1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type="text/css">
html{overflow-y:scroll;background-color:#042424}
body{font-family:"Noto Sans","Droid Sans","DejaVu Sans","Arial",sans-serif;line-height:1.5}
tt,code{background-color:#f0f0f0;font-family:"Noto Sans Mono","Droid Sans Mono","DejaVu Sans Mono","Courier New",monospace,sans-serif;font-size:1em;}
pre{margin-left:3em}
p,ul,ol,blockquote,pre{font-size:1.0em;line-height:1.6}
li p{font-size:1.0em}
blockquote p{font-size:1.0em}
h1{font-size:1.5em}
h2{font-size:1.3em}
h3{font-size:1.0em}
h1 a{text-decoration:none}
table{border-collapse:collapse}
th,td{border:1px solid black}
table a{text-decoration:none}
table tr{font-size:1.0em;line-height:1.6em}
table tr{font-size:1.0em;line-height:1.5}
tbody tr:nth-child(12n+1){background-color:#f0ffff}
tbody tr:nth-child(12n+2){background-color:#f0ffff}
tbody tr:nth-child(12n+3){background-color:#f0ffff}
tbody tr:nth-child(12n+4){background-color:#f0ffff}
tbody tr:nth-child(12n+5){background-color:#f0ffff}
tbody tr:nth-child(12n+6){background-color:#f0ffff}
tbody tr:nth-child(12n+7){background-color:#fffff0}
tbody tr:nth-child(12n+8){background-color:#fffff0}
tbody tr:nth-child(12n+9){background-color:#fffff0}
tbody tr:nth-child(12n+10){background-color:#fffff0}
tbody tr:nth-child(12n+11){background-color:#fffff0}
tbody tr:nth-child(12n+12){background-color:#fffff0}
.headline{padding:0;font-weight:bold;font-size:1.0em;vertical-align:top;padding-bottom:0.5em;color:#ffffff;background-color:#042424}
.navt{display:block;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;margin:0;padding:0;vertical-align:center;font-size:1.0em}
.here{background-color:#042424}
.here{color:#ffffff}
.away{background-color:#042424}
.away a{text-decoration:none;display:block;color:#ffffff}
.away a:hover,.away a:active{text-decoration:underline}
.main{padding:5px}
.main{background-color:#ffffff}
.pagetitle{font-size:1.4em;font-weight:bold}
.logo img{width:100px}
@media only screen and (min-width:512px) {
.fixed{margin:0;padding:0;width:160px;height:100%;position:fixed;overflow:auto}
.main{margin-left:170px}
}
</style>
<title>
PQConnect: For users</title>
</head>
<body>
<div class=fixed>
<div class=headline>
<div class=logo><img src=topleft.png></div>
PQConnect</div>
<div class="navt away"><a href=index.html>Intro</a>
</div><div class="navt here">For users
</div><div class="navt away"><a href=sysadmin.html>For sysadmins</a>
</div><div class="navt away"><a href=compat.html>Compatibility</a>
</div><div class="navt away"><a href=security.html>Security</a>
</div><div class="navt away"><a href=crypto.html>Cryptography</a>
</div><div class="navt away"><a href=changes.html>Changes</a>
</div><div class="navt away"><a href=papers.html>Papers</a>
</div></div>
<div class=main>
<div class=pagetitle>PQConnect: For users</div>
<p>These are instructions for setting up the PQConnect client software.
This automatically protects outgoing connections from your machine
to servers that support PQConnect.</p>
<p>Prerequisites:
root on a Linux machine (Arch, Debian, Gentoo, Raspbian, Ubuntu);
<code>wget</code> and <code>sudo</code> already installed.
The software does not support other operating systems yet, sorry.</p>
<h2><a name="quick-start">Quick start</a></h2>
<p>Here is how to download, install, and run the PQConnect client software.
Start a root shell and run the following commands:</p>
<pre><code>cd /root
wget -m https://www.pqconnect.net/pqconnect-latest-version.txt
version=$(cat www.pqconnect.net/pqconnect-latest-version.txt)
wget -m https://www.pqconnect.net/pqconnect-$version.tar.gz
tar -xzf www.pqconnect.net/pqconnect-$version.tar.gz
cd pqconnect-$version
scripts/install-pqconnect
scripts/start-client-under-systemd
</code></pre>
<p>That's it: you're now running PQConnect.</p>
<h2><a name="quick-test">Quick test</a></h2>
<p>Try <code>curl https://www.pqconnect.net/test.html</code>;
or click on
<a href="https://www.pqconnect.net/test.html"><span class="url">https://www.pqconnect.net/test.html</span></a>
from a browser running on the same machine.
Your machine running PQConnect will say
<code>Looks like you're connecting with PQConnect. Congratulations!</code>,
where a machine without PQConnect would say
<code>Looks like you aren't connecting with PQConnect</code>.</p>
<p>Also try connecting to a non-PQConnect server
(for example, <a href="https://testwithout.pqconnect.net"><span class="url">https://testwithout.pqconnect.net</span></a>)
to see that non-PQConnect connections work normally.</p>
<h2><a name="detailed-test">Detailed test</a></h2>
<p>If you have <code>dig</code> installed:
Try <code>dig +short www.pqconnect.net</code>.
Your machine running PQConnect will say</p>
<pre><code>pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net.
10.43.0.2
</code></pre>
<p>(or possibly another <code>10.*</code> address)
where a machine without PQConnect would say</p>
<pre><code>pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net.
131.155.69.126
</code></pre>
<p>(where 131.155.69.126 is the actual <code>www.pqconnect.net</code> IP address).</p>
<p>Try <code>ping -nc 30 www.pqconnect.net</code>.
Your machine will print <code>bytes from</code> lines such as</p>
<pre><code>64 bytes from 10.43.0.2: icmp_seq=2 ttl=64 time=120 ms
</code></pre>
<p>again showing a <code>10.*</code> address.</p>
<p>If you have a network sniffer such as <code>tcpdump</code> installed,
start sniffing the network for packets to and from IP address 131.155.69.126:</p>
<pre><code>tcpdump -Xln host 131.155.69.126 > tcpdump-log &
</code></pre>
<p>Use <code>wget</code> to retrieve a web page via HTTP,
first without PQConnect and then with PQConnect:</p>
<pre><code>wget -O test1.html http://testwithout.pqconnect.net/test.html
wget -O test2.html http://www.pqconnect.net/test.html
</code></pre>
<p>Then kill the <code>tcpdump</code> job and scroll through the <code>tcpdump-log</code> output.
You will see that the first connection uses TCP packets
to and from <code>131.155.69.126.80</code>, meaning port 80 of IP address 131.155.69.126,
with an obviously unencrypted request
(search for <code>GET</code> and you will see <code>GET /test.html</code>, <code>Host: testwithout.pqconnect.net</code>, etc.)
and an obviously unencrypted response,
while the second connection uses
encrypted UDP packets
to and from port 42424 of IP address 131.155.69.126.</p>
<h2><a name="non-systemd">Non-systemd alternatives</a></h2>
<p>Running the client under systemd
is currently recommended
because it applies some sandboxing,
but you can instead run</p>
<pre><code>scripts/run-client &
</code></pre>
<p>to more directly run the client.
Logs are then saved in <code>pqconnect-log</code> in the same directory.
If the computer reboots,
the client will not restart
unless you run <code>scripts/run-client</code> again.</p><hr><font size=1><b>Version:</b>
This is version 2025.03.22 of the "For users" web page.
</font>
</div>
</body>
</html>
|
