Quick Start
Supported Systems
We provide packages for Nix, Arch Linux, and Alpine Linux.
Since Rosenpass was released not too long ago, packaging is an ongoing process. You can find the latest information about all the Linux distributions we support on Repology.
Even if your distribution is not listed here, you can always compile Rosenpass yourself or download a pre-built, statically linked binary from our GitHub release page. You can also find OCI container images (Docker, Podman, etc.) there. While we only offer x86_64 builds, nothing in principle limits Rosenpass to x86_64, and you can compile it on Linux or macOS for any architecture that is supported by liboqs.
How to install Rosenpass on your Linux distribution
If your distribution isn't listed below, you can compile and install Rosenpass yourself in just a few steps.
(arch pacman) $ pacman -S rosenpass
(arch AUR) $ aura -A rosenpass-git
(NixOS) $ nix-env -iA nixos.rosenpass nixos.rosenpass-tools
(nix-flake) $ nix profile install github:rosenpass/rosenpass#rosenpass
(alpine (testing)) $ apk add rosenpass
To find more information on the available command line parameters, you can use these tools:
rp help
rosenpass help
How to set up your Rosenpass enhanced WireGuard VPN
Note: Technically, there's no difference between the two hosts, but we named them server (pink) and client (orange) in this example to make it easier to follow.
- Start by generating secret keys on both hosts.
Note: These will be stored in newly created server.rosenpass-secret and client.rosenpass-secret directories.
# on the server
rp genkey server.rosenpass-secret
# on the client
rp genkey client.rosenpass-secret
- Extract the public keys
Note: As above, these will be stored in newly created server.rosenpass-public and client.rosenpass-public directories.
# on the server
rp pubkey server.rosenpass-secret server.rosenpass-public
# on the client
rp pubkey client.rosenpass-secret client.rosenpass-public
- Copy each -public directory to the other peer
# on the server
scp -r server.rosenpass-public user@client:/path/to/directory
# on the client
scp -r client.rosenpass-public user@server:/path/to/directory
Congrats! Your basic setup is complete!
How to launch your Rosenpass-enhanced WireGuard VPN
- Start the VPN
Note: This may conflict with your firewall. In that case, you will need to configure your firewall to give Rosenpass access to the port number explicitly mentioned in these commands, 9999 in this example, as well as give WireGuard access to this port number incremented by one, 10000 in this example.
# 127.0.0.1 is reachable only from the same machine; for two separate hosts,
# use an address of the server that the client can reach in both commands
# on the server
sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 127.0.0.1:9999 \
    peer client.rosenpass-public allowed-ips fe80::/64
# on the client
sudo rp exchange client.rosenpass-secret dev rosenpass0 \
    peer server.rosenpass-public endpoint 127.0.0.1:9999 allowed-ips fe80::/64
- Assign IP addresses
# on the server
sudo ip a add fe80::1/64 dev rosenpass0
# on the client
sudo ip a add fe80::2/64 dev rosenpass0
Just to be sure: Verify the magic!
- Test the connection by pinging the server on the client machine
ping fe80::1%rosenpass0
- You can watch how Rosenpass replaces the WireGuard PSK with the following command
watch -n 0.2 'wg show all; wg show all preshared-keys'
All done!
Rosenpass will now generate a new PSK for WireGuard about every two minutes and keep your VPN connection secure against attacks by quantum computers.
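To confirm the rotation described above without reading keys off a terminal, the following check compares two snapshots of the wg show all preshared-keys output and reports, per peer, whether the PSK is missing, unchanged, or rotated. It is an added example, not part of the Rosenpass project; the function name psk_rotation_status and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Rosenpass project code). psk_rotation_status is a
# hypothetical helper name; the sample snapshots below are constructed.
#
# Input: two snapshots of `wg show all preshared-keys`, one line per peer:
#   <interface> TAB <peer public key> TAB <preshared key, or "(none)">
# Output: "<interface> <peer> <status>" per peer in the newer snapshot.
# The PSK itself is never printed.
psk_rotation_status() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F '\t' '
        $0 == "---" { second = 1; next }   # separator between snapshots
        NF != 3     { next }               # skip blank or malformed lines
        !second     { old[$1 FS $2] = $3; next }
        {
            id = $1 FS $2
            if ($3 == "(none)")      status = "missing"    # no PSK installed
            else if (!(id in old))   status = "new-peer"   # nothing to compare
            else if (old[id] == $3)  status = "unchanged"  # same PSK as before
            else                     status = "rotated"
            print $1, $2, status
        }'
}

# Constructed snapshots; placeholders stand in for real base64 keys.
sample_old=$(printf '%s\t%s\t%s\n' \
    rosenpass0 PEER_A_PUBKEY PSK_PLACEHOLDER_1 \
    rosenpass0 PEER_B_PUBKEY PSK_PLACEHOLDER_2 \
    rosenpass0 PEER_C_PUBKEY '(none)')
sample_new=$(printf '%s\t%s\t%s\n' \
    rosenpass0 PEER_A_PUBKEY PSK_PLACEHOLDER_3 \
    rosenpass0 PEER_B_PUBKEY PSK_PLACEHOLDER_2 \
    rosenpass0 PEER_C_PUBKEY '(none)')

psk_rotation_status "$sample_old" "$sample_new"

# Live use (as root), with snapshots further apart than the roughly
# two-minute rotation interval:
#   old=$(wg show all preshared-keys); sleep 150
#   psk_rotation_status "$old" "$(wg show all preshared-keys)"
```

A peer reported as missing has no PSK installed, and a peer that stays unchanged across more than one rotation interval indicates that the Rosenpass exchange with that peer is not completing.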
If you have further questions, please feel free to get in touch. We maintain a public Rosenpass Matrix chatroom, as well as several inboxes, for public inquiries, development questions, and general interest. Feature requests can also be opened on our GitHub page.
License
The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution.
The content of this website, except for photographic material, is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Photographic material is published under this separate Creative Commons License:
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 Deed)