nooshdaroo 0.2.0

Protocol Shape-Shifting SOCKS Proxy - Dynamic protocol emulation for encrypted proxy traffic
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

# Nooshdaroo Key Generation Guide

Simple guide to generating encryption keys for Nooshdaroo's encrypted transport.

## Quick Start (3 Easy Steps)

### Step 1: Generate Keys

```bash
nooshdaroo genkey
```

This displays:
- 🔒 Private key (keep secret!)
- ✅ Public key (share with peers)
- 📋 Ready-to-copy configuration examples

### Step 2: Copy Configuration

Copy the displayed server and client configs to your TOML files.

### Step 3: Run Nooshdaroo

```bash
# On server
nooshdaroo server --config server.toml

# On client
nooshdaroo client --config client.toml
```

**Done!** Your traffic is now encrypted end-to-end.

---

## Automatic Config Generation

Generate ready-to-use configuration files automatically:

```bash
nooshdaroo genkey \
  --server-config server.toml \
  --client-config client.toml \
  --server-addr myserver.com:8443
```

This creates:
- `server.toml` with private key (permissions: 600)
- `client.toml` with server's public key

Then just run:
```bash
# Server
nooshdaroo server --config server.toml

# Client
nooshdaroo client --config client.toml
```

---

## Command Options

### Basic Usage

```bash
nooshdaroo genkey
```

Generates a keypair and displays configuration examples.

### Save to Files

```bash
nooshdaroo genkey \
  --server-config server.toml \
  --client-config client.toml
```

Automatically creates both config files.

### Customize Addresses

```bash
nooshdaroo genkey \
  --server-config server.toml \
  --client-config client.toml \
  --server-bind "0.0.0.0:9000" \
  --client-bind "127.0.0.1:1080" \
  --server-addr "vpn.example.com:9000"
```

### Choose Encryption Pattern

```bash
nooshdaroo genkey \
  --pattern kk \
  --server-config server.toml \
  --client-config client.toml
```

Available patterns:
- `nk` - Server authentication (recommended)
- `xx` - Anonymous encryption
- `kk` - Mutual authentication

---

## Examples

### Example 1: Development Setup

```bash
# Generate configs for local testing
nooshdaroo genkey \
  --server-config dev-server.toml \
  --client-config dev-client.toml \
  --server-addr "localhost:8443"

# Run server
nooshdaroo server --config dev-server.toml

# Run client (in another terminal)
nooshdaroo client --config dev-client.toml
```

### Example 2: Production Deployment

```bash
# On your local machine
nooshdaroo genkey \
  --server-config production-server.toml \
  --client-config production-client.toml \
  --server-addr "vpn.mycompany.com:8443" \
  --pattern nk

# Securely copy server config to production server
scp production-server.toml user@vpn.mycompany.com:/etc/nooshdaroo/server.toml

# On production server
sudo nooshdaroo server --config /etc/nooshdaroo/server.toml

# On your laptop
nooshdaroo client --config production-client.toml
```

### Example 3: Mutual Authentication

```bash
# Generate server keys
nooshdaroo genkey \
  --server-config server.toml \
  --pattern kk

# Save server's public key
SERVER_PUB=$(grep remote_public_key server.toml | cut -d'"' -f2)

# Generate client keys
nooshdaroo genkey \
  --client-config client.toml \
  --pattern kk

# Save client's public key
CLIENT_PUB=$(grep remote_public_key client.toml | cut -d'"' -f2)

# Manually add keys to configs
# Add CLIENT_PUB to server.toml's remote_public_key
# Add SERVER_PUB to client.toml's remote_public_key
```

---

## Security Best Practices

### ✅ DO

- **Keep private keys secret** - Never share or commit to git
-**Use 600 permissions** - `chmod 600 server.toml`
-**Different keys per environment** - Separate dev/staging/prod keys
-**Rotate keys regularly** - Every 90 days recommended
-**Backup keys securely** - Encrypted storage only
-**Use strong patterns** - Prefer NK or KK over XX

### ❌ DON'T

- **Don't commit to git** - Add `*.toml` to `.gitignore`
-**Don't reuse keys** - Generate new keys for each deployment
-**Don't use HTTP** - Always transfer configs over SSH/HTTPS
-**Don't use weak patterns** - XX is vulnerable to MITM
-**Don't share private keys** - Even with "trusted" people

