govpn

package module
v0.0.0-...-d646b5f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 11, 2022 License: GPL-3.0 Imports: 32 Imported by: 0

README 

GoVPN это простой демон виртуальных частных сетей, код которого нацелен
на лёгкость чтения и анализа, безопасность, устойчивость к DPI/цензуре,
написан на Go и является свободным программным обеспечением.

Он использует быстрый сильный аутентифицируемый по парольной фразе
несбалансированный протокол согласования ключей с двусторонней
аутентификацией сторон (PAKE DH A-EKE). Зашифрованный, аутентифицируемый
транспортный протокол передачи данных, скрывающий длины сообщений и их
временные характеристики. Опциональный нешифрованный режим, который
всё равно обеспечивает конфиденциальность и аутентичность данных.
Свойство совершенной прямой секретности. Устойчивость к: внесетевым
(offline) атакам по словарю, атакам повторного воспроизведения (replay),
компрометации клиентских парольных фраз на стороне сервера. Встроенные
функции сердцебиения (heartbeat), пересогласования ключей, статистика
реального времени. Возможность работы поверх UDP, TCP и HTTP прокси.
Совместимость с IPv4 и IPv6. Поддержка GNU/Linux и FreeBSD.

GoVPN это свободное программное обеспечением: условия распространения
находятся в файле COPYING.

Домашняя страница: http://www.govpn.info/

Пожалуйста все вопросы касающиеся использования GoVPN, отчёты об ошибках
и патчи отправляйте в govpn-devel почтовую рассылку:
https://lists.cypherpunks.ru/pipermail/govpn-devel/

Исходный код для разработчика находится в Git репозитории:
https://git.cypherpunks.ru/cgit.cgi/govpn.git/

Для дополнительной информации пожалуйста читайте или doc/govpn.info
или doc/govpn.texi.

Documentation

Overview

Simple secure, DPI/censorship-resistant free software VPN daemon.

Index

Constants

View Source 
const (
	TimeoutDefault = 60
	EtherSize      = 14
	MTUMax         = 9000 + EtherSize + 1
	MTUDefault     = 1500 + EtherSize + 1

	ENV_IFACE  = "GOVPN_IFACE"
	ENV_REMOTE = "GOVPN_REMOTE"
)
View Source 
const (
	RSize = 8
	SSize = 32
)
View Source 
const (
	NonceSize       = 8
	NonceBucketSize = 256
	TagSize         = poly1305.TagSize
	// S20BS is ChaCha20's internal blocksize in bytes
	S20BS = 64
	// Maximal amount of bytes transfered with single key (4 GiB)
	MaxBytesPerKey uint64 = 1 << 32
	// Heartbeat rate, relative to Timeout
	TimeoutHeartbeat = 4
	// Minimal valid packet length
	MinPktLength = 1 + 16 + 8
	// Padding byte
	PadByte = byte(0x80)
)
View Source 
const (
	DefaultS = 1 << 20 / 32
	DefaultT = 1 << 4
	DefaultP = 2
)
View Source 
const (
	EnclessEnlargeSize = aont.HSize + aont.RSize*cnw.EnlargeFactor
)
View Source 
const (
	IDSize = 128 / 8
)
View Source 
const (
	RWTimeout = 10 * time.Second
)
View Source 
const (
	Warranty = `` /* 565-byte string literal not displayed */

)

Variables

View Source 
var (
	Rand = rand.Reader
)
View Source 
var (
	Version string = "UNKNOWN"
)

Functions

func AddTimeSync 

func AddTimeSync(ts int, data []byte)

If timeSync > 0, then XOR timestamp with the data.

func BothPrintf 

func BothPrintf(f string, v ...interface{})

Call both default log.Printf and syslog-related one.

func EGDInit 

func EGDInit(path string)

func EnclessDecode 

func EnclessDecode(authKey *[32]byte, nonce *[16]byte, in []byte) ([]byte, error)

Decode EnclessEncode-ed data.

func EnclessEncode 

func EnclessEncode(authKey *[32]byte, nonce *[16]byte, in []byte) ([]byte, error)

Confidentiality preserving (but encryptionless) encoding.

