pawdance/README.md
2025-07-25 17:15:10 +02:00


<img align="right" height="216" src="https://cloud.protogen.engineering/public.php/dav/files/6PPN3gmR75Ccqmc/" />
<br clear="bottom">
<br clear="bottom">
<br clear="bottom">
<h1 align="left">Paw Dance</h1>
###
<p align="left">paws to paws, a stealth-grade, post-quantum SSH VPN</p>
###
<p align="left">Pawdance is a tool that turns the OpenSSH you already trust into a fully working Layer 3 VPN.</p>
<p align="left">Pawdance can also function as a transparent VPN if needed. Good for production, when access to a server and its network is required. Why use third-party VPNs if you have SSH?</p>
###
<h4 align="left">No fixed packet signature, but strong censorship resistance</h4>
###
<p align="left">WireGuard and SSTP send a recognisable first flight; OpenVPN's TLS ClientHello can be fingerprinted.<br>SSH randomises its initial IV and padding, so every session's first packet length is different, defeating simple length-based fingerprints.</p>
###
<h4 align="left">Stealthy</h4>
###
<p align="left">The http://witch.valdikss.org.ru/ test detected the connection as an internet modem.</p>
###
<div align="left">
<img height="400" src="https://cloud.protogen.engineering/public.php/dav/files/CFCC6qL2JR2jfNY" />
</div>
###
## Important one-time step on the server
OpenSSH must be told to allow tunnel devices.
Edit the daemon config **manually** and restart the service:
```bash
sudo vim /etc/ssh/sshd_config
# add this line (or "PermitTunnel point-to-point", which allows only layer-3 tun devices):
#   PermitTunnel yes
sudo systemctl restart sshd
```
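An added check, not part of pawdance, for confirming which `PermitTunnel` value sshd will actually apply: sshd_config is first-match-wins, so a `PermitTunnel yes` appended below an earlier `PermitTunnel no` changes nothing, and a value inside a `Match` block only applies to the sessions that block matches. The config text below is constructed; on a real host, feed in the output of `sudo sshd -T`, which prints the effective directives.

```shell
#!/bin/sh
# Added check (not pawdance's own code): report the PermitTunnel value that
# sshd will apply. SAMPLE_CFG is a constructed sshd_config; on a real host
# pass the output of `sudo sshd -T` instead.

# $1 = sshd_config text. Prints the first PermitTunnel value found outside
# any Match block, lower-cased; prints nothing when the directive is absent
# (sshd's built-in default is "no").
effective_permit_tunnel() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "match" { in_match = 1 }
    tolower($1) == "permittunnel" && !in_match { print tolower($2); exit }
  '
}

# Returns 0 when the effective value allows the layer-3 (tun) devices that a
# point-to-point SSH VPN needs, 1 otherwise.
tunnel_ok() {
  case "$(effective_permit_tunnel "$1")" in
    yes|point-to-point) return 0 ;;
    *)                  return 1 ;;
  esac
}

# Constructed sample: the "yes" appended at the end is never reached because
# the earlier "no" wins, and the Match value applies only to user "backup".
SAMPLE_CFG='Port 22
PermitTunnel no
PasswordAuthentication no
PermitTunnel yes
Match User backup
    PermitTunnel point-to-point'

if tunnel_ok "$SAMPLE_CFG"; then
  echo "PermitTunnel ok"
else
  echo "PermitTunnel effective value: '$(effective_permit_tunnel "$SAMPLE_CFG")' (tunnel devices blocked)"
fi
```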
## Installation client and server
```bash
# run installer on each side
sudo bash install.sh
```
The installer simply copies `pawdance` into `/usr/local/bin/`.
## 1 Prepare the client
```bash
# generate a template
pawdance make-config --role client -o pawdance-client.conf
# edit it
vim pawdance-client.conf
```
Example **client** config:
```bash
# ---------------------------------------------------------------------------
# pawdance
# ---------------------------------------------------------------------------
ROLE="client" # client or server
CONNECT_MODE="auto" # dns|ip|auto
REMOTE_HOST="vpn.example.com" # used when dns/auto
# REMOTE_CONNECT_IP4="203.0.113.42" # used when ip/auto with no REMOTE_HOST.
# REMOTE_CONNECT_IP6="2001:db8::42"
CONNECT_PREFER="auto" # auto|ipv4|ipv6
# --- SSH authentication -----------------------------------------------------
REMOTE_USER="youruser"
SSH_KEY_MODE="false" # true = pass explicit key; false = default chain
SSH_KEY="/home/alice/.ssh/id_ed25519" # only if SSH_KEY_MODE=true
# --- Tunnel parameters ------------------------------------------------------
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.2/24"
REMOTE_IP4="10.0.1.1"
LOCAL_IP6="2001:db8:1::2/64"
REMOTE_IP6="2001:db8:1::1"
MTU="1500"
# --- Crypto preferences -----------------------------------------
SSH_KEX="mlkem768x25519-sha256"
SSH_CIPHERS="chacha20-poly1305@openssh.com"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
# use remote server as vpn for all traffic.
# if set to false, vpn becomes transparent.
DEFAULT_ROUTE_IPV4="true"
DEFAULT_ROUTE_IPV6="true"
```
## 2 Prepare the server
```bash
pawdance make-config --role server -o srv-config.conf
vim srv-config.conf
```
Example **server** config:
```bash
# ---------------------------------------------------------------------------
# pawdance
# ---------------------------------------------------------------------------
ROLE="server"
# --- Tunnel parameters ------------------------------------------------------
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.1/24"
LOCAL_IP6="2001:db8:1::1/64"
MTU="1500"
# allow clients to access networks on the server?
VPN_FORWARD="true" # iptables/ip6tables FORWARD rules
# keep this set to true; it is required for the tunnel to work.
# it enables net.ipv4.ip_forward + net.ipv6.conf.all.forwarding
IP_FORWARD="true"
```
## 3 Bring the tunnel up
### On the server
```bash
sudo pawdance up --config srv-config.conf
```
The server is now ready; the client can connect.
### On the client
```bash
sudo pawdance up --config pawdance-client.conf
```
First run may prompt for:
* *“Are you sure you want to continue connecting (yes/no)?”*
* SSH password or passphrase (unless key-based auth is already set up)
Once authenticated:
```bash
ip addr show tun1 # should list 10.0.1.2/24
ping 10.0.1.1 # ping the server's tunnel IP
curl ifconfig.me # should show the VPS public IP if default routed
```
## 4 Tear down
```bash
# either side:
sudo pawdance down --config <yourconfig>.conf
```
This removes:
* per-family default routes
* pass-through routes to the SSH endpoint
* the TUN interface
* any iptables/ip6tables **FORWARD** rules added by Pawdance
(Kernel forwarding sysctls remain as you set them.)
Useful if the script was terminated forcefully, or if you want to remove the TUN device from the server.
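As an added dry-run example (not pawdance's own code), this renders the OpenSSH and iproute2 commands that the client config from step 1 implies, including the pass-through route that step 4 tears down. The variable values are constructed from the README's example config; the resolved endpoint IP and the current default gateway are assumed to be passed in as arguments.

```shell
#!/bin/sh
# Added example, not pawdance's own code: print the commands a client config
# like the one in step 1 maps to, as strings only, so the plan can be reviewed
# before anything touches the host. Values are constructed from the README.
REMOTE_HOST="vpn.example.com"; REMOTE_USER="youruser"
TUN_INDEX="1"; TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.2/24"; REMOTE_IP4="10.0.1.1"; MTU="1500"
SSH_KEX="mlkem768x25519-sha256"
SSH_CIPHERS="chacha20-poly1305@openssh.com"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
DEFAULT_ROUTE_IPV4="true"

# -w local:remote asks sshd for a tun device on each side (this is what
# PermitTunnel gates); -N opens no shell; the -o options pin the KEX, cipher
# and MAC from the config so the client refuses to negotiate anything else.
build_ssh_cmd() {
  printf 'ssh -N -w %s:%s -o Tunnel=point-to-point -o KexAlgorithms=%s -o Ciphers=%s -o MACs=%s %s@%s' \
    "$TUN_INDEX" "$TUN_INDEX" "$SSH_KEX" "$SSH_CIPHERS" "$SSH_MACS" \
    "$REMOTE_USER" "$REMOTE_HOST"
}

# Address the tun device, then, when the VPN is to carry all traffic, add the
# /32 pass-through route to the SSH endpoint via the old gateway BEFORE the
# default route moves into the tunnel; otherwise the SSH session itself would
# be routed into its own tunnel and the link would stall.
# $1 = resolved endpoint IP (assumed), $2 = current default gateway (assumed).
build_ip_cmds() {
  printf 'ip addr add %s dev %s\n' "$LOCAL_IP4" "$TUN_DEV"
  printf 'ip link set %s mtu %s up\n' "$TUN_DEV" "$MTU"
  if [ "$DEFAULT_ROUTE_IPV4" = "true" ]; then
    printf 'ip route add %s/32 via %s\n' "$1" "$2"
    printf 'ip route replace default via %s dev %s\n' "$REMOTE_IP4" "$TUN_DEV"
  fi
}

build_ssh_cmd; echo
build_ip_cmds 203.0.113.42 192.168.1.1
```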
---
### Why Pawdance is stealthier than “normal” VPNs
1. **Looks like vanilla SSH** — no OpenVPN/WireGuard/IPsec signatures.
2. **Randomised first-packet length** — SSH padding defeats length-marker DPI.
3. **Nothing new listening** — only your hardened sshd.
4. **PQ-safe handshake** — the same post-quantum KEX most modern OpenSSH clients now use.
---