Build post-quantum-secure VPNs with WireGuard!

Post-Quantum Secure

Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers. It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.

Works with WireGuard

Rosenpass keeps WireGuard security intact and adds on to it; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security.

Free and Open Source

Rosenpass is Free and Open Source Software under the Apache 2.0 and MIT licenses and is developed by hackers and researchers.

Quick Start

Supported Systems

We provide packages for Nix, Arch Linux, and Alpine Linux.

Since Rosenpass was released not too long ago, packaging is an ongoing process. You can find the latest information about all the Linux distributions we support on Repology.

Even if your distribution is not listed here, you can always compile Rosenpass yourself or download a pre-built, statically linked binary from our GitHub release page. You can also find OCI container images (Docker, Podman, etc.) there. While we only offer x86_64 builds, there is no reason in principle limiting Rosenpass to x86_64: you can compile it for any Linux or macOS architecture that is supported by liboqs.

How to install Rosenpass on your Linux distribution

(arch AUR)		$ aura -A rosenpass-git
(arch pacman)	$ pacman -S rosenpass
(NixOS)			$ nix-env -iA nixos.rosenpass nixos.rosenpass-tools
(nix-flake)		$ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo)			$ cargo install rosenpass
(alpine)		$ apk add rosenpass

To find more information on the available command line parameters, you can use these tools:

rp help
rosenpass help

How to set up your Rosenpass enhanced WireGuard VPN

Note: Technically, there's no difference between both hosts, but we named them server (pink) and client (orange) in this example to make it easier to comprehend.

  1. Start by generating secret keys on both hosts

     user@server:~$ rp genkey server.rosenpass-secret
     user@client:~$ rp genkey client.rosenpass-secret

  2. Extract the public keys

     user@server:~$ rp pubkey server.rosenpass-secret server.rosenpass-public
     user@client:~$ rp pubkey client.rosenpass-secret client.rosenpass-public

  3. Copy each host's -public directory to the other peer
  4. Congrats! Your basic setup is complete!

How to launch your Rosenpass-enhanced WireGuard VPN

  5. Start the VPN

     user@server:~$ sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
         peer client.rosenpass-public allowed-ips fe80::/64

     user@client:~$ sudo rp exchange client.rosenpass-secret dev rosenpass0 \
         peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64

  6. Assign IP addresses

     user@server:~$ sudo ip a add fe80::1/64 dev rosenpass0
     user@client:~$ sudo ip a add fe80::2/64 dev rosenpass0

Just to be sure: Verify the magic!

  7. Test the connection by pinging the server from the client machine

     user@client:~$ ping fe80::1%rosenpass0

  8. You can watch how Rosenpass replaces the WireGuard PSK with the following command

     watch -n 0.2 'wg show all; wg show all preshared-keys'

All done!

Rosenpass will now generate a new PSK for WireGuard about every two minutes and keep your VPN connection secure against attacks from quantum computers.
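The watch one-liner above only shows the PSK changing while you are looking at it. The following script is an added example, not part of the Rosenpass project or of this page: it polls the interface with wg show (from wireguard-tools), logs every PSK rotation and warns when the PSK stops changing for longer than the roughly two-minute cycle or is missing altogether. The interface name rosenpass0, the polling interval, the silence threshold and the sample key strings are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the Rosenpass project): confirm that the WireGuard
# PSK on a Rosenpass-managed interface really rotates, instead of eyeballing
# `watch`. Only `wg show <dev> preshared-keys` and `wg show <dev> peers` from
# wireguard-tools are used; interface and peer names are assumptions.
set -eu

# psk_for PEER DUMP: print the PSK that DUMP (the output of
# `wg show <dev> preshared-keys`, one "<peer pubkey><TAB><psk or (none)>" line
# per peer) lists for PEER; prints nothing if PEER is absent from DUMP.
psk_for() {
    local peer="$1" dump="$2"
    printf '%s\n' "$dump" | awk -F '\t' -v p="$peer" '$1 == p { print $2; exit }'
}

# psk_state OLD NEW: classify one observation as "rotated", "unchanged" or
# "missing". "missing" means WireGuard has no PSK for the peer at all, i.e. the
# tunnel is up but running without the post-quantum key Rosenpass should supply.
# The very first observation (OLD empty) of a valid PSK counts as "rotated".
psk_state() {
    local old="$1" new="$2"
    if [ -z "$new" ] || [ "$new" = "(none)" ]; then
        echo missing
    elif [ "$old" != "$new" ]; then
        echo rotated
    else
        echo unchanged
    fi
}

# monitor DEV PEER [INTERVAL] [MAX_SILENCE]: poll DEV every INTERVAL seconds
# (default 5), log each PSK change, and warn when the PSK has not changed for
# more than MAX_SILENCE seconds (default 300, comfortably beyond the ~2 minute
# rotation described on this page) or is missing entirely. Needs root for wg.
monitor() {
    local dev="$1" peer="$2" interval="${3:-5}" max_silence="${4:-300}"
    local prev="" cur now last_change
    last_change=$(date +%s)
    while :; do
        cur=$(psk_for "$peer" "$(wg show "$dev" preshared-keys)")
        now=$(date +%s)
        case "$(psk_state "$prev" "$cur")" in
            rotated)
                echo "$(date -u +%FT%TZ) PSK rotated on $dev"
                last_change=$now ;;
            missing)
                echo "$(date -u +%FT%TZ) WARNING: no PSK set on $dev for peer $peer" ;;
            unchanged)
                if [ $((now - last_change)) -gt "$max_silence" ]; then
                    echo "$(date -u +%FT%TZ) WARNING: PSK on $dev unchanged for $((now - last_change))s"
                fi ;;
        esac
        prev="$cur"
        sleep "$interval"
    done
}

# Constructed sample dumps (made-up keys) so the pure functions can be exercised
# without a running tunnel. PEER_KEY stands for the peer's WireGuard public key,
# which on a live host you would take from `wg show rosenpass0 peers`.
PEER_KEY='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa='
SAMPLE_OLD=$(printf '%s\t%s' "$PEER_KEY" 'oldpskoldpskoldpskoldpskoldpskoldpskoldpsk=')
SAMPLE_NEW=$(printf '%s\t%s' "$PEER_KEY" 'newpsknewpsknewpsknewpsknewpsknewpsknewpsk=')
SAMPLE_NONE=$(printf '%s\t%s' "$PEER_KEY" '(none)')

# On a live host, source the file as root and start the loop for the first peer:
#   . ./psk-watch.sh && monitor rosenpass0 "$(wg show rosenpass0 peers | head -n 1)"
```

A PSK that stays fixed for much longer than the two-minute cycle, or a peer that shows no PSK at all, means the WireGuard tunnel is still passing traffic but is no longer receiving fresh post-quantum key material from Rosenpass; that is the condition the watch command is meant to let you spot, and this script turns it into a log line you can alert on.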

For the curious

rp is a convenience wrapper for the actual rosenpass program (which handles the post-quantum secure key exchange). rp can set up both WireGuard and Rosenpass for you by:

  • generating WireGuard and Rosenpass public and secret keys
  • setting up the WireGuard interface
  • launching a Rosenpass process

If you're interested in learning more about how rosenpass works, you can try setting everything up yourself manually. Use the explain verb to show you how to integrate Rosenpass with WireGuard:

$ rp explain genkey mykey
#! /bin/bash
set -e
umask 077
mkdir -p mykey
wg genkey > mykey/wgsk
rosenpass keygen \
  private-key mykey/pqsk \
  public-key mykey/pqpk

We provide more in-depth resources in our Documentation section.

License

The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution

The content of this website, except for photographic material, is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Photographic material is published under this separate Creative Commons License:
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 Deed)