Rosenpass provides pre-built binary files for x86 64-bit Ubuntu. This is the most common architecture. If you need something else, you are advised to compile Rosenpass from source.

1. Install the dependencies necessary for running Rosenpass. This is just WireGuard:

sudo apt --yes install wireguard

2. Download the Rosenpass binary. The following command gets you the latest version. If you need a different one, have a look at the releases page.

wget https://github.com/rosenpass/rosenpass/releases/download/v0.2.2/rosenpass-x86_64-linux-0.2.2.tar

3. Unzip the file. You can use the following command, or use the file explorer and “Extract Here” (or similar) from the context menu.

The archive contains a directory bin with the main binary rosenpass (link to its manual) and the helper rp (link to its manual).

tar xf rosenpass-x86_64-linux-0.2.2.tar

4. Install Rosenpass by copying its binaries to /usr/local/bin with root privileges:

sudo install bin/rosenpass /usr/local/bin

sudo install bin/rp /usr/local/bin

5. Test: As a quick test that the installation succeeded, run both tools with the help command to show a short usage hint:

rosenpass help

rp help

Note: In version the current version v0.2.2, rp shows an error message if Git is not installed. You can safely use rp without Git.

That’s it! You have now downloaded and installed Rosenpass. You can now proceed to set up a Rosenpass-enhanced WireGuard VPN.

If you cannot or do not want to use the pre-built binaries, you can compile Rosenpass from source.

1. Install the dependencies necessary for compiling and running Rosenpass. The following command also installs curl in preparation for the Rustup installation in the next point:

sudo apt --yes install libsodium-dev libclang-dev cmake pkg-config git build-essential curl wireguard

2. Install Rust. The preferred way to do this is by using Rustup (the website should show a straightforward command to install Rustup). During installation, Rustup asks you about your installation preferences; if you are unsure you can just proceed with the standard installation.
   

3. Clone the Rosenpass Git repository, change to the rosenpass directory, and switch to the branch of the latest release:

git clone https://github.com/rosenpass/rosenpass.git

cd rosenpass

git checkout v0.2.2

Without switching to a different branch, you will install and compile the development version from the main branch. If you would like to compile a released version, find its Git tag name by browsing the releases page and use git checkout accordingly. If you would like to compile the version from a specific branch, you can find a branches overview on GitHub.

4. Compile: This is the actual compilation step and may take a while:

cargo build --release

5. Install: If the compilation succeeded, proceed to install Rosenpass by copying its binaries to /usr/local/bin with root privileges:

sudo install target/release/rosenpass /usr/local/bin

sudo install rp /usr/local/bin

6. Test: As a quick test that the installation succeeded, run both tools with the help command to show a short usage hint:

rosenpass help

rp help

That’s it! You have downloaded, compiled, and installed Rosenpass. You can now proceed to set up a Rosenpass-enhanced WireGuard VPN.

In this section, we set up a Rosenpass-enhanced WireGuard connection between two peers. Technically, there’s no difference between the two peers. However, for clarity, we name them server (pink) and client (orange).

Prepare the Key Pairs

1. Start by generating secret keys for both peers

Note: These will be stored in newly created server.rosenpass-secret and client.rosenpass-secret directories.

rp genkey server.rosenpass-secret

rp genkey client.rosenpass-secret

2. Extract the public keys

Note: As above, these will be stored in newly created server.rosenpass-public and client.rosenpass-public directories.

rp pubkey server.rosenpass-secret server.rosenpass-public

rp pubkey client.rosenpass-secret client.rosenpass-public

3. Copy each -public directory to the other peer

Both peers need the -public directory of other peer, respectively, and it needs to be placed next to the -secret and -public directories that already exist. If you have SSH access to both machines, you can use the following commands:

scp -r server.rosenpass-public user@client:/path/to/directory

scp -r client.rosenpass-public user@server:/path/to/directory

Congrats! This completes the setup of the key pairs.

Launch your Rosenpass-enhanced WireGuard VPN

In the following two commands, replace $SERVERIP with the IP address under which the client can reach the server. This might be a publicly routable IP address, an IP address within your local network, or even the loopback address 127.0.0.1.

Equally, replace $DEVICE by the name of the network device on which the server receives packets for the $SERVERIP.

You can find information about the network device and IP addresses using the command:

ip a

4. Start the VPN

Start the Rosenpass and WireGuard processes on both server and client. This creates a WireGuard network interface named rosenpass0, which allows us, in the next step, to assign an internal IP address and to add a route for the internal network.

