fix error loading image in log

2025-10-07 00:05:30 +02:00

5.5 KiB

Raw Permalink Blame History

Paw Dance

paws to paws, a stealth‑grade, post‑quantum SSH VPN

Pawdance is a tool that uses OpenSSH you already trust into a fully working Layer‑3 VPN.

Pawdance can also fuction as transparent vpn if needed. Good for prodcution, when accsess to server is required and its network. why use third party vpns if you have ssh?

No fixed packet signature, but strong censorship resistance

WireGuard and SSTP send a recognisable first‑flight; OpenVPN’s TLS ClientHello can be fingerprinted.
SSH randomises its initial IV and padding, so every session’s first packet length is different, defeating simple length‑based fingerprints.

Stealthy

http://witch.valdikss.org.ru/ test detected as internet modem.

Important one‑time step on the server

OpenSSH must be told to allow tunnel devices.
Edit the daemon config manually and restart the service:

sudo vim /etc/ssh/sshd_config         
# ──────────────────────────────────────────────
PermitTunnel yes                         # add this line (or PermitTunnel point-to-point)
# ──────────────────────────────────────────────

sudo systemctl restart sshd

Installation client and server

# run installer on each side
sudo bash install.sh

The installer simply copies pawdance into /usr/local/bin/

1 – Prepare the client

# generate a template
pawdance make-config --role client -o pawdance-client.conf

# edit it
vim pawdance-client.conf

Example client config:

# ---------------------------------------------------------------------------
# pawdance
# ---------------------------------------------------------------------------
ROLE="client"              # client or server

CONNECT_MODE="auto"         # dns|ip|auto
REMOTE_HOST="vpn.example.com"   # used when dns/auto
# REMOTE_CONNECT_IP4="203.0.113.42"   # used when ip/auto with no REMOTE_HOST.
# REMOTE_CONNECT_IP6="2001:db8::42"
CONNECT_PREFER="auto"       # auto|ipv4|ipv6

# --- SSH authentication -----------------------------------------------------
REMOTE_USER="youruser"
SSH_KEY_MODE="false"        # true = pass explicit key; false = default chain
SSH_KEY="/home/alice/.ssh/id_ed25519" # only if SSH_KEY_MODE=true

# --- Tunnel parameters ------------------------------------------------------
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.2/24"
REMOTE_IP4="10.0.1.1"
LOCAL_IP6="2001:db8:1::2/64"
REMOTE_IP6="2001:db8:1::1"
MTU="1500"

# --- Crypto preferences -----------------------------------------
SSH_KEX="mlkem768x25519-sha256"
SSH_CIPHERS="chacha20-poly1305@openssh.com"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# use remote server as vpn for all traffic.
# if set to false, vpn becomes transparent.
DEFAULT_ROUTE_IPV4="true"
DEFAULT_ROUTE_IPV6="true"

2 – Prepare the server

pawdance make-config --role server -o srv-config.conf
vim srv-config.conf

Example server config:

# ---------------------------------------------------------------------------
# pawdance
# ---------------------------------------------------------------------------
ROLE="server"

# --- Tunnel parameters ------------------------------------------------------
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.1/24"
LOCAL_IP6="2001:db8:1::1/64"
MTU="1500"

# allow clients to accsess networks on the server?
VPN_FORWARD="true"  # iptables/ip6tables FORWARD rules

#keep this to true. It is required for the tunnel to work.
# this enables net.ipv4.ip_forward + net.ipv6.conf.all.forwarding
IP_FORWARD="true"

3 – Bring the tunnel up

On the server

sudo pawdance up --config srv-config.conf

server is now ready. client can connect.

On the client

sudo pawdance up --config pawdance-client.conf

First run may prompt for:

“Are you sure you want to continue connecting (yes/no)?”
SSH password or pass‑phrase (unless key‑based auth already set up)

Once authenticated:

ip addr show tun1          # should list 10.0.1.2/24
ping 10.0.1.1              # ping the server’s tunnel IP
curl ifconfig.me           # should show the VPS public IP if default routed

4 – Tear down

# either side:
sudo pawdance down --config <your‑config>.conf

This removes:

per‑family default routes
passthrough routes to the SSH endpoint
the TUN interface
any iptables/ip6tables FORWARD rules added by Pawdance

(Kernel forwarding sysctls remain as you set them.) useful if script was terminated forcefully. Or you wanna remove tun from server.

Why Pawdance is stealthier than “normal” VPNs

Looks like vanilla SSH — no OpenVPN/WireGuard/IPsec signatures.
Randomised first‑packet length — SSH padding defeats length‑marker DPI.
Nothing new listening — only your hardened sshd.
PQ‑safe handshake — same post‑quantum KEX most modern OpenSSH clients now use.

5.5 KiB Raw Permalink Blame History Unescape Escape