4 GoVPN is simple secure virtual private network daemon, written entirely
5 on @url{http://golang.org/, Go programming language}.
7 Reviewability, high 128-bit security margin and
8 @url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}
9 censorship resistance in mind in free software solution are the main
10 goals for that daemon. Most modern widespread protocols and their
11 implementations in software are too complex to be reviewed, analyzed and
14 State off art cryptography technologies includes:
15 @url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption,
16 @url{http://143.53.36.235:8080/tea.htm, XTEA} PRP,
17 @url{http://cr.yp.to/mac.html, Poly1305} message authentication,
18 @url{https://en.wikipedia.org/wiki/PBKDF2} password-based key derivation
19 function based on @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512}
21 @url{https://en.wikipedia.org/wiki/Encrypted_key_exchange,
22 Diffie-Hellman Augmented Encrypted Key Exchange}
23 (DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519} and
24 @url{http://ed25519.cr.yp.to/, Ed25519} signatures.
26 @url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge}
27 mutual authentication with key exchange stage is invulnerable
28 to man-in-the-middle attacks.
29 @url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
30 property guarantee that compromising of long-term authentication
31 pre-shared key can not lead to previously captured traffic decrypting.
32 Compromising of peers password file on server side won't allow attacker
33 to masquerade as the client, because of asymmetric @strong{verifiers}
34 usage, resistant to dictionary attacks. Rehandshaking ensures session
35 keys rotation. MAC authentication with one-time keys protects against
36 @url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}.
38 Server can work with several clients simultaneously. Each client is
39 @strong{identified} by 128-bit key, that does not leak during handshake
40 and each client stays @strong{anonymous} for MiTM and DPI. All settings
41 are applied per-peer separately.
43 Optional ability to hide payload packets lengths by appending
44 @strong{noise} to them during transmission. Ability to generate constant
45 packet rate traffic (@strong{CPR}) that will hide even the fact of
46 packets appearance, their timestamps.
48 The only platform specific requirement is TAP network interface support.
49 API to that kind of device is different, OS dependent and non portable.
50 So only a few operating systems is officially supported. Author has no
51 proprietary software to work with, so currently there is lack of either
52 popular Microsoft Windows or Apple OS X support.
56 Copylefted free software: licensed under
57 @url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}
59 Works with @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP}
60 network interfaces on top of UDP entirely
62 @url{https://www.gnu.org/, GNU}/Linux and
63 @url{http://www.freebsd.org/, FreeBSD} support
65 @item Encrypted and authenticated payload transport
66 @item Relatively fast handshake
67 @item Password-authenticated key exchange
68 @item Server-side password verifiers are secure against dictionary attacks
69 @item Attacker can not masquerade a client even with password files compromising
70 @item Replay attack protection
71 @item Perfect forward secrecy property
72 @item Mutual two-side authentication
73 @item Zero knowledge authentication
74 @item Built-in rehandshake and heartbeat features
75 @item Several simultaneous clients support
76 @item Per-client configuration options
77 @item Hiding of payload packets length with noise
78 @item Hiding of payload packets timestamps with constant packet rate traffic
79 @item Optional built-in HTTP-server for retrieving information about
80 known connected peers in @url{http://json.org/, JSON} format