5 govpn is simple high-performance secure virtual private network daemon.
6 It uses DH-EKE for mutual zero-knowledge authentication and
7 authenticated encrypted transport. It runs under GNU/Linux and FreeBSD.
11 All packets captured on network interface are encrypted, authenticated
12 and sent to remote server, that writes them to his interface, and vice
13 versa. Client and server use pre-shared authentication key (PSK).
14 Because of stateless UDP nature, after some timeout of inactivity peers
15 forget about each other and have to retry handshake process again. As a
16 rule, there are enough time-to-time traffic in ordinary Ethernet
17 networks to heartbeat connection.
19 Handshake is used to mutually authenticate peers, exchange common secret
20 per-session encryption key and checks UDP transport availability.
22 Because of UDP and authentication overhead: each packet grows in size
23 during transmission, so you have to lower you maximum transmission unit
24 (MTU) on network interface.
26 High security and high performance are the goals for that daemon. It
27 uses fast cryptography algorithms with 128bit security margin, strong
28 mutual zero-knowledge authentication and perfect-forward secrecy
29 property. An attacker can not know anything from captured traffic, even
30 if pre-shared key is compromised.
35 * Perfect-forward secrecy (if long-term pre-shared keys are compromised,
36 no captured traffic can be decrypted anyway)
37 * Mutual two-side authentication (noone will send real network interface
38 data unless the other side is authenticated)
39 * Zero-knowledge authentication (pre-shared key is not transmitted in
40 any form between the peers, not even it's hash value)
41 * Higher performance in some cases
42 * Fully IPv6 compatible
46 B -- bad or timeouted UDP packet (maybe network is inactive)
47 T -- bad tag on packet (MiTM, unordered packet)
48 R -- invalid sequence number (MiTM, unordered packet)
49 [HS?] -- unknown handshake message
50 w -- successful write to remote peer
51 r -- successful read from remote peer
52 [HS1], [HS2], [HS3], [HS4] -- handshake packet stage
53 [rS?] -- invalid server's random authentication number received (MiTM, bad PSK)
54 [rC?] -- invalid client's random authentication number received (MiTM, bad PSK)
55 [S?] -- invalid handshake stage is trying to perform (MiTM, duplicate packet)
56 [OK] -- handshake's stage passed
60 Let's assume that there is some insecure link between your computer and
61 WiFi-reachable gateway. You have got preconfigured wlan0 network
62 interface with 192.168.0/24 network. You want to create virtual
63 encrypted and authenticated 172.16.0/24 network and use it as a default
64 transport. MTU for that wlan0 is 1500 bytes. GoVPN will say that maximum
65 MTU for the link is 1476, however it does not take in account TAP's
66 Ethernet frame header length, that in my case is 14 bytes long (1476 - 14).
68 GNU/Linux IPv4 client-server example:
70 server% ip addr add 192.168.0.1/24 dev wlan0
71 server% tunctl -t tap10
72 server% ip link set mtu 1462 dev tap10
73 server% ip addr add 172.16.0.1/24 dev tap10
74 server% ip link set up dev tap10
75 server% govpn -key KEY -iface tap10 -bind 192.168.0.1:1194
77 client% ip addr add 192.168.0.2/24 dev wlan0
78 client% tunctl -t tap10
79 client% ip link set mtu 1462 dev tap10
80 client% ip addr add 172.16.0.2/24 dev tap10
81 client% ip link set up dev tap10
82 client% ip route add default via 172.16.0.1
83 client% while :; do govpn -key KEY -iface tap10 -remote 192.168.0.1:1194; done
85 FreeBSD IPv6 client-server example:
87 server% ifconfig em0 inet6 fe80::1/64
88 server% ifconfig tap10 create
89 server% ifconfig tap10 inet6 fc00::1/96 mtu 1462 up
90 server% govpn -key KEY -face tap10 -bind fe80::1%em0
92 client% ifconfig me0 inet6 -ifdisabled auto_linklocal
93 client% ifconfig tap10
94 client% ifconfig tap10 inet6 fc00::2/96 mtu 1462 up
95 client% route -6 add default fc00::1
96 client% while :; do govpn -key KEY -iface tap10 -remote [fe80::1%me0]:1194; done
98 If client won't finish handshake during -timeout, then it will exit.
99 If no packets are received from remote side during timeout, then daemon
100 will stop sending packets to the client and client will exit. In all
101 cases you have to rehandshake again.
