Greetings!

GoVPN relies on Elligator2 transformation for zero-knowledge password
authentication. And it uses github.com/agl/ed25519 library for that.
Seems that it contains some possible bias in the output, as
https://github.com/tankf33der pointed me at:
https://github.com/agl/ed25519/issues/27
It does not compromise confidentiality and authenticity of connections,
but it makes the handshake password not so zero-knowledgable.

Currently I have not found easy replacements for Elligator2
implementation. However that flow should not be the practical
problem in real life.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF