PQConnect
Intro
For users
For sysadmins
Compatibility
Security
Cryptography
Changes
Papers
PQConnect: For users

These are instructions for setting up the PQConnect client software. This automatically protects outgoing connections from your machine to servers that support PQConnect.

Prerequisites: root on a Linux machine (Arch, Debian, Gentoo, Raspbian, Ubuntu); wget and sudo already installed. The software does not support other operating systems yet, sorry.

Quick start

Here is how to download, install, and run the PQConnect client software. Start a root shell and run the following commands:

cd /root
wget -m https://www.pqconnect.net/pqconnect-latest-version.txt
version=$(cat www.pqconnect.net/pqconnect-latest-version.txt)
wget -m https://www.pqconnect.net/pqconnect-$version.tar.gz
tar -xzf www.pqconnect.net/pqconnect-$version.tar.gz
cd pqconnect-$version
scripts/install-pqconnect
scripts/start-client-under-systemd

That's it: you're now running PQConnect.

Quick test

Try curl https://www.pqconnect.net/test.html; or click on https://www.pqconnect.net/test.html from a browser running on the same machine. Your machine running PQConnect will say Looks like you're connecting with PQConnect. Congratulations!, where a machine without PQConnect would say Looks like you aren't connecting with PQConnect.

Also try connecting to a non-PQConnect server (for example, https://testwithout.pqconnect.net) to see that non-PQConnect connections work normally.

Detailed test

If you have dig installed: Try dig +short www.pqconnect.net. Your machine running PQConnect will say

pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net.
10.43.0.2

(or possibly another 10.* address) where a machine without PQConnect would say

pq1u1hy1ujsuk258krx3ku6wd9rp96kfxm64mgct3s3j26udp57dbu1.pqconnect.net.
131.155.69.126

(where 131.155.69.126 is the actual www.pqconnect.net IP address).

Try ping -nc 30 www.pqconnect.net. Your machine will print bytes from lines such as

64 bytes from 10.43.0.2: icmp_seq=2 ttl=64 time=120 ms

again showing a 10.* address.

If you have a network sniffer such as tcpdump installed, start sniffing the network for packets to and from IP address 131.155.69.126:

tcpdump -Xln host 131.155.69.126 > tcpdump-log &

Use wget to retrieve a web page via HTTP, first without PQConnect and then with PQConnect:

wget -O test1.html http://testwithout.pqconnect.net/test.html
wget -O test2.html http://www.pqconnect.net/test.html

Then kill the tcpdump job and scroll through the tcpdump-log output. You will see that the first connection uses TCP packets to and from 131.155.69.126.80, meaning port 80 of IP address 131.155.69.126, with an obviously unencrypted request (search for GET and you will see GET /test.html, Host: testwithout.pqconnect.net, etc.) and an obviously unencrypted response, while the second connection uses encrypted UDP packets to and from port 42424 of IP address 131.155.69.126.

Non-systemd alternatives

Running the client under systemd is currently recommended because it applies some sandboxing, but you can instead run

scripts/run-client &

to more directly run the client. Logs are then saved in pqconnect-log in the same directory. If the computer reboots, the client will not restart unless you run scripts/run-client again.

Version: This is version 2025.03.22 of the "For users" web page.