106 Message authentication: Poly1305
107 Password authenticated key agreement: Curve25519 based DH-EKE
108 Packet overhead: 24 bytes per packet
109 Handshake overhead: 4 UDP (2 from client, 2 from server) packets,
110 232 bytes total payload
114 SERIAL + ENC(KEY, SERIAL, DATA) + AUTH(SERIAL + ENC_DATA)
116 where SERIAL is message serial number. Odds are reserved for
117 client->server, evens are for server->client. SERIAL is used as a nonce
118 for DATA encryption: encryption key is different during each handshake,
119 so (key, nonce) pair is always used once.
121 We generate Salsa20's output using this key and nonce for each message:
122 * first 256 bits are used as a one-time key for Poly1305 authentication
123 * next 256 bits of output are ignored
124 * and all remaining ones XORed with the data, encrypting it
131 │ │ R=rand(64bit); CPrivKey=rand(256bit)
134 │ R, enc(PSK, R, CPubKey) │
135 │ ────────────────────────────────────────>
138 │ │ │ SPrivKey=rand(256bit)
142 │ │ │ K=DH(SPrivKey, CPubKey)
146 │ │ │ RS=rand(64bit); SS=rand(256bit)
149 │ enc(PSK, R+1, SPubKey); enc(K, R, RS+SS)│
150 │ <────────────────────────────────────────
153 │ │ K=DH(CPrivKey, SPubKey) │
157 │ │ RC=rand(64bit); SC=rand(256bit) │
160 │ enc(K, R+1, RS+RC+SC) │
161 │ ────────────────────────────────────────>
168 │ │ │ MasterKey=SS XOR SC
172 │ <────────────────────────────────────────
179 │ │ MasterKey=SS XOR SC │
185 * client generates CPubKey, random 64bit R that is used as a nonce
187 * R + enc(PSK, R, CPubKey) + NULLs -> Server [56 bytes]
188 * server remembers clients address, decrypt CPubKey, generates
189 SPrivKey/SPubKey, computes common shared key K (based on
190 CPubKey and SPrivKey), generates 64bit random number RS and
191 256bit random SS. PSK-encryption uses incremented R (from previous
193 * enc(PSK, SPubKey) + enc(K, RS + SS) + NULLs -> Client [88 bytes]
194 * client decrypt SPubKey, computes K, decrypts RS, SS with key K,
195 remembers SS, generates 64bit random number RC and 256bit random SC,
196 * enc(K, RS + RC + SC) + NULLs -> Server [64 bytes]
197 * server decrypt RS, RC, SC with key K, compares RS with it's own one
198 send before, computes final main encryption key S = SS XOR SC
199 * ENC(K, RC) + NULLs -> Client [24 bytes]
200 * server switches to the new client
201 * client decrypts RC and compares with it's own generated one, computes
202 final main encryption key S
204 Where PSK is 256bit pre-shared key, NULLs are 16 null-bytes. R* are
205 required for handshake randomization and two-way authentication. K key
206 is used only during handshake. NULLs are required to differentiate
207 common transport protocol messages from handshake ones. DH public keys
208 can be trivially derived from private ones.
213 * http://cr.yp.to/ecdh.html
214 * http://cr.yp.to/snuffle.html
215 * http://cr.yp.to/mac.html
216 * http://grouper.ieee.org/groups/1363/passwdPK/contributions/jablon.pdf
217 * Applied Cryptography (C) 1996 Bruce Schneier
221 * Move decryption and encryption processes into goroutines
222 * Add identity management (client can send it's identification, server has
223 on-disk id↔key plaintext database)
224 * Implement alternative Secure Remote Password protocol (it is much slower,
225 technically has more code, but human memorized passwords can be used
230 This program is free software: you can redistribute it and/or modify
231 it under the terms of the GNU General Public License as published by
232 the Free Software Foundation, either version 3 of the License, or
235 This program is distributed in the hope that it will be useful,
236 but WITHOUT ANY WARRANTY; without even the implied warranty of
237 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
238 GNU General Public License for more details.