Quick Start

Supported Systems

We provide packages for Nix, Arch Linux, and Alpine Linux.

Since Rosenpass was released not too long ago, packaging is an ongoing process. You can find the latest information about all the Linux distributions we support on Repology.

Even if your distribution is not listed here, you can always compile Rosenpass yourself or download a pre-built, statically linked binary from our GitHub release page. You can also find OCI container images (Docker, Podman, etc.) there. While we only offer x86_64 builds, there's no principle reason limiting Rosenpass to x86_64, and you can compile it for any architecture in Linux, or MacOS, that is supported by liboqs.

How to install Rosenpass on your Linux distribution

(arch AUR)		$ aura -A rosenpass-git
(arch pacman)	$ pacman -S rosenpass
(NixOS)			$ nix-env -iA nixos.rosenpass nixos.rosenpass-tools
(nix-flake)		$ nix profile install github:rosenpass/rosenpass#rosenpass
(cargo)			$ cargo install rosenpass
(alpine)		$ apk add rosenpass

To find more information on the available command line parameters, you can use these tools:

rp help
rosenpass help

How to set up your Rosenpass enhanced WireGuard VPN

Note: Technically, there's no difference between both hosts, but we named them server (pink) and client (orange) in this example to make it easier to comprehend.

  1. Start by generating secret keys on both hosts.
  2. Note: These will be stored in newly created server.rosenpass-secret and client.rosenpass-secret directories.

    user@server:~$ rp genkey server.rosenpass-secret
    

    user@client:~$ rp genkey client.rosenpass-secret
    

  3. Extract the public keys
  4. Note: As above, these will be stored in newly created server.rosenpass-public and client.rosenpass-public directories.

    user@server:~$ rp pubkey server.rosenpass-secret server.rosenpass-public
    

    user@client:~$ rp pubkey client.rosenpass-secret client.rosenpass-public
    

  5. Copy each -public directory to the other peer
  6. user@server:~$ scp -r server.rosenpass-public user@client:/path/to/directory
    

    user@client:~$ scp -r client.rosenpass-public user@server:/path/to/directory
    

    Congrats! Your basic setup is complete!

    How to launch your Rosenpass-enhanced WireGuard VPN

  7. Start the VPN
  8. user@server:~$ sudo rp exchange server.rosenpass-secret dev rosenpass0 listen 192.168.0.1:9999 \
    peer client.rosenpass-public allowed-ips fe80::/64
    

    user@client:~$ sudo rp exchange client.rosenpass-secret dev rosenpass0 \
    peer server.rosenpass-public endpoint 192.168.0.1:9999 allowed-ips fe80::/64
    

  9. Assign IP addresses
  10. user@server:~$ sudo ip a add fe80::1/64 dev rosenpass0
    

    user@client:~$ sudo ip a add fe80::2/64 dev rosenpass0
    

    Just to be sure: Verify the magic!

  11. Test the connection by pinging the server on the client machine
  12. user@client:~$ ping fe80::1%rosenpass0
    

  13. You can watch how Rosenpass replaces the WireGuard PSK with the following command
  14. watch -n 0.2 'wg show all; wg show all preshared-keys'
    

    All done!

    Rosenpass will now generate a new PSK key for WireGuard about every two minutes and keep your VPN connection secure against post-quantum computer attacks.

If you have further questions, please feel free to get in touch. We maintain a public Rosenpass Matrix chatroom, as well as several inboxes, for public inquiries, development questions, and general interest. Feature requests can also be opened at our GitHub pages

License

The Rosenpass software is subject to the Apache License Version 2.0, January 2004 and the MIT License with attribution

The content of this website, except for photographic material, is published under a Creative Commons license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
Photographic material is published under this separate Creative Commons License:
Attribution-NonCommercial-NoDerivs 4.0 International (CC BY-NC-ND 4.0 Deed)