Build post-quantum-secure VPNs with WireGuard!

Post-Quantum Secure

Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers. It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.

Works with WireGuard

Rosenpass keeps WireGuard security intact and adds on to it; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security.

Free and Open Source

Rosenpass is Free and Open Source Software under the Apache 2.0 and MIT licenses and developed by hackers and researchers.

Getting started


The rosenpass programme (which handles the post-quantum secure key exchange) is accompanied by a convenience wrapper called rp. It can set up both WireGuard and Rosenpass for you. Usually this means generating WireGuard and Rosenpass public and secret keys, setting up the WireGuard interface, and launching a Rosenpass process. However, using the explain verb, rp can also show you how to integrate Rosenpass with WireGuard yourself!

$ rp explain genkey mykey
#! /bin/bash
set -e
umask 077
mkdir -p mykey
wg genkey > mykey/wgsk
rosenpass keygen \
  private-key mykey/pqsk \
  public-key mykey/pqpk

Since Rosenpass was released very recently, packaging is an ongoing process. We provide packages for Nix, Arch Linux, and Alpine Linux. You can see the current status on the Packaging status page.

Furthermore, you can always compile Rosenpass yourself or download our pre-built, statically linked binaries from the GitHub release page. You can also find OCI container images (Docker, Podman, etc.) there. While we only offer x86_64 builds, there is no reason in principle that limits Rosenpass to x86_64, and you can compile it for any architecture on Linux or macOS that is supported by liboqs.

Here’s how you can install Rosenpass on your distribution of Linux:

(arch AUR)		$ aura -A rosenpass-git
(arch pacman)	$ pacman -S rosenpass
(NixOS)			$ nix-env -iA nixos.rosenpass nixos.rosenpass-tools
(nix-flake)		$ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo)			$ cargo install rosenpass
(alpine)		$ apk add rosenpass

To get more information about command line parameters used by the tools, you can ask the tools for help:

rp help
rosenpass help

Set up your Rosenpass enhanced WireGuard VPN

Note: Technically there’s no difference between the two hosts, but we named them server (pink) and client (orange) in this example to make it easier to comprehend.

  1. Start by generating secret keys on both hosts:


rp genkey server.rosenpass-secret


rp genkey client.rosenpass-secret
  2. Extract the public keys:


rp pubkey server.rosenpass-secret server.rosenpass-public


rp pubkey client.rosenpass-secret client.rosenpass-public
  3. Copy each -public directory to the other peer and you’re done!

Launch your Rosenpass enhanced WireGuard VPN

  1. Start the VPN:

 • On the server:


sudo rp exchange server.rosenpass-secret dev rosenpass0 listen <server-ip>:<port> \
peer client.rosenpass-public allowed-ips fe80::/64

 • On the client:


sudo rp exchange client.rosenpass-secret dev rosenpass0 \
peer server.rosenpass-public endpoint <server-ip>:<port> allowed-ips fe80::/64
  2. Assign IP addresses:

 • On the server:

sudo ip a add fe80::1/64 dev rosenpass0

 • On the client:

sudo ip a add fe80::2/64 dev rosenpass0

Verify the magic!

  1. Test the connection by pinging the server on the client machine:


ping fe80::1%rosenpass0
  2. You can watch how Rosenpass replaces the WireGuard PSK with the following command:

watch -n 0.2 'wg show all; wg show all preshared-keys'

Rosenpass will now generate a new PSK for WireGuard about every two minutes and keep your VPN connection secure against attacks from quantum computers.
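
To check the rotation described above without watching the screen, the following added example (not part of the Rosenpass project) parses two snapshots of wg show all preshared-keys and reports peers that have no PSK or whose PSK did not change. The function names, the sample snapshots and the 150-second wait are assumptions made for this example; the input format assumed is one tab-separated line per peer.

```shell
#!/bin/sh
# Added example (not Rosenpass project code): check that WireGuard peers
# actually carry a Rosenpass-provided PSK and that the PSK rotates.
# Assumed input format of `wg show all preshared-keys`, one peer per line:
#   <interface> TAB <peer public key> TAB <preshared key or "(none)">

# Read a snapshot on stdin; print "<interface> <peer>" for peers without a PSK.
peers_without_psk() {
    awk -F '\t' 'NF == 3 && $3 == "(none)" { print $1, $2 }'
}

# $1 = older snapshot, $2 = newer snapshot. Print "<interface> <peer>" for
# peers whose PSK field is unchanged. Key material itself is never printed.
stale_peers() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F '\t' '
        $0 == "---" { second = 1; next }
        NF != 3     { next }
        !second     { old[$1 FS $2] = $3; next }
        (($1 FS $2) in old) && old[$1 FS $2] == $3 { print $1, $2 }'
}

# Constructed sample snapshots (placeholder names, not real keys).
TAB=$(printf '\t')
SAMPLE_OLD="rosenpass0${TAB}PEER_A_PUBKEY${TAB}PSK_ONE
rosenpass0${TAB}PEER_B_PUBKEY${TAB}(none)"
SAMPLE_NEW="rosenpass0${TAB}PEER_A_PUBKEY${TAB}PSK_TWO
rosenpass0${TAB}PEER_B_PUBKEY${TAB}(none)"

# Live check: run as root with --live on a host where rp exchange is running.
if [ "${1:-}" = "--live" ]; then
    before=$(wg show all preshared-keys)
    echo "Peers without a PSK (pre-quantum security only):"
    printf '%s\n' "$before" | peers_without_psk
    sleep 150   # the page says a new PSK arrives about every two minutes
    after=$(wg show all preshared-keys)
    echo "Peers whose PSK did not change in 150 s:"
    stale_peers "$before" "$after"
fi
```

A peer listed by either check is protected by WireGuard's own handshake only, so it is worth alerting on in monitoring.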



The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution

The content of this website, except for photographic material, is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Photographic material is published under this separate Creative Commons License:
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 Deed)