| install.sh | ||
| pawdance | ||
| README.md | ||
| uninstall.sh | ||
Paw Dance
paws to paws, a stealth‑grade, post‑quantum SSH VPN
Pawdance is a tool that uses OpenSSH you already trust into a fully working Layer‑3 VPN.
Pawdance can also fuction as transparent vpn if needed. Good for prodcution, when accsess to server is required and its network. why use third party vpns if you have ssh?
No fixed packet signature, but strong censorship resistance
WireGuard and SSTP send a recognisable first‑flight; OpenVPN’s TLS ClientHello can be fingerprinted.
SSH randomises its initial IV and padding, so every session’s first packet length is different, defeating simple length‑based fingerprints.
Stealthy
http://witch.valdikss.org.ru/ test detected as internet modem.
Important one‑time step on the server
OpenSSH must be told to allow tunnel devices.
Edit the daemon config manually and restart the service:
sudo vim /etc/ssh/sshd_config
# ──────────────────────────────────────────────
PermitTunnel yes # add this line (or PermitTunnel point-to-point)
# ──────────────────────────────────────────────
sudo systemctl restart sshd
Installation client and server
# run installer on each side
sudo bash install.sh
The installer simply copies pawdance into /usr/local/bin/
1 – Prepare the client
# generate a template
pawdance make-config --role client -o pawdance-client.conf
# edit it
vim pawdance-client.conf
Example client config:
# pawdance client example config
ROLE="client"
# How to reach the server
CONNECT_MODE="dns" # dns | ip | auto
REMOTE_HOST="vps.your.domain"
# REMOTE_CONNECT_IP4="203.0.113.42"
# REMOTE_CONNECT_IP6="2001:db8::42"
CONNECT_PREFER="ipv4" # auto | ipv4 | ipv6
REMOTE_USER="stinky"
# Tunnel interface
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.2/24"
REMOTE_IP4="10.0.1.1"
LOCAL_IP6="2001:db8:1::2/64"
REMOTE_IP6="2001:db8:1::1"
MTU="1500"
# Optional: post‑quantum crypto overrides
SSH_KEX="mlkem768x25519-sha256"
SSH_CIPHERS="chacha20-poly1305@openssh.com"
SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
# Push whole‑internet routes through the tunnel?
DEFAULT_ROUTE_IPV4="true"
DEFAULT_ROUTE_IPV6="true"
2 – Prepare the server
pawdance make-config --role server -o srv-config.conf
vim srv-config.conf
Example server config:
ROLE="server"
TUN_INDEX="1"
TUN_DEV="tun${TUN_INDEX}"
LOCAL_IP4="10.0.1.1/24"
LOCAL_IP6="2001:db8:1::1/64"
MTU="1500"
# allow VPN clients to access other networks?
VPN_FORWARD="true" # adds iptables/ip6tables FORWARD rules
# keep this true (required for routing)
IP_FORWARD="true" # sets net.ipv4.ip_forward + net.ipv6.conf.all.forwarding
3 – Bring the tunnel up
On the server
sudo pawdance up --config srv-config.conf
server is now ready. client can connect.
On the client
sudo pawdance up --config pawdance-client.conf
First run may prompt for:
- “Are you sure you want to continue connecting (yes/no)?”
- SSH password or pass‑phrase (unless key‑based auth already set up)
Once authenticated:
ip addr show tun1 # should list 10.0.1.2/24
ping 10.0.1.1 # ping the server’s tunnel IP
curl ifconfig.me # should show the VPS public IP if default routed
4 – Tear down
# either side:
sudo pawdance down --config <your‑config>.conf
This removes:
- per‑family default routes
- passthrough routes to the SSH endpoint
- the TUN interface
- any iptables/ip6tables FORWARD rules added by Pawdance
(Kernel forwarding sysctls remain as you set them.)
Why Pawdance is stealthier than “normal” VPNs
- Looks like vanilla SSH — no OpenVPN/WireGuard/IPsec signatures.
- Randomised first‑packet length — SSH padding defeats length‑marker DPI.
- Nothing new listening — only your hardened sshd.
- PQ‑safe handshake — same post‑quantum KEX most modern OpenSSH clients now use.