@node FAQ
+@cindex FAQ
+@cindex Frequently Asked Questions
@unnumbered Frequently Asked Questions
@table @asis
+@cindex TLS
@item Why do not you use TLS?
It is complicated protocol. It uses Authenticate-then-Encrypt ordering
of algorithms -- it is not secure. Moreover its libraries are huge and
hard to read, review and analyze.
+@cindex SSH
@item Why do not you use SSH?
Its first protocol versions used A-a-E ordering, however later ones
supports even ChaCha20-Poly1305 algorithms. But its source code is not
so trivial and rather big to read and review. OpenSSH does not support
strong zero-knowledge password authentication.
+@cindex IPsec
@item Why do not you use IPsec?
It is rather good protocol, supported by all modern OSes. But it lacks
strong zero-knowledge password authentication and, again, its code is
authentication, high cryptographic protocol security, and most of this
software is written in C -- it is hard to write right on it.
+@cindex Why Go
+@cindex Go
@item Why GoVPN is written on Go?
Go is very easy to read, review and support. It makes complex code
writing a harder task. It provides everything needed to the C language:
You need to trust only yourself, not hardware token or some other
storage device. It is convenient.
+@cindex Network configuration
@item Why all network configuration must be done manually?
Because there are so many use-cases and setups, so many various
protocols, that either I support all of them, or use complicated
protocol setups like PPP, or just give right of the choice to the
administrator. VPN is only just a layer.
+@cindex Windows
+@cindex Microsoft Windows
+@cindex Apple OS X
+@cindex OS X
@item Why there is no either OS X or Windows support?
Any closed source proprietary systems do not give ability to control the
computer. You can not securely use cryptography-related stuff without
keys. PFS property is per-session level: it won't protect from leaking
the session key from the memory.
+@cindex Anonymity
+@cindex Anonymous clients
@item What do you mean by saying that clients are anonymous?
That third-party can not differentiate one client from another looking
at the traffic (transport and handshake).
+@cindex Censorship
+@cindex Censorship resistance
+@cindex Censorship resistant
+@cindex DPI resistant
+@cindex DPI resistance
+@cindex DPI
@item What do you mean by censorship resistance?
Unability to distinguish either is it GoVPN-traffic is passing by, or
just @code{cat /dev/urandom | nc somehost}. If you can not differentiate
@item When should I use @ref{Encless, encryptionless mode}?
If you are operating under jurisdiction where courts can either sue you
-for encryption usage or can force you to somehow reveal you encryption
+for encryption usage or force you to somehow reveal you encryption
keys (however new session encryption keys are generated each session).
Those courts can not demand for authentication and signing keys in most
cases. @strong{Do not} let mode's name to confuse you: it still
going on in the network. With CPR option enabled you can tell either
somebody is online, or not -- nothing less, nothing more.
+@cindex DoS
@item Can I DoS (denial of service) the daemon?
Each transport packet is authenticated first with the very fast UMAC
algorithm -- in most cases resource consumption of TCP/UDP layers will