---

## Troubleshooting

### "Permission denied" when reading config

**Problem**: Config file has wrong permissions

**Solution**:
```bash
chmod 600 server.toml
```

### "Failed to write config"

**Problem**: No write permission in directory

**Solution**:
```bash
# Write to home directory instead
nooshdaroo genkey \
  --server-config ~/server.toml \
  --client-config ~/client.toml
```

### Keys don't match between server and client

**Problem**: Used different keypairs for server and client

**Solution**: Generate once and use same keys:
```bash
# Generate keys
nooshdaroo genkey > keys.txt

# Extract and use in both configs
# Private key → server.toml
# Public key → client.toml
```

### Need to regenerate keys

**Problem**: Lost keys or need to rotate

**Solution**:
```bash
# Generate new keys
nooshdaroo genkey \
  --server-config new-server.toml \
  --client-config new-client.toml

# Replace old configs
mv new-server.toml server.toml
mv new-client.toml client.toml

# Restart services
```

---

## Advanced Usage

### Generate Multiple Keypairs

```bash
# For production
nooshdaroo genkey --server-config prod-server.toml \
                  --client-config prod-client.toml \
                  --server-addr "prod.example.com:8443"

# For staging
nooshdaroo genkey --server-config staging-server.toml \
                  --client-config staging-client.toml \
                  --server-addr "staging.example.com:8443"

# For development
nooshdaroo genkey --server-config dev-server.toml \
                  --client-config dev-client.toml \
                  --server-addr "localhost:8443"
```

### Extract Keys for Scripting

```bash
# Generate and extract keys
OUTPUT=$(nooshdaroo genkey)

# Extract private key (for server)
PRIVATE_KEY=$(echo "$OUTPUT" | grep "PRIVATE KEY" -A 2 | tail -1 | tr -d '│ ')

# Extract public key (for client)
PUBLIC_KEY=$(echo "$OUTPUT" | grep "PUBLIC KEY" -A 2 | tail -1 | tr -d '│ ')

# Use in scripts
echo "Server key: $PRIVATE_KEY"
echo "Client key: $PUBLIC_KEY"
```

### Verify Generated Configs

```bash
# Generate configs
nooshdaroo genkey \
  --server-config server.toml \
  --client-config client.toml

# Test server config (dry-run)
nooshdaroo server --config server.toml --help

# Test client config
nooshdaroo client --config client.toml --help
```

---

## Integration with CI/CD

### GitHub Actions Example

```yaml
name: Deploy Nooshdaroo

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Generate keys
        run: |
          nooshdaroo genkey \
            --server-config server.toml \
            --client-config client.toml \
            --server-addr ${{ secrets.SERVER_ADDR }}

      - name: Deploy server config
        run: |
          scp server.toml ${{ secrets.SSH_USER }}@${{ secrets.SERVER_IP }}:/etc/nooshdaroo/

      - name: Store client config
        uses: actions/upload-artifact@v3
        with:
          name: client-config
          path: client.toml
```

### Docker Example

```dockerfile
FROM nooshdaroo:latest

# Generate keys at build time
RUN nooshdaroo genkey \
    --server-config /etc/nooshdaroo/server.toml \
    --pattern nk

CMD ["nooshdaroo", "server", "--config", "/etc/nooshdaroo/server.toml"]
```

---

## FAQ

**Q: Can I use the same key for multiple clients?**

A: With NK pattern, yes - the server's public key can be shared with all clients. But each client connects anonymously.

**Q: How do I rotate keys without downtime?**

A: Not yet supported. Plan for brief downtime during key rotation.

**Q: What if I lose my private key?**

A: You must generate new keys. There's no recovery - this is by design for security.

**Q: Can I manually create keys?**

A: Not recommended. Use `nooshdaroo genkey` to ensure proper format and encoding.

**Q: How long are the keys?**

A: 32 bytes (256 bits) encoded as 44-character base64 strings.

---

## Help

For more information:
- 📖 Read **NOISE_TRANSPORT.md** for encryption details
- 🔍 Check **examples/** directory for sample configs
- 💬 Report issues at https://github.com/sinarabbaani/Nooshdaroo/issues

---

**Generated keys are cryptographically secure and ready for production use!** 🔒