4 See also this page @ref{Новости, on russian}.
9 @item Fixed fatal bug in nonce generation code, appeared in 7.1 version.
10 Everyone @strong{have to} update.
16 @item Fixed bug in client's identity generation and detection code:
17 simultaneous clients may be incorrectly identified, preventing their
18 connection establishing and allowing DPI to detect GoVPN packets.
24 @item (X)Salsa20 is replaced with ChaCha20. Theoretically it should be
25 faster and more secure. Previous versions are not compatible with it!
26 @item Ability to use TUN-interfaces under GNU/Linux. FreeBSD has already
27 supported them without any modifications.
33 @item Argon2d is replaced with Balloon hashing. Found Argon2 libraries
34 written on pure Go have various problems. Moreover Argon2i should be
35 used instead, but it has some possible
36 @url{http://eprint.iacr.org/2016/027, cryptographic defects}. So it is
37 replaced with much more simpler (and seems even cryptographically
38 better) @url{https://crypto.stanford.edu/balloon/, Balloon hashing}.
44 @item @option{-version} option added, printing program version.
50 @item Client reconnects in the loop when connection is lost. Optionally
51 you can disable that behaviour: client will exit immediately, as it
58 @item Optional ability to use syslog for logging, with
59 @url{https://tools.ietf.org/html/rfc5424, RFC 5424}-like
61 @item XTEA algorithm is not used anymore for nonce obfuscation, but
62 BLAKE2b-MAC instead. Encryptionless mode now really does not depend on
69 @item TAP interface name and remote peer's address are passed to up- and
70 down- scripts through environment variables.
71 @item Update Argon2 library to use version 1.3 of the algorithm.
77 @item Added up/down example script for replacing default route (thanks
79 @item Fixed documentation bug: @file{.info} was not installing.
85 @item Ability to work on 32-bit platforms. @emph{sync/atomic} library
86 has some specific issues that caused panics on previous versions.
92 @item Added optional time synchronization requirement.
93 It will add timestamps in handshake PRP authentication, disallowing to
94 repeat captured packet and get reply from the server, making it visible
101 @item Fixed minor bug with @command{newclient.sh} that caught
102 "Passphrase:" prompt and inserted it into example YAML output.
103 Just replaced stdout output to stderr for that prompt.
109 @item Ability to read passphrases directly from the terminal (user's
110 input) without using of keyfiles. @command{storekey.sh} utility removed.
116 @item Server is configured using @url{http://yaml.org/, YAML} file. It
117 is very convenient to have comments and templates, comparing to JSON.
118 @item Incompatible with previous versions replacement of @emph{HSalsa20}
119 with @emph{BLAKE2b} in handshake code.
125 @item New optional encryptionless mode of operation.
126 Technically no encryption functions are applied for outgoing packets, so
127 you can not be forced to reveal your encryption keys or sued for
129 @item MTUs are configured on per-user basis.
130 @item Simplified payload padding scheme, saving one byte of data.
131 @item Ability to specify TAP interface name explicitly without any
132 up-scripts for convenience.
133 @item @command{govpn-verifier} utility also can use EGD.
139 @item Fixed non-critical bug when server may fail if up-script is not
140 executed successfully.
146 @item @url{https://password-hashing.net/#argon2, Argon2d} is used instead
147 of PBKDF2 for password verifier hashing.
148 @item Client's identity is stored inside the verifier, so it simplifies
149 server-side configuration and the code.
155 @item Handshake messages can be noised: their messages lengths are
156 hidden. Now they are indistinguishable from transport messages.
157 @item Parallelized clients processing on the server side.
158 @item Much higher overall performance.
159 @item Single JSON file server configuration.
165 @item Ability to use TCP network transport.
166 Server can listen on both UDP and TCP sockets.
167 @item Ability to use HTTP proxies (through CONNECT method)
168 for accessing the server. Server can also emulate HTTP proxy behaviour.
169 @item Updated Poly1305 library with ARM-related bugfixes.
170 @item Go 1.5+ version is highly recommended because of performance
177 @item Ability to use external EGD-compatible PRNGs. Now you are
178 able to use GoVPN even on systems with the bad @file{/dev/random},
179 providing higher quality entropy from external sources.
180 @item Removed @option{-noncediff} option. It is replaced with in-memory
181 storage of seen nonces, thus eliminating possible replay attacks at all
182 without performance degradation related to inbound packets reordering.
188 @item Compatibility with an old GNU Make 3.x. Previously only BSD Make
189 and GNU Make 4.x were supported.
190 @item @file{/dev/urandom} is used for correct client identity generation
191 under GNU/Linux systems. Previously @file{/dev/random} can produce less
192 than required 128-bits of random.
198 @item Deterministic building: dependent libraries source code commits
199 are fixed in our makefiles.
200 @item No Internet connection is needed for building the source code: all
201 required libraries are included in release tarballs.
202 @item FreeBSD Make compatibility. GNU Make is not necessary anymore.
209 Diffie-Hellman public keys are encoded with Elligator algorithm when
210 sending over the wire, making them indistinguishable from the random
211 strings, preventing detection of successful decryption try when guessing
212 passwords (that are used to create DSA public keys). But this will
213 consume twice entropy for DH key generation in average.
220 EKE protocol is replaced by Augmented-EKE and static symmetric (both
221 sides have it) pre-shared key replaced with server-side verifier. This
222 requires, 64 more bytes in handshake traffic, Ed25519 dependency with
223 corresponding sign/verify computations, PBKDF2 dependency and its
224 usage on the client side during handshake.
226 A-EKE with PBKDF2-based verifiers is resistant to dictionary attacks,
227 can use human memorable passphrases instead of static keys and
228 server-side verifiers can not be used for authentication (compromised
229 server does not leak client's authentication keys/passphrases).
232 Changed transport message structure: added payload packet's length.
233 This will increase transport overhead for two bytes, but heartbeat
234 packets became smaller
237 Ability to hide underlying packets lengths by appending noise, junk
238 data during transmission. Each packet can be fill up-ed to its
242 Ability to hide underlying packets appearance rate, by generating
243 Constant Packet Rate traffic. This includes noise generation too.
245 Per-peer @option{-timeout}, @option{-noncediff}, @option{-noise} and
246 @option{-cpr} configuration options for server.
252 @item Added ability to optionally run built-in HTTP-server responding
253 with JSON of all known connected peers information. Real-time client's
255 @item Documentation is explicitly licenced under GNU FDL 1.3+.
261 @item Handshake packets became indistinguishable from the random. Now
262 all GoVPN's traffic is the noise for men in the middle.
264 @item Handshake messages are smaller (16% traffic reduce).
266 @item Adversary now can not create malicious fake handshake packets that
267 will force server to generate private DH key, preventing entropy
268 consuming and resource heavy computations.
274 @item Fixed several possible channel deadlocks.
280 @item Fixed Linux-related building.
286 @item Added clients identification.
287 @item Simultaneous several clients support by server.
288 @item Per-client up/down scripts.
294 @item Nonce obfuscation/encryption.
300 @item Performance optimizations.
306 @item Heartbeat feature.
307 @item Rehandshake feature.
308 @item up- and down- optional scripts.
314 @item FreeBSD support.