-So, the entire UDP payload is encrypted using a symmetric cipher (blowfish in CBC mode).
-2 bytes of salt (random data) are added in front of the actual VPN packet,
-so that two VPN packets with (almost) the same content do not seem to be
-the same for eavesdroppers.
-2 bytes of salt may not seem much, but you can encrypt 65536 identical packets
-now without an attacker being able to see that they were identical.
-Given a MTU of 1500 this means 96 Megabyte of data.
-
-There is no @emph{extra} provision against replay attacks or alteration of packets.
-However, the VPN packets, normally UDP or TCP packets themselves, contain
-checksums and sequence numbers.
-Since those checksums and sequence numbers are encrypted,
-they automatically become @emph{cryptographically secure}.
-The kernel will handle any checksum errors and duplicate packets.
-
+So, the entire VPN packet is encrypted using a symmetric cipher. A 32 bits
+sequence number is added in front of the actual VPN packet, to act as a unique
+IV for each packet and to prevent replay attacks. A message authentication code
+is added to the UDP packet to prevent alteration of packets. By default the
+first 4 bytes of the digest are used for this, but this can be changed using
+the MACLength configuration variable.
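Review bot: The added paragraph says the "32 bits sequence number" acts as "a unique IV for each packet", but it does not say what happens when that counter wraps after 2^32 packets. Please document whether the session key is renegotiated before then, since a repeated sequence number would undo both the unique-IV and the replay-protection claims. The same paragraph gives a default of "the first 4 bytes of the digest" without naming the digest, and the removed text named the cipher while the new text only says "a symmetric cipher". Naming both defaults, or pointing to the configuration variables that select them as is already done for MACLength, would keep the section self-contained. It would also help to state that a 4-byte MAC gives a blind forgery a 1 in 2^32 chance per packet, so readers can judge when to raise MACLength, and to say whether the MAC covers the sequence number. Minor wording point: "32 bits sequence number" should read "32-bit sequence number".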