# Paw Dance

### a stealth-grade, post-quantum SSH VPN

Pawdance turns the OpenSSH you already trust into a fully working Layer-3 VPN.

Pawdance can also function as a transparent VPN if needed. This is useful in production, when access to a server and its network is required. Why use third-party VPNs if you already have SSH?

### No fixed packet signature, and censorship resistance

WireGuard and SSTP send a recognisable first‑flight; OpenVPN’s TLS ClientHello can be fingerprinted.
SSH randomises its initial IV and padding, so every session’s first packet length is different, defeating simple length‑based fingerprints.

### Stealthy

The http://witch.valdikss.org.ru/ fingerprinting test detected the Pawdance connection as a plain internet modem.

## Important one-time step on the server

OpenSSH must be told to allow tunnel devices. Edit the daemon config **manually** and restart the service:

```bash
sudo vim /etc/ssh/sshd_config
# ──────────────────────────────────────────────
PermitTunnel yes    # add this line (or PermitTunnel point-to-point)
# ──────────────────────────────────────────────
sudo systemctl restart sshd
```

## Installation client and server

```bash
# run installer on each side
sudo bash install.sh
```

The installer simply copies `pawdance` into `/usr/local/bin/`.

## 1 – Prepare the client

```bash
# generate a template
pawdance make-config --role client -o pawdance-client.conf
# edit it
vim pawdance-client.conf
```

Example **client** config:

```bash
# pawdance client example config
ROLE="client"

# How to reach the server
CONNECT_MODE="dns"              # dns | ip | auto
REMOTE_HOST="vps.your.domain"
# REMOTE_CONNECT_IP4="203.0.113.42"
# REMOTE_CONNECT_IP6="2001:db8::42"
CONNECT_PREFER="ipv4"           # auto | ipv4 | ipv6
REMOTE_USER="stinky"

# Tunnel interface
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.2/24"
REMOTE_IP4="10.0.1.1"
LOCAL_IP6="2001:db8:1::2/64"
REMOTE_IP6="2001:db8:1::1"
MTU="1500"

# Optional: post-quantum crypto overrides
SSH_KEX="mlkem768x25519-sha256"
SSH_CIPHERS="chacha20-poly1305@openssh.com"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# Push whole-internet routes through the tunnel?
DEFAULT_ROUTE_IPV4="true"
DEFAULT_ROUTE_IPV6="true"
```

---

## 2 – Prepare the server

```bash
pawdance make-config --role server -o srv-config.conf
vim srv-config.conf
```

Example **server** config:

```bash
ROLE="server"

TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.1/24"
LOCAL_IP6="2001:db8:1::1/64"
MTU="1500"

# allow VPN clients to access other networks?
VPN_FORWARD="true"   # adds iptables/ip6tables FORWARD rules

# keep this true (required for routing)
IP_FORWARD="true"    # sets net.ipv4.ip_forward + net.ipv6.conf.all.forwarding
```

---

## 3 – Bring the tunnel up

### On the server

```bash
sudo pawdance up --config srv-config.conf
```

The server is now ready; the client can connect.

### On the client

```bash
sudo pawdance up --config pawdance-client.conf
```

First run may prompt for:

* *"Are you sure you want to continue connecting (yes/no)?"*
* SSH password or pass-phrase (unless key-based auth is already set up)

Once authenticated:

```bash
ip addr show tun1   # should list 10.0.1.2/24
ping 10.0.1.1       # ping the server's tunnel IP
curl ifconfig.me    # should show the VPS public IP if default routed
```

---

## 4 – Tear down

```bash
# either side, using the same config file passed to "up":
sudo pawdance down --config <file>.conf
```

This removes:

* per-family default routes
* passthrough routes to the SSH endpoint
* the TUN interface
* any iptables/ip6tables **FORWARD** rules added by Pawdance

(Kernel forwarding sysctls remain as you set them.)

---

### Why Pawdance is stealthier than "normal" VPNs

1. **Looks like vanilla SSH** — no OpenVPN/WireGuard/IPsec signatures.
2. **Randomised first-packet length** — SSH padding defeats length-marker DPI.
3. **Nothing new listening** — only your hardened sshd.
4. **PQ-safe handshake** — same post-quantum KEX most modern OpenSSH clients now use.

---
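After `pawdance up` with default routing enabled, the client's routing table must have the default route on the tunnel and a passthrough host route for the SSH endpoint on the physical interface; if the passthrough route is missing, the SSH transport itself is routed into the tunnel it carries. The check below is an added example, not part of Pawdance: it parses `ip -4 route show` output and assumes the README's sample values (`tun1`, server reached at 203.0.113.42) plus constructed route tables.

```shell
#!/usr/bin/env bash
# Post-"pawdance up" route sanity check (added example, not part of Pawdance).
# Assumes the README's client values: TUN_DEV=tun1 and the server reached at
# REMOTE_CONNECT_IP4=203.0.113.42. Input is the text of `ip -4 route show`.

# check_routes <ssh_endpoint_ip> <tun_dev> <route_table_text>
# Returns 0 only when the default route leaves via the tunnel device AND the
# SSH endpoint has a host route via some other device. A missing host route or
# one pointing at the tunnel is a routing loop (the SSH transport would be sent
# into the tunnel it carries); a default route elsewhere means traffic leaks.
check_routes() {
  local ep="$1" dev="$2" table="$3" default_dev ep_dev
  # device carrying the default route
  default_dev=$(printf '%s\n' "$table" | awk '$1=="default" {
      for (i=1; i<=NF; i++) if ($i=="dev") { print $(i+1); exit } }')
  # device carrying the host route to the SSH endpoint (ip prints no /32)
  ep_dev=$(printf '%s\n' "$table" | awk -v h="$ep" '$1==h || $1==h"/32" {
      for (i=1; i<=NF; i++) if ($i=="dev") { print $(i+1); exit } }')
  if [ "$default_dev" != "$dev" ]; then
    echo "FAIL: default route via '${default_dev:-none}', expected $dev (leak)" >&2
    return 1
  fi
  if [ -z "$ep_dev" ] || [ "$ep_dev" = "$dev" ]; then
    echo "FAIL: SSH endpoint $ep not pinned to a physical interface (loop)" >&2
    return 1
  fi
  echo "OK: default via $dev, endpoint $ep pinned to $ep_dev"
}

# Constructed sample tables (not real captures); physical NIC eth0 on 192.0.2.10.
GOOD_TABLE='default via 10.0.1.1 dev tun1
10.0.1.0/24 dev tun1 proto kernel scope link src 10.0.1.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
203.0.113.42 via 192.0.2.1 dev eth0'
# default route never moved onto the tunnel: traffic bypasses the VPN
LEAK_TABLE='default via 192.0.2.1 dev eth0
10.0.1.0/24 dev tun1 proto kernel scope link src 10.0.1.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
# passthrough route missing: the endpoint would be reached via tun1 itself
LOOP_TABLE='default via 10.0.1.1 dev tun1
10.0.1.0/24 dev tun1 proto kernel scope link src 10.0.1.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# Live use on a client (after sourcing the client config):
#   check_routes "$REMOTE_CONNECT_IP4" "$TUN_DEV" "$(ip -4 route show)"
```

Run the same check after `pawdance down`: it should then fail with the "leak" message, confirming the default route was restored to the physical interface.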