@node FAQ
+@cindex FAQ
+@cindex Frequently Asked Questions
@unnumbered Frequently Asked Questions
@table @asis
+@cindex TLS
@item Why do not you use TLS?
It is complicated protocol. It uses Authenticate-then-Encrypt ordering
of algorithms -- it is not secure. Moreover its libraries are huge and
hard to read, review and analyze.
+@cindex SSH
@item Why do not you use SSH?
Its first protocol versions used A-a-E ordering, however later ones
supports even ChaCha20-Poly1305 algorithms. But its source code is not
so trivial and rather big to read and review. OpenSSH does not support
strong zero-knowledge password authentication.
+@cindex IPsec
@item Why do not you use IPsec?
It is rather good protocol, supported by all modern OSes. But it lacks
strong zero-knowledge password authentication and, again, its code is
authentication, high cryptographic protocol security, and most of this
software is written in C -- it is hard to write right on it.
+@cindex Why Go
+@cindex Go
@item Why GoVPN is written on Go?
Go is very easy to read, review and support. It makes complex code
writing a harder task. It provides everything needed to the C language:
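Review bot: "@cindex Why Go" indexes a question rather than a topic and will sort under W, where a reader is unlikely to look for it. "@cindex Go" on the next line already covers this item, so either drop the first entry or rephrase it as a noun phrase (for example "Go, rationale").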
You need to trust only yourself, not hardware token or some other
storage device. It is convenient.
+@cindex Network configuration
@item Why all network configuration must be done manually?
Because there are so many use-cases and setups, so many various
protocols, that either I support all of them, or use complicated
protocol setups like PPP, or just give right of the choice to the
administrator. VPN is only just a layer.
+@cindex Windows
+@cindex Microsoft Windows
+@cindex Apple OS X
+@cindex OS X
@item Why there is no either OS X or Windows support?
Any closed source proprietary systems do not give ability to control the
computer. You can not securely use cryptography-related stuff without
keys. PFS property is per-session level: it won't protect from leaking
the session key from the memory.
+@cindex Anonymity
+@cindex Anonymous clients
@item What do you mean by saying that clients are anonymous?
That third-party can not differentiate one client from another looking
at the traffic (transport and handshake).
+@cindex Censorship
+@cindex Censorship resistance
+@cindex Censorship resistant
+@cindex DPI resistant
+@cindex DPI resistance
+@cindex DPI
@item What do you mean by censorship resistance?
Unability to distinguish either is it GoVPN-traffic is passing by, or
just @code{cat /dev/urandom | nc somehost}. If you can not differentiate
one kind of traffic from another, then your only option is to forbid all
kinds of it.
+@item When should I use @ref{Encless, encryptionless mode}?
+If you are operating under jurisdiction where courts can either sue you
+for encryption usage or force you to somehow reveal you encryption
+keys (however new session encryption keys are generated each session).
+Those courts can not demand for authentication and signing keys in most
+cases. @strong{Do not} let mode's name to confuse you: it still
+provides confidentiality and authenticity of transmitted data! But pay
+attention that this mode is traffic and resource hungry and currently
+operate only in TCP mode.
+
@item When should I use @ref{Noise, noise} option?
In most cases you won't need it without @ref{CPR, constant packer rate}
turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,
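Review bot: the added "@item When should I use @ref{Encless, encryptionless mode}?" has no @cindex line, while the anonymity and censorship items earlier in this hunk each get one, so encryptionless mode will be missing from the concept index. Add an entry above it (for example "@cindex Encryptionless mode"); the @ref{Noise, noise} item right after it is also left unindexed. In the same added paragraph, "reveal you encryption keys" should read "your", "currently operate only in TCP mode" should read "operates", and "sue you for encryption usage" probably wants "prosecute". The six entries added above the censorship item include near duplicates that sort next to each other ("Censorship resistance" / "Censorship resistant", "DPI resistance" / "DPI resistant"); one form of each is enough.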
going on in the network. With CPR option enabled you can tell either
somebody is online, or not -- nothing less, nothing more.
+@cindex DoS
@item Can I DoS (denial of service) the daemon?
Each transport packet is authenticated first with the very fast UMAC
algorithm -- in most cases resource consumption of TCP/UDP layers will
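Review bot: the index entry added above the DoS item is the abbreviation only. The FAQ node at the top of this patch is indexed under both "FAQ" and "Frequently Asked Questions"; for consistency add "@cindex Denial of service" here too, so a reader who looks the term up by its full name finds this item.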