It uses Chaffing-and-Winnowing technology (it is neither encryption nor steganography) over All-Or-Nothing-Transformed data. nonce is 64-bit nonce. Output data will be EnclessEnlargeSize larger. It also consumes 64-bits of entropy.

func KeyRead 

func KeyRead(path string) (string, error)

Read the key either from text file (if path is specified), or from the terminal.

func PeerTapProcessor 

func PeerTapProcessor(peer *Peer, tap *TAP, terminator chan struct{})

func Printf 

func Printf(f string, v ...interface{})

Call either syslog-related logger.Printf if SyslogEnabled, default log.Printf otherwise.

func ScriptCall 

func ScriptCall(path, ifaceName, remoteAddr string) ([]byte, error)

Call external program/script. You have to specify path to it and (inteface name as a rule) something that will be the first argument when calling it. Function will return it's output and possible error.

func SliceZero 

func SliceZero(data []byte)

Zero each byte.

func StatsProcessor 

func StatsProcessor(statsPort net.Listener, peers *sync.Map)

StatsProcessor is assumed to be run in background. It accepts connection on statsPort, reads anything one send to them and show information about known peers in serialized JSON format. peers argument is a reference to the map with references to the peers as values. Map is used here because of ease of adding and removing elements in it.

func SyslogEnable 

func SyslogEnable()

Enable logging to syslog, instead of default stdout log.

func VersionGet 

func VersionGet() string

Types

type EGDRand 

type EGDRand string

func (EGDRand) Read 

func (egdPath EGDRand) Read(b []byte) (int, error)

Read n bytes from EGD, blocking mode.

type Handshake 

type Handshake struct {
	LastPing time.Time
	Conf     *PeerConf
	// contains filtered or unexported fields
}

func HandshakeStart 

func HandshakeStart(addr string, conn io.Writer, conf *PeerConf) *Handshake

Start handshake's procedure from the client. It is the entry point for starting the handshake procedure. First handshake packet will be sent immediately.

func NewHandshake 

func NewHandshake(addr string, conn io.Writer, conf *PeerConf) *Handshake

Create new handshake state.

func (*Handshake) Client 

func (h *Handshake) Client(data []byte) *Peer

Process handshake message on the client side. This function is intended to be called on client's side. If this is the final handshake message, then new Peer object will be created and used as a transport. If no mutually authenticated Peer is ready, then return nil.

func (*Handshake) Server 

func (h *Handshake) Server(data []byte) *Peer

Process handshake message on the server side. This function is intended to be called on server's side. If this is the final handshake message, then new Peer object will be created and used as a transport. If no mutually authenticated Peer is ready, then return nil.

func (*Handshake) Zero 

func (h *Handshake) Zero()

Zero handshake's memory state

type MACAndTimeSync 

type MACAndTimeSync struct {
	// contains filtered or unexported fields
}

type MACCache 

type MACCache struct {
	// contains filtered or unexported fields
}

func NewMACCache 

func NewMACCache() *MACCache

func (*MACCache) Find 

func (mc *MACCache) Find(data []byte) *PeerID

Try to find peer's identity (that equals to MAC) by taking first blocksize sized bytes from data at the beginning as plaintext and last bytes as cyphertext.

func (*MACCache) Update 

func (mc *MACCache) Update(peers *map[PeerID]*PeerConf)

Remove disappeared keys, add missing ones with initialized MACs.

type Peer 

type Peer struct {
	// Statistics (they are at the beginning for correct int64 alignment)
	BytesIn         uint64
	BytesOut        uint64
	BytesPayloadIn  uint64
	BytesPayloadOut uint64
	FramesIn        uint64
	FramesOut       uint64
	FramesUnauth    uint64
	FramesDup       uint64
	HeartbeatRecv   uint64
	HeartbeatSent   uint64

	// Basic
	Addr string
	ID   *PeerID
	Conn io.Writer `json:"-"`

	// Traffic behaviour
	NoiseEnable bool
	CPR         int
	CPRCycle    time.Duration `json:"-"`
	Encless     bool
	MTU         int

	// Timers
	Timeout     time.Duration `json:"-"`
	Established time.Time
	LastPing    time.Time

