High-Level Interfaces
RP(1)
RP(1) General Commands Manual RP(1)

NAME
rp - high-level interface to rosenpass

SYNOPSIS
rp [explain] [verbose] genkey ... | pubkey ... | exchange ...

rp [...] genkey PRIVATE_KEYS_DIR

rp [...] pubkey PRIVATE_KEYS_DIR PUBLIC_KEYS_DIR

rp [...] exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>] ...]] ...

DESCRIPTION
The rp program is used to build a VPN with WireGuard and Rosenpass.

The optional [explain] and [verbose] options can be used to obtain further help or to enable a detailed view of the operations, respectively.

genkey PRIVATE_KEYS_DIR
Creates a new directory with appropriate permissions and generates all the necessary private keys required for a peer to participate in a rosenpass connection.
pubkey PRIVATE_KEYS_DIR PUBLIC_KEYS_DIR
Creates a fresh directory at PUBLIC_KEYS_DIR, which contains the extracted public keys from the private keys generated by genkey and located inside PRIVATE_KEYS_DIR.
exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [PEERS]
Starts the VPN on the interface named by dev, listening on the given IP address and port combination, and allows connections from the listed PEERS.

EXIT STATUS
The rp utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
In this example, we will assume that the server has an interface bound to 192.168.0.1, that accepts incoming connections on port 9999/UDP for Rosenpass and port 10000/UDP for WireGuard.

To create a VPN connection, start by generating secret keys on both hosts.

rp genkey server.rosenpass-secret
rp genkey client.rosenpass-secret

Extract the public keys:

rp pubkey server.rosenpass-secret server.rosenpass-public
rp pubkey client.rosenpass-secret client.rosenpass-public

Copy the "-public" directories to the other peers and then start the VPN. On the server:

sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
    peer client.rosenpass-public allowed-ips fe80::/64

On the client:

sudo rp exchange client.rosenpass-secret dev rosenpass0 \
    peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64

Assign IP addresses:

sudo ip a add fe80::1/64 dev rosenpass0 # Server
sudo ip a add fe80::2/64 dev rosenpass0 # Client

Test the connection by pinging the server on the client machine:

ping fe80::1%rosenpass0 # Client

You can watch how rosenpass replaces the WireGuard PSK with the following:

watch -n 0.2 'wg show all; wg show all preshared-keys'
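The example above is a sequence of commands typed by hand on two hosts. The script below is an added example (it is not part of the rp(1) man page or of the Rosenpass project) that assembles the two `rp exchange` lines from the values in the EXAMPLES section and performs two sanity checks a deployer typically wants before running them: that the `<ip>:<port>` argument has the form the SYNOPSIS shows, and that PRIVATE_KEYS_DIR is not readable by group or others. The script name `rp-plan.sh`, the function names, the fixed interface name rosenpass0 and the fe80::/64 prefix are assumptions taken from the example, and the directory permission check is a local hygiene check, not a description of the mode `rp genkey` itself sets. Nothing in it executes rp.

```shell
#!/bin/sh
# rp-plan.sh (hypothetical name). Added example, not part of rp(1) or the
# Rosenpass project: builds the `rp exchange` command lines from the man
# page's EXAMPLES section and checks their inputs. Nothing here runs rp.
#
# Assumptions (not stated by the man page):
#   - the interface is rosenpass0 and the tunnel prefix is fe80::/64,
#     exactly as in the example above;
#   - a PRIVATE_KEYS_DIR should have no group/other permission bits; this
#     is a local hygiene check, not the mode `rp genkey` itself sets.

set -eu

# check_endpoint <ip>:<port>
# Returns 0 when the argument is a dotted IPv4 address followed by a port
# in 1..65535, the form the SYNOPSIS shows for `listen` and `endpoint`.
check_endpoint() {
    ep=$1
    host=${ep%:*}
    port=${ep##*:}
    # Without a ':' both expansions yield the whole string, and the
    # digit-only test on the port then rejects it.
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$host" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $host
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_secret_dir PRIVATE_KEYS_DIR
# Returns 0 when the directory exists and the group/other permission
# bits are all clear (columns 5-10 of `ls -ld`). ACLs are not inspected.
check_secret_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    bits=$(ls -ld "$dir" | cut -c5-10)
    [ "$bits" = "------" ]
}

# build_exchange server|client PRIVATE_KEYS_DIR PEER_PUBLIC_KEYS_DIR <ip>:<port>
# Prints the `rp exchange` line for one peer. The server uses `listen`,
# the client uses `endpoint`, mirroring the EXAMPLES section.
build_exchange() {
    role=$1 secret=$2 peer_pub=$3 addr=$4
    check_endpoint "$addr" || { echo "bad <ip>:<port>: $addr" >&2; return 1; }
    case "$role" in
        server)
            printf 'rp exchange %s dev rosenpass0 listen %s peer %s allowed-ips fe80::/64\n' \
                "$secret" "$addr" "$peer_pub" ;;
        client)
            printf 'rp exchange %s dev rosenpass0 peer %s endpoint %s allowed-ips fe80::/64\n' \
                "$secret" "$peer_pub" "$addr" ;;
        *)
            echo "unknown role: $role (expected server or client)" >&2
            return 1 ;;
    esac
}

# Command-line use:
#   rp-plan.sh server server.rosenpass-secret client.rosenpass-public 192.168.0.1:9999
#   rp-plan.sh client client.rosenpass-secret server.rosenpass-public 192.168.0.1:9999
if [ "$#" -eq 4 ]; then
    check_secret_dir "$2" || echo "warning: $2 is missing or readable by group/others" >&2
    build_exchange "$@"
fi
```

The script prints the command rather than running it so that the line can be reviewed, diffed against the other host's configuration, and then prefixed with `sudo` by the operator; `check_endpoint` deliberately accepts only the IPv4 literal form shown in the example, so an IPv6 endpoint must be handled separately.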

SEE ALSO
rosenpass(1), wg(1)

AUTHORS
Rosenpass was created by Karolin Varner, Benjamin Lipp, Wanja Zaeske, Marei Peischl, Stephan Ajuvo, and Lisa Schmidt.

This manual page was written by Emil Engler.

BUGS
The bugs are tracked at https://github.com/rosenpass/rosenpass/issues.

January 3, 2024 Debian