Works with WireGuard
Free and Open Source
Rosenpass is a daemon that, given a private key and a list of peers, performs a key exchange with each peer. The resulting keys are handed to WireGuard through its pre-shared key (PSK) feature: WireGuard remains exactly as secure as it was, and Rosenpass adds protection against attackers with quantum computers. Rosenpass can also write the keys to files, which can be used to integrate Rosenpass with tools other than WireGuard.
The rp bash program is used to build a VPN with WireGuard and Rosenpass. You can inspect how the tool integrates the wg WireGuard frontend and the rosenpass tool that implements our cryptography using the rp explain command:

$ rp explain genkey mykey
#!/bin/bash
set -e
umask 077
mkdir -p mykey
wg genkey > mykey/wgsk
rosenpass keygen \
  private-key mykey/pqsk \
  public-key mykey/pqpk
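The generated script above relies on umask 077 so that the key directory and the two private key files are readable by their owner only. The following shell functions are an added example, not code from the Rosenpass project: check_secret_dir verifies that a key directory still has that layout and those permissions (directory 700, wgsk and pqsk 600, pqpk present), and make_example_dir builds such a directory from constructed placeholder strings so the check can be exercised without wg or rosenpass installed. It assumes a Linux system with a stat that understands -c.

```shell
#!/bin/bash
# Added example, not part of the Rosenpass project: verify that a key
# directory created by `rp genkey` still has the owner-only permissions that
# the `umask 077` in the generated script produces (directory 700, secret
# files 600). Assumes GNU/busybox `stat -c` (Linux).

# check_secret_dir DIR
# Prints the first problem found and returns 1; returns 0 when DIR is mode 700
# and holds non-empty wgsk and pqsk files (both mode 600) plus a pqpk file.
check_secret_dir() {
    local dir=$1 mode f
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"; return 1
    fi
    mode=$(stat -c %a "$dir")
    if [ "$mode" != 700 ]; then
        echo "$dir: directory mode is $mode, expected 700"; return 1
    fi
    for f in wgsk pqsk; do                    # the two private keys
        if [ ! -s "$dir/$f" ]; then
            echo "$dir/$f: missing or empty"; return 1
        fi
        mode=$(stat -c %a "$dir/$f")
        if [ "$mode" != 600 ]; then
            echo "$dir/$f: file mode is $mode, expected 600"; return 1
        fi
    done
    if [ ! -s "$dir/pqpk" ]; then             # public key: only presence matters
        echo "$dir/pqpk: missing or empty"; return 1
    fi
    return 0
}

# make_example_dir DIR
# Builds a directory with the layout that `rp explain genkey` shows, under the
# same umask, but filled with constructed placeholder strings rather than real
# keys (no wg or rosenpass binary needed).
make_example_dir() {
    local dir=$1
    (
        umask 077
        mkdir -p "$dir"
        echo "PLACEHOLDER-wireguard-private-key" > "$dir/wgsk"
        echo "PLACEHOLDER-rosenpass-private-key" > "$dir/pqsk"
        echo "PLACEHOLDER-rosenpass-public-key"  > "$dir/pqpk"
    )
}

# Stand-alone demo: a freshly generated directory passes; a private key file
# that has become world-readable (mode 644) is reported.
demo_dir=$(mktemp -d)
make_example_dir "$demo_dir/demo.rosenpass-secret"
check_secret_dir "$demo_dir/demo.rosenpass-secret" && echo "ok: fresh key directory"
chmod 644 "$demo_dir/demo.rosenpass-secret/wgsk"
check_secret_dir "$demo_dir/demo.rosenpass-secret" || echo "problem detected as expected"
rm -rf "$demo_dir"
```

On a real host, run check_secret_dir against the server.rosenpass-secret or client.rosenpass-secret directory produced by rp genkey, for instance from a periodic job, so that a permission change on the private key files is noticed rather than silently tolerated.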
Since Rosenpass was released very recently, packaging is an ongoing process. We will provide packages for Debian, Nix, Arch Linux, and possibly Alpine. You can follow the process in the README.

(arch AUR)   $ aura -A rosenpass-git
(nix-flake)  $ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo)      $ cargo install rosenpass
To get more information about command line parameters used by the tools, you can ask the tools for help:
rp help
rosenpass help
To create a VPN connection, start by generating secret keys on both hosts.
rp genkey server.rosenpass-secret
rp genkey client.rosenpass-secret
Extract the public keys:
rp pubkey server.rosenpass-secret server.rosenpass-public
rp pubkey client.rosenpass-secret client.rosenpass-public

Copy the *.rosenpass-public directories to the other peers, then start the VPN. On the server:

sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
  peer client.rosenpass-public allowed-ips fe80::/64
On the client:
sudo rp exchange client.rosenpass-secret dev rosenpass0 \
  peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64
Assign IP addresses:
sudo ip a add fe80::1/64 dev rosenpass0 # Server
sudo ip a add fe80::2/64 dev rosenpass0 # Client

Test the connection by pinging the server from the client machine:

ping fe80::1%rosenpass0 # Client
You can watch Rosenpass replace the WireGuard PSK with the following command:
watch -n 0.2 'wg show all; wg show all preshared-keys'
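Watching the output by eye shows the PSK changing; for a deployment you want the same observation as a check that can run unattended. The functions below are an added example, not part of the Rosenpass project: they read the per-peer lines that wg show <iface> preshared-keys prints (peer public key, a tab, then the PSK or "(none)") and report, first, peers that have no PSK at all, which means that peer is running plain WireGuard without the Rosenpass key, and second, peers whose PSK is identical in two snapshots taken some time apart, which means the exchange is no longer renewing keys. The two snapshots embedded here are constructed placeholders standing in for real command output.

```shell
#!/bin/bash
# Added example, not part of the Rosenpass project: inspect the output of
# `wg show <iface> preshared-keys`, which prints one line per peer in the form
# "<peer public key><TAB><psk>" with "(none)" when no PSK is installed.

# missing_psk_peers SNAPSHOT
# Prints the public keys of peers whose PSK is "(none)"; returns 1 if any.
# Such a peer is protected by WireGuard alone, without the Rosenpass key.
missing_psk_peers() {
    local pub psk rc=0
    while IFS="$(printf '\t')" read -r pub psk; do
        [ -n "$pub" ] || continue
        if [ "$psk" = "(none)" ]; then
            echo "$pub"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# unrotated_psk_peers BEFORE AFTER
# Prints peers whose PSK is identical in both snapshots, or that appear only
# in AFTER; returns 1 if any. A PSK that never changes means the key exchange
# daemon stopped renewing it even though WireGuard still looks configured.
unrotated_psk_peers() {
    local before=$1 after=$2 pub psk old rc=0
    while IFS="$(printf '\t')" read -r pub psk; do
        [ -n "$pub" ] || continue
        old=$(printf '%s\n' "$before" | awk -F'\t' -v p="$pub" '$1 == p { print $2 }')
        if [ -z "$old" ] || [ "$old" = "$psk" ]; then
            echo "$pub"
            rc=1
        fi
    done <<EOF
$after
EOF
    return $rc
}

# Constructed snapshots standing in for two runs of
# `wg show rosenpass0 preshared-keys` taken a little apart. The key strings are
# placeholders, not real WireGuard or Rosenpass keys.
SNAP_T0=$(printf 'PEER_A_PUBKEY=\tPSK_A_1=\nPEER_B_PUBKEY=\tPSK_B_1=\nPEER_C_PUBKEY=\t(none)\n')
SNAP_T1=$(printf 'PEER_A_PUBKEY=\tPSK_A_2=\nPEER_B_PUBKEY=\tPSK_B_1=\nPEER_C_PUBKEY=\tPSK_C_1=\n')

# Stand-alone demo. On a live host, replace the snapshots with the output of
#   wg show rosenpass0 preshared-keys
# captured at two points in time.
echo "peers without a PSK in the first snapshot:"
if missing_psk_peers "$SNAP_T0"; then echo "(none missing)"; fi
echo "peers whose PSK did not change between the snapshots:"
if unrotated_psk_peers "$SNAP_T0" "$SNAP_T1"; then echo "(all rotated)"; fi
```

The second check needs a gap between the two snapshots that is longer than the rotation interval in use; a snapshot pair taken too close together will report every peer as unrotated even when the exchange is healthy.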
The Rosenpass software is subject to the Apache License Version 2.0, January 2004, and the MIT License, with attribution.
The content of this website is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)