@node FAQ
+@cindex FAQ
+@cindex Frequently Asked Questions
@unnumbered Frequently Asked Questions
@table @asis
+@cindex TLS
@item Why do not you use TLS?
It is complicated protocol. It uses Authenticate-then-Encrypt ordering
of algorithms -- it is not secure. Moreover its libraries are huge and
hard to read, review and analyze.
+@cindex SSH
@item Why do not you use SSH?
Its first protocol versions used A-a-E ordering, however later ones
supports even ChaCha20-Poly1305 algorithms. But its source code is not
so trivial and rather big to read and review. OpenSSH does not support
strong zero-knowledge password authentication.
+@cindex IPsec
@item Why do not you use IPsec?
It is rather good protocol, supported by all modern OSes. But it lacks
strong zero-knowledge password authentication and, again, its code is
authentication, high cryptographic protocol security, and most of this
software is written in C -- it is hard to write right on it.
+@cindex Why Go
+@cindex Go
@item Why GoVPN is written on Go?
Go is very easy to read, review and support. It makes complex code
writing a harder task. It provides everything needed to the C language:
You need to trust only yourself, not hardware token or some other
storage device. It is convenient.
+@cindex Network configuration
@item Why all network configuration must be done manually?
Because there are so many use-cases and setups, so many various
protocols, that either I support all of them, or use complicated
protocol setups like PPP, or just give right of the choice to the
administrator. VPN is only just a layer.
+@cindex Windows
+@cindex Microsoft Windows
+@cindex Apple OS X
+@cindex OS X
@item Why there is no either OS X or Windows support?
Any closed source proprietary systems do not give ability to control the
computer. You can not securely use cryptography-related stuff without
keys. PFS property is per-session level: it won't protect from leaking
the session key from the memory.
+@cindex Anonymity
+@cindex Anonymous clients
@item What do you mean by saying that clients are anonymous?
That third-party can not differentiate one client from another looking
at the traffic (transport and handshake).
+@cindex Censorship
+@cindex Censorship resistance
+@cindex DPI resistance
@item What do you mean by censorship resistance?
Unability to distinguish either is it GoVPN-traffic is passing by, or
just @code{cat /dev/urandom | nc somehost}. If you can not differentiate
attention that this mode is traffic and resource hungry and currently
operate only in TCP mode.
+@item Do you think encryptionless mode with all those random data helps in court?
+If anything that can not be read by anyone is considered encryption,
+then no, encryptionless mode won't help you. Imagine that either you are
+talking on another foreign language, or just use another date encoding
+scheme.
+
@item When should I use @ref{Noise, noise} option?
In most cases you won't need it without @ref{CPR, constant packer rate}
turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,
going on in the network. With CPR option enabled you can tell either
somebody is online, or not -- nothing less, nothing more.
+@cindex DoS
@item Can I DoS (denial of service) the daemon?
Each transport packet is authenticated first with the very fast UMAC
algorithm -- in most cases resource consumption of TCP/UDP layers will
when an encrypted client's @ref{Identity, identity} is found: it uses
fast PRP without any entropy usage.
+@cindex Why YAML
+@item Why YAML for configuration?
+There are not so many well-known formats that allow commenting, easy
+editing by human (XML is not human friendly at all, JSON is more or
+less). Probably the most useful feature is YAML's templates: it is very
+convenient for storing many clients sharing the same options in the
+configuration file.
+
@end table