High-Level Interfaces
RP(1)
RP(1) General Commands Manual RP(1)

rphigh-level interface to rosenpass

rp [explain] [verbose] genkey ... | pubkey ... | exchange ...

rp [...] genkey PRIVATE_KEYS_DIR

rp [...] pubkey PRIVATE_KEYS_DIR PUBLIC_KEYS_DIR

rp [...] exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [peer PUBLIC_KEYS_DIR [endpoint <ip>:<port>] [persistent-keepalive <interval>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>] ...]] ...

The rp program is used to build a VPN with WireGuard and Rosenpass.

The optional [explain] and [verbose] options can be used to obtain further help or to enable a detailed view on the operations, respectively.

genkey PRIVATE_KEYS_DIR
Creates a new directory with appropriate permissions and generates all the necessary private keys required for a peer to participate in a rosenpass connection.
pubkey PRIVATE_KEYS_DIR PUBLIC_KEYS_DIR
Creates a fresh directory at PUBLIC_KEYS_DIR, which contains the extracted public keys from the private keys generated by genkey and located inside PRIVATE_KEYS_DIR.
exchange PRIVATE_KEYS_DIR [dev <device>] [listen <ip>:<port>] [PEERS]
Starts the VPN on interface device, listening on the provided IP and port combination, allowing connections from PEERS.

The rp utility exits 0 on success, and >0 if an error occurs.

In this example, we will assume that the server has an interface bound to 192.168.0.1, that accepts incoming connections on port 9999/UDP for Rosenpass and port 10000/UDP for WireGuard.

To create a VPN connection, start by generating secret keys on both hosts.

rp genkey server.rosenpass-secret
rp genkey client.rosenpass-secret

Extract the public keys:

rp pubkey server.rosenpass-secret server.rosenpass-public
rp pubkey client.rosenpass-secret client.rosenpass-public

Copy the "-public" directories to the other peers and then start the VPN. On the server:

sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
    peer client.rosenpass-public allowed-ips fe80::/64

On the client:

sudo rp exchange client.rosenpass-secret dev rosenpass 0 \
    peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64

Assign IP addresses:

sudo ip a add fe80::1/64 dev rosenpass0 # Server
sudo ip a add fe80::2/64 dev rosenpass0 # Client

Test the connection by pinging the server on the client machine:

ping fe80::1%rosenpass0 # Client

You can watch how rosenpass replaces the WireGuard PSK with the following:

watch -n 0.2 'wg show all; wg show all preshared-keys'

rosenpass(1), wg(1)

Rosenpass was created by Karolin Varner, Benjamin Lipp, Wanja Zaeske, Marei Peischl, Stephan Ajuvo, and Lisa Schmidt.

This manual page was written by Clara Engler

The bugs are tracked at https://github.com/rosenpass/rosenpass/issues.

September 16, 2024 Debian