

Overview

GoVPN is a simple, secure virtual private network daemon. It uses Diffie-Hellman Encrypted Key Exchange (DH-EKE) for mutual zero-knowledge authentication of the peers, and provides authenticated, encrypted data transport.

All packets captured on the network interface are encrypted, authenticated and sent to the remote server, which writes them to its own interface, and vice versa. Client and server share a pre-shared authentication key (PSK) and a 128-bit identification key.

Because UDP is stateless, after some period of inactivity the peers forget about each other and have to repeat the handshake; a background heartbeat process is therefore run to keep the session alive.

The handshake mutually authenticates the peers, establishes a common secret per-session encryption key and checks that the UDP transport is available.
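As an added illustration of the authentication idea described above (this is not GoVPN's own code and not its wire protocol), the following Go program sketches a DH-EKE style handshake between two peers: each side masks an ephemeral X25519 public value with a keystream derived from the PSK, the other side can unmask it only with the same PSK, and a key-confirmation tag proves that both reached the same session key without the PSK ever being transmitted. X25519, HMAC-SHA256 as the masking PRF, the "client"/"server" role labels and the message layout are all assumptions of this sketch, and the PSK strings are constructed sample input. One caveat a real EKE must handle and this sketch does not: the masked value has to be indistinguishable from random bytes, otherwise an attacker can test PSK guesses offline by checking whether the unmasked result looks like a valid curve point; raw X25519 public keys are not uniformly random (the top bit is always clear and only some values lie on the curve), so production implementations use an encoding such as Elligator. Requires Go 1.20 or newer for crypto/ecdh and subtle.XORBytes.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Hello is the single wire message each side sends: a fresh nonce in the clear
// and its ephemeral X25519 public value XORed with a PSK-derived keystream.
type Hello struct {
	Role   string // hypothetical labels "client" / "server"
	Nonce  []byte
	EncPub []byte
}

type Peer struct {
	role  string
	psk   []byte           // never transmitted, not even in hashed form
	priv  *ecdh.PrivateKey // ephemeral: discarding it gives forward secrecy
	nonce []byte
}

func NewPeer(role string, psk []byte) (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Peer{role: role, psk: psk, priv: priv, nonce: nonce}, nil
}

// prf is HMAC-SHA256, used both as the 32-byte mask for a public value (the
// X25519 key length) and, keyed with the session key, as the confirmation tag.
func prf(key, nonce []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(nonce)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func (p *Peer) Hello() Hello {
	enc := make([]byte, 32)
	subtle.XORBytes(enc, p.priv.PublicKey().Bytes(), prf(p.psk, p.nonce, p.role))
	return Hello{Role: p.role, Nonce: p.nonce, EncPub: enc}
}

// Finish unmasks the remote value with the local PSK, completes the DH exchange
// and derives the session key over both nonces in fixed (client, server) order.
// A wrong PSK unmasks garbage and yields an unrelated key, so the confirmation
// tag will not verify on the other side.
func (p *Peer) Finish(remote Hello) (sessionKey, confirm []byte, err error) {
	raw := make([]byte, 32)
	subtle.XORBytes(raw, remote.EncPub, prf(p.psk, remote.Nonce, remote.Role))
	pub, err := ecdh.X25519().NewPublicKey(raw)
	if err != nil {
		return nil, nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	cn, sn := p.nonce, remote.Nonce
	if p.role == "server" {
		cn, sn = sn, cn
	}
	k := sha256.Sum256(append(append(shared, cn...), sn...))
	return k[:], prf(k[:], nil, "confirm:"+p.role), nil
}

// RunHandshake drives both sides, each with its own PSK, and reports whether
// the keys match and whether each side accepts the other's confirmation tag.
func RunHandshake(clientPSK, serverPSK []byte) (keysMatch, clientAccepts, serverAccepts bool, err error) {
	c, err1 := NewPeer("client", clientPSK)
	s, err2 := NewPeer("server", serverPSK)
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("key generation failed: %v / %v", err1, err2)
	}
	ck, ctag, err := c.Finish(s.Hello())
	if err != nil {
		return
	}
	sk, stag, err := s.Finish(c.Hello())
	if err != nil {
		return
	}
	return hmac.Equal(ck, sk),
		hmac.Equal(prf(ck, nil, "confirm:server"), stag),
		hmac.Equal(prf(sk, nil, "confirm:client"), ctag), nil
}

func main() {
	fmt.Println(RunHandshake([]byte("demo-psk"), []byte("demo-psk"))) // true true true <nil>
	fmt.Println(RunHandshake([]byte("demo-psk"), []byte("wrong")))    // false false false <nil>
}
```

With equal PSKs both sides derive the same key and accept each other's tag; with different PSKs each side still computes a key, but the keys are unrelated and both confirmations fail, so neither side proceeds. The sketch also shows the forward-secrecy property the overview claims: the session key depends on the ephemeral private keys, which are dropped after the handshake, so a PSK learned later lets a passive attacker unmask the public values but still leaves it facing a Diffie-Hellman problem.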

Because of the UDP and authentication overhead, each packet grows in size during transmission, so you have to lower the maximum transmission unit (MTU) on the virtual network interface.

High security is the goal of this daemon. It uses fast cryptographic algorithms with a 128-bit security margin, strong mutual zero-knowledge authentication and perfect forward secrecy. An attacker cannot learn anything about the payload (except its size and timing) from passively captured traffic, even if the pre-shared key is compromised; an attacker who holds the PSK can, of course, actively impersonate a peer. A rehandshake is performed by the client every 4 GiB of transferred data.

Each client also has its own identification key, and the server handles each client independently. The identification key is not secret, but it is encrypted (obfuscated) during transmission.

