4 See also this page @ref{Новости, on russian}.
9 @item Fixed seldom possible segmentation fault on the server during
11 @item Dependant cryptographic libraries are updated.
17 @item Fixed fatal bug in nonce generation code, appeared in 7.1 version.
18 Everyone @strong{have to} update.
24 @item Fixed bug in client's identity generation and detection code:
25 simultaneous clients may be incorrectly identified, preventing their
26 connection establishing and allowing DPI to detect GoVPN packets.
32 @item (X)Salsa20 is replaced with ChaCha20. Theoretically it should be
33 faster and more secure. Previous versions are not compatible with it!
34 @item Ability to use TUN-interfaces under GNU/Linux. FreeBSD has already
35 supported them without any modifications.
41 @item Argon2d is replaced with Balloon hashing. Found Argon2 libraries
42 written on pure Go have various problems. Moreover Argon2i should be
43 used instead, but it has some possible
44 @url{http://eprint.iacr.org/2016/027, cryptographic defects}. So it is
45 replaced with much more simpler (and seems even cryptographically
46 better) @url{https://crypto.stanford.edu/balloon/, Balloon hashing}.
52 @item @option{-version} option added, printing program version.
58 @item Client reconnects in the loop when connection is lost. Optionally
59 you can disable that behaviour: client will exit immediately, as it
66 @item Optional ability to use syslog for logging, with
67 @url{https://tools.ietf.org/html/rfc5424, RFC 5424}-like
69 @item XTEA algorithm is not used anymore for nonce obfuscation, but
70 BLAKE2b-MAC instead. Encryptionless mode now really does not depend on
77 @item TAP interface name and remote peer's address are passed to up- and
78 down- scripts through environment variables.
79 @item Update Argon2 library to use version 1.3 of the algorithm.
85 @item Added up/down example script for replacing default route (thanks
87 @item Fixed documentation bug: @file{.info} was not installing.
93 @item Ability to work on 32-bit platforms. @emph{sync/atomic} library
94 has some specific issues that caused panics on previous versions.
100 @item Added optional time synchronization requirement.
101 It will add timestamps in handshake PRP authentication, disallowing to
102 repeat captured packet and get reply from the server, making it visible
109 @item Fixed minor bug with @command{newclient.sh} that caught
110 "Passphrase:" prompt and inserted it into example YAML output.
111 Just replaced stdout output to stderr for that prompt.
117 @item Ability to read passphrases directly from the terminal (user's
118 input) without using of keyfiles. @command{storekey.sh} utility removed.
124 @item Server is configured using @url{http://yaml.org/, YAML} file. It
125 is very convenient to have comments and templates, comparing to JSON.
126 @item Incompatible with previous versions replacement of @emph{HSalsa20}
127 with @emph{BLAKE2b} in handshake code.
133 @item New optional encryptionless mode of operation.
134 Technically no encryption functions are applied for outgoing packets, so
135 you can not be forced to reveal your encryption keys or sued for
137 @item MTUs are configured on per-user basis.
138 @item Simplified payload padding scheme, saving one byte of data.
139 @item Ability to specify TAP interface name explicitly without any
140 up-scripts for convenience.
141 @item @command{govpn-verifier} utility also can use EGD.
147 @item Fixed non-critical bug when server may fail if up-script is not
148 executed successfully.
154 @item @url{https://password-hashing.net/#argon2, Argon2d} is used instead
155 of PBKDF2 for password verifier hashing.
156 @item Client's identity is stored inside the verifier, so it simplifies
157 server-side configuration and the code.
163 @item Handshake messages can be noised: their messages lengths are
164 hidden. Now they are indistinguishable from transport messages.
165 @item Parallelized clients processing on the server side.
166 @item Much higher overall performance.
167 @item Single JSON file server configuration.
173 @item Ability to use TCP network transport.
174 Server can listen on both UDP and TCP sockets.
175 @item Ability to use HTTP proxies (through CONNECT method)
176 for accessing the server. Server can also emulate HTTP proxy behaviour.
177 @item Updated Poly1305 library with ARM-related bugfixes.
178 @item Go 1.5+ version is highly recommended because of performance
185 @item Ability to use external EGD-compatible PRNGs. Now you are
186 able to use GoVPN even on systems with the bad @file{/dev/random},
187 providing higher quality entropy from external sources.
188 @item Removed @option{-noncediff} option. It is replaced with in-memory
189 storage of seen nonces, thus eliminating possible replay attacks at all
190 without performance degradation related to inbound packets reordering.
196 @item Compatibility with an old GNU Make 3.x. Previously only BSD Make
197 and GNU Make 4.x were supported.
198 @item @file{/dev/urandom} is used for correct client identity generation
199 under GNU/Linux systems. Previously @file{/dev/random} can produce less
200 than required 128-bits of random.
206 @item Deterministic building: dependent libraries source code commits
207 are fixed in our makefiles.
208 @item No Internet connection is needed for building the source code: all
209 required libraries are included in release tarballs.
210 @item FreeBSD Make compatibility. GNU Make is not necessary anymore.
217 Diffie-Hellman public keys are encoded with Elligator algorithm when
218 sending over the wire, making them indistinguishable from the random
219 strings, preventing detection of successful decryption try when guessing
220 passwords (that are used to create DSA public keys). But this will
221 consume twice entropy for DH key generation in average.
228 EKE protocol is replaced by Augmented-EKE and static symmetric (both
229 sides have it) pre-shared key replaced with server-side verifier. This
230 requires, 64 more bytes in handshake traffic, Ed25519 dependency with
231 corresponding sign/verify computations, PBKDF2 dependency and its
232 usage on the client side during handshake.
234 A-EKE with PBKDF2-based verifiers is resistant to dictionary attacks,
235 can use human memorable passphrases instead of static keys and
236 server-side verifiers can not be used for authentication (compromised
237 server does not leak client's authentication keys/passphrases).
240 Changed transport message structure: added payload packet's length.
241 This will increase transport overhead for two bytes, but heartbeat
242 packets became smaller
245 Ability to hide underlying packets lengths by appending noise, junk
246 data during transmission. Each packet can be fill up-ed to its
250 Ability to hide underlying packets appearance rate, by generating
251 Constant Packet Rate traffic. This includes noise generation too.
253 Per-peer @option{-timeout}, @option{-noncediff}, @option{-noise} and
254 @option{-cpr} configuration options for server.
260 @item Added ability to optionally run built-in HTTP-server responding
261 with JSON of all known connected peers information. Real-time client's
263 @item Documentation is explicitly licenced under GNU FDL 1.3+.
269 @item Handshake packets became indistinguishable from the random. Now
270 all GoVPN's traffic is the noise for men in the middle.
272 @item Handshake messages are smaller (16% traffic reduce).
274 @item Adversary now can not create malicious fake handshake packets that
275 will force server to generate private DH key, preventing entropy
276 consuming and resource heavy computations.
282 @item Fixed several possible channel deadlocks.
288 @item Fixed Linux-related building.
294 @item Added clients identification.
295 @item Simultaneous several clients support by server.
296 @item Per-client up/down scripts.
302 @item Nonce obfuscation/encryption.
308 @item Performance optimizations.
314 @item Heartbeat feature.
315 @item Rehandshake feature.
316 @item up- and down- optional scripts.
322 @item FreeBSD support.