Update README.md

2025-07-25 12:44:29 +02:00 · 2025-07-25 12:44:29 +02:00 · c2e0d0b71e
commit c2e0d0b71e
parent ed15229d09
1 changed files with 191 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -6,6 +6,196 @@
 <h1 align="left">Paw Dance</h1>
 <p align="left">Hello World!!</p>
 ###
 <p align="left">a stealth‑grade, post‑quantum SSH VPN</p>
 ###
 <p align="left">Pawdance is a tool that uses OpenSSH you already trust into a fully working Layer‑3 VPN.</p>
 <p align="left">Pawdance can also fuction as transparent vpn if needed. Good for prodcution, when accsess to server is required and its network. why use third party vpns if you have ssh?</p>
 ###
 <h4 align="left">No fixed packet signature, and censorship resistance</h4>
 ###
 <p align="left">WireGuard and SSTP send a recognisable first‑flight; OpenVPN’s TLS ClientHello can be fingerprinted.<br>SSH randomises its initial IV and padding, so every session’s first packet length is different, defeating simple length‑based fingerprints.</p>
 ###
 <h4 align="left">Stealthy</h4>
 ###
 <p align="left">http://witch.valdikss.org.ru/ test detected as internet modem.</p>
 ###
 <div align="left">
  <img height="400" src="https://cloud.protogen.engineering/public.php/dav/files/CFCC6qL2JR2jfNY"  />
 </div>
 ###
 ## Important one‑time step on the server
 OpenSSH must be told to allow tunnel devices.  
 Edit the daemon config **manually** and restart the service:
 ```bash
 sudo vim /etc/ssh/sshd_config         
 # ──────────────────────────────────────────────
 PermitTunnel yes                         # add this line (or PermitTunnel point-to-point)
 # ──────────────────────────────────────────────
 sudo systemctl restart sshd
 ```
 ## Installation client and server
 ```bash
 # run installer on each side
 sudo bash install.sh
 ```
 The installer simply copies `pawdance` into `/usr/local/bin/`
 ## 1 – Prepare the client
 ```bash
 # generate a template
 pawdance make-config --role client -o pawdance-client.conf
 # edit it
 vim pawdance-client.conf
 ```
 Example **client** config:
 ```bash
 # pawdance client example config
 ROLE="client"
 # How to reach the server
 CONNECT_MODE="dns"           # dns | ip | auto
 REMOTE_HOST="vps.your.domain"
 # REMOTE_CONNECT_IP4="203.0.113.42"
 # REMOTE_CONNECT_IP6="2001:db8::42"
 CONNECT_PREFER="ipv4"         # auto | ipv4 | ipv6
 REMOTE_USER="stinky"
 # Tunnel interface
 TUN_INDEX="1"
 TUN_DEV="tun${TUN_INDEX}"
 LOCAL_IP4="10.0.1.2/24"
 REMOTE_IP4="10.0.1.1"
 LOCAL_IP6="2001:db8:1::2/64"
 REMOTE_IP6="2001:db8:1::1"
 MTU="1500"
 # Optional: post‑quantum crypto overrides
 SSH_KEX="mlkem768x25519-sha256"
 SSH_CIPHERS="chacha20-poly1305@openssh.com"
 SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
 # Push whole‑internet routes through the tunnel?
 DEFAULT_ROUTE_IPV4="true"
 DEFAULT_ROUTE_IPV6="true"
 ```
 ---
 ## 2 – Prepare the server
 ```bash
 pawdance make-config --role server -o srv-config.conf
 vim srv-config.conf
 ```
 Example **server** config:
 ```bash
 ROLE="server"
 TUN_INDEX="1"
 TUN_DEV="tun${TUN_INDEX}"
 LOCAL_IP4="10.0.1.1/24"
 LOCAL_IP6="2001:db8:1::1/64"
 MTU="1500"
 # allow VPN clients to access other networks?
 VPN_FORWARD="true"   # adds iptables/ip6tables FORWARD rules
 # keep this true (required for routing)
 IP_FORWARD="true"    # sets net.ipv4.ip_forward + net.ipv6.conf.all.forwarding
 ```
 ---
 ## 3 – Bring the tunnel up
 ### On the server
 ```bash
 sudo pawdance up --config srv-config.conf
 ```
 server is now ready. client can connect.
 ### On the client
 ```bash
 sudo pawdance up --config pawdance-client.conf
 ```
 First run may prompt for:
 * *“Are you sure you want to continue connecting (yes/no)?”*  
 * SSH password or pass‑phrase (unless key‑based auth already set up)
 Once authenticated:
 ```bash
 ip addr show tun1          # should list 10.0.1.2/24
 ping 10.0.1.1              # ping the server’s tunnel IP
 curl ifconfig.me           # should show the VPS public IP if default routed
 ```
 ---
 ## 4 – Tear down
 ```bash
 # either side:
 sudo pawdance down --config <your‑config>.conf
 ```
 This removes:
 * per‑family default routes  
 * passthrough routes to the SSH endpoint  
 * the TUN interface  
 * any iptables/ip6tables **FORWARD** rules added by Pawdance  
 (Kernel forwarding sysctls remain as you set them.)
 ---
 ### Why Pawdance is stealthier than “normal” VPNs
 1. **Looks like vanilla SSH** — no OpenVPN/WireGuard/IPsec signatures. 
 3. **Randomised first‑packet length** — SSH padding defeats length‑marker DPI.  
 4. **Nothing new listening** — only your hardened sshd.  
 5. **PQ‑safe handshake** — same post‑quantum KEX most modern OpenSSH clients now use.
 ---