Below is a guide on how to install Rosenpass via pre-compiled binary files or manual compilation.
This can be used on Linux systems for which Rosenpass does not yet provide a dedicated guide or a package.
Currently, most users should start with the Installation via the Binary Files.
If you are using Ubuntu or Debian, please follow our dedicated guides for these distributions.
Table of Contents:
- Installation via the Binary Files: Most users can start here.
- Compile Rosenpass from Source: Some users might need to go the manual way.
- Set up a Rosenpass-enhanced WireGuard VPN: After installation, you can proceed here.
Compile Rosenpass from Source
- You can compile Rosenpass yourself. This gives you the advantage of ensuring that the Rosenpass you run is built exactly from the source code in Git.
- Install the dependencies. Under Debian, you can do this with the following command:
sudo apt-get --yes install libsodium-dev libclang-dev cmake pkg-config git build-essential
- If you want to use Rosenpass with WireGuard, install WireGuard. On Debian, you can do this with the following command:
sudo apt-get --yes install wireguard
- Install Rust >= 1.64.0 (as of 2023-07-01). This can be achieved using Rustup, for example.
- Clone the Git Repository:
git clone https://github.com/rosenpass/rosenpass.git
- Change to the Rosenpass directory:
cd rosenpass
- Switch to the version you want to install. Without switching, you will compile and install the dev version. Find the name of the version that you would like to install on the releases page, or find the name of the latest release. Use the following command to switch to a version, e.g., 0.2.2:
git checkout v0.2.2
- Compile Rosenpass (this may take a while):
cargo build --release
- Install Rosenpass:
sudo install target/release/rosenpass /usr/local/bin
- If you want the Rosenpass helper rp, you can install it with:
sudo install rp /usr/local/bin
That’s it! You have now downloaded, compiled, and installed Rosenpass.
Installation via the Binary Files
- If Rosenpass is not yet available for your distribution, you can attempt to download it manually.
- Download the desired version for your operating system from the releases page, or directly jump to the latest version.
- Unzip the file. On Linux you can use tar for this:
tar xf rosenpass-x86_64-linux-0.2.2.tar
- Install Rosenpass:
sudo install bin/rosenpass /usr/local/bin
- If you want the Rosenpass helper rp, you can install it with:
sudo install bin/rp /usr/local/bin
- Delete the downloaded files:
rm -r rosenpass-x86_64-linux-0.2.2.tar bin/
That’s it! You have now downloaded and installed Rosenpass.
Set up a Rosenpass-enhanced WireGuard VPN
In this section, we set up a Rosenpass-enhanced WireGuard connection between two peers. Technically, there’s no difference between the two peers. However, for clarity, we name them server (pink) and client (orange).
Prepare the Key Pairs
1. Start by generating secret keys for both peers
Note: These will be stored in newly created server.rosenpass-secret and client.rosenpass-secret directories.
rp genkey server.rosenpass-secret
rp genkey client.rosenpass-secret
2. Extract the public keys
Note: As above, these will be stored in newly created server.rosenpass-public and client.rosenpass-public directories.
rp pubkey server.rosenpass-secret server.rosenpass-public
rp pubkey client.rosenpass-secret client.rosenpass-public
3. Copy each -public directory to the other peer
scp -r server.rosenpass-public user@client:/path/to/directory
scp -r client.rosenpass-public user@server:/path/to/directory
Congrats! This completes the setup of the key pairs.
Launch your Rosenpass-enhanced WireGuard VPN
4. Start the VPN
Note: This may conflict with your firewall. In that case, you will need to configure your firewall to give Rosenpass access to the port number explicitly mentioned in these commands (9999 in this example), and to give WireGuard access to this port number incremented by one (10000 in this example).
rp exchange server.rosenpass-secret dev rosenpass0 listen 127.0.0.1:9999 \
peer client.rosenpass-public allowed-ips fe80::/64
rp exchange client.rosenpass-secret dev rosenpass0 \
peer server.rosenpass-public endpoint 127.0.0.1:9999 allowed-ips fe80::/64
5. Assign IP addresses
ip a add fe80::1/64 dev rosenpass0
ip a add fe80::2/64 dev rosenpass0
Just to be sure: Verify the magic!
6. Test the connection
You can test the connection by pinging the server from the client peer and vice versa:
ping fe80::1%rosenpass0
ping fe80::2%rosenpass0
7. Watch how Rosenpass replaces the WireGuard PSK
You can watch how Rosenpass replaces the WireGuard PSK with the following command:
watch -n 2 'wg show all; wg show all preshared-keys'
All done!
Rosenpass will now generate a new PSK for WireGuard about every two minutes and keep your VPN connection secure against attacks by quantum computers.
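
The check from step 7 can also be scripted so that the keys never appear on screen. The following is an added example, not part of the Rosenpass documentation or code: it hashes each peer's PSK from `wg show <dev> preshared-keys` and compares two samples, flagging peers with no PSK or an unchanged one. The function names, the 150-second interval and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Rosenpass project code. Checks that a PSK is set and
# changes between two samples, comparing hashes so the key is never displayed.

# Read `wg show <dev> preshared-keys` output (peer<TAB>psk per line) on stdin;
# print "<peer> <fingerprint>", where fingerprint is "none" or a SHA-256 prefix.
psk_fingerprints() {
    while IFS="$(printf '\t')" read -r peer psk; do
        [ -n "$peer" ] || continue
        if [ -z "$psk" ] || [ "$psk" = "(none)" ]; then
            echo "$peer none"
        else
            echo "$peer $(printf '%s' "$psk" | sha256sum | cut -c1-16)"
        fi
    done
}

# psk_check OLD NEW: compare two fingerprint snapshots, one verdict per peer.
# Returns 1 if any peer has no PSK or an unchanged PSK, 2 if NEW has no peers.
psk_check() {
    [ -n "$2" ] || { echo "no peers found"; return 2; }
    rc=0
    while read -r peer fp; do
        [ -n "$peer" ] || continue
        prev=$(printf '%s\n' "$1" | awk -v p="$peer" '$1 == p { print $2 }')
        if [ "$fp" = none ]; then echo "$peer NO_PSK"; rc=1
        elif [ "$fp" = "$prev" ]; then echo "$peer UNCHANGED"; rc=1
        else echo "$peer ROTATED"; fi
    done <<EOF
$2
EOF
    return "$rc"
}

# Live use (as root), e.g. `psk_live_check rosenpass0 150`: the interval is an
# assumed value, chosen to exceed the roughly two-minute rekey period.
psk_live_check() {
    a=$(wg show "$1" preshared-keys | psk_fingerprints)
    sleep "$2"
    b=$(wg show "$1" preshared-keys | psk_fingerprints)
    psk_check "$a" "$b"
}

# Constructed sample data (not real keys): peer A rotates, peer B has no PSK.
T=$(printf '\t')
SAMPLE_OLD="peerA=${T}b2xkLXBzay1h
peerB=${T}(none)"
SAMPLE_NEW="peerA=${T}bmV3LXBzay1h
peerB=${T}(none)"
```

A `NO_PSK` verdict means WireGuard is running for that peer without a key from Rosenpass, so the tunnel has only WireGuard's own protection.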