@node Overview
@unnumbered Overview

GoVPN is a simple, secure virtual private network daemon, written entirely in the @url{http://golang.org/, Go programming language}. Its main goals, as a free software solution, are reviewability, a 128-bit security margin and resistance to @url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}-based censorship. Most modern widespread protocols and their software implementations are too complex to be reviewed, analyzed and modified.

State-of-the-art cryptographic technologies are used: @url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption, the @url{http://143.53.36.235:8080/tea.htm, XTEA} PRP, @url{http://cr.yp.to/mac.html, Poly1305} message authentication, the @url{https://en.wikipedia.org/wiki/PBKDF2, PBKDF2} password-based key derivation function built on the @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512} hash function, @url{https://en.wikipedia.org/wiki/Encrypted_key_exchange, Diffie-Hellman Augmented Encrypted Key Exchange} (DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519}, @url{http://ed25519.cr.yp.to/, Ed25519} signatures and @url{http://elligator.cr.yp.to/, Elligator} curve-point encoding.

The strong @url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge} mutual authentication and key exchange stage protects against man-in-the-middle attacks. The @url{https://en.wikipedia.org/wiki/Forward_secrecy, perfect forward secrecy} property guarantees that compromise of the long-term authentication pre-shared key cannot lead to decryption of previously captured traffic. Compromise of the peers' password file on the server side does not allow an attacker to masquerade as a client, because the server stores asymmetric @strong{verifiers}, which are also resistant to dictionary attacks. Rehandshaking ensures session key rotation. MAC authentication with one-time keys protects against @url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}. The server can work with several clients simultaneously.
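
As an added illustration of how the Salsa20 and Poly1305 primitives named above combine into an authenticated packet (example code written for this page, not GoVPN's own code, and not its actual packet format), the following Go program seals a packet NaCl secretbox style: the first Salsa20 keystream block under the packet nonce becomes the one-time Poly1305 key, the following blocks encrypt the payload, and the receiver accepts a packet only if its tag verifies and its nonce is strictly greater than the last accepted one, so a captured packet cannot be replayed and a tag cannot be transplanted onto another nonce. The @code{nonce || tag || ciphertext} layout, the 64-bit counter nonce, the strictly increasing nonce rule and the @code{seal}, @code{open} and @code{stream} names are assumptions of this example. The Salsa20 and Poly1305 routines are written from their specifications so that the program needs only the standard library; the math/big Poly1305 is not constant-time and is for illustration only.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"math/big"
	"math/bits"
)

// salsa20Block returns one 64-byte Salsa20/20 keystream block, written from the spec.
func salsa20Block(key *[32]byte, nonce []byte, counter uint64) [64]byte {
	x := [16]uint32{0: 0x61707865, 5: 0x3320646e, 10: 0x79622d32, 15: 0x6b206574} // "expand 32-byte k"
	for i := 0; i < 4; i++ {
		x[1+i], x[11+i] = binary.LittleEndian.Uint32(key[4*i:]), binary.LittleEndian.Uint32(key[16+4*i:])
	}
	x[6], x[7] = binary.LittleEndian.Uint32(nonce[:4]), binary.LittleEndian.Uint32(nonce[4:8])
	x[8], x[9] = uint32(counter), uint32(counter>>32)
	in := x
	for i := 0; i < 10; i++ { // 10 double rounds: four column quarter-rounds, then four row ones
		for _, q := range [][4]int{{0, 4, 8, 12}, {5, 9, 13, 1}, {10, 14, 2, 6}, {15, 3, 7, 11},
			{0, 1, 2, 3}, {5, 6, 7, 4}, {10, 11, 8, 9}, {15, 12, 13, 14}} {
			a, b, c, d := q[0], q[1], q[2], q[3]
			x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
			x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
			x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
			x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
		}
	}
	var out [64]byte
	for i := range x {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+in[i]) // feed-forward of the input state
	}
	return out
}

// stream yields the one-time Poly1305 key from keystream block 0 and XORs data with blocks 1.. (secretbox style).
func stream(key *[32]byte, nonce, data []byte) (otk [32]byte) {
	ks := salsa20Block(key, nonce, 0)
	copy(otk[:], ks[:32])
	for i := range data {
		if i%64 == 0 {
			ks = salsa20Block(key, nonce, 1+uint64(i/64))
		}
		data[i] ^= ks[i%64]
	}
	return otk
}

var p1305 = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 130), big.NewInt(5)) // 2^130 - 5
var rClamp, _ = new(big.Int).SetString("0ffffffc0ffffffc0ffffffc0fffffff", 16)    // Poly1305 r mask

func leToBig(b []byte) *big.Int { // little-endian bytes to integer
	rev := make([]byte, len(b))
	for i, v := range b {
		rev[len(b)-1-i] = v
	}
	return new(big.Int).SetBytes(rev)
}

// poly1305 tags msg under one-time key r || s; math/big is not constant-time, so illustration only.
func poly1305(key *[32]byte, msg []byte) [16]byte {
	r := new(big.Int).And(leToBig(key[:16]), rClamp)
	s, acc := leToBig(key[16:]), new(big.Int)
	for i := 0; i < len(msg); i += 16 {
		end := i + 16
		if end > len(msg) {
			end = len(msg)
		}
		block := append(append([]byte{}, msg[i:end]...), 1) // 0x01 pad byte above the block
		acc.Add(acc, leToBig(block)).Mul(acc, r).Mod(acc, p1305)
	}
	var tag [16]byte // low 128 bits of acc + s, little-endian
	binary.LittleEndian.PutUint64(tag[:8], acc.Add(acc, s).Uint64())
	binary.LittleEndian.PutUint64(tag[8:], acc.Rsh(acc, 64).Uint64())
	return tag
}

// seal builds nonce || tag || ciphertext, a packet layout assumed for this example.
func seal(key *[32]byte, nonce uint64, plaintext []byte) []byte {
	n := make([]byte, 8)
	binary.LittleEndian.PutUint64(n, nonce)
	ct := append([]byte{}, plaintext...)
	otk := stream(key, n, ct)
	tag := poly1305(&otk, ct)
	return append(append(n, tag[:]...), ct...)
}

// open accepts only a nonce above *last (initially 0) and releases plaintext only after the tag verifies.
func open(key *[32]byte, last *uint64, pkt []byte) ([]byte, error) {
	if len(pkt) < 24 || binary.LittleEndian.Uint64(pkt[:8]) <= *last {
		return nil, errors.New("short packet or replayed nonce")
	}
	pt := append([]byte{}, pkt[24:]...)
	otk := stream(key, pkt[:8], pt)
	if tag := poly1305(&otk, pkt[24:]); subtle.ConstantTimeCompare(tag[:], pkt[8:24]) != 1 {
		return nil, errors.New("authentication failed")
	}
	*last = binary.LittleEndian.Uint64(pkt[:8])
	return pt, nil
}
```

Call @code{seal} and then @code{open} twice with the same packet from a @code{main} of your own: the second call fails on the nonce check before the tag is even computed, and flipping any byte of the ciphertext or rewriting the nonce field makes the tag check fail, because the Poly1305 key is derived from the nonce and used exactly once. Which replay window GoVPN itself keeps is not described on this page; only the one-time MAC keys are.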
Each client is @strong{identified} by a 128-bit key that does not leak during the handshake, so each client stays @strong{anonymous} to a MitM or DPI observer. All settings are applied per peer. Payload packet lengths can optionally be hidden by appending @strong{noise} to them during transmission. Constant packet rate traffic (@strong{CPR}) can be generated to hide even the fact that packets appear, and their timing.

The only platform-specific requirement is TAP network interface support. The API for that kind of device differs between operating systems and is not portable, so only a few operating systems are officially supported. The author has no proprietary software to work with, so there is currently no support for Microsoft Windows or Apple OS X.

@itemize @bullet
@item Copylefted free software: licensed under @url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}
@item Works with @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP} network interfaces, entirely on top of UDP
@item @url{https://www.gnu.org/, GNU}/Linux and @url{http://www.freebsd.org/, FreeBSD} support
@item IPv6 compatible
@item Encrypted and authenticated payload transport
@item Relatively fast handshake
@item Password-authenticated key exchange
@item Server-side password verifiers are secure against dictionary attacks
@item An attacker cannot masquerade as a client even after the password file is compromised
@item Replay attack protection
@item Perfect forward secrecy property
@item Mutual (two-sided) authentication
@item Zero-knowledge authentication
@item Built-in rehandshake and heartbeat features
@item Support for several simultaneous clients
@item Per-client configuration options
@item Hiding of payload packet lengths with noise
@item Hiding of payload packet timestamps with constant packet rate traffic
@item Optional built-in HTTP server for retrieving information about known connected peers in @url{http://json.org/, JSON} format
@end itemize