4 See also this page @ref{Новости, on russian}.
9 @item Tiny refactoring. Go 1.9 is minimal required version.
10 @item Dependant cryptographic libraries are updated.
16 @item Fixed seldom possible segmentation fault on the server during
18 @item Dependant cryptographic libraries are updated.
24 @item Fixed fatal bug in nonce generation code, appeared in 7.1 version.
25 Everyone @strong{have to} update.
31 @item Fixed bug in client's identity generation and detection code:
32 simultaneous clients may be incorrectly identified, preventing their
33 connection establishing and allowing DPI to detect GoVPN packets.
39 @item (X)Salsa20 is replaced with ChaCha20. Theoretically it should be
40 faster and more secure. Previous versions are not compatible with it!
41 @item Ability to use TUN-interfaces under GNU/Linux. FreeBSD has already
42 supported them without any modifications.
48 @item Argon2d is replaced with Balloon hashing. Found Argon2 libraries
49 written on pure Go have various problems. Moreover Argon2i should be
50 used instead, but it has some possible
51 @url{http://eprint.iacr.org/2016/027, cryptographic defects}. So it is
52 replaced with much more simpler (and seems even cryptographically
53 better) @url{https://crypto.stanford.edu/balloon/, Balloon hashing}.
59 @item @option{-version} option added, printing program version.
65 @item Client reconnects in the loop when connection is lost. Optionally
66 you can disable that behaviour: client will exit immediately, as it
73 @item Optional ability to use syslog for logging, with
74 @url{https://tools.ietf.org/html/rfc5424, RFC 5424}-like
76 @item XTEA algorithm is not used anymore for nonce obfuscation, but
77 BLAKE2b-MAC instead. Encryptionless mode now really does not depend on
84 @item TAP interface name and remote peer's address are passed to up- and
85 down- scripts through environment variables.
86 @item Update Argon2 library to use version 1.3 of the algorithm.
92 @item Added up/down example script for replacing default route (thanks
94 @item Fixed documentation bug: @file{.info} was not installing.
100 @item Ability to work on 32-bit platforms. @emph{sync/atomic} library
101 has some specific issues that caused panics on previous versions.
107 @item Added optional time synchronization requirement.
108 It will add timestamps in handshake PRP authentication, disallowing to
109 repeat captured packet and get reply from the server, making it visible
116 @item Fixed minor bug with @command{newclient.sh} that caught
117 "Passphrase:" prompt and inserted it into example YAML output.
118 Just replaced stdout output to stderr for that prompt.
124 @item Ability to read passphrases directly from the terminal (user's
125 input) without using of keyfiles. @command{storekey.sh} utility removed.
131 @item Server is configured using @url{http://yaml.org/, YAML} file. It
132 is very convenient to have comments and templates, comparing to JSON.
133 @item Incompatible with previous versions replacement of @emph{HSalsa20}
134 with @emph{BLAKE2b} in handshake code.
140 @item New optional encryptionless mode of operation.
141 Technically no encryption functions are applied for outgoing packets, so
142 you can not be forced to reveal your encryption keys or sued for
144 @item MTUs are configured on per-user basis.
145 @item Simplified payload padding scheme, saving one byte of data.
146 @item Ability to specify TAP interface name explicitly without any
147 up-scripts for convenience.
148 @item @command{govpn-verifier} utility also can use EGD.
154 @item Fixed non-critical bug when server may fail if up-script is not
155 executed successfully.
161 @item @url{https://password-hashing.net/#argon2, Argon2d} is used instead
162 of PBKDF2 for password verifier hashing.
163 @item Client's identity is stored inside the verifier, so it simplifies
164 server-side configuration and the code.
170 @item Handshake messages can be noised: their messages lengths are
171 hidden. Now they are indistinguishable from transport messages.
172 @item Parallelized clients processing on the server side.
173 @item Much higher overall performance.
174 @item Single JSON file server configuration.
180 @item Ability to use TCP network transport.
181 Server can listen on both UDP and TCP sockets.
182 @item Ability to use HTTP proxies (through CONNECT method)
183 for accessing the server. Server can also emulate HTTP proxy behaviour.
184 @item Updated Poly1305 library with ARM-related bugfixes.
185 @item Go 1.5+ version is highly recommended because of performance
192 @item Ability to use external EGD-compatible PRNGs. Now you are
193 able to use GoVPN even on systems with the bad @file{/dev/random},
194 providing higher quality entropy from external sources.
195 @item Removed @option{-noncediff} option. It is replaced with in-memory
196 storage of seen nonces, thus eliminating possible replay attacks at all
197 without performance degradation related to inbound packets reordering.
203 @item Compatibility with an old GNU Make 3.x. Previously only BSD Make
204 and GNU Make 4.x were supported.
205 @item @file{/dev/urandom} is used for correct client identity generation
206 under GNU/Linux systems. Previously @file{/dev/random} can produce less
207 than required 128-bits of random.
213 @item Deterministic building: dependent libraries source code commits
214 are fixed in our makefiles.
215 @item No Internet connection is needed for building the source code: all
216 required libraries are included in release tarballs.
217 @item FreeBSD Make compatibility. GNU Make is not necessary anymore.
224 Diffie-Hellman public keys are encoded with Elligator algorithm when
225 sending over the wire, making them indistinguishable from the random
226 strings, preventing detection of successful decryption try when guessing
227 passwords (that are used to create DSA public keys). But this will
228 consume twice entropy for DH key generation in average.
235 EKE protocol is replaced by Augmented-EKE and static symmetric (both
236 sides have it) pre-shared key replaced with server-side verifier. This
237 requires, 64 more bytes in handshake traffic, Ed25519 dependency with
238 corresponding sign/verify computations, PBKDF2 dependency and its
239 usage on the client side during handshake.
241 A-EKE with PBKDF2-based verifiers is resistant to dictionary attacks,
242 can use human memorable passphrases instead of static keys and
243 server-side verifiers can not be used for authentication (compromised
244 server does not leak client's authentication keys/passphrases).
247 Changed transport message structure: added payload packet's length.
248 This will increase transport overhead for two bytes, but heartbeat
249 packets became smaller
252 Ability to hide underlying packets lengths by appending noise, junk
253 data during transmission. Each packet can be fill up-ed to its
257 Ability to hide underlying packets appearance rate, by generating
258 Constant Packet Rate traffic. This includes noise generation too.
260 Per-peer @option{-timeout}, @option{-noncediff}, @option{-noise} and
261 @option{-cpr} configuration options for server.
267 @item Added ability to optionally run built-in HTTP-server responding
268 with JSON of all known connected peers information. Real-time client's
270 @item Documentation is explicitly licenced under GNU FDL 1.3+.
276 @item Handshake packets became indistinguishable from the random. Now
277 all GoVPN's traffic is the noise for men in the middle.
279 @item Handshake messages are smaller (16% traffic reduce).
281 @item Adversary now can not create malicious fake handshake packets that
282 will force server to generate private DH key, preventing entropy
283 consuming and resource heavy computations.
289 @item Fixed several possible channel deadlocks.
295 @item Fixed Linux-related building.
301 @item Added clients identification.
302 @item Simultaneous several clients support by server.
303 @item Per-client up/down scripts.
309 @item Nonce obfuscation/encryption.
315 @item Performance optimizations.
321 @item Heartbeat feature.
322 @item Rehandshake feature.
323 @item up- and down- optional scripts.
329 @item FreeBSD support.