Build post-quantum-secure VPNs with WireGuard!

Post-Quantum Secure

Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers. It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.

Works with WireGuard

Rosenpass keeps WireGuard security intact and adds on to it; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security.

Free and Open Source

Rosenpass is Free and Open Source Software under the Apache 2.0 and MIT license and developed by hackers and researchers.

Quick Start

Supported Systems

We provide packages for Nix, Arch Linux, and Alpine Linux.

Since Rosenpass was released not too long ago, packaging is an ongoing process. You can find the latest information about all the Linux distributions we support on Repology.

Even if your distribution is not listed here, you can always compile Rosenpass yourself or download a pre-built, statically linked binary from our GitHub release page. You can also find OCI container images (Docker, Podman, etc.) there. While we only offer x86_64 builds, there's no principle reason limiting Rosenpass to x86_64, and you can compile it for any architecture in Linux, or MacOS, that is supported by liboqs.

How to install Rosenpass on your Linux distribution

(arch AUR)		$ aura -A rosenpass-git
(arch pacman)	$ pacman -S rosenpass
(NixOS)			$ nix-env -iA nixos.rosenpass nixos.rosenpass-tools
(nix-flake)		$ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo)			$ cargo install rosenpass
(alpine)		$ apk add rosenpass

To find more information on the available command line parameters, you can use these tools:

rp help
rosenpass help

How to set up your Rosenpass enhanced WireGuard VPN

Note: Technically, there's no difference between both hosts, but we named them server (pink) and client (orange) in this example to make it easier to comprehend.

  1. Start by generating secret keys on both hosts.
  2. Note: These will be stored in newly created server.rosenpass-secret and client.rosenpass-secret directories.

    user@server:~$ rp genkey server.rosenpass-secret

    user@client:~$ rp genkey client.rosenpass-secret

  3. Extract the public keys
  4. Note: As above, these will be stored in newly created server.rosenpass-public and client.rosenpass-public directories.

    user@server:~$ rp pubkey server.rosenpass-secret server.rosenpass-public

    user@client:~$ rp pubkey client.rosenpass-secret client.rosenpass-public

  5. Copy each -public directory to the other peer
  6. user@server:~$ scp -r server.rosenpass-public user@client:/path/to/directory

    user@client:~$ scp -r client.rosenpass-public user@server:/path/to/directory

    Congrats! Your basic setup is complete!

    How to launch your Rosenpass-enhanced WireGuard VPN

  7. Start the VPN
  8. user@server:~$ sudo rp exchange server.rosenpass-secret dev rosenpass0 listen \
    peer client.rosenpass-public allowed-ips fe80::/64

    user@client:~$ sudo rp exchange client.rosenpass-secret dev rosenpass0 \
    peer server.rosenpass-public endpoint allowed-ips fe80::/64

  9. Assign IP addresses
  10. user@server:~$ sudo ip a add fe80::1/64 dev rosenpass0

    user@client:~$ sudo ip a add fe80::2/64 dev rosenpass0

    Just to be sure: Verify the magic!

  11. Test the connection by pinging the server on the client machine
  12. user@client:~$ ping fe80::1%rosenpass0

  13. You can watch how Rosenpass replaces the WireGuard PSK with the following command
  14. watch -n 0.2 'wg show all; wg show all preshared-keys'

    All done!

    Rosenpass will now generate a new PSK key for WireGuard about every two minutes and keep your VPN connection secure against post-quantum computer attacks.

We provide in-depth ressources in our Documentation section.

If you have further questions, please feel free to get in touch. We maintain a public Rosenpass Matrix chatroom, as well as several inboxes, for public inquiries, development questions, and general interest. Feature requests can also be opened at our GitHub pages


The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution

The content of this website, except for photographic material, is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Photographic material is published under this separate Creative Commons License:
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 Deed)