4 GoVPN is simple secure virtual private network daemon, written entirely
5 on @url{http://golang.org/, Go programming language}.
7 Reviewability, high 128-bit security margin and
8 @url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}
9 censorship resistance in mind in free software solution are the main
10 goals for that daemon. Most modern widespread protocols and their
11 implementations in software are too complex to be reviewed, analyzed and
14 State off art cryptography technologies includes:
15 @url{http://cr.yp.to/snuffle.html, Salsa20} stream encryption,
16 @url{http://143.53.36.235:8080/tea.htm, XTEA} PRP,
17 @url{http://cr.yp.to/mac.html, Poly1305} message authentication,
18 @url{https://en.wikipedia.org/wiki/PBKDF2} password-based key derivation
19 function based on @url{https://en.wikipedia.org/wiki/SHA-2, SHA-512}
21 @url{https://en.wikipedia.org/wiki/Encrypted_key_exchange,
22 Diffie-Hellman Augmented Encrypted Key Exchange}
23 (DH-A-EKE) powered by @url{http://cr.yp.to/ecdh.html, Curve25519},
24 @url{http://ed25519.cr.yp.to/, Ed25519} signatures and
25 @url{http://elligator.cr.yp.to/, Elligator} curve-point encoding.
27 @url{https://en.wikipedia.org/wiki/Zero-knowledge_password_proof, zero-knowledge}
28 mutual authentication with key exchange stage is invulnerable
29 to man-in-the-middle attacks.
30 @url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
31 property guarantee that compromising of long-term authentication
32 pre-shared key can not lead to previously captured traffic decrypting.
33 Compromising of peers password file on server side won't allow attacker
34 to masquerade as the client, because of asymmetric @strong{verifiers}
35 usage, resistant to dictionary attacks. Rehandshaking ensures session
36 keys rotation. MAC authentication with one-time keys protects against
37 @url{https://en.wikipedia.org/wiki/Replay_attack, replay attacks}.
39 Server can work with several clients simultaneously. Each client is
40 @strong{identified} by 128-bit key, that does not leak during handshake
41 and each client stays @strong{anonymous} for MiTM and DPI. All settings
42 are applied per-peer separately.
44 Optional ability to hide payload packets lengths by appending
45 @strong{noise} to them during transmission. Ability to generate constant
46 packet rate traffic (@strong{CPR}) that will hide even the fact of
47 packets appearance, their timestamps.
49 The only platform specific requirement is TAP network interface support.
50 API to that kind of device is different, OS dependent and non portable.
51 So only a few operating systems is officially supported. Author has no
52 proprietary software to work with, so currently there is lack of either
53 popular Microsoft Windows or Apple OS X support.
57 Copylefted free software: licensed under
58 @url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}
60 Works with @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP}
61 network interfaces on top of UDP entirely
63 @url{https://www.gnu.org/, GNU}/Linux and
64 @url{http://www.freebsd.org/, FreeBSD} support
66 @item Encrypted and authenticated payload transport
67 @item Relatively fast handshake
68 @item Password-authenticated key exchange
69 @item Server-side password verifiers are secure against dictionary attacks
70 @item Attacker can not masquerade a client even with password files compromising
71 @item Replay attack protection
72 @item Perfect forward secrecy property
73 @item Mutual two-side authentication
74 @item Zero knowledge authentication
75 @item Built-in rehandshake and heartbeat features
76 @item Several simultaneous clients support
77 @item Per-client configuration options
78 @item Hiding of payload packets length with noise
79 @item Hiding of payload packets timestamps with constant packet rate traffic
80 @item Optional built-in HTTP-server for retrieving information about
81 known connected peers in @url{http://json.org/, JSON} format