In the following two commands, remember to replace $SERVERIP with the IP address under which the client can reach the server.

sudo rp exchange server.rosenpass-secret \
  dev rosenpass0 \
  listen $SERVERIP:9999 \
  peer client.rosenpass-public \
  allowed-ips 192.168.21.0/24

sudo rp exchange client.rosenpass-secret \
  dev rosenpass0 \
  peer server.rosenpass-public \
  endpoint $SERVERIP:9999 \
  allowed-ips 192.168.21.0/24

5. Assign IP addresses

In this example, we use addresses from the internal network 192.168.21.0/24 within the VPN. Feel free to try something else, but make sure to adapt IP addresses and networks in all commands where necessary.

sudo ip a add 192.168.21.1 dev rosenpass0

sudo ip a add 192.168.21.2 dev rosenpass0

6. Add routes for the WireGuard network

Verify that the routing table containes an entry for the internal network 192.168.21.0/24. You can do so with the following command:

ip route

Its output should contain a line about the 192.168.21.0/24 network, mentioning the interface rosenpass0:

…
192.168.21.0/24 dev rosenpass0 scope link
…

If such a line is not present, you can add a route using:

sudo ip route add 192.168.21.0/24 dev rosenpass0

Remember to verify and do this on both server and client.

7. Configure your firewall

Not sure if you are behind a firewall? You can skip this step and come back in case you cannot get a connection to work.

In this example, the server needs to be reachable on two ports: 9999 for the Rosenpass connection, and 10000 for the WireGuard connection. Port 9999 is explicitly configured in the command used in the next step. The WireGuard port is implicitly set by the rp tool to the Rosenpass port number incremented by one, 10000 in this example.

Configure your firewall(s) such that incoming UDP packets on ports 9999 and 10000 are allowed.

The standard firewall under Ubuntu is ufw. In case it is enabled on your server, you can use the following commands to add rules that allow the necessary incoming connections for this example setup. Remember to replace $SERVERIP with the IP address under which the client can reach the server, and $DEVICE by the name of the network device on which the server receives packets for the $SERVERIP.

sudo ufw allow in on $DEVICE \
  from any to $SERVERIP \
  port 9999 \
  proto udp \
  comment 'Rosenpass'

sudo ufw allow in on $DEVICE \
  from any to $SERVERIP \
  port 10000 \
  proto udp \
  comment 'WireGuard'

The new firewall rules should look like this:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
$SERVERIP 9999/udp on $DEVICE ALLOW       Anywhere                   # Rosenpass
$SERVERIP 10000/udp on $DEVICE ALLOW       Anywhere                   # WireGuard

Steps to verify your setup

8. Test the Rosenpass handshake

As a first test, check if Rosenpass manages to exchange a shared secret and to hand it over to WireGuard as pre-shared key (PSK).

On both the server and the client, you can run the following command to see which pre-shared key WireGuard is using for the connection. Be aware that this shows meant-to-be-secret cryptographic key material, and pay attention to who is able to see your computer’s screen:

sudo wg show rosenpass0 preshared-keys

The output should show one line consisting of two base64-encoded strings, separated by a space. The second string is the pre-shared key. This should be the same on both machines. Rosenpass changes it approximately every two minutes:

q1ySvWXjsS2l0Apu2f9YZLw7pLT4+QXfIZVTpMBO01I=    (redacted)

Likewise on both server and client, you can display the state of the WireGuard connection:

sudo wg show rosenpass0

On the client, you should see an output like this, where $SERVERIP matches the IP address configured earlier:

interface: rosenpass0
  public key: 1NQJ1iObOnkkWlqDU6bhqGPEjCIIvKTKjI10XE0t7DA=
  private key: (hidden)
  listening port: 52922

peer: q1ySvWXjsS2l0Apu2f9YZLw7pLT4+QXfIZVTpMBO01I=
  preshared key: (hidden)
  endpoint: $SERVERIP:10000
  allowed ips: 192.168.21.0/24

And on the server, you should see an output like this, with WireGuard listening port 10000:

interface: rosenpass0
  public key: q1ySvWXjsS2l0Apu2f9YZLw7pLT4+QXfIZVTpMBO01I=
  private key: (hidden)
  listening port: 10000

peer: 1NQJ1iObOnkkWlqDU6bhqGPEjCIIvKTKjI10XE0t7DA=
  preshared key: (hidden)
  allowed ips: 192.168.21.0/24

The displayed public key of the server should be listed as the ID of the peer on the client, and vice versa.

If you want to continuously watch the current state of the WireGuard tunnel and its pre-shared key, you can use the following command on both client and server; this can be useful during debugging, e.g., to see if both sides keep using the same pre-shared key and exchange it synchronously. This combines the two above commands repeats and them every 2 seconds:

sudo watch 'wg show all; wg show all preshared-keys'

9. Test the WireGuard connection

You can test the WireGuard connection by pinging the server’s internal IP address from the client peer and vice versa:

ping 192.168.21.2

ping 192.168.21.1

All done and the ping test works?

Rosenpass will now generate a new PSK key for WireGuard about every two minutes and keep your WireGuard VPN connection secure against post-quantum computer attacks.