High-Level Interfaces
RP(1) General Commands Manual RP(1)

rphigh-level interface to rosenpass

rp [explain] [verbose] genkey ... | pubkey ... | exchange ...

rp [...] genkey PRIVATE_KEYS_DIR


rp [...] exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>] ...]] ...

The rp program is used to build a VPN with WireGuard and Rosenpass.

The optional [explain] and [verbose] options can be used to obtain further help or to enable a detailed view on the operations, respectively.

Creates a new directory with appropriate permissions and generates all the necessary private keys required for a peer to participate in a rosenpass connection.
Creates a fresh directory at PUBLIC_KEYS_DIR, which contains the extracted public keys from the private keys generated by genkey and located inside PRIVATE_KEYS_DIR.
exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [PEERS]
Starts the VPN on interface device, listening on the provided IP and port combination, allowing connections from PEERS.

The rp utility exits 0 on success, and >0 if an error occurs.

In this example, we will assume that the server has an interface bound to, that accepts incoming connections on port 9999/UDP for Rosenpass and port 10000/UDP for WireGuard.

To create a VPN connection, start by generating secret keys on both hosts.

rp genkey server.rosenpass-secret
rp genkey client.rosenpass-secret

Extract the public keys:

rp pubkey server.rosenpass-secret server.rosenpass-public
rp pubkey client.rosenpass-secret client.rosenpass-public

Copy the "-public" directories to the other peers and then start the VPN. On the server:

sudo rp exchange server.rosenpass-secret dev rosenpass0 listen \
    peer client.rosenpass-public allowed-ips fe80::/64

On the client:

sudo rp exchange client.rosenpass-secret dev rosenpass 0 \
    peer server.rosenpass-public endpoint allowed-ips fe80::/64

Assign IP addresses:

sudo ip a add fe80::1/64 dev rosenpass0 # Server
sudo ip a add fe80::2/64 dev rosenpass0 # Client

Test the connection by pinging the server on the client machine:

ping fe80::1%rosenpass0 # Client

You can watch how rosenpass replaces the WireGuard PSK with the following:

watch -n 0.2 'wg show all; wg show all preshared-keys'

rosenpass(1), wg(1)

Rosenpass was created by Karolin Varner, Benjamin Lipp, Wanja Zaeske, Marei Peischl, Stephan Ajuvo, and Lisa Schmidt.

This manual page was written by Emil Engler

The bugs are tracked at https://github.com/rosenpass/rosenpass/issues.

January 3, 2024 Debian