govpn is simple high-performance secure virtual private network daemon.
It uses DH-EKE for mutual zero-knowledge authentication and
-authenticated encrypted transport.
+authenticated encrypted transport. It runs under GNU/Linux and FreeBSD.
DESCRIPTION
CONSOLE OUTPUT LEGEND
-B -- bad UDP packet (some system error)
+B -- bad or timeouted UDP packet (maybe network is inactive)
T -- bad tag on packet (MiTM, unordered packet)
R -- invalid sequence number (MiTM, unordered packet)
[HS?] -- unknown handshake message
[S?] -- invalid handshake stage is trying to perform (MiTM, duplicate packet)
[OK] -- handshake's stage passed
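Review bot: "timeouted" in the new `B -- bad or timeouted UDP packet (maybe network is inactive)` line is not a word ("timed-out" is), and, more importantly, the rewritten entry folds two distinct conditions into one letter: a malformed datagram that failed a system call (what the old "some system error" described) and a read timeout because nothing arrived at all. The first can mean tampering or a broken peer, the second usually an idle or dead link, so an operator reading the console can no longer tell them apart. Suggest either a separate letter for the timeout case or wording such as "B -- bad UDP packet (system error) or read timeout (network may be inactive)", and drop the hedging "maybe".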
+EXAMPLE USAGE
+
+Let's assume that there is some insecure link between your computer and
+WiFi-reachable gateway. You have got preconfigured wlan0 network
+interface with 192.168.0/24 network. You want to create virtual
+encrypted and authenticated 172.16.0/24 network and use it as a default
+transport. MTU for that wlan0 is 1500 bytes. GoVPN will say that maximum
+MTU for the link is 1476, however it does not take in account TAP's
+Ethernet frame header length, that in my case is 14 bytes long (1476 - 14).
+
+ gateway% ip addr add 192.168.0.1/24 dev wlan0
+ gateway% tunctl -t tap10
+ gateway% ip link set mtu 1462 dev tap10
+ gateway% ip addr add 172.16.0.1/24 dev tap10
+ gateway% ip link set up dev tap10
+ gateway% govpn -key KEY -iface tap10 -bind 192.168.0.1:1194
+
+ pc% ip addr add 192.168.0.2/24 dev wlan0
+ pc% tunctl -t tap10
+ pc% ip link set mtu 1462 dev tap10
+ pc% ip addr add 172.16.0.2/24 dev tap10
+ pc% ip link set up dev tap10
+ pc% ip route add default via 172.16.0.1
+ pc% while :; do govpn -key KEY -iface tap10 -remote 192.168.0.1:1194; done
+
+If client won't finish handshake during -timeout, then it will exit.
+If no packets are received from remote side during timeout, then daemon
+will stop sending packets to the client and client will exit. In every
+cases you have to rehandshake again.
+
TECHNICAL INTERNALS
Encryption: Salsa20
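Review bot: the client loop at `pc% while :; do govpn -key KEY -iface tap10 -remote 192.168.0.1:1194; done` restarts immediately and without limit while the gateway command has no loop at all; the closing paragraph explains that the client exits on handshake failure and on -timeout, but the example should say that this is why the loop exists, and warn that with a wrong key an unguarded `while :` will hammer the gateway with handshake attempts. The example sets the pc's default route via 172.16.0.1 but never shows the gateway forwarding or NATing that traffic, so as written the tunnel carries packets the gateway will drop; add the forwarding step or state that it is out of scope. Please also clarify whether KEY in `-key KEY` is a path or the key material itself, since a literal key on the command line is visible to every local user through ps. The MTU arithmetic (1476 - 14 = 1462) is correct but should name the 14 bytes as the Ethernet header that TAP adds, and the -timeout flag is referenced in the last paragraph yet appears in neither command line, so give its default or add it to the example. Grammar in the added prose: "does not take in account" should be "does not take into account", "that in my case is 14 bytes long" should be "which in my case is 14 bytes long", "If client won't finish handshake during -timeout, then it will exit" should be "If the client does not complete the handshake within -timeout, it exits", and "In every cases you have to rehandshake again" should be "In either case a new handshake is required".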