несбалансированный протокол согласования ключей с двусторонней
аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый
транспортный протокол передачи данных, скрывающий длины сообщений и их
-временные характеристики. Свойство совершенной прямой секретности.
-Устойчивость к: внесетевым (offline) атакам по словарю, атакам
-повторного воспроизведения (replay), компрометации клиентских парольных
-фраз на стороне сервера. Встроенные функции сердцебиения (heartbeat),
-пересогласования ключей, статистика реального времени. Возможность
-работы поверх UDP, TCP и HTTP прокси. Совместимость с IPv4 и IPv6.
-Поддержка GNU/Linux и FreeBSD.
+временные характеристики. Опциональный нешифрованный режим, который
+всё-равно обеспечивает конфиденциальность и аутентичность данных.
+Свойство совершенной прямой секретности. Устойчивость к: внесетевым
+(offline) атакам по словарю, атакам повторного воспроизведения (replay),
+компрометации клиентских парольных фраз на стороне сервера. Встроенные
+функции сердцебиения (heartbeat), пересогласования ключей, статистика
+реального времени. Возможность работы поверх UDP, TCP и HTTP прокси.
+Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD.
GoVPN это свободное программное обеспечением: условия распространения
находятся в файле COPYING.
-Домашняя страница: http://govpn.info/ -> http://www.cypherpunks.ru/govpn/
+Домашняя страница: http://www.cypherpunks.ru/govpn/ (http://govpn.info/)
также доступна как скрытый сервис Tor: http://vabu56j2ep2rwv3b.onion/govpn/
Пожалуйста все вопросы касающиеся использования GoVPN, отчёты об ошибках
и патчи отправляйте в govpn-devel почтовую рассылку:
-https://lists.cypherpunks.ru/mailman/listinfo/govpn-devel/
+https://lists.cypherpunks.ru/pipermail/govpn-devel/
Исходный код для разработчика находится в Git репозитории:
http://git.cypherpunks.ru/cgit.cgi/govpn.git/
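Review bot: the link after "отправляйте в govpn-devel почтовую рассылку" now points at the pipermail archive (https://lists.cypherpunks.ru/pipermail/govpn-devel/) instead of the mailman listinfo page it replaces; the archive is read-only and shows neither how to subscribe nor the posting address, so a reader told to "send patches to the list" has nowhere to send them. Keep the listinfo URL here (or put the list's e-mail address next to the archive link) and move the pipermail URL to a separate "archives" line.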
cp -f doc/govpn.info $(INFODIR)
chmod 644 $(INFODIR)/govpn.info
mkdir -p $(SHAREDIR)
- cp -f utils/newclient.sh utils/storekey.sh $(SHAREDIR)
- chmod 755 $(SHAREDIR)/newclient.sh $(SHAREDIR)/storekey.sh
+ cp -f utils/newclient.sh $(SHAREDIR)
+ chmod 755 $(SHAREDIR)/newclient.sh
mkdir -p $(DOCDIR)
cp -f -L AUTHORS INSTALL NEWS README README.RU THANKS $(DOCDIR)
chmod 644 $(DOCDIR)/*
@node О демоне
+@cindex About (russian)
+@cindex Description (russian)
+@cindex О демоне
+@cindex Описание
+@cindex Вступление
@unnumbered Подробнее о демоне GoVPN
GoVPN это простой демон виртуальных частных сетей, код которого нацелен
на лёгкость чтения и анализа, безопасность, устойчивость к DPI/цензуре.
@itemize
+
@item
Свободное программное обеспечение, копилефт: лицензировано под условиями
@url{https://www.gnu.org/licenses/gpl-3.0.ru.html, GPLv3+}.
+
@item
Быстрый сильный @ref{PAKE, аутентифицируемый по парольной фразе}
несбалансированный протокол @ref{Handshake, согласования ключей} с
двусторонней аутентификацией сторон и нулевым неразглашением (PAKE DH
A-EKE (Diffie-Hellman Augmented Encrypted Key Exchange)).
+
@item
@ref{Verifier structure, Несбалансированные аутентификационные токены}
устойчивые к внесетевым (offline) атакам по словарю. Используют
усиленный по CPU и памяти алгоритм хэширования. Злоумышленник не может
замаскироваться под клиента даже скомпрометировав базу данных токенов
сервера.
+
@item
Зашифрованный и аутентифицируемый @ref{Transport, транспортный протокол}
передачи данных с 128-бит @ref{Developer, порогом безопасности} и
современной криптографией.
+
@item
Опциональный @ref{Encless, нешифрованный режим}: функции шифрования не
применяются для исходящего трафика, вместо них кодирование всё-равно
обеспечивающее конфиденциальность. Юрисдикции и суды не могут вас
вынудить выдать ключи шифрования или привлечь за использование
шифрования.
+
@item
Цензуроустойчивые сообщения транспорта и рукопожатия: неотличимые от
шума с опциональным скрытием размеров сообщений.
+
@item
Свойство @url{https://ru.wikipedia.org/wiki/Perfect_forward_secrecy,
совершенной прямой секретности} (perfect forward secrecy).
+
@item
Защита от атак повторного воспроизведения (replay) (используя
одноразовые MAC).
+
@item
Встроенные функции пересогласования ключей (ротация сессионных ключей) и
сердцебиения (heartbeat).
+
@item
Возможность скрывать размеры пакетов путём @ref{Noise, зашумления} данных.
+
@item
Возможность скрывать временные характеристики полезной нагрузки путём
@ref{CPR, постоянного по скорости} трафика.
+
@item
Совместимость с @url{http://egd.sourceforge.net/, EGD} (демон сборки
энтропии) генераторами псевдослучайных чисел.
+
@item
Поддержка нескольких клиентов одновременно с специфичной для каждого
конфигурацией. Клиенты имеют заранее установленный @ref{Identity,
идентификатор}, невидимый третьим лицам (они анонимны для них).
+
@item
Использует @url{https://ru.wikipedia.org/wiki/TUN/TAP, TAP} низлежащие
сетевые интерфейсы.
+
@item
Может работать поверх @ref{Network, UDP и TCP} или HTTP @ref{Proxy,
прокси} для доступа к серверу.
+
@item
Полностью IPv4 и IPv6 совместимый.
+
@item
Опциональный встроенный HTTP-сервер для получения @ref{Stats,
статистики} о подключённых клиентах в режиме реального времени в
@url{http://json.org/, JSON} формате.
+
@item
Сервер конфигурируется используя @url{http://yaml.org/, YAML} файл.
+
@item
Написан на языке @url{https://golang.org/, Go} с простым кодом,
ориентированным на лёгкость чтения и анализа.
+
@item
Поддержка @url{https://www.gnu.org/, GNU}/Linux и
@url{https://www.freebsd.org/, FreeBSD}.
+
@end itemize
+@cindex About
+@cindex Description
+@cindex Introduction
+
GoVPN is simple free software virtual private network daemon,
aimed to be reviewable, secure and
@url{https://en.wikipedia.org/wiki/Deep_packet_inspection, DPI}/censorship-resistant.
@itemize
+
@item
Copylefted free software: licenced under
@url{https://www.gnu.org/licenses/gpl-3.0.html, GPLv3+}.
+
@item
Fast strong @ref{PAKE, passphrase authenticated} augmented
@ref{Handshake, key agreement protocol} with zero-knowledge mutual peers
authentication (PAKE DH A-EKE (Diffie-Hellman Augmented Encrypted Key
Exchange)).
+
@item
@ref{Verifier structure, Augmented authentication tokens} resistant to
offline dictionary attacks. They use CPU and memory hardened hashing
algorithm. An attacker can not masquerade a client even with server
passphrase verifiers compromising.
+
@item
Encrypted and authenticated @ref{Transport, payload transport}
with 128-bit @ref{Developer, security margin} state-of-the-art
cryptography.
+
@item
Optional @ref{Encless, encryptionless mode} of operation: no encryption
functions are applied for outgoing traffic, but still confidentiality
preserving encoding. Jurisdictions and courts can not either force you
to reveal encryption keys or sue for encryption usage.
+
@item
Censorship resistant handshake and transport messages: fully
indistinguishable from the noise with optionally hidden packets length.
+
@item
@url{https://en.wikipedia.org/wiki/Forward_secrecy, Perfect forward secrecy}
property.
+
@item
Replay attack protection (using one-time MACs).
+
@item
Built-in rehandshake (session key rotation) and heartbeat features.
+
@item
Ability to hide packets length with the @ref{Noise, noise} data.
+
@item
Ability to hide payload timestamps with @ref{CPR, constant packet rate}
traffic.
+
@item
Compatible with @url{http://egd.sourceforge.net/, EGD} (entropy
gathering daemon) PRNGs.
+
@item
Several simultaneous clients support with per-client configuration
options. Clients have pre-established @ref{Identity, identity} invisible
for third-parties (they are anonymous).
+
@item
Uses @url{https://en.wikipedia.org/wiki/TAP_(network_driver), TAP}
underlying network interfaces.
+
@item
Can use @ref{Network, UDP and TCP} or HTTP @ref{Proxy, proxies}
for accessing the server.
+
@item
Fully IPv4 and IPv6 compatible.
+
@item
Optional built-in HTTP-server for retrieving real-time
@ref{Stats, statistics} information about known connected peers in
@url{http://json.org/, JSON} format.
+
@item
Server is configured through the @url{http://yaml.org/, YAML} file.
+
@item
Written on @url{https://golang.org/, Go} programming language with
simple code that can be read and reviewed.
+
@item
@url{https://www.gnu.org/, GNU}/Linux and
@url{https://www.freebsd.org/, FreeBSD} support.
+
@end itemize
@node Client
+@cindex Client
+@cindex Client part
+@cindex Client configuration
+@cindex Client side
+@cindex Configuring client
+@cindex govpn-client
@section Client part
Except for common @code{-stats}, @code{-egd} options client has the
Our client's @ref{Verifier}.
@item -key
-Path to the file with the passphrase. See @ref{Verifier} for
-how to enter passphrase from stdin silently and store it in the file.
+Path to the file with the passphrase. If omitted, then you will be asked
+to enter it in the terminal.
@item -timeout
@ref{Timeout} setting in seconds.
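Review bot: the new -key text ("If omitted, then you will be asked to enter it in the terminal") should state that this requires an interactive terminal on stdin: KeyRead in this patch calls terminal.ReadPassword(0), which fails with an ioctl error when fd 0 is not a tty, so a govpn-client started from an rc script, a supervisor, or with the passphrase piped in must still be given -key. One sentence here avoids a puzzling failure at boot, and the same caveat belongs in the Verifier section.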
@node Contacts
+@cindex Contacts
+@cindex Feedback
+@cindex Support
+@cindex Help
+@cindex Maillist
@unnumbered Contacts
Please send questions regarding the use of GoVPN, bug reports and patches to
@node CPR
+@cindex CPR
+@cindex Constant Packet Rate
@subsection Constant Packet Rate
Constant Packet Rate is used to hide fact of underlying payload packets
@node Developer
+@cindex Developer manual
+@cindex Developer
+@cindex Cryptography
@unnumbered Developer manual
Pay attention how to get @ref{Sources, development source code}.
@node Tarballs
+@cindex Download
+@cindex Tarball
+@cindex Prepared tarballs
@section Prepared tarballs
You can obtain releases source code prepared tarballs from the links below:
@multitable {XXXXX} {XXXX KiB} {link sign} {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
@headitem Version @tab Size @tab Tarball @tab SHA256 checksum
+@item 5.1 @tab 287 KiB
+@tab @url{download/govpn-5.1.tar.xz, link} @url{download/govpn-5.1.tar.xz.sig, sign}
+@tab @code{0d456c5683287dca31f8c3302eb9a9329feab82bc1fbdb0098fca991513536d1}
+
@item 5.0 @tab 237 KiB
@tab @url{download/govpn-5.0.tar.xz, link} @url{download/govpn-5.0.tar.xz.sig, sign}
@tab @code{cc186a3b800279b6f5a7c86d61b250c24cf97235f6c3e1bb05a6cb60251085c6}
@node EGD
+@cindex EGD
+@cindex Entropy Gathering Daemon
+@cindex Entropy
@subsection Entropy Gathering Daemon
Overall security mainly depends on client side:
@node Encless
+@cindex Encryptionless
+@cindex Encryptionless mode
+@cindex Chaffing-and-Winnowing
+@cindex AONT
+@cindex All-Or-Nothing-Transformation
+@cindex OAEP
+@cindex SAEP+
@subsection Encryptionless mode
Some jurisdictions can force user to reveal his encryption keys. However
@node Example
+@cindex Example
+@cindex Example usage
+@cindex Tutorial
@section Example usage
Let's assume that there is some insecure link between your computer and
@strong{Prepare the client}. Generate client's verifier for Alice as an
example:
+@cindex newclient.sh
+
@verbatim
client% ./utils/newclient.sh Alice
-Enter passphrase:
+Passphrase:
Your client verifier is: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg
Place the following YAML configuration entry on the server's side:
up: /path/to/up.sh
iface: or TAP interface name
verifier: $argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10
-
-Verifier was generated with:
-
- ./utils/storekey.sh /tmp/passphrase
- govpn-verifier -key /tmp/passphrase
@end verbatim
@strong{Prepare the server}. Add this entry to @code{peers.yaml}
@strong{Prepare network on GNU/Linux IPv4 server}:
@example
-server% umask 077
server% ip addr add 192.168.0.1/24 dev wlan0
server% tunctl -t tap10
server% ip addr add 172.16.0.1/24 dev tap10
@strong{Prepare network on GNU/Linux IPv4 client}:
@example
-client% umask 066
-client% utils/storekey.sh key.txt
client% ip addr add 192.168.0.2/24 dev wlan0
client% tunctl -t tap10
client% ip addr add 172.16.0.2/24 dev tap10
@strong{Run client daemon itself}:
@example
client% govpn-client \
- -key key.txt \
-verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \
-iface tap10 \
-remote 192.168.0.1:1194
client% ifconfig tap10 inet6 fc00::2/96 up
client% route -6 add default fc00::1
client% govpn-client \
- -key key.txt \
-verifier '$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg' \
-iface tap10 \
-remote "[fe80::1%me0]":1194
@node ЧАВО
+@cindex FAQ (russian)
+@cindex ЧАВО
+@cindex Часто задаваемые вопросы
@unnumbered Часто задаваемые вопросы
@table @asis
высокоэнтропийный ключ. Вам нужно доверять только себе, не аппаратному
токену или другому устройству хранения. Это удобно.
+@cindex Настройка сети
@item Почему вся настройка сети делается вручную?
Потому-что существует так много вариантов использования, конфигураций и
установок, что или я поддерживаю их всех, или использую громоздкие
уровне сессии: оно не спасёт если сессионный ключ скомпрометирован из
памяти.
+@cindex Анонимность
+@cindex Анонимные клиенты
@item Что вы подразумеваете когда говорите что клиенты анонимны?
Что третьей лицо не может отличить одного клиента от другого, смотря на
трафик (транспортный или рукопожатия).
+@cindex Цензуроустойчивость
@item Что вы подразумеваете под цензуроустойчивостью?
Невозможность определить GoVPN ли это трафик или просто
@code{cat /dev/urandom | nc somehost}. Если вы не можете отличить один
виду, что этот режим требователен к ресурсам и трафику и пока работает
только в TCP режиме.
+@item Вы думаете нешифрованный режим с его случайными данными поможет в суде?
+Если всё что не может быть прочитано кем-угодно считается шифрованием,
+то нет, этот режим вам не поможет. Представьте что вы говорите на другом
+иностранном языке или просто используете другую схему кодирования данных.
+
@item Когда я должен использовать @ref{Noise, noise} опцию?
В большинстве случаев она вам не нужна без включённого
@ref{CPR, постоянного по скорости трафика} (CPR). Без CPR и шума, в
обрабатывается только если зашифрованный @ref{Identity, идентификатор}
клиента найден: он использует быстрый PRP без потребления энтропии.
+@item Почему YAML для конфигурации?
+Есть не так много хорошо известных форматов позволяющих комментировать,
+легко редактировать людьми (XML совсем не дружелюбен к человеку, JSON
+более менее). Возможно самое важное свойство это шаблоны YAML: очень
+удобно сохранить много клиентов, имеющих схожие настройки, в одном
+конфигурационном файле.
+
@end table
@node FAQ
+@cindex FAQ
+@cindex Frequently Asked Questions
@unnumbered Frequently Asked Questions
@table @asis
+@cindex TLS
@item Why do not you use TLS?
It is complicated protocol. It uses Authenticate-then-Encrypt ordering
of algorithms -- it is not secure. Moreover its libraries are huge and
hard to read, review and analyze.
+@cindex SSH
@item Why do not you use SSH?
Its first protocol versions used A-a-E ordering, however later ones
supports even ChaCha20-Poly1305 algorithms. But its source code is not
so trivial and rather big to read and review. OpenSSH does not support
strong zero-knowledge password authentication.
+@cindex IPsec
@item Why do not you use IPsec?
It is rather good protocol, supported by all modern OSes. But it lacks
strong zero-knowledge password authentication and, again, its code is
authentication, high cryptographic protocol security, and most of this
software is written in C -- it is hard to write right on it.
+@cindex Why Go
+@cindex Go
@item Why GoVPN is written on Go?
Go is very easy to read, review and support. It makes complex code
writing a harder task. It provides everything needed to the C language:
You need to trust only yourself, not hardware token or some other
storage device. It is convenient.
+@cindex Network configuration
@item Why all network configuration must be done manually?
Because there are so many use-cases and setups, so many various
protocols, that either I support all of them, or use complicated
protocol setups like PPP, or just give right of the choice to the
administrator. VPN is only just a layer.
+@cindex Windows
+@cindex Microsoft Windows
+@cindex Apple OS X
+@cindex OS X
@item Why there is no either OS X or Windows support?
Any closed source proprietary systems do not give ability to control the
computer. You can not securely use cryptography-related stuff without
keys. PFS property is per-session level: it won't protect from leaking
the session key from the memory.
+@cindex Anonymity
+@cindex Anonymous clients
@item What do you mean by saying that clients are anonymous?
That third-party can not differentiate one client from another looking
at the traffic (transport and handshake).
+@cindex Censorship
+@cindex Censorship resistance
+@cindex DPI resistance
@item What do you mean by censorship resistance?
Unability to distinguish either is it GoVPN-traffic is passing by, or
just @code{cat /dev/urandom | nc somehost}. If you can not differentiate
attention that this mode is traffic and resource hungry and currently
operate only in TCP mode.
+@item Do you think encryptionless mode with all those random data helps in court?
+If anything that can not be read by anyone is considered encryption,
+then no, encryptionless mode won't help you. Imagine that either you are
+talking on another foreign language, or just use another date encoding
+scheme.
+
@item When should I use @ref{Noise, noise} option?
In most cases you won't need it without @ref{CPR, constant packer rate}
turned on. Without CPR and noise options GoVPN traffic (like TLS, IPsec,
going on in the network. With CPR option enabled you can tell either
somebody is online, or not -- nothing less, nothing more.
+@cindex DoS
@item Can I DoS (denial of service) the daemon?
Each transport packet is authenticated first with the very fast UMAC
algorithm -- in most cases resource consumption of TCP/UDP layers will
when an encrypted client's @ref{Identity, identity} is found: it uses
fast PRP without any entropy usage.
+@cindex Why YAML
+@item Why YAML for configuration?
+There are not so many well-known formats that allow commenting, easy
+editing by human (XML is not human friendly at all, JSON is more or
+less). Probably the most useful feature is YAML's templates: it is very
+convenient for storing many clients sharing the same options in the
+configuration file.
+
@end table
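Review bot: the new FAQ answer ("If anything that can not be read by anyone is considered encryption, then no, encryptionless mode won't help you") contradicts the unconditional claim this same patch keeps in about.texi, "Jurisdictions and courts can not either force you to reveal encryption keys or sue for encryption usage." Soften the feature-list bullet (for example "may not be able to") so the two texts agree; the Russian copies in about.ru.texi and in the ЧАВО section have the same mismatch. Also "another date encoding scheme" should read "another data encoding scheme" (the Russian answer says кодирования данных), and the pre-existing "constant packer rate" in the noise answer should be "constant packet rate".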
* In the media: Media.
* TODO::
* Copying conditions::
+* Concept index::
@end menu
@include about.ru.texi
@insertcopying
@verbatiminclude fdl.txt
+
+@node Concept index
+@unnumbered Concept index
+
+@printindex cp
+
@bye
@node Handshake
+@cindex Handshake
+@cindex Handshake protocol
+@cindex Diffie-Hellman
+@cindex ed25519
+@cindex curve25519
+@cindex Elligator
+@cindex Perfect Forward Secrecy
+@cindex PFS
+@cindex IDtag
+@cindex Shared key
+@cindex DH-EKE
+@cindex DH
+@cindex EKE
+@cindex A-EKE
+@cindex DH-A-EKE
@section Handshake protocol
@verbatiminclude handshake.utxt
@node Identity
+@cindex Client identity
+@cindex Identity
@subsection Identity
Client's identity is 128-bit string. It is not secret, so can be
@node Installation
+@cindex Installation
+@cindex Getting GoVPN
+@cindex Requirements
+@cindex Dependencies
+@cindex Ports
+@cindex Packages
+@cindex FreeBSD
+@cindex AUR
+@cindex Texinfo
@unnumbered Installation
Possibly GoVPN already exists in your distribution:
@node Integrity
+@cindex Integrity
+@cindex Tarball integrity
+@cindex PGP
+@cindex Public key
@section Tarballs integrity check
You @strong{have to} verify downloaded archives integrity and check
@node Media
+@cindex In the media
+@cindex Articles
@unnumbered In the media
@itemize
@node MTU
+@cindex MTU
+@cindex Maximum Transmission Unit
@subsection Maximum Transmission Unit
MTU option tells what maximum transmission unit is expected to get from
@node Network
+@cindex Transport
+@cindex Network transport
+@cindex TCP
+@cindex UDP
@subsection Network transport
You can use either UDP or TCP underlying network transport protocols.
@node News
+@cindex Releases
+@cindex News
@unnumbered News
@table @strong
+@item Release 5.2
+@cindex Release 5.2
+@itemize
+@item Ability to read passphrases directly from the terminal (user's
+input) without using of keyfiles. @code{storekey.sh} utility removed.
+@end itemize
+
@item Release 5.1
+@cindex Release 5.1
@itemize
@item Server is configured using @url{http://yaml.org/, YAML} file. It
is very convenient to have comments and templates, comparing to JSON.
@end itemize
@item Release 5.0
+@cindex Release 5.0
@itemize
@item New optional @ref{Encless, encryptionless mode} of operation.
Technically no encryption functions are applied for outgoing packets, so
@end itemize
@item Release 4.2
+@cindex Release 4.2
@itemize
@item Fixed non-critical bug when server may fail if up-script is not
executed successfully.
@end itemize
@item Release 4.1
+@cindex Release 4.1
@itemize
@item @url{https://password-hashing.net/#argon2, Argon2d} is used instead
of PBKDF2 for password verifier hashing.
@end itemize
@item Release 4.0
+@cindex Release 4.0
@itemize
@item Handshake messages can be noised: their messages lengths are
hidden. Now they are indistinguishable from transport messages.
@end itemize
@item Release 3.5
+@cindex Release 3.5
@itemize
@item Ability to use @ref{Network, TCP} network transport.
Server can listen on both UDP and TCP sockets.
@end itemize
@item Release 3.4
+@cindex Release 3.4
@itemize
@item Ability to use external @ref{EGD}-compatible PRNGs. Now you are
able to use GoVPN even on systems with the bad @code{/dev/random},
@end itemize
@item Release 3.3
+@cindex Release 3.3
@itemize
@item Compatibility with an old GNU Make 3.x. Previously only BSD Make
and GNU Make 4.x were supported.
@end itemize
@item Release 3.2
+@cindex Release 3.2
@itemize
@item
Deterministic building: dependent libraries source code commits are
@end itemize
@item Release 3.1
+@cindex Release 3.1
@itemize
@item
Diffie-Hellman public keys are encoded with Elligator algorithm when
@end itemize
@item Release 3.0
+@cindex Release 3.0
@itemize
@item
EKE protocol is replaced by Augmented-EKE and static symmetric (both
@end itemize
@item Release 2.4
+@cindex Release 2.4
@itemize
@item
Added ability to optionally run built-in HTTP-server responding with
@end itemize
@item Release 2.3
+@cindex Release 2.3
@itemize
@item
Handshake packets became indistinguishable from the random.
@end itemize
@item Release 2.2
+@cindex Release 2.2
@itemize
@item Fixed several possible channel deadlocks.
@end itemize
@item Release 2.1
+@cindex Release 2.1
@itemize
@item Fixed Linux-related building.
@end itemize
@item Release 2.0
+@cindex Release 2.0
@itemize
@item Added clients identification.
@item Simultaneous several clients support by server.
@end itemize
@item Release 1.5
+@cindex Release 1.5
@itemize
@item Nonce obfuscation/encryption.
@end itemize
@item Release 1.4
+@cindex Release 1.4
@itemize
@item Performance optimizations.
@end itemize
@item Release 1.3
+@cindex Release 1.3
@itemize
@item Heartbeat feature.
@item Rehandshake feature.
@end itemize
@item Release 1.1
+@cindex Release 1.1
@itemize
@item FreeBSD support.
@end itemize
@item Release 1.0
+@cindex Release 1.0
@itemize
@item Initial stable release.
@end itemize
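Review bot: the Release 5.2 entry should tell users what changed in the interface, not only that storekey.sh is gone: -key is now optional for govpn-verifier and govpn-client, the passphrase prompt is the default, and the build gained a dependency on golang.org/x/crypto/ssh/terminal (added to the makedist includes list in this patch), which packagers need to know about. Grammar: "without using of keyfiles" should be "without using keyfiles".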
@node Noise
+@cindex Noise
+@cindex Timestamps
@subsection Noise
So-called noise is used to hide underlying payload packets length.
@node PAKE
+@cindex Password Authenticated Key Agreement
+@cindex PAKE
@subsection Password Authenticated Key Agreement
-Previously we used pre-shared high-entropy long-term static key for
-client-server authentication. Is is secure, but not convenient for some
-user use-cases:
+GoVPN uses strong password authentication. That means that it uses human
+memorable @strong{passphrases}, instead of some small high-entropy keys
+that must be carried with himself. Passphrases differ from passwords:
+they are long string of low-entropy characters -- they are easy to
+remember and can have high overall entropy.
+
+Strong zero-knowledge authentication means that:
@itemize
-@item Compromising of passphrase files on either server or client side
-allows attacker to masquerade himself a client.
-@item To prevent compromising of keys on the client side, one needs some
-kind of passphrase protected secure storage (like either PGP with
-decryption to the memory, or full-disk encryption).
+@item compromising of passphrase files on either server or client sides
+won't allow attackers to masquerade himself the client;
+@item no need of protected secure storage on the server's side to keep
+keys in safety.
@end itemize
-Overall security on the client side is concentrated in passphrase
-(high-entropy password), so it is convenient to use it in GoVPN
-directly, without static on-disk keys. That is why we use passphrase
-authenticated key agreement.
-
-We use "passphrase" term instead of "password". Technically there may be
-no difference between them. But as a rule passphrases are @strong{long}
-strings with low entropy characters. Because of low entropy characters,
-they are memorable. Because of their quantity, they acts as a high
-entropy source.
-
Passphrases are entered directly by the human on the client side. Server
-side stores previously shared so-called @ref{Verifier, verifier}. Verifier
-contains dictionary attack resistant password derivative. Attacker can not
-use it to act as a client.
+side stores pre-shared @ref{Verifier, verifier}, containing dictionary
+attack resistant passphrase derivative. Attacker can not use it to act
+as a client.
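Review bot: the first bullet of the rewritten list is wrong for the client side: "compromising of passphrase files on either server or client sides won't allow attackers to masquerade himself the client". An augmented PAKE only protects against compromise of the server-side verifier; a plaintext passphrase file on the client (the -key file this patch keeps as an option) is the client's entire secret, and whoever reads it can authenticate as that client. Restrict the bullet to the server side ("compromising the verifier database on the server does not let an attacker impersonate the client"), which is what the about.texi bullet and the Verifier section already say. Wording: "carried with himself" should be "carried around", "masquerade himself the client" should be "impersonate the client".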
@node Precautions
+@cindex Dangers
+@cindex Precautions
@unnumbered Precautions
@enumerate
@item
-We use password (passphrase) authentication, so overall security fully
-depends on its strength. You @strong{should} use long, high-entropy
-passphrases. Also remember to keep passphrase in temporary file and read
-it securely as described in @ref{Verifier, verifier}.
+We use passphrase authentication, so overall security fully depends on
+its strength. You @strong{should} use long, high-entropy passphrases.
+Also remember to keep passphrase in temporary file and read it securely
+as described in @ref{Verifier, verifier}.
@item
You must @strong{never} use the same key for multiple clients.
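Review bot: the rewritten precaution still says "remember to keep passphrase in temporary file and read it securely as described in Verifier", but this patch removes storekey.sh and the Verifier section now presents the keyfile as optional with the terminal prompt as the default, so the advice points at a workflow the patch deletes. Reword it to recommend the prompt, and describe the keyfile (memory disk or encrypted filesystem, 0600 permissions, removed after use) only for non-interactive starts.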
@node Proxy
+@cindex Proxy
+@cindex HTTP proxy
+@cindex HTTP authentication
+@cindex CONNECT
+@cindex HTTP
@subsection Proxy
You can proxy your requests through HTTP using CONNECT method. This can
@node Server
+@cindex Server
+@cindex Server part
+@cindex Server configuration
+@cindex Server side
+@cindex govpn-server
@section Server part
Except for common @code{-stats}, @code{-egd} options server has the
@end table
+@cindex YAML
+@cindex YAML configuration
+@cindex Configuration file
Configuration file is YAML file with following example structure:
@verbatim
For example up-script can be just @code{echo tap10}, or more advanced
like the following one:
+@cindex up-script
+
@example
#!/bin/sh
$tap=$(ifconfig tap create)
@node Sources
+@cindex Sources
+@cindex Source code
+@cindex Development source code
+@cindex Git
+@cindex Repository
+@cindex Mirrors
@section Development source code
Development source code contains the latest version of the code. It may
@node Stats
+@cindex Stats
+@cindex Statistics
@subsection Statistics
Both client and server has ability to show statistics about known
@node Thanks
+@cindex Thanks
@unnumbered Thanks
Thanks for contributions and suggestions to:
@node Timeout
+@cindex Timeout
@subsection Timeout
Because of stateless UDP nature there is no way to reliably know if
@node TODO
+@cindex TODO
@unnumbered TODO
@itemize
@node Transport
+@cindex Transport
+@cindex Transport protocol
+@cindex Salsa20
+@cindex PRP
+@cindex Nonce
+@cindex Poly1305
+@cindex XTEA
+@cindex Serial
@section Transport protocol
@verbatim
@node User
+@cindex User
+@cindex User manual
@unnumbered User manual
-Announcements about updates and new releases can be found in @ref{Contacts}.
+Announcements about updates and new releases can be found in
+@ref{Contacts, contacts}.
GoVPN is split into two pieces: @ref{Client} and @ref{Server}. Each of
them work on top of @ref{Network, UDP/TCP} and TAP virtual network
nothing more. All you IP-related network management is not touched by
VPN at all. You can automate it using up and down shell scripts.
+@cindex Performance
What network performance can user expect? For example single
@emph{Intel i5-2450M 2.5 GHz} core on @emph{FreeBSD 10.2 amd64}
with @emph{Go 1.5.1} gives 786 Mbps (UDP transport) throughput.
@node Verifier
+@cindex Verifier
+@cindex govpn-verifier
@subsection Verifier
-Verifier is created using @code{govpn-verifier} utility. But currently
-Go does not provide native instruments to read passwords without echoing
-them to stdout. You can use @code{utils/storekey.sh} script to read them
-silently.
+Verifier is created using @code{govpn-verifier} utility.
@example
-% utils/storekey.sh mypass.txt
-Enter passphrase:[hello world]
-% govpn-verifier -key mypass.txt
+% govpn-verifier
+Passphrase:[hello world]
$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg$KCNIqfS4DGsBTtVytamAzcISgrlEWvNxan1UfBrFu10
$argon2d$m=4096,t=128,p=1$bwR5VjeCYIQaa8SeaI3rqg
@end example
option with the path to verifier file:
@example
-% govpn-verifier -key mypass.txt -verifier '$argon2d...'
+% govpn-verifier -verifier '$argon2d...'
+Passphrase:[hello world]
true
@end example
-Plaintext passphrases @strong{must} be stored on volatile memory, for
-example either in memory disk, or on encrypted filesystem with
-restrictive permissions to the file.
+Optionally you can store plaintext passphrases on volatile memory
+(memory disk, encrypted filesystem with restrictive permissions to the
+file) and provide @code{-key} option.
@node Verifier structure
+@cindex Verifier structure
+@cindex Argon2
+@cindex Argon2d
+@cindex Salt
@section Verifier structure
Verifier is a derivative of the password. It is resistant to
if err != nil {
log.Fatalln(err)
}
- priv := verifier.PasswordApply(govpn.StringFromFile(*keyPath))
+ key, err := govpn.KeyRead(*keyPath)
+ if err != nil {
+ log.Fatalln("Unable to read the key", err)
+ }
+ priv := verifier.PasswordApply(key)
if *encless {
if *proto != "tcp" {
log.Fatalln("Currently encryptionless mode works only with TCP")
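Review bot: KeyRead, and with it the interactive passphrase prompt, now runs before the encless/proto sanity check at the end of this hunk, so with -encless and a non-TCP -proto the user types the passphrase and only then sees "Currently encryptionless mode works only with TCP". Move the flag validation above the key, err := govpn.KeyRead(*keyPath) call so that usage errors are reported before any secret is requested.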
package main
import (
- "crypto/subtle"
+ "bytes"
"flag"
"fmt"
"log"
if *egdPath != "" {
govpn.EGDInit(*egdPath)
}
+ key, err := govpn.KeyRead(*keyPath)
+ if err != nil {
+ log.Fatalln("Unable to read the key", err)
+ }
if *verifier == "" {
id := new([govpn.IDSize]byte)
if _, err := govpn.Rand.Read(id[:]); err != nil {
}
pid := govpn.PeerId(*id)
v := govpn.VerifierNew(*mOpt, *tOpt, *pOpt, &pid)
- v.PasswordApply(govpn.StringFromFile(*keyPath))
+ v.PasswordApply(key)
fmt.Println(v.LongForm())
fmt.Println(v.ShortForm())
return
log.Fatalln("Verifier does not contain public key")
}
pub := *v.Pub
- v.PasswordApply(govpn.StringFromFile(*keyPath))
- fmt.Println(subtle.ConstantTimeCompare(v.Pub[:], pub[:]) == 1)
+ v.PasswordApply(key)
+ fmt.Println(bytes.Equal(v.Pub[:], pub[:]))
}
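Review bot: the replacement of subtle.ConstantTimeCompare with bytes.Equal (and the matching import swap) is unrelated to reading passphrases from the terminal and silently drops a constant-time comparison. It is harmless here, because both operands are public keys and govpn-verifier is an offline check, but a change like this belongs in its own commit with that justification, otherwise a later reader will assume the timing property was lost by accident. Also, since KeyRead now runs before -verifier is parsed, the "Verifier does not contain public key" fatal error is only reported after the passphrase has been typed; parse and validate -verifier before prompting.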
"github.com/agl/ed25519"
"github.com/magical/argon2"
+ "golang.org/x/crypto/ssh/terminal"
)
const (
)
}
-// Read string from the file, trimming newline.
-func StringFromFile(path string) string {
- s, err := ioutil.ReadFile(path)
+// Read the key either from text file (if path is specified), or
+// from the terminal.
+func KeyRead(path string) (string, error) {
+ var p []byte
+ var err error
+ var pass string
+ if path == "" {
+ fmt.Print("Passphrase:")
+ p, err = terminal.ReadPassword(0)
+ fmt.Print("\n")
+ pass = string(p)
+ } else {
+ p, err = ioutil.ReadFile(path)
+ pass = strings.TrimRight(string(p), "\n")
+ }
if err != nil {
- log.Fatalln("Can not read string from", path, err)
+ return "", err
+ }
+ if len(pass) == 0 {
+ return "", errors.New("Empty passphrase submitted")
}
- return strings.TrimRight(string(s), "\n")
+ return pass, err
}
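Review bot: KeyRead hard-codes fd 0 and goes straight to terminal.ReadPassword, so when stdin is not a tty (daemon started from an init script, passphrase piped in) the ioctl fails and the caller prints a bare error; guard it with terminal.IsTerminal(0) and return a clear message such as "stdin is not a terminal, use -key". Two more points in this hunk: the "Passphrase:" prompt and its trailing newline are written to stdout, the stream callers capture (newclient.sh does verifier=$(govpn-verifier)), so print them to os.Stderr; and the function now calls errors.New while the only import added is golang.org/x/crypto/ssh/terminal, so confirm that errors is imported and that log is still referenced elsewhere in the file now that the log.Fatalln call is gone, otherwise the package will not compile.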
git clone . $tmp/govpn-$release
repos="
- src/github.com/bigeagle/water
src/github.com/agl/ed25519
- src/github.com/magical/argon2
+ src/github.com/bigeagle/water
src/github.com/dchest/blake2b
- src/golang.org/x/crypto
src/github.com/go-yaml/yaml
+ src/github.com/magical/argon2
+ src/golang.org/x/crypto
"
for repo in $repos; do
git clone $repo $tmp/govpn-$release/$repo
golang.org/x/crypto/curve25519
golang.org/x/crypto/poly1305
golang.org/x/crypto/salsa20
+golang.org/x/crypto/ssh/terminal
golang.org/x/crypto/xtea
EOF
tar cfCI - src $tmp/includes | tar xfC - $tmp
----------------8<-----------------8<-----------------8<----------------
Домашняя страница GoVPN: http://www.cypherpunks.ru/govpn/ (http://govpn.info/)
-Коротко о демоне: http://www.cypherpunks.ru/govpn/O-demone.html
также доступна как скрытый сервис Tor: http://vabu56j2ep2rwv3b.onion/govpn/
+Коротко о демоне: http://www.cypherpunks.ru/govpn/O-demone.html
Исходный код и его подпись для этой версии находится здесь:
}
username=$1
-umask 077
-passphrase=$(mktemp)
-$(dirname $0)/storekey.sh $passphrase
-verifier=$(govpn-verifier -key $passphrase)
-rm -f $passphrase
+verifier=$(govpn-verifier)
verifierS=$(echo $verifier | sed 's/^\(.*\) .*$/\1/')
verifierC=$(echo $verifier | sed 's/^.* \(.*\)$/\1/')
echo
up: /path/to/up.sh
iface: or TAP interface name
verifier: $verifierS
-
-Verifier was generated with:
-
- $(dirname $0)/storekey.sh /tmp/passphrase
- govpn-verifier -key /tmp/passphrase
EOF
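Review bot: verifier=$(govpn-verifier) captures everything govpn-verifier writes to stdout, and KeyRead in this patch prints "Passphrase:" and a newline there, so $verifier becomes "Passphrase:" followed by the long and short forms. Two consequences: the user sees no prompt (contrary to the Passphrase: line shown in example.texi), and because the unquoted echo $verifier joins the lines with spaces, the greedy sed 's/^\(.*\) .*$/\1/' leaves verifierS = "Passphrase: $argon2d$..." which then lands in the generated verifier: YAML line, while verifierC happens to be right only because it is the last field. Send the prompt to stderr in KeyRead, and make the script robust anyway by selecting lines instead of splitting on whitespace, e.g. verifierS=$(printf '%s\n' "$verifier" | sed -n 1p) and verifierC=$(printf '%s\n' "$verifier" | sed -n 2p).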
+++ /dev/null
-#!/bin/sh -e
-
-[ -n "$1" ] || {
- cat <<EOF
-Read passphrase from stdin and store it in file.
-
-Usage: $0 <keyfilename>
-EOF
- exit 1
-}
-
-echo -n Enter passphrase:
-stty -echo
-read passphrase
-stty echo
-umask 077
-cat > $1 <<EOF
-$passphrase
-EOF