VPN daemon written in Go: GoVPN

ID N0WHERE:27697
Type n0where
Reporter N0where
Modified 2015-03-13T19:06:18


GoVPN is simple secure virtual private network daemon. It uses Diffie-Hellman Encrypted Key Exchange (DH-EKE) for mutual zero-knowledge peers authentication and authenticated encrypted data transport. It is written entirely in Go programming language .

All packets captured on a network interface are encrypted, authenticated and sent to remote server which then writes them to its interface – and vice versa. Client and server use pre-shared authentication key (PSK) and 128-bit identification key.

Because of stateless UDP nature, after some time of inactivity peers forget about each other and have to perform handshake process again, therefore background heartbeat process will be ran.

Handshake is used to mutually authenticate peers, exchange common secret per-session encryption key and check UDP transport availability.

Because of UDP and authentication overhead: each packet grows in size during transmission, and because of this you have to lower you maximum transmission unit (MTU) on virtual network interface.

Providing high security is the goal for this daemon. It uses fast cryptography algorithms with 128bit security margin, strong mutual zero-knowledge authentication and perfect-forward secrecy property. An attacker can not know anything about payload (except it’s size and time) from captured traffic, even if pre-shared key is compromised. Re-handshake is performed by client on every 4 GiB of transfered data.

VPN daemon golang VPN daemon Each client also has its own identification key and server works with all of them independently. Identification key is not secret, but it is encrypted (obfuscated) during transmission.

  • Works with TAP network interfaces on top of UDP entirely
  • GNU /Linux and FreeBSD support
  • IPv6 compatible
  • Encrypted and authenticated transport
  • Relatively fast handshake
  • Replay attack protection
  • Perfect forward secrecy (if long-term pre-shared keys are compromised, no captured traffic can be decrypted anyway)
  • Mutual two-side authentication (noone will send real network interface data unless the other side is authenticated)
  • Zero knowledge authentication (pre-shared key is not transmitted in any form between the peers, not even it’s hash value)
  • Built-in rehandshake and heartbeat features
  • Several simultaneous clients support

Building VPN daemon from source code

Although GoVPN is written on Go programming language, Make is recommended. Texinfo is used for building documentation. Software depends on golang.org/x/crypto Go libraries.

You can obtain source code either by cloning development branches from Git repository: git clone https://github.com/stargrave/govpn.git , or by downloading prepared tarballs.

You have to verify archives integrity and check the signature in order to to be sure that you have trusted, untampered software. For binary integrity and authentication The GNU Privacy Guard is used. You must download signature provided with the tarball:

gpg --verify govpn-1.5.tar.xz.sig govpn-1.5.tar.xz

You must also import signing public keys. They are provided on developers site. Be sure that you are reading them from the trusted source.

You need to set up $GOPATH properly first. For example you can clone the repository or decompress tarball and set the path like this:

% mkdir -p govpn/src
% git clone https://github.com/stargrave/govpn govpn/src/govpn
% tar xfC govpn-1.5.tar.xz govpn/src && mv govpn/src/govpn-1.5 govpn/src/govpn
% export GOPATH=$(pwd)/govpn:$GOPATH

After that you can just type make and all necessary Go libraries will be installed and client/server binaries are built in the current directory:

% cd govpn/src/govpn
% make
[or gmake under FreeBSD]

Source && Download

VPN daemon govpn download VPN daemon VPN daemon VPN daemon