	// Receiver
	BusyR sync.Mutex `json:"-"`

	// TCP-related
	NonceExpect []byte `json:"-"`

	// Transmitter
	BusyT sync.Mutex `json:"-"`
	// contains filtered or unexported fields
}

func (*Peer) EthProcess 

func (p *Peer) EthProcess(data []byte)

Process incoming Ethernet packet. ready channel is TAPListen's synchronization channel used to tell him that he is free to receive new packets. Encrypted and authenticated packets will be sent to remote Peer side immediately.

func (*Peer) PktProcess 

func (p *Peer) PktProcess(data []byte, tap io.Writer, reorderable bool) bool

func (*Peer) String 

func (p *Peer) String() string

func (*Peer) Zero 

func (p *Peer) Zero()

Zero peer's memory state.

type PeerConf 

type PeerConf struct {
	ID          *PeerID       `yaml:"-"`
	Name        string        `yaml:"name"`
	Iface       string        `yaml:"iface"`
	MTU         int           `yaml:"mtu"`
	Up          string        `yaml:"up"`
	Down        string        `yaml:"down"`
	TimeoutInt  int           `yaml:"timeout"`
	Timeout     time.Duration `yaml:"-"`
	Noise       bool          `yaml:"noise"`
	CPR         int           `yaml:"cpr"`
	Encless     bool          `yaml:"encless"`
	TimeSync    int           `yaml:"timesync"`
	VerifierRaw string        `yaml:"verifier"`

	// This is passphrase verifier
	Verifier *Verifier `yaml:"-"`
	// This field exists only on client's side
	DSAPriv *[ed25519.PrivateKeySize]byte `yaml:"-"`
}

type PeerID 

type PeerID [IDSize]byte

func (PeerID) MarshalJSON 

func (id PeerID) MarshalJSON() ([]byte, error)

func (PeerID) String 

func (id PeerID) String() string

type TAP 

type TAP struct {
	Name string
	Sink chan []byte
	// contains filtered or unexported fields
}

func NewTAP 

func NewTAP(ifaceName string, mtu int) (*TAP, error)

func TAPListen 

func TAPListen(ifaceName string, mtu int) (*TAP, error)

func (*TAP) Write 

func (t *TAP) Write(data []byte) (n int, err error)

type Verifier 

type Verifier struct {
	S   int
	T   int
	P   int
	ID  *PeerID
	Pub *[ed25519.PublicKeySize]byte
}

func VerifierFromString 

func VerifierFromString(input string) (*Verifier, error)

Parse either short or long verifier form.

func VerifierNew 

func VerifierNew(s, t, p int, id *PeerID) *Verifier

Generate new verifier for given peer, with specified password and hashing parameters.

func (*Verifier) LongForm 

func (v *Verifier) LongForm() string

Long verifier string form -- it is useful for the server. Includes public key.

func (*Verifier) PasswordApply 

func (v *Verifier) PasswordApply(password string) *[ed25519.PrivateKeySize]byte

Apply the password: create Ed25519 keypair based on it, save public key in verifier.

func (*Verifier) ShortForm 

func (v *Verifier) ShortForm() string

Short verifier string form -- it is useful for the client. Does not include public key.

Source Files

View all Source files

Directories

Path Synopsis
All-Or-Nothing-Transform, based on OAEP.
 All-Or-Nothing-Transform, based on OAEP.
cmd
govpn-client
Simple secure, DPI/censorship-resistant free software VPN daemon client.
 Simple secure, DPI/censorship-resistant free software VPN daemon client.
govpn-server
Simple secure, DPI/censorship-resistant free software VPN daemon.
 Simple secure, DPI/censorship-resistant free software VPN daemon.
govpn-verifier
Verifier generator and validator for GoVPN VPN daemon.
 Verifier generator and validator for GoVPN VPN daemon.
Chaffing-and-Winnowing.
 Chaffing-and-Winnowing.
internal
chacha20
Package ChaCha20 implements the core ChaCha20 function as specified in https://tools.ietf.org/html/rfc7539#section-2.3.
 Package ChaCha20 implements the core ChaCha20 function as specified in https://tools.ietf.org/html/rfc7539#section-2.3.
subtle
Package subtle implements functions that are often useful in cryptographic code but require careful thought to use correctly.
 Package subtle implements functions that are often useful in cryptographic code but require careful thought to use correctly.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.