Database Server**:
-```yaml
+```toml
[[acl.acl_v1.chains]]
name = "db_server_policy"
chain_type = 1
@@ -217,4 +217,4 @@ enabled = true
---
-We hope this document helps you better understand and use Easytier's ACL features! If you have any questions, welcome to discuss them in the community. 🎉
\ No newline at end of file
+We hope this document helps you better understand and use Easytier's ACL features! If you have any questions, welcome to discuss them in the community. 🎉
diff --git a/en/guide/network/config-file.md b/en/guide/network/config-file.md
index 85e1609..b7f755a 100644
--- a/en/guide/network/config-file.md
+++ b/en/guide/network/config-file.md
@@ -1,16 +1,16 @@
# Configuration File
-Supports using the -c parameter to specify the configuration file path.
+Supports using the `-c` parameter to specify the TOML configuration file path.
```sh
-easytier-core -c ./config.yaml
+easytier-core -c ./config.toml
```
::: warning Note
Note: Parameters in the configuration file can be overridden by command line parameters. For example, if `--hostname abc` is specified in the configuration file, but `--hostname xyz` is used in the command line, then the hostname parameter `xyz` from the command line will be used.
:::
-Running with parameters can generate a configuration file with the corresponding parameters. The configuration file will be printed in the command line, and you can manually copy and save it as a toml file.
+Running with parameters can generate a configuration file with the corresponding parameters. The configuration file will be printed in the command line, and you can manually copy and save it as a TOML file.
Running `easytier-core` directly without parameters will generate the minimal configuration file.
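Review bot: the warning block kept as context in this hunk still says `--hostname abc` is "specified in the configuration file", which is CLI syntax and not something a TOML file can contain. Since this patch makes TOML the stated format, reword the example to use the config key (the web-console hunk in this patch shows it as `hostname = "my-hostname"`) and keep `--hostname xyz` only for the command-line side.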
@@ -19,9 +19,11 @@ Running `easytier-core` directly without parameters will generate the minimal co
You can specify multiple configuration files through the `-c` parameter. EasyTier will load multiple configuration files in one process and start multiple virtual networks.
```sh
-easytier-core -c ./config1.yaml -c ./config2.yaml
+easytier-core -c ./config1.toml -c ./config2.toml
```
+From the network tutorial pages in this section onward, any example that shows both CLI and configuration-file syntax uses TOML as the default config format.
+
## Configuration File Generator
The official website provides a configuration file generator, which you can access via Configuration File Generator to generate configuration files.
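Review bot: the added sentence about TOML being the default format lands at the end of the multi-file startup section, right after the `-c ./config1.toml -c ./config2.toml` example, where it has nothing to do with loading several files. The Chinese version of this page in the same patch places the equivalent sentence before the multi-config heading; move the English sentence to the same position so the two pages stay aligned.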
diff --git a/en/guide/network/decentralized-networking.md b/en/guide/network/decentralized-networking.md
index 96e0eb2..8882520 100644
--- a/en/guide/network/decentralized-networking.md
+++ b/en/guide/network/decentralized-networking.md
@@ -23,10 +23,20 @@ nodeA <-----> nodeB
1. Run the following command on Node A:
- ```sh
+ ::: code-group
+
+ ```sh [CLI Flags]
sudo easytier-core -i 10.144.144.1
```
+ ```toml [Config File]
+ ipv4 = "10.144.144.1"
+ ```
+
+ :::
+
+ Save the configuration above as `node-a.toml`, then start it with `sudo easytier-core -c ./node-a.toml`.
+
- `-i` specifies the virtual network IP address.
After startup, this node will listen on the following ports by default:
@@ -51,10 +61,23 @@ nodeA <-----> nodeB
2. Run the following command on Node B:
- ```sh
+ ::: code-group
+
+ ```sh [CLI Flags]
sudo easytier-core -d -p udp://22.1.1.1:11010
```
+ ```toml [Config File]
+ dhcp = true
+
+ [[peer]]
+ uri = "udp://22.1.1.1:11010"
+ ```
+
+ :::
+
+ Save the configuration above as `node-b.toml`, then start it with `sudo easytier-core -c ./node-b.toml`.
+
- `-d` represents DHCP mode, automatically assign virtual IP.
- `-p` specifies the public address and port of Node A.
@@ -83,10 +106,23 @@ nodeC <-----> nodeA
1. Run the following command on Node C:
- ```sh
+ ::: code-group
+
+ ```sh [CLI Flags]
sudo easytier-core -d -p udp://22.1.1.1:11010
```
+ ```toml [Config File]
+ dhcp = true
+
+ [[peer]]
+ uri = "udp://22.1.1.1:11010"
+ ```
+
+ :::
+
+ Save the configuration above as `node-c.toml`, then start it with `sudo easytier-core -c ./node-c.toml`.
+
- `-d` represents DHCP mode, automatically assign virtual IP.
- `-p` specifies the public address and port of Node A.
diff --git a/en/guide/network/host-public-server.md b/en/guide/network/host-public-server.md
index f9919a7..d48be24 100644
--- a/en/guide/network/host-public-server.md
+++ b/en/guide/network/host-public-server.md
@@ -2,10 +2,20 @@
Users can use their own public nodes to set up a public shared node for networking without a public IP, making it easier for other users without a public IP to network. Simply start EasyTier without any parameters, and the node can be used as a public server (no root privileges required):
-```
+::: code-group
+
+```sh [CLI Flags]
easytier-core
```
+```toml [Config File]
+# An empty config file is enough to start a shared node
+```
+
+:::
+
+Save an empty file as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
Additionally, EasyTier supports shared node clusters. Each virtual network (created with the same network name and key) can act as a shared node cluster, and nodes from other networks can connect to any node in the shared node cluster, discovering each other without a public IP. Running a self-built public server cluster is the same as running a virtual network, but you can skip configuring the IPv4 address.
If you wish to contribute a public server to the EasyTier community, you can contact the administrator, and we will inform you how to add your node to the community shared node list. Of course, this requires your node to have a certain level of bandwidth and stability.
@@ -18,16 +28,43 @@ To change this behavior, you can use the `--relay-network-whitelist` parameter t
EasyTier can avoid forwarding network packets for other virtual networks and only help them establish P2P links by setting the whitelist to empty and configuring it to only forward RPC traffic. The reference command is:
-```
+::: code-group
+
+```sh [CLI Flags]
easytier-core --relay-network-whitelist --relay-all-peer-rpc
```
+```toml [Config File]
+[flags]
+relay_network_whitelist = ""
+relay_all_peer_rpc = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
## Private Mode
If you want EasyTier to only provide services in your virtual network and don't want nodes from other virtual networks to connect to your node, you can start EasyTier with the `--private-mode true` parameter.
-```
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --private-mode true --network-name my-network --network-secret my-secret
```
+```toml [Config File]
+[network_identity]
+network_name = "my-network"
+network_secret = "my-secret"
+
+[flags]
+private_mode = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
This will only allow nodes with network name `my-network` and key `my-secret` to connect to this EasyTier node.
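Review bot: in the relay example, `relay_network_whitelist = ""` is the only thing that makes the whitelist empty, but the surrounding text never says that the empty string is meaningful. A reader can easily take it for an unset value and delete the line. Add one sentence under the code group stating that the empty string is the config-file form of passing `--relay-network-whitelist` with no value.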
diff --git a/en/guide/network/install-as-a-systemd-service.md b/en/guide/network/install-as-a-systemd-service.md
index e7c9bd0..b1a5d2a 100644
--- a/en/guide/network/install-as-a-systemd-service.md
+++ b/en/guide/network/install-as-a-systemd-service.md
@@ -2,9 +2,25 @@
On Linux distributions that support systemd, you can configure the service to start with the system by following these steps:
-1. Create a new service file `/etc/systemd/system/easytier.service` and modify the command line parameters after `ExecStart` as needed.
+1. Create a new service file `/etc/systemd/system/easytier.service`. Using a TOML config file is recommended; if you prefer, you can still keep the CLI-flags form.
-```shell
+::: code-group
+
+```ini [Config File Mode]
+[Unit]
+Description=EasyTier Service
+After=network.target syslog.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/root/easytier-core -c /etc/easytier/config.toml
+
+[Install]
+WantedBy=multi-user.target
+```
+
+```ini [CLI Flags Mode]
[Unit]
Description=EasyTier Service
After=network.target syslog.target
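Review bot: the rewritten step 1 drops the instruction to "modify the command line parameters after `ExecStart` as needed", yet the `CLI Flags Mode` tab still carries placeholder values such as `--ipv4 x.x.x.x --network-name xxx`. Keep that instruction for the flags tab, and say for the config-file tab that only the path after `-c` needs adjusting.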
@@ -18,6 +34,21 @@ ExecStart=/root/easytier-core --ipv4 x.x.x.x --network-name xxx --network-secret
WantedBy=multi-user.target
```
+:::
+
+If you use the config-file mode, save the EasyTier configuration as `/etc/easytier/config.toml`:
+
+```toml
+ipv4 = "x.x.x.x"
+
+[network_identity]
+network_name = "xxx"
+network_secret = "yyy"
+
+[[peer]]
+uri = "tcp://peer_host:11010"
+```
+
2. After saving the file, run the following command in the terminal to enable the service:
```sh
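Review bot: the new `/etc/easytier/config.toml` example stores `network_secret` in plain text, but the text does not say how the file should be protected. Add a line telling the reader to create `/etc/easytier` and restrict the file to the service user, for example `chmod 600 /etc/easytier/config.toml`, since anyone who can read it can join the network.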
diff --git a/en/guide/network/kcp-proxy.md b/en/guide/network/kcp-proxy.md
index 423745e..a0ce578 100644
--- a/en/guide/network/kcp-proxy.md
+++ b/en/guide/network/kcp-proxy.md
@@ -32,10 +32,21 @@ graph LR
To proxy TCP traffic on Node A to the KCP protocol, simply start EasyTier on Node A with the `--enable-kcp-proxy` parameter.
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --enable-kcp-proxy
```
+```toml [Config File]
+[flags]
+enable_kcp_proxy = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
- `--enable-kcp-proxy` enables the KCP proxy feature.
The KCP proxy ensures version compatibility by automatically reverting to the TCP protocol if it detects that the counterpart node does not support the KCP proxy.
@@ -44,10 +55,22 @@ The KCP proxy ensures version compatibility by automatically reverting to the TC
By default, the KCP proxy uses the kernel's network stack, which may not work correctly due to system firewall settings. You can try using the `--use-smoltcp` parameter to switch to the user-space network stack.
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --enable-kcp-proxy --use-smoltcp
```
+```toml [Config File]
+[flags]
+enable_kcp_proxy = true
+use_smoltcp = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
- `--use-smoltcp` switches to the user-space network stack.
### Disable KCP Input
@@ -56,10 +79,21 @@ If you do not want traffic destined for a specific node to use the KCP protocol,
For example, if you do not want Node B to receive KCP traffic, start EasyTier on Node B with the following command:
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --disable-kcp-input
```
+```toml [Config File]
+[flags]
+disable_kcp_input = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
- `--disable-kcp-input` disables KCP inbound traffic.
In this case, even if Node A has enabled the KCP proxy, the traffic from Node A to Node B will continue to use the TCP protocol.
@@ -68,10 +102,22 @@ In this case, even if Node A has enabled the KCP proxy, the traffic from Node A
If Node A is a router, and the subnet under A needs to access other EasyTier nodes or other proxied subnets, it can also use the KCP proxy. However, Node A must use the user-space network stack by specifying the `--use-smoltcp` parameter.
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --enable-kcp-proxy --use-smoltcp
```
+```toml [Config File]
+[flags]
+enable_kcp_proxy = true
+use_smoltcp = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
Otherwise, the TCP protocol will still be used.
## Checking KCP Proxy Status
@@ -98,16 +144,38 @@ EasyTier v2.3.2 introduced support for QUIC proxy, which works similarly to KCP
QUIC proxy can be enabled on the connection initiator side using the `--enable-quic-proxy` parameter.
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --enable-quic-proxy
```
+```toml [Config File]
+[flags]
+enable_quic_proxy = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
QUIC proxy on the receiving end can be disabled using the `--disable-quic-input` parameter.
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --disable-quic-input
```
+```toml [Config File]
+[flags]
+disable_quic_input = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
Both the sender and receiver can check the QUIC proxy connection status using the `easytier-cli proxy` command.
```bash
diff --git a/en/guide/network/magic-dns.md b/en/guide/network/magic-dns.md
index ccb04fb..3416631 100644
--- a/en/guide/network/magic-dns.md
+++ b/en/guide/network/magic-dns.md
@@ -2,6 +2,21 @@
EasyTier supports a Magic DNS feature similar to Tailscale, allowing users to access other nodes via domain names without remembering virtual IP addresses. Simply add the `--accept-dns` parameter during startup to enable the Magic DNS feature.
+::: code-group
+
+```sh [CLI Flags]
+easytier-core --accept-dns true
+```
+
+```toml [Config File]
+[flags]
+accept_dns = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
Magic DNS uses `100.100.100.101` as the default DNS server address. You can `ping` this address to test whether Magic DNS is successfully enabled.
If Magic DNS is successfully enabled, and the hostname of Node A is `node-a`, other nodes can access Node A via `node-a.et.net`.
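Review bot: the context paragraph tells the reader to add the `--accept-dns` parameter, while the new CLI tab passes `--accept-dns true`. Make the prose and the example agree on whether the flag takes a value, so readers do not have to guess which form is accepted.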
diff --git a/en/guide/network/network-to-network.md b/en/guide/network/network-to-network.md
index 8e526ab..9098fce 100644
--- a/en/guide/network/network-to-network.md
+++ b/en/guide/network/network-to-network.md
@@ -31,9 +31,11 @@ To achieve network to network, Node A needs to be the gateway for the 192.168.1.
Node A
-```bash
+::: code-group
+
+```bash [CLI Flags]
# Start EasyTier and proxy the 192.168.1.0/24 subnet, using a public server to help network
-easytier-core -i 10.144.144.1 -n 192.168.1.0/24 --network-name n2n_test
+easytier-core -i 10.144.144.1 -n 192.168.1.0/24 -p tcp://:11010 --network-name n2n_test
# Allow the gateway to forward traffic and configure the firewall to allow traffic forwarding
sysctl -w net.ipv4.ip_forward=1
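Review bot: the added `-p tcp://:11010` on the Node A command has nothing between `//` and `:11010`, so the peer URI names a port but no host. The comment above it says a public server is used, so put an explicit placeholder for that server's address in the URI. Also note in the commit message that this hunk changes the command itself (a `-p` argument is added), not just the presentation.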
@@ -41,9 +43,47 @@ iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
```
+```toml [Config File]
+ipv4 = "10.144.144.1"
+
+[network_identity]
+network_name = "n2n_test"
+network_secret = ""
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+
+[[peer]]
+uri = "tcp://:11010"
+```
+
+:::
+
+Save the EasyTier configuration above as `node-a.toml`, then start it with `easytier-core -c ./node-a.toml`; the `sysctl` and `iptables` commands still need to be run separately.
+
Node B
-```bash
+::: code-group
+
+```bash [CLI Flags]
# Start EasyTier and proxy the 10.1.1.0/24 subnet, using a public server to help network
-easytier-core -i 10.144.144.2 -n 10.1.1.0/24 --network-name n2n_test
+easytier-core -i 10.144.144.2 -n 10.1.1.0/24 -p tcp://:11010 --network-name n2n_test
+```
+
+```toml [Config File]
+ipv4 = "10.144.144.2"
+
+[network_identity]
+network_name = "n2n_test"
+network_secret = ""
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+
+[[peer]]
+uri = "tcp://:11010"
```
+
+:::
+
+Save the configuration above as `node-b.toml`, then start it with `easytier-core -c ./node-b.toml`.
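Review bot: both new config tabs set `network_secret = ""`, which documents a network identified only by the name `n2n_test` as the recommended setup for bridging two LANs. Use a placeholder secret in the TOML and add the matching `--network-secret` to the CLI tabs so the two forms stay equivalent. The `uri = "tcp://:11010"` entries also carry the host-less URI from the CLI lines and need the same placeholder.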
diff --git a/en/guide/network/networking-without-public-ip.md b/en/guide/network/networking-without-public-ip.md
index ef24233..9557e83 100644
--- a/en/guide/network/networking-without-public-ip.md
+++ b/en/guide/network/networking-without-public-ip.md
@@ -10,16 +10,50 @@ For example, with two nodes:
Node A executes:
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core -i 10.144.144.1 --network-name abc --network-secret abc -p tcp://:11010
```
+```toml [Config File]
+ipv4 = "10.144.144.1"
+
+[network_identity]
+network_name = "abc"
+network_secret = "abc"
+
+[[peer]]
+uri = "tcp://:11010"
+```
+
+:::
+
+Save the configuration above as `node-a.toml`, then start it with `sudo easytier-core -c ./node-a.toml`.
+
Node B executes:
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --ipv4 10.144.144.2 --network-name abc --network-secret abc -p tcp://:11010
```
+```toml [Config File]
+ipv4 = "10.144.144.2"
+
+[network_identity]
+network_name = "abc"
+network_secret = "abc"
+
+[[peer]]
+uri = "tcp://:11010"
+```
+
+:::
+
+Save the configuration above as `node-b.toml`, then start it with `sudo easytier-core -c ./node-b.toml`.
+
After successful execution, Node A can access Node B via the virtual IP `10.144.144.2`.
`--ipv4 x.x.x.x` can be replaced with `-d` to enable DHCP functionality, allowing EasyTier to automatically allocate the IP address of this node based on other existing virtual IPs within the virtual network.
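Review bot: the new TOML tabs copy `network_secret = "abc"`, which is identical to `network_name`, into a file readers are told to save and run. Replace it with an obvious placeholder and a short remark that the secret should be a long random value distinct from the network name. The `[[peer]]` entries also reproduce `tcp://:11010` without a host from the CLI lines.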
diff --git a/en/guide/network/no-root.md b/en/guide/network/no-root.md
index a255632..4b99560 100644
--- a/en/guide/network/no-root.md
+++ b/en/guide/network/no-root.md
@@ -2,6 +2,21 @@
Since creating a TUN device requires ROOT permissions, EasyTier provides a method that does not rely on TUN for environments where Root permissions cannot be obtained. Simply add the `--no-tun` parameter when starting EasyTier.
+::: code-group
+
+```sh [CLI Flags]
+easytier-core --no-tun
+```
+
+```toml [Config File]
+[flags]
+no_tun = true
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
When using the no TUN mode for networking, nodes can be accessed via virtual IP (TCP, UDP, and ICMP are all supported), and can also act as subnet proxies (using the -n parameter). However, they cannot actively initiate access to other nodes.
To actively access other nodes in no TUN mode, you can use EasyTier's [SOCKS5 server feature](/guide/network/socks5).
diff --git a/en/guide/network/p2p-optimize.md b/en/guide/network/p2p-optimize.md
index ed463d2..0074ef0 100644
--- a/en/guide/network/p2p-optimize.md
+++ b/en/guide/network/p2p-optimize.md
@@ -9,18 +9,42 @@ EasyTier supports P2P communication between nodes via IPv6. By default, EasyTier
In some cases, specifying the listening IPv6 address and port may be more beneficial for P2P communication between nodes.
You can use the `-l` option to configure the IPv6 listener. For example:
-```sh
+::: code-group
+
+```sh [CLI Flags]
easytier-core -l 'tcp://[::]:12345' -l 'udp://[::]:12345'
```
+```toml [Config File]
+listeners = [
+ "tcp://[::]:12345",
+ "udp://[::]:12345",
+]
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
## Specify Public IP and Port
In some cases, the node has a public IP and port, but EasyTier cannot correctly identify them (e.g., NAT host). You can use the `--mapped-listeners` option to configure the public IP and port. For example:
-```sh
+::: code-group
+
+```sh [CLI Flags]
easytier-core --mapped-listeners tcp://8.8.8.8:12345 -l tcp://0.0.0.0:11010
```
+```toml [Config File]
+listeners = ["tcp://0.0.0.0:11010"]
+mapped_listeners = ["tcp://8.8.8.8:12345"]
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
+
This EasyTier instance listens on the local 11010 TCP port, and this port is mapped to the public 12345 port. Other nodes will try to connect to the public 12345 port.
## Disable Internet Assistance Tools
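Review bot: the new `mapped_listeners = ["tcp://8.8.8.8:12345"]` line repeats a real, well-known public address as the sample "public IP" of the node. Prefer an address from a documentation range such as `203.0.113.0/24` in both tabs, so a copied config does not advertise someone else's host as the node's mapped listener.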
diff --git a/en/guide/network/point-to-networking.md b/en/guide/network/point-to-networking.md
index 268d117..9cc3d4f 100644
--- a/en/guide/network/point-to-networking.md
+++ b/en/guide/network/point-to-networking.md
@@ -21,10 +21,23 @@ nodeA <--> nodeB <-.-> id1
The startup parameters for node B's easytier are as follows (add the -n parameter)
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24
```
+```toml [Config File]
+ipv4 = "10.144.144.2"
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
The subnet proxy information will be automatically synchronized to each node in the virtual network, and each node will automatically configure the corresponding routes. Node A can check if the subnet proxy is effective with the following command.
1. Check if the routing information has been synchronized. The proxy_cidrs column shows the proxied subnets.
@@ -46,10 +59,25 @@ The subnet proxy information will be automatically synchronized to each node in
::: warning Note
The -n parameter for subnet proxy can be specified multiple times to proxy multiple subnets; you can also set the mask to 32 to proxy a single IP address.
-```sh
+::: code-group
+
+```sh [CLI Flags]
easytier-core -n 10.1.1.0/24 -n 10.2.0.0/16 -n 10.3.3.3/32
```
+```toml [Config File]
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+
+[[proxy_network]]
+cidr = "10.2.0.0/16"
+
+[[proxy_network]]
+cidr = "10.3.3.3/32"
+```
+
+:::
+
:::
## Firewall
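Review bot: the `::: code-group` added here sits inside the existing `::: warning Note` container and both use three colons, so the first bare `:::` may be taken as the end of the warning rather than of the code group, leaving the second `:::` as stray text. Check the rendered page, and if it breaks, give the outer warning a longer marker or move the code group below the warning.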
@@ -80,10 +108,24 @@ This can simplify networking in most cases, but in some scenarios, users may not
When using `--manual-routes`, only the segments configured with this parameter will enter the virtual network. If the list after this parameter is empty, EasyTier will not handle any traffic for non-virtual network segments. For example:
-```sh
+::: code-group
+
+```sh [CLI Flags]
sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24 --manual-routes 10.1.1.0/24
```
+```toml [Config File]
+ipv4 = "10.144.144.2"
+routes = ["10.1.1.0/24"]
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `sudo easytier-core -c ./config.toml`.
+
`--manual-routes` can be specified multiple times to configure multiple segments, with the same format as the `-n` parameter.
Then only traffic from the 10.1.1.0/24 segment will be handled by the virtual network on this node, and traffic from other segments will not enter the virtual network.
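Review bot: in the config tab the flag `--manual-routes` becomes the key `routes`, and nothing in the text connects the two names. Add a bullet next to the existing `--manual-routes` explanation stating that `routes = [...]` is its config-file form, including what an empty list means, since the prose describes the empty case only for the CLI flag.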
@@ -94,7 +136,9 @@ Assume the following scenario: Both node A and node B have subnets of `192.168.1
The following commands map `192.168.1.0/24` to `10.1.1.0/24` on node A, and `192.168.1.0/24` to `10.2.2.0/24` on node B.
-```sh
+::: code-group
+
+```sh [CLI Flags]
# Run on node A
sudo easytier-core --ipv4 10.144.144.1 -n '192.168.1.0/24->10.1.1.0/24'
@@ -102,6 +146,26 @@ sudo easytier-core --ipv4 10.144.144.1 -n '192.168.1.0/24->10.1.1.0/24'
sudo easytier-core --ipv4 10.144.144.2 -n '192.168.1.0/24->10.2.2.0/24'
```
+```toml [Node A Config File]
+ipv4 = "10.144.144.1"
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+mapped_cidr = "10.1.1.0/24"
+```
+
+```toml [Node B Config File]
+ipv4 = "10.144.144.2"
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+mapped_cidr = "10.2.2.0/24"
+```
+
+:::
+
+Save the configurations for Node A and Node B into separate TOML files, then start them with `sudo easytier-core -c ./node-a.toml` and `sudo easytier-core -c ./node-b.toml`.
+
Other nodes in the virtual network can access the `192.168.1.X` proxied by node A by accessing `10.1.1.X`; and access the `192.168.1.X` proxied by node B by accessing `10.2.2.X`.
::: warning Note
diff --git a/en/guide/network/socks5.md b/en/guide/network/socks5.md
index b5083c6..a68e97f 100644
--- a/en/guide/network/socks5.md
+++ b/en/guide/network/socks5.md
@@ -3,3 +3,17 @@
EasyTier supports creating SOCKS5 servers. Other programs on the node can access the virtual network and other proxy subnets within the virtual network by setting the proxy to EasyTier's SOCKS5 service.
The parameter to enable the SOCKS5 service is `--socks5 12333`. Adding this parameter to the easytier-core startup command will allow the local 12333 port to serve SOCKS5 clients. Currently, the SOCKS5 server does not require username and password authentication and can be used directly.
+
+::: code-group
+
+```sh [CLI Flags]
+easytier-core --socks5 12333
+```
+
+```toml [Config File]
+socks5_proxy = "socks5://0.0.0.0:12333"
+```
+
+:::
+
+Save the configuration above as `config.toml`, then start it with `easytier-core -c ./config.toml`.
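Review bot: the new `socks5_proxy = "socks5://0.0.0.0:12333"` binds the proxy on all interfaces, while the paragraph above describes serving "the local 12333 port" and states that the server has no username or password authentication. Say explicitly whether `--socks5 12333` binds the same address, and if the address in the URI is configurable, show a loopback bind as the default example with a note on when `0.0.0.0` is appropriate.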
diff --git a/en/guide/network/use-easytier-with-wireguard-client.md b/en/guide/network/use-easytier-with-wireguard-client.md
index 811e833..6e8781f 100644
--- a/en/guide/network/use-easytier-with-wireguard-client.md
+++ b/en/guide/network/use-easytier-with-wireguard-client.md
@@ -31,11 +31,25 @@ We need the iPhone to access the EasyTier network through node A, and the config
In the `easytier-core` command on node A, add the `--vpn-portal` parameter to specify the port WireGuard listens on and the subnet used by the WireGuard network.
-```sh
+::: code-group
+
+```sh [CLI Flags]
# The following parameters mean: listen on 0.0.0.0:11013 port, WireGuard uses the 10.14.14.0/24 subnet
sudo easytier-core --ipv4 10.144.144.1 --vpn-portal wg://0.0.0.0:11013/10.14.14.0/24
```
+```toml [Config File]
+ipv4 = "10.144.144.1"
+
+[vpn_portal_config]
+client_cidr = "10.14.14.0/24"
+wireguard_listen = "0.0.0.0:11013"
+```
+
+:::
+
+Save the configuration above as `node-a.toml`, then start it with `sudo easytier-core -c ./node-a.toml`.
+
### 2. Get WireGuard Client Configuration
After `easytier-core` starts successfully, use `easytier-cli` to get the WireGuard client configuration.
diff --git a/en/guide/network/web-console.md b/en/guide/network/web-console.md
index 2d4a21b..d7739e7 100644
--- a/en/guide/network/web-console.md
+++ b/en/guide/network/web-console.md
@@ -16,6 +16,10 @@ sudo ./easytier-core -w
> Please replace `` with the username you registered on the Web Console.
+::: tip Note
+Currently, `config_server` does not take effect through `-c config.toml`, so connecting to the Web Console still needs to be configured through CLI flags.
+:::
+
If the terminal shows messages like "Connection successful" or "Connected to server", it means Easytier Core has successfully connected to the Web Console server.
::: tip Note
@@ -26,6 +30,8 @@ sudo ./easytier-core -w --machine-id abc123
```
Please ensure the machine code is unique and unchanged across all devices. **It is strongly recommended to manually specify the machine code in Docker environments.**
+
+`machine_id` should also be passed through CLI flags here rather than relying on `-c config.toml`.
:::
::: danger Note
@@ -36,6 +42,12 @@ Only one EasyTier process on a machine can be managed by the Web Console. Having
You can specify the hostname displayed on the console using the `--hostname ` parameter.
+The equivalent configuration file syntax is:
+
+```toml
+hostname = "my-hostname"
+```
+
:::
## Using the Web Console
@@ -117,6 +129,10 @@ Previously, we set up the web console locally with the configuration delivery po
./easytier-core -w udp://127.0.0.1:22020/
```
+::: tip Note
+In the self-hosted-console case, `config_server` also needs to be passed through CLI flags; it should not be documented as a working `-c config.toml` setting.
+:::
+
Subsequent usage is the same as the official console.
::: tip Attention
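Review bot: the added tip ends with "it should not be documented as a working `-c config.toml` setting", which is an instruction to documentation authors rather than to the reader. Reword it to the user-facing fact, matching the first tip in this file: `config_server` does not take effect through `-c config.toml`, so pass it with `-w` on the command line. The three notes added to this page repeat the same limitation and could be a single note near the first `-w` example.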
diff --git a/guide/config/acl.md b/guide/config/acl.md
index 31673fe..560ae89 100644
--- a/guide/config/acl.md
+++ b/guide/config/acl.md
@@ -25,13 +25,13 @@
## 🔧 配置详解
-ACL 配置需添加到 Easytier 的配置文件 `config.yaml` 中。
+ACL 配置需添加到 Easytier 的配置文件 `config.toml` 中。
### 1. 定义组与密钥
这是最关键的一步。每个节点需在配置中声明其所属的组,并配置所有相关组的共享密钥。
-```yaml
+```toml
# 本节定义本节点要加入的组(用于生成身份证明)
[acl.acl_v1.group]
members = ["admin", "web-server"] # 本节点身份:既是管理员,也是Web服务器
@@ -65,7 +65,7 @@ group_secret = "guest-secret-key"
规则链决定了如何处理流量。
-```yaml
+```toml
# 定义一个入站链
[[acl.acl_v1.chains]]
name = "my_acl_policy" # 链名称
@@ -81,7 +81,7 @@ default_action = 2 # 默认动作:1(允许) 2(拒绝)
规则是策略的核心,定义在链内部。
-```yaml
+```toml
# 上面定义的链中的规则列表
[[acl.acl_v1.chains.rules]]
name = "allow_admin_rdp"
@@ -121,7 +121,7 @@ stateful = true # 启用连接跟踪
**配置**:
-```yaml
+```toml
[acl.acl_v1.group]
members = ["my-net"] # 所有设备都加入同一个组
@@ -161,7 +161,7 @@ enabled = true
**数据库服务器上的 ACL 规则**:
-```yaml
+```toml
[[acl.acl_v1.chains]]
name = "db_server_policy"
chain_type = 1
@@ -217,4 +217,4 @@ enabled = true
---
-希望这份文档能帮助您更好地理解和使用 Easytier 的 ACL 功能!如有任何问题,欢迎在社区讨论。🎉
\ No newline at end of file
+希望这份文档能帮助您更好地理解和使用 Easytier 的 ACL 功能!如有任何问题,欢迎在社区讨论。🎉
diff --git a/guide/network/config-file.md b/guide/network/config-file.md
index 457b537..b3f795a 100644
--- a/guide/network/config-file.md
+++ b/guide/network/config-file.md
@@ -1,25 +1,27 @@
# 配置文件
-支持使用 -c 参数指定配置文件路径。
+支持使用 `-c` 参数指定 TOML 配置文件路径。
```sh
-easytier-core -c ./config.yaml
+easytier-core -c ./config.toml
```
::: warning 注意
注意:配置文件中的参数可以被命令行覆盖,比如配置文件中指定了 `--hostname abc`,但在命令行中使用 `--hostname xyz`,则会使用命令行中的主机名参数 `xyz`。
:::
-使用参数运行可以获得对应参数的配置文件。配置文件会打印在命令行中,可以手动复制对应配置保存为toml文件即可。
+使用参数运行可以获得对应参数的配置文件。配置文件会打印在命令行中,可以手动复制对应配置保存为 TOML 文件即可。
在不使用参数的情况下直接运行 `easytier-core` 可以获得最小配置文件。
+从本章节中的网络教程页开始,凡是同时提供了命令行和配置文件写法的示例,均默认使用 TOML 作为配置文件格式。
+
## 多配置文件启动
可以通过 `-c` 参数指定多个配置文件,EasyTier 会在一个进程中加载多个配置文件并启动多个虚拟网络。
```sh
-easytier-core -c ./config1.yaml -c ./config2.yaml
+easytier-core -c ./config1.toml -c ./config2.toml
```
diff --git a/guide/network/decentralized-networking.md b/guide/network/decentralized-networking.md
index 61d70a6..af9f084 100644
--- a/guide/network/decentralized-networking.md
+++ b/guide/network/decentralized-networking.md
@@ -23,10 +23,20 @@ nodeA <-----> nodeB
1. 在节点 A 上运行以下命令:
- ```sh
+ ::: code-group
+
+ ```sh [命令行参数]
sudo easytier-core -i 10.144.144.1
```
+ ```toml [配置文件]
+ ipv4 = "10.144.144.1"
+ ```
+
+ :::
+
+ 将上面的配置保存为 `node-a.toml` 后,可通过 `sudo easytier-core -c ./node-a.toml` 启动。
+
- `-i` 指定虚拟网的 IP 地址。
该节点启动后会默认监听以下端口:
@@ -51,10 +61,23 @@ nodeA <-----> nodeB
2. 在节点 B 上运行以下命令:
- ```sh
+ ::: code-group
+
+ ```sh [命令行参数]
sudo easytier-core -d -p udp://22.1.1.1:11010
```
+ ```toml [配置文件]
+ dhcp = true
+
+ [[peer]]
+ uri = "udp://22.1.1.1:11010"
+ ```
+
+ :::
+
+ 将上面的配置保存为 `node-b.toml` 后,可通过 `sudo easytier-core -c ./node-b.toml` 启动。
+
- `-d` 表示 DHCP 模式,自动分配虚拟 IP。
- `-p` 指定节点 A 的公网地址和端口。
@@ -83,10 +106,23 @@ nodeC <-----> nodeA
1. 在节点 C 上运行以下命令:
- ```sh
+ ::: code-group
+
+ ```sh [命令行参数]
sudo easytier-core -d -p udp://22.1.1.1:11010
```
+ ```toml [配置文件]
+ dhcp = true
+
+ [[peer]]
+ uri = "udp://22.1.1.1:11010"
+ ```
+
+ :::
+
+ 将上面的配置保存为 `node-c.toml` 后,可通过 `sudo easytier-core -c ./node-c.toml` 启动。
+
- `-d` 表示 DHCP 模式,自动分配虚拟 IP。
- `-p` 指定节点 A 的公网地址和端口。
diff --git a/guide/network/host-public-server.md b/guide/network/host-public-server.md
index 36a7c76..821cc6d 100644
--- a/guide/network/host-public-server.md
+++ b/guide/network/host-public-server.md
@@ -2,10 +2,20 @@
用户可以使用自己的公网节点自建用于无公网 IP 组网的公共共享节点,方便其他无公网 IP 的用户组网。 需要不带任何参数启动 EasyTier,该节点就可作为公共服务器使用(不需要 root 权限):
-```shell
+::: code-group
+
+```shell [命令行参数]
easytier-core
```
+```toml [配置文件]
+# 空配置即可作为共享节点启动
+```
+
+:::
+
+将空配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
另外 EasyTier 支持共享节点集群。每个虚拟网络(通过相同的网络名称和密钥建链)都可以充当共享节点集群,其他网络的节点可以连接到共享节点集群中的任意节点,无需公共 IP 即可发现彼此。运行自建的公共服务器集群与运行虚拟网络完全相同,不过可以跳过配置 ipv4 地址。
如果你希望为 EasyTier 社区贡献公共服务器,可以联系管理员,我们将告知你如何将你的节点添加到社区共享节点列表中。当然这需要你的节点有一定的带宽和稳定性。
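Review bot: The `[配置文件]` tab contains only a comment, so the reader has nothing concrete to save as `config.toml`. State whether `-c` accepts a zero-byte or comment-only file, or point to the minimal config that running `easytier-core` without arguments prints, so the two tabs are demonstrably equivalent.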
@@ -18,18 +28,45 @@ easytier-core
EasyTier 可以做到不转发其他虚拟网的网络包,而是只帮助他们建立 P2P 链接,只需将白名单置空,并设置仅转发 RPC 流量即可。参考命令为:
-```shell
+::: code-group
+
+```shell [命令行参数]
easytier-core --relay-network-whitelist --relay-all-peer-rpc
```
+```toml [配置文件]
+[flags]
+relay_network_whitelist = ""
+relay_all_peer_rpc = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
## 私有模式
如果你希望 EasyTier 仅在你的虚拟网络中提供服务,而不希望其他虚拟网的节点连接到你的节点,可以使用 `--private-mode true` 参数启动 EasyTier。
-```shell
+::: code-group
+
+```shell [命令行参数]
sudo easytier-core --private-mode true --network-name my-network --network-secret my-secret
```
+```toml [配置文件]
+[network_identity]
+network_name = "my-network"
+network_secret = "my-secret"
+
+[flags]
+private_mode = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
这会仅允许网络名为 `my-network` 且密钥为 `my-secret` 的节点连接到该 EasyTier 节点。
## 配置 systemd 自启动
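Review bot: In the whitelist example, `relay_network_whitelist = ""` needs confirmation that an empty string is parsed as an empty whitelist and not as an unset value. The section exists to stop forwarding packets for other virtual networks, so if the two cases differ the TOML tab would not match the CLI tab; one sentence stating the semantics would settle it. The private-mode tab also writes `network_secret` into `./config.toml`, so the follow-up sentence could mention restricting that file's permissions.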
@@ -46,7 +83,29 @@ LimitNOFILE=1048576
配置好的 service unit 供参考:
-```shell
+::: code-group
+
+```ini [配置文件方式]
+# cat /etc/systemd/system/easytier.service
+
+[Unit]
+Description=EasyTier Service
+After=network.target syslog.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/easytier-core -c /etc/easytier/public-server.toml
+Restart=always
+RestartSec=3
+LimitNOFILE=1048576
+Environment=TOKIO_CONSOLE=1
+
+[Install]
+WantedBy=multi-user.target
+```
+
+```ini [命令行参数方式]
# cat /etc/systemd/system/easytier.service
[Unit]
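Review bot: The new `[配置文件方式]` unit has no `User=` line, so systemd starts it as root, while this page says a public server needs no root privileges (不需要 root 权限). Consider adding a dedicated `User=`/`Group=` and making `/etc/easytier/public-server.toml` readable by that account only. `Environment=TOKIO_CONSOLE=1` is also copied into the new unit; say what it is for or drop it from the sample.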
@@ -56,7 +115,7 @@ Wants=network.target
[Service]
Type=simple
-ExecStart=/usr/local/bin/easytier-core --hostname --network-name --network-secret
+ExecStart=/usr/local/bin/easytier-core --hostname --network-name --network-secret
Restart=always
RestartSec=3
LimitNOFILE=1048576
@@ -66,6 +125,18 @@ Environment=TOKIO_CONSOLE=1
WantedBy=multi-user.target
```
+:::
+
+如果使用配置文件方式,可将 EasyTier 配置保存为 `/etc/easytier/public-server.toml`:
+
+```toml
+hostname = ""
+
+[network_identity]
+network_name = ""
+network_secret = ""
+```
+
## 配置 fail2ban
如您贡献了公共服务器,可能会遇到这样的问题:大量的节点尝试连接到您的服务器,但是无法建立连接
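Review bot: The sample `public-server.toml` sets `hostname`, `network_name` and `network_secret` to `""`, which reads as a literal value instead of a placeholder. Copied verbatim, it configures an empty network secret; use obvious placeholders such as `"<network-secret>"` and say they must be replaced.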
diff --git a/guide/network/install-as-a-systemd-service.md b/guide/network/install-as-a-systemd-service.md
index 35f0992..eac345d 100644
--- a/guide/network/install-as-a-systemd-service.md
+++ b/guide/network/install-as-a-systemd-service.md
@@ -2,9 +2,25 @@
在支持 systemd 的 Linux 发行版中,可以通过以下步骤将服务配置为随系统启动:
-1. 创建新的服务文件 `/etc/systemd/system/easytier.service`,并根据需要修改 `ExecStart` 后面的命令行参数。
+1. 创建新的服务文件 `/etc/systemd/system/easytier.service`。推荐将 EasyTier 的网络配置放到 TOML 文件中;如果你更习惯直接写参数,也可以继续使用命令行方式。
-```shell
+::: code-group
+
+```ini [配置文件方式]
+[Unit]
+Description=EasyTier Service
+After=network.target syslog.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/root/easytier-core -c /etc/easytier/config.toml
+
+[Install]
+WantedBy=multi-user.target
+```
+
+```ini [命令行参数方式]
[Unit]
Description=EasyTier Service
After=network.target syslog.target
@@ -18,6 +34,21 @@ ExecStart=/root/easytier-core --ipv4 x.x.x.x --network-name xxx --network-secret
WantedBy=multi-user.target
```
+:::
+
+如果使用配置文件方式,可将 EasyTier 配置保存为 `/etc/easytier/config.toml`:
+
+```toml
+ipv4 = "x.x.x.x"
+
+[network_identity]
+network_name = "xxx"
+network_secret = "yyy"
+
+[[peer]]
+uri = "tcp://peer_host:11010"
+```
+
2. 保存文件后,在命令行中执行以下命令以启用服务:
```sh
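Review bot: `/etc/easytier/config.toml` now holds `network_secret`, but the steps never set its ownership or mode. Moving the secret out of `ExecStart` only helps if the file is not world-readable, so add a step such as `chmod 600 /etc/easytier/config.toml` (owned by the account the unit runs as) before the service is enabled.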
@@ -31,4 +62,4 @@ systemctl start easytier.service
systemctl stop easytier.service
```
-请注意,使用 `systemctl` 命令替代 `service` 命令是更现代的做法,建议在支持 systemd 的系统中使用。
\ No newline at end of file
+请注意,使用 `systemctl` 命令替代 `service` 命令是更现代的做法,建议在支持 systemd 的系统中使用。
diff --git a/guide/network/kcp-proxy.md b/guide/network/kcp-proxy.md
index ab191f1..8308d71 100644
--- a/guide/network/kcp-proxy.md
+++ b/guide/network/kcp-proxy.md
@@ -32,10 +32,21 @@ graph LR
假设想将 A 节点上的 TCP 流量代理为 KCP 协议,只需要在 A 节点上启动 EasyTier 时指定 `--enable-kcp-proxy` 参数即可。
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --enable-kcp-proxy
```
+```toml [配置文件]
+[flags]
+enable_kcp_proxy = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
- `--enable-kcp-proxy` 启用 KCP 代理功能。
KCP 代理会保证版本兼容性,如果发现对端节点不支持 KCP 代理,会自动切换回 TCP 协议。
@@ -45,10 +56,22 @@ KCP 代理会保证版本兼容性,如果发现对端节点不支持 KCP 代
KCP 代理默认使用内核的网络栈,可能由于系统防火墙设置导致无法正常工作。可以尝试结合 `--use-smoltcp` 参数,切换到用户态网络栈。
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --enable-kcp-proxy --use-smoltcp
```
+```toml [配置文件]
+[flags]
+enable_kcp_proxy = true
+use_smoltcp = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
- `--use-smoltcp` 切换到用户态网络栈。
@@ -58,10 +81,21 @@ sudo easytier-core --enable-kcp-proxy --use-smoltcp
以简介中的例子为例,如果不希望 B 节点接收 KCP 流量,可以在 B 节点上启动 EasyTier 时指定以下命令:
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --disable-kcp-input
```
+```toml [配置文件]
+[flags]
+disable_kcp_input = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
- `--disable-kcp-input` 禁用 KCP 入站流量。
这样即使 A 节点启用了 KCP 代理,A 节点发往 B 节点的流量依然使用 TCP 协议。
@@ -71,10 +105,22 @@ sudo easytier-core --disable-kcp-input
假设节点 A 是路由器,A 下的子网访问 EasyTier 其他节点本身或者其他代理子网时,也可以使用 KCP 代理,但是需要 A 节点使用用户态网络栈即 `--use-smoltcp` 参数。
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --enable-kcp-proxy --use-smoltcp
```
+```toml [配置文件]
+[flags]
+enable_kcp_proxy = true
+use_smoltcp = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
否则仍会使用 TCP 协议。
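Review bot: The code-group and the 启动 sentence are inserted directly before `否则仍会使用 TCP 协议。`, so 否则 now appears to refer to saving `config.toml` instead of to the `--use-smoltcp` requirement. Move that closing sentence up next to the paragraph it qualifies, or reword it to name the condition explicitly.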
@@ -102,16 +148,38 @@ EasyTier v2.3.2 版本引入了 QUIC 代理的支持,原理与 KCP 代理类
QUIC 代理可以通过在链接发起端通过 `--enable-quic-proxy` 参数启用。
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --enable-quic-proxy
```
+```toml [配置文件]
+[flags]
+enable_quic_proxy = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
接收端的 QUIC 代理可以通过 `--disable-quic-input` 参数禁用。
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --disable-quic-input
```
+```toml [配置文件]
+[flags]
+disable_quic_input = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
发送端和接收端可以通过 `easytier-cli proxy` 命令查看 QUIC 代理的链接状态。
```bash
diff --git a/guide/network/magic-dns.md b/guide/network/magic-dns.md
index c4360f3..d3247a4 100644
--- a/guide/network/magic-dns.md
+++ b/guide/network/magic-dns.md
@@ -2,6 +2,21 @@
EasyTier 支持类似 Tailscale 的魔法 DNS 功能,允许用户通过域名访问其他节点,无需记住虚拟 IP 地址。只要在启动时加入 `--accept-dns` 参数即可启用魔法 DNS 功能。
+::: code-group
+
+```sh [命令行参数]
+easytier-core --accept-dns true
+```
+
+```toml [配置文件]
+[flags]
+accept_dns = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
魔法 DNS 默认使用 `100.100.100.101` 作为 DNS 服务器地址,可以 `ping` 该地址测试魔法 DNS 是否成功启用。
假设魔法 DNS 启用成功,节点 A 的主机名为 `node-a`,则其他节点可以通过 `node-a.et.net` 访问节点 A。
diff --git a/guide/network/network-to-network.md b/guide/network/network-to-network.md
index 4c22122..821f581 100644
--- a/guide/network/network-to-network.md
+++ b/guide/network/network-to-network.md
@@ -31,7 +31,9 @@ id2 -.无需 EasyTier 访问对方子网.-> id1
节点 A
-```bash
+::: code-group
+
+```bash [命令行参数]
# 启动 EasyTier 并代理 192.168.1.0/24 网段,并使用公共服务器帮助组网
easytier-core -i 10.144.144.1 -n 192.168.1.0/24 -p tcp://<共享节点IP>:11010 --network-name n2n_test
@@ -41,9 +43,47 @@ iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
```
+```toml [配置文件]
+ipv4 = "10.144.144.1"
+
+[network_identity]
+network_name = "n2n_test"
+network_secret = ""
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+
+[[peer]]
+uri = "tcp://<共享节点IP>:11010"
+```
+
+:::
+
+将上面的 EasyTier 配置保存为 `node-a.toml` 后,可通过 `easytier-core -c ./node-a.toml` 启动;`sysctl` 和 `iptables` 命令仍需单独执行。
+
节点 B
-```bash
+::: code-group
+
+```bash [命令行参数]
# 启动 EasyTier 并代理 10.1.1.0/24 网段,并使用公共服务器帮助组网
easytier-core -i 10.144.144.2 -n 10.1.1.0/24 -p tcp://<共享节点IP>:11010 --network-name n2n_test
```
+
+```toml [配置文件]
+ipv4 = "10.144.144.2"
+
+[network_identity]
+network_name = "n2n_test"
+network_secret = ""
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+
+[[peer]]
+uri = "tcp://<共享节点IP>:11010"
+```
+
+:::
+
+将上面的配置保存为 `node-b.toml` 后,可通过 `easytier-core -c ./node-b.toml` 启动。
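Review bot: Both TOML tabs add `network_secret = ""` although the CLI tabs pass only `--network-name n2n_test`, and both nodes peer through a shared node. Confirm that the explicit empty string is equivalent to omitting the flag, and consider showing a non-empty placeholder secret in both tabs, since the host-public-server page in this patch describes networks as matched by name and secret.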
diff --git a/guide/network/networking-without-public-ip.md b/guide/network/networking-without-public-ip.md
index d92398a..4368715 100644
--- a/guide/network/networking-without-public-ip.md
+++ b/guide/network/networking-without-public-ip.md
@@ -8,16 +8,50 @@ EasyTier 支持共享公网节点进行组网。目前已部署共享的公网
以双节点为例,节点 A 执行:
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core -i 10.144.144.1 --network-name abc --network-secret abc -p tcp://<共享节点IP>:11010
```
+```toml [配置文件]
+ipv4 = "10.144.144.1"
+
+[network_identity]
+network_name = "abc"
+network_secret = "abc"
+
+[[peer]]
+uri = "tcp://<共享节点IP>:11010"
+```
+
+:::
+
+将上面的配置保存为 `node-a.toml` 后,可通过 `sudo easytier-core -c ./node-a.toml` 启动。
+
节点 B 执行
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --ipv4 10.144.144.2 --network-name abc --network-secret abc -p tcp://<共享节点IP>:11010
```
+```toml [配置文件]
+ipv4 = "10.144.144.2"
+
+[network_identity]
+network_name = "abc"
+network_secret = "abc"
+
+[[peer]]
+uri = "tcp://<共享节点IP>:11010"
+```
+
+:::
+
+将上面的配置保存为 `node-b.toml` 后,可通过 `sudo easytier-core -c ./node-b.toml` 启动。
+
命令执行成功后,节点 A 即可通过虚拟 IP 10.144.144.2 访问节点 B。
`--ipv4 x.x.x.x` 可以替换为 `-d` 开启 DHCP 功能,由 EasyTier 根据虚拟网内已经存在的其他虚拟 IP 自动的分配本节点的 IP 地址。
diff --git a/guide/network/no-root.md b/guide/network/no-root.md
index ab7c1ee..71e2331 100644
--- a/guide/network/no-root.md
+++ b/guide/network/no-root.md
@@ -2,6 +2,21 @@
由于创建 TUN 设备需要 ROOT 权限,对于一些无法获取 Root 权限的环境,EasyTier 也提供了不依赖 TUN 的使用方法。只需在启动 EasyTier 时,增加 `--no-tun` 参数即可。
+::: code-group
+
+```sh [命令行参数]
+easytier-core --no-tun
+```
+
+```toml [配置文件]
+[flags]
+no_tun = true
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
使用无 TUN 模式组网时,节点可以通过虚拟 IP 被访问(TCP、UDP 和 ICMP 都支持),也可以做子网代理(使用 -n 参数)。但是无法主动发起对其他节点的访问。
为了在无 TUN 模式下主动访问其他节点,可使用 EasyTier 的 [SOCKS5 服务器功能](/guide/network/socks5)。
diff --git a/guide/network/p2p-optimize.md b/guide/network/p2p-optimize.md
index 84e9a0e..017d0f4 100644
--- a/guide/network/p2p-optimize.md
+++ b/guide/network/p2p-optimize.md
@@ -10,10 +10,23 @@ EasyTier 支持节点间通过 IPv4 和 IPv6 进行 P2P 通信,默认情况下
也可以手动配置仅监听 IPv6 地址。 例如:
-```sh
+::: code-group
+
+```sh [命令行参数]
easytier-core -l 'tcp://[::]:12345' -l 'udp://[::]:12345'
```
+```toml [配置文件]
+listeners = [
+ "tcp://[::]:12345",
+ "udp://[::]:12345",
+]
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
如果您的节点都拥有公网 IPv6 地址,并且可以入站(即被外网访问),就可以通过监听地址+默认监听端口(11010)来建立 P2P 连接。
如果您的节点都拥有公网 IPv6 地址,但不可入站(即不能被外网访问),可以利用 Easytier(版本2.3.0以上) 的 IPv6 打洞功能进行 P2P 连接,默认情况下开启此功能。
@@ -60,10 +73,21 @@ IPv6 在开启 NAT66 功能后和 IPv4 NAT44 功能一样,也分为以上类
某些情况下,节点拥有公网的 IP 和 端口,但 EasyTier 无法正确识别 (比如 NAT 主机),可以使用 `--mapped-listeners` 配置公网 IP 和端口。 例如:
-```sh
+::: code-group
+
+```sh [命令行参数]
easytier-core --mapped-listeners tcp://8.8.8.8:12345 -l tcp://0.0.0.0:11010
```
+```toml [配置文件]
+listeners = ["tcp://0.0.0.0:11010"]
+mapped_listeners = ["tcp://8.8.8.8:12345"]
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
+
该 EasyTier 实例监听本地的 11010 TCP 端口,且该端口被映射到公网的 12345 端口。其他节点会尝试连接到公网的 12345 端口。
## 关闭上网辅助工具
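Review bot: `mapped_listeners = ["tcp://8.8.8.8:12345"]` repeats a real public address (Google Public DNS) as the example mapped IP. Since the line is being added anyway, using a documentation address from 203.0.113.0/24 in both tabs keeps readers from pointing peers at a third party's host.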
diff --git a/guide/network/point-to-networking.md b/guide/network/point-to-networking.md
index 9a9c0c4..2e77335 100644
--- a/guide/network/point-to-networking.md
+++ b/guide/network/point-to-networking.md
@@ -21,10 +21,23 @@ nodeA <--> nodeB <-.-> id1
则节点 B 的 easytier 启动参数为(新增 -n 参数)
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24
```
+```toml [配置文件]
+ipv4 = "10.144.144.2"
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
子网代理信息会自动同步到虚拟网络的每个节点,各个节点会自动配置相应的路由,节点 A 可以通过如下命令检查子网代理是否生效。
1. 检查路由信息是否已经同步,proxy_cidrs 列展示了被代理的子网。
@@ -50,6 +63,17 @@ sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24
easytier-core -n 10.1.1.0/24 -n 10.2.0.0/16 -n 10.3.3.3/32
```
+```toml
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+
+[[proxy_network]]
+cidr = "10.2.0.0/16"
+
+[[proxy_network]]
+cidr = "10.3.3.3/32"
+```
+
:::
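Review bot: The added `toml` block has no tab label, unlike the other config blocks in this patch (`[配置文件]`), although it sits inside a `::: code-group`. Add the label so the tab renders with a name, and consider adding the same "save as `config.toml`" sentence used elsewhere for consistency.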
@@ -81,10 +105,24 @@ easytier-core -n 10.1.1.0/24 -n 10.2.0.0/16 -n 10.3.3.3/32
使用 `--manual-routes` 后,只有该参数配置的网段才会进入虚拟网,如果该参数后的列表为空,则 EasyTier 不会处理任何非虚拟网网段的流量。例如:
-```sh
+::: code-group
+
+```sh [命令行参数]
sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24 --manual-routes 10.1.1.0/24
```
+```toml [配置文件]
+ipv4 = "10.144.144.2"
+routes = ["10.1.1.0/24"]
+
+[[proxy_network]]
+cidr = "10.1.1.0/24"
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `sudo easytier-core -c ./config.toml` 启动。
+
`--manual-routes` 可以多次指定,来配置多个网段,格式与 `-n` 参数相同。
则该节点上仅会将 10.1.1.0/24 网段的流量交由虚拟网处理,其他网段的流量不会进入虚拟网。
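Review bot: The TOML tab maps `--manual-routes` to a key named `routes`, but the surrounding text only explains the flag. Add a sentence naming the key, showing that several CIDRs go in one array, and stating whether `routes = []` and omitting the key behave differently, because the text says an empty list makes EasyTier handle no non-virtual-network traffic.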
@@ -95,7 +133,9 @@ sudo easytier-core --ipv4 10.144.144.2 -n 10.1.1.0/24 --manual-routes 10.1.1.0/2
以下命令 A 节点将 `192.168.1.0/24` 映射到 `10.1.1.0/24`,B 节点将 `192.168.1.0/24` 映射到 `10.2.2.0/24`。
-```sh
+::: code-group
+
+```sh [命令行参数]
# 在节点 A 上运行
sudo easytier-core --ipv4 10.144.144.1 -n '192.168.1.0/24->10.1.1.0/24'
@@ -103,6 +143,26 @@ sudo easytier-core --ipv4 10.144.144.1 -n '192.168.1.0/24->10.1.1.0/24'
sudo easytier-core --ipv4 10.144.144.2 -n '192.168.1.0/24->10.2.2.0/24'
```
+```toml [节点 A 配置文件]
+ipv4 = "10.144.144.1"
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+mapped_cidr = "10.1.1.0/24"
+```
+
+```toml [节点 B 配置文件]
+ipv4 = "10.144.144.2"
+
+[[proxy_network]]
+cidr = "192.168.1.0/24"
+mapped_cidr = "10.2.2.0/24"
+```
+
+:::
+
+将节点 A 和节点 B 的配置分别保存为不同的 TOML 文件,再使用 `sudo easytier-core -c ./node-a.toml` 和 `sudo easytier-core -c ./node-b.toml` 启动。
+
虚拟网内其他节点,可以通过访问 `10.1.1.X` 来访问 A 节点代理的 `192.168.1.X`;通过访问 `10.2.2.X` 来访问 B 节点代理的 `192.168.1.X`。
::: warning 注意
diff --git a/guide/network/socks5.md b/guide/network/socks5.md
index d3de6ab..5515b83 100644
--- a/guide/network/socks5.md
+++ b/guide/network/socks5.md
@@ -3,3 +3,17 @@
EasyTier 支持创建 SOCKS5 服务器,节点上的其他程序可以通过将代理设置为 EasyTier 的 SOCKS5 服务,即可访问虚拟网和虚拟网中的其他代理子网。
SOCKS5 服务的开启参数形为 `--socks5 12333`,将此参数加入 easytier-core 启动命令后,本机的 12333 端口即可服务于 SOCKS5 客户端。目前 SOCKS5 服务端无需用户名和密码验证,可直接使用。
+
+::: code-group
+
+```sh [命令行参数]
+easytier-core --socks5 12333
+```
+
+```toml [配置文件]
+socks5_proxy = "socks5://0.0.0.0:12333"
+```
+
+:::
+
+将上面的配置保存为 `config.toml` 后,可通过 `easytier-core -c ./config.toml` 启动。
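Review bot: The TOML tab binds `socks5://0.0.0.0:12333`, while the text describes the proxy as serving other programs on the same node and says it requires no username or password. Confirm that `--socks5 12333` really listens on all interfaces; if local use is the intent, show `socks5://127.0.0.1:12333`, or add a note that the `0.0.0.0` form exposes an unauthenticated proxy on every network the host is attached to.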
diff --git a/guide/network/use-easytier-with-wireguard-client.md b/guide/network/use-easytier-with-wireguard-client.md
index 13111b9..5e21697 100644
--- a/guide/network/use-easytier-with-wireguard-client.md
+++ b/guide/network/use-easytier-with-wireguard-client.md
@@ -31,11 +31,25 @@ ios <-.-> nodea <--> nodeb <-.-> id1
在节点 A 的 `easytier-core` 命令中,加入 `--vpn-portal` 参数,指定 WireGuard 服务监听的端口,以及 WireGuard 网络使用的网段。
-```sh
+::: code-group
+
+```sh [命令行参数]
# 以下参数的含义为:监听 0.0.0.0:11013 端口,WireGuard 使用 10.14.14.0/24 网段
sudo easytier-core --ipv4 10.144.144.1 --vpn-portal wg://0.0.0.0:11013/10.14.14.0/24
```
+```toml [配置文件]
+ipv4 = "10.144.144.1"
+
+[vpn_portal_config]
+client_cidr = "10.14.14.0/24"
+wireguard_listen = "0.0.0.0:11013"
+```
+
+:::
+
+将上面的配置保存为 `node-a.toml` 后,可通过 `sudo easytier-core -c ./node-a.toml` 启动。
+
### 2. 获取 WireGuard 客户端配置
`easytier-core` 启动成功后,使用 `easytier-cli` 获取 WireGuard 客户端的配置。
diff --git a/guide/network/web-console.md b/guide/network/web-console.md
index fe27110..dda2a2b 100644
--- a/guide/network/web-console.md
+++ b/guide/network/web-console.md
@@ -16,6 +16,10 @@ sudo ./easytier-core -w <你的用户名>
> 请将 `<你的用户名>` 替换为你在 Web 控制台注册的用户名。
+::: tip 提示
+当前 `config_server` 不会通过 `-c config.toml` 生效,因此接入 Web 控制台时仍需通过命令行参数传入。
+:::
+
如果终端出现类似 “连接成功” 或 “已连接服务器” 的提示,则表示 Easytier Core 已成功连接到 Web 控制台的服务器。
::: tip 提示
@@ -26,6 +30,8 @@ sudo ./easytier-core -w <你的用户名> --machine-id abc123
```
请确保机器码在所有设备中唯一且不变。 **强烈建议 Docker 环境下手动指定机器码。**
+
+当前 `machine_id` 也应通过命令行参数传入,不要依赖 `-c config.toml` 中的配置。
:::
::: danger 注意
@@ -36,6 +42,12 @@ sudo ./easytier-core -w <你的用户名> --machine-id abc123
可以通过 `--hostname <自定义主机名>` 参数指定控制台上显示的主机名。
+对应的配置文件写法为:
+
+```toml
+hostname = "my-hostname"
+```
+
:::
## 使用 Web 控制台
@@ -117,6 +129,10 @@ EasyTier的web控制台有2个版本
./easytier-core -w udp://127.0.0.1:22020/<你在自建web控制台上的用户名>
```
+::: tip 提示
+自建控制台场景下的 `config_server` 同样需要通过命令行参数传入,当前不能依赖 `-c config.toml` 中的配置。
+:::
+
接下来的用法就和官方控制台一样了。
::: tip 注意