govpn

package module
v0.0.0-...-adbaca8

This package is not in the latest version of its module.
Published: Mar 15, 2015 License: GPL-3.0 Imports: 19 Imported by: 0

README

GoVPN is a simple, secure, free software virtual private network daemon,
written in the Go programming language. It uses Diffie-Hellman Encrypted Key
Exchange (DH-EKE) for mutual zero-knowledge peer authentication and an
authenticated, encrypted data transport. Other features include:
IPv4/IPv6, rehandshake, heartbeat, pre-shared keys (PSK), perfect
forward secrecy (PFS). GNU/Linux and FreeBSD are supported.

Home page: http://www.cypherpunks.ru/govpn/

Send bug reports, questions and patches to govpn-devel@lists.cypherpunks.ru
mailing list. Visit https://lists.cypherpunks.ru/mailman/listinfo/govpn-devel
for subscription and archive access information.

Development Git source code repository currently is located on:
https://github.com/stargrave/govpn

GoVPN is free software: see the file COPYING for copying conditions.

For further information please read either doc/govpn.info or doc/govpn.texi.

Documentation

Overview

Simple secure free software virtual private network daemon

Index

Constants

const (
	NonceSize = 8
	KeySize   = 32
	// S20BS is Salsa20's internal blocksize in bytes
	S20BS         = 64
	HeartbeatSize = 12
	// Maximal amount of bytes transferred with a single key (4 GiB)
	MaxBytesPerKey = 4294967296
)
const (
	IDSize = 128 / 8
)

Variables

var (
	MTU       int
	Timeout   int
	Noncediff int
	Version   string
)
var (
	PeersPath string
	IDsCache  cipherCache
)
var (
	HeartbeatMark = []byte("\x00\x00\x00HEARTBEAT")
	Emptiness     = make([]byte, KeySize)
)

Functions

func ConnListen

func ConnListen(conn *net.UDPConn) (chan *UDPPkt, []byte, chan struct{})

Create the UDP listening goroutine. This function takes an already listening UDP socket and returns a channel on which the remote address and the number of bytes written are reported for each datagram, the buffer into which all UDP packet data is read, and a channel the consumer uses to tell the goroutine that the buffer may be overwritten again.
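The description above implies a specific discipline: one shared receive buffer, one channel announcing each datagram, and one channel the consumer must signal before the goroutine may read into the buffer again. The following Go program is an added example written for this page, not the project's code; it reproduces that shape under the name connListen and mirrors the page's UDPPkt and MTU, while the udpReader interface and the fakeConn stand-in are this example's own assumptions so the pattern can be exercised without a socket (a real *net.UDPConn satisfies udpReader as-is).

```go
package main

import (
	"fmt"
	"net"
)

// UDPPkt mirrors the page's UDPPkt: where the datagram came from and how
// many bytes of the shared buffer it occupies.
type UDPPkt struct {
	Addr *net.UDPAddr
	Size int
}

// udpReader is the one method of *net.UDPConn the listener needs. It is an
// assumption of this example (the page's ConnListen takes *net.UDPConn
// directly); it lets the pattern run without a real socket.
type udpReader interface {
	ReadFromUDP(b []byte) (int, *net.UDPAddr, error)
}

// MTU bounds a single datagram, as the page's MTU variable does.
const MTU = 1500

// connListen reproduces the shape of the page's ConnListen: one goroutine
// reads datagrams into a single shared buffer, reports each one on the
// returned channel, and does not touch the buffer again until the consumer
// signals on ready. The packet channel is closed when the reader fails.
func connListen(conn udpReader) (chan *UDPPkt, []byte, chan struct{}) {
	buf := make([]byte, MTU)
	pkts := make(chan *UDPPkt)
	ready := make(chan struct{})
	go func() {
		defer close(pkts)
		for {
			n, addr, err := conn.ReadFromUDP(buf)
			if err != nil {
				return
			}
			pkts <- &UDPPkt{Addr: addr, Size: n}
			// Block until the consumer is done with buf[:n]. Without this
			// the next ReadFromUDP would overwrite data that is still
			// being authenticated and decrypted.
			<-ready
		}
	}()
	return pkts, buf, ready
}

// fakeConn is a constructed stand-in for a UDP socket: it hands out the
// given datagrams in order and then reports an error (end of stream).
type fakeConn struct {
	datagrams [][]byte
	addr      *net.UDPAddr
}

func (f *fakeConn) ReadFromUDP(b []byte) (int, *net.UDPAddr, error) {
	if len(f.datagrams) == 0 {
		return 0, nil, fmt.Errorf("closed")
	}
	d := f.datagrams[0]
	f.datagrams = f.datagrams[1:]
	return copy(b, d), f.addr, nil
}

// Drain consumes every datagram through the listener, copying each payload
// out of the shared buffer before releasing it, and returns the copies.
func Drain(conn udpReader) []string {
	pkts, buf, ready := connListen(conn)
	var out []string
	for pkt := range pkts {
		out = append(out, string(buf[:pkt.Size]))
		ready <- struct{}{}
	}
	return out
}

func main() {
	// Constructed sample input: three datagrams from one peer.
	conn := &fakeConn{
		datagrams: [][]byte{[]byte("first"), []byte("second"), []byte("third")},
		addr:      &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1194},
	}
	fmt.Println(Drain(conn))
}
```

The point of the ready channel is that buf is shared, not copied: a consumer that keeps a slice of buf past its ready signal will see it overwritten by the next datagram, so anything that must outlive the signal (as Drain does with its strings) has to be copied first.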

func IsValidHandshakePkt

func IsValidHandshakePkt(pkt []byte) bool

Check whether pkt is a valid handshake-related message: it must have at least the minimal size and its last 16 bytes must be zero.

func KeyRead

func KeyRead(path string) *[KeySize]byte

Read the authentication key from the file. The key is 64 hexadecimal characters long (32 bytes).

func PeersInit

func PeersInit(path string)

Initialize (pre-cache) available peers info.

func ScriptCall

func ScriptCall(path, ifaceName string) ([]byte, error)

Call an external program/script. You have to specify the path to it and something (as a rule, the interface name) that will be passed as its first argument. The function returns the program's output and a possible error.

Types

type Handshake

type Handshake struct {
	LastPing time.Time
	Id       PeerId
	// contains filtered or unexported fields
}

func HandshakeNew

func HandshakeNew(addr *net.UDPAddr) *Handshake

Create new handshake state.

func HandshakeStart

func HandshakeStart(conn *net.UDPConn, addr *net.UDPAddr, id *PeerId, key *[32]byte) *Handshake

Start the handshake procedure from the client side. It is the entry point for starting the handshake. You have to specify the outgoing conn, the remote's addr, our own identification and an encryption key. The first handshake packet is sent immediately.

func (*Handshake) Client

func (h *Handshake) Client(conn *net.UDPConn, key *[KeySize]byte, data []byte) *Peer

Process a handshake message on the client side. Our outgoing conn connection, the authentication key and the received data are required. The client does not work with identities, as it is the only one, so the key is mandatory. If this is the final handshake message, then a new Peer object is created and used as the transport. If no mutually authenticated Peer is ready yet, nil is returned.

func (*Handshake) Server

func (h *Handshake) Server(conn *net.UDPConn, data []byte) *Peer

Process a handshake message on the server side. Our outgoing conn connection and the received data are required. If this is the final handshake message, then a new Peer object is created and used as the transport. If no mutually authenticated Peer is ready yet, nil is returned.

type Peer

type Peer struct {
	Addr        *net.UDPAddr
	Id          PeerId
	Key         *[KeySize]byte // encryption key
	NonceOur    uint64         // nonce for our messages
	NonceRecv   uint64         // latest received nonce from remote peer
	NonceCipher *xtea.Cipher   // nonce cipher
	LastPing    time.Time
	LastSent    time.Time

	Bytes int
	// contains filtered or unexported fields
}

func (*Peer) EthProcess

func (p *Peer) EthProcess(ethPkt []byte, conn *net.UDPConn, ready chan struct{})

Process an incoming Ethernet frame. ethPkt is the received data, conn is our outgoing connection. ready is TAPListen's synchronization channel, used to tell it that it is free to receive new frames. The encrypted and authenticated packet is sent to the remote Peer immediately.

func (*Peer) String

func (p *Peer) String() string

func (*Peer) UDPProcess

func (p *Peer) UDPProcess(udpPkt []byte, tap *TAP, ready chan struct{}) bool

Process an incoming UDP packet. udpPkt is the received data, tap is the TAP interface related to this peer, and ready is ConnListen's synchronization channel, used to tell it that it is free to receive new packets. Authenticated and decrypted packets are written to the interface immediately (except heartbeat ones).
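The Peer fields NonceOur, NonceRecv and Bytes, together with the Noncediff variable and the MaxBytesPerKey constant, imply per-key bookkeeping on both directions of the transport: outgoing nonces must never repeat, incoming nonces must be rejected on replay, and the key must be retired by rehandshake once it has carried 4 GiB. The following Go program is an added example written for this page, not the project's code. The page does not say how Noncediff is applied; this example assumes it is the number of nonces a datagram may lag behind the newest accepted one (tolerating UDP reordering), and the sliding bitmap window used to enforce that is this example's own choice. peerState is a cut-down stand-in for Peer.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxBytesPerKey is the page's constant: a single key carries at most 4 GiB.
const MaxBytesPerKey = 4294967296

// Noncediff stands in for the page's Noncediff variable. The page does not
// say how it is applied; this example ASSUMES it is the number of nonces a
// datagram may lag behind the newest accepted one and still be accepted,
// which tolerates UDP reordering without tolerating replay.
var Noncediff uint64 = 1

var (
	ErrReplay       = errors.New("nonce already seen or older than Noncediff allows")
	ErrKeyExhausted = errors.New("MaxBytesPerKey reached: rehandshake required")
)

// peerState is the subset of the page's Peer fields this example needs.
// window is this example's own addition: a 64-bit sliding bitmap in which
// bit i records that nonce NonceRecv-i has already been accepted.
type peerState struct {
	NonceOur  uint64
	NonceRecv uint64
	Bytes     uint64
	window    uint64
}

// NextNonce returns the nonce for our next outgoing packet. Nonces are
// never reused under one key; the byte limit enforced by Account forces a
// rehandshake long before 2^64 values could be consumed.
func (p *peerState) NextNonce() uint64 {
	p.NonceOur++
	return p.NonceOur
}

// AcceptNonce decides whether a datagram carrying nonce may be processed.
// Call it only after the packet's authentication tag has verified, so an
// attacker cannot move the window with forged packets. Newer than anything
// seen: slide the window. Within Noncediff of the newest: accept once, then
// remember it. Older, or already seen: reject.
func (p *peerState) AcceptNonce(nonce uint64) error {
	switch {
	case nonce > p.NonceRecv:
		shift := nonce - p.NonceRecv
		if shift >= 64 {
			p.window = 0
		} else {
			p.window <<= shift
		}
		p.window |= 1
		p.NonceRecv = nonce
		return nil
	case p.NonceRecv-nonce > Noncediff || p.NonceRecv-nonce >= 64:
		return ErrReplay
	default:
		bit := uint64(1) << (p.NonceRecv - nonce)
		if p.window&bit != 0 {
			return ErrReplay
		}
		p.window |= bit
		return nil
	}
}

// Account adds n payload bytes to the per-key counter and reports when the
// key has reached MaxBytesPerKey and must be retired via rehandshake.
func (p *peerState) Account(n uint64) error {
	p.Bytes += n
	if p.Bytes >= MaxBytesPerKey {
		return ErrKeyExhausted
	}
	return nil
}

func main() {
	Noncediff = 2
	p := &peerState{}
	// Constructed arrival order: a fresh nonce, its replay, a reordered
	// older one, its replay, one too old, then a jump and a lagging one.
	for _, n := range []uint64{5, 5, 4, 4, 2, 9, 7} {
		fmt.Printf("nonce %d: %v\n", n, p.AcceptNonce(n))
	}
	fmt.Println("next outgoing nonce:", p.NextNonce())
	fmt.Println("after 4 GiB:", p.Account(MaxBytesPerKey))
}
```

Two details matter in practice: the window must only be updated after the authentication tag verifies (otherwise unauthenticated garbage can advance NonceRecv and lock out the real peer), and the byte counter must be checked on the sending side as well as the receiving side, since either end reaching the limit first is the trigger for the rehandshake the README lists as a feature.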

type PeerId

type PeerId [IDSize]byte

func IDDecode

func IDDecode(raw string) *PeerId

Decode an identification string. It must be 32 hexadecimal characters long. If it is not valid, nil is returned.
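KeyRead, IDDecode and IsValidHandshakePkt are the three places where untrusted or operator-supplied bytes enter this API, and the page states each contract in one line: exactly 64 hex characters, exactly 32 hex characters, a minimal size plus 16 trailing zero bytes. The following Go program is an added example written for this page, not the project's code; it implements those three contracts strictly. KeyDecode is a string-input variant of KeyRead (the page's function reads a file path), the handshakeMinSize value of 64 is this example's assumption since the page does not give the real minimum, and PeerId, KeySize and IDSize mirror the page.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	KeySize = 32
	IDSize  = 128 / 8
	// handshakeMinSize is an ASSUMPTION of this example: the page says a
	// handshake packet has a minimal size but does not state the number.
	handshakeMinSize = 64
	handshakeTrailer = 16
)

type PeerId [IDSize]byte

func (id PeerId) String() string { return hex.EncodeToString(id[:]) }

// decodeHexExact decodes s into dst and fails unless s, after trimming the
// whitespace a key file typically ends with, is exactly 2*len(dst) hex
// characters. A short or over-long string is an error, never a silently
// truncated or zero-padded key.
func decodeHexExact(s string, dst []byte) error {
	s = strings.TrimSpace(s)
	want := hex.EncodedLen(len(dst))
	if len(s) != want {
		return fmt.Errorf("expected %d hex characters, got %d", want, len(s))
	}
	if _, err := hex.Decode(dst, []byte(s)); err != nil {
		return err
	}
	return nil
}

// KeyDecode is the string form of the page's KeyRead: 64 hex characters
// become a 32-byte key; anything else is rejected with an error.
func KeyDecode(s string) (*[KeySize]byte, error) {
	var key [KeySize]byte
	if err := decodeHexExact(s, key[:]); err != nil {
		return nil, err
	}
	return &key, nil
}

// IDDecode follows the page's contract: 32 hex characters, or nil.
func IDDecode(raw string) *PeerId {
	var id PeerId
	if err := decodeHexExact(raw, id[:]); err != nil {
		return nil
	}
	return &id
}

// IsValidHandshakePkt applies the two checks the page names: the minimal
// size and 16 trailing zero bytes. The length check comes first so the
// trailer slice can never go out of bounds on a short datagram.
func IsValidHandshakePkt(pkt []byte) bool {
	if len(pkt) < handshakeMinSize {
		return false
	}
	for _, b := range pkt[len(pkt)-handshakeTrailer:] {
		if b != 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs: a key with a trailing newline as read from a
	// file, a short key, a valid ID, and two handshake-sized packets.
	key, err := KeyDecode("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n")
	fmt.Printf("key: %x err=%v\n", key[:4], err)
	_, err = KeyDecode("0011")
	fmt.Println("short key:", err)
	fmt.Println("id:", IDDecode("0123456789abcdef0123456789abcdef"))
	fmt.Println("bad id nil:", IDDecode("not-hex") == nil)
	pkt := make([]byte, handshakeMinSize)
	fmt.Println("zero trailer valid:", IsValidHandshakePkt(pkt))
	pkt[len(pkt)-1] = 1
	fmt.Println("dirty trailer valid:", IsValidHandshakePkt(pkt))
}
```

The exact-length rule is the part worth copying: hex.Decode on its own happily decodes 30 characters into the first 15 bytes of a 32-byte array and leaves the rest zero, which would turn a truncated key file into a weak key without any error.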

func (PeerId) String

func (id PeerId) String() string

type TAP

type TAP struct {
	Name string
	// contains filtered or unexported fields
}

func NewTAP

func NewTAP(ifaceName string) (*TAP, error)

func TAPListen

func TAPListen(ifaceName string) (*TAP, chan []byte, chan struct{}, chan struct{}, error)

Create the TAP listening goroutine. This function takes the required TAP interface name, opens it and allocates a buffer into which all frame data is read. It returns the TAP, a channel on which each read frame is sent, a synchronization channel (external consumers signal on it that the read buffer can be used again) and a possible interface opening error.

func (*TAP) Write

func (t *TAP) Write(data []byte)

type UDPPkt

type UDPPkt struct {
	Addr *net.UDPAddr
	Size int
}

Directories

Path Synopsis
cmd
govpn-client
Simple secure free software virtual private network daemon.
govpn-server
Simple secure free software virtual private network daemon.
