Rosenpass - Revision history

Tfc: /* Testing the connection */

2025-02-27T18:33:10Z

Testing the connection

← Older revision		Revision as of 18:33, 27 February 2025
Line 200:		Line 200:
	rtt min/avg/max/mdev = 1.116/1.190/1.329/0.098 ms		rtt min/avg/max/mdev = 1.116/1.190/1.329/0.098 ms

	$ ssh ~~server~~ "ping -c3 1:c:bad:c0de::1"		$ ssh client "ping -c3 1:c:bad:c0de::1"
	PING 1:c:bad:c0de::1 (1:c:bad:c0de::1) 56 data bytes		PING 1:c:bad:c0de::1 (1:c:bad:c0de::1) 56 data bytes
	64 bytes from 1:c:bad:c0de::1: icmp_seq=1 ttl=64 time=1.03 ms		64 bytes from 1:c:bad:c0de::1: icmp_seq=1 ttl=64 time=1.03 ms

Tfc: minor link fix

2025-02-27T15:55:36Z

minor link fix

← Older revision		Revision as of 15:55, 27 February 2025
Line 1:		Line 1:
	[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].		[https://rosenpass.eu/ Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].

	=Setting up Rosenpass=		=Setting up Rosenpass=

Tfc: generate keys on the hosts.

2025-02-27T15:52:19Z

generate keys on the hosts.

← Older revision		Revision as of 15:52, 27 February 2025
Line 20:		Line 20:
	We will first need to generate and then distribute the keypairs.		We will first need to generate and then distribute the keypairs.

	Creating the key pairs is simple:		Creating the key pairs is simple, but to do this securely, it should happen on the respective hosts.
			This way it becomes a bit elaborate to distribute the public keys to the other respective peer:

	<syntaxHighlight lang="bash">		<syntaxHighlight lang="bash">
	~~nix~~-~~shell~~ -p ~~rosenpass wireguard~~-~~tools~~		ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
	mkdir ~~keys~~ && ~~cd keys~~		ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"

	~~# keys for Rosenpass~~		ssh root@server "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
	rosenpass gen-keys --secret-key ~~client.~~pqsk --public-key ~~client.~~pqpk		ssh root@client "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
	rosenpass gen-keys --secret-key ~~server.~~pqsk --public-key ~~server.~~pqpk

	~~# Keys for WireGuard~~		ssh root@server "cd /var/secrets/wg && wg genkey \| tee wgsk \| wg pubkey > wgpk"
	wg genkey \| tee ~~client.~~wgsk \| wg pubkey > ~~client.~~wgpk		ssh root@client "cd /var/secrets/wg && wg genkey \| tee wgsk \| wg pubkey > wgpk"
	wg genkey \| tee ~~server.~~wgsk \| wg pubkey > ~~server.~~wgpk
	~~</syntaxHighlight>~~

	~~You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection~~.		rsync root@server:/var/secrets/rp/pqpk server.pqpk
			rsync root@client:/var/secrets/rp/pqpk client.pqpk
			rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/server.pqpk
			rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/client.pqpk

	~~Copying the keypairs~~ is ~~also simple but a bit more tedious to get the file system permissions right:~~		ssh root@server "echo server wg pubkey is \$(cat /var/secrets/wg/wgpk)"
			ssh root@client "echo client wg pubkey is \$(cat /var/secrets/wg/wgpk)"
			</syntaxHighlight>

	~~<syntaxHighlight lang="bash">~~		Note down the results of the last two printed lines as these are the public keys that need to be entered in the following NixOS configuration snippets.
	~~ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"~~
	~~rsync --perms --chmod=640 --chown=systemd-network:systemd-network server~~.~~wgsk root@server:/var/secrets/wg/wgsk~~
	~~rsync --perms --chmod=640 server.pqsk root@server:/var/secrets/rp/pqsk~~
	~~rsync --perms --chmod=640 server.pqpk root@server:/var/secrets/rp/pqpk~~
	~~rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/~~

	~~ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"~~		You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
	~~rsync --perms --chmod=640 --chown=systemd-network:systemd-network client~~.~~wgsk root@client:/var/secrets/wg/wgsk~~
	~~rsync --perms --chmod=640 client.pqsk root@client:/var/secrets/rp/pqsk~~
	~~rsync --perms --chmod=640 client.pqpk root@client:/var/secrets/rp/pqpk~~
	~~rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/~~
	~~</syntaxHighlight>~~

	===Server setup===		===Server setup===

Tfc: /* Rosenpass is not able to exchange keys */

2025-02-27T13:43:47Z

Rosenpass is not able to exchange keys

← Older revision		Revision as of 13:43, 27 February 2025
Line 230:		Line 230:
	Even if the rosenpass0 device pops up, it still might be possible that Rosenpass observes errors during setup or connect.		Even if the rosenpass0 device pops up, it still might be possible that Rosenpass observes errors during setup or connect.
	Please have a look at the output of the command <code>systemctl status rosenpass</code>.		Please have a look at the output of the command <code>systemctl status rosenpass</code>.
			If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.

	=See also=		=See also=

Tfc: typo

2025-02-27T13:43:14Z

typo

← Older revision		Revision as of 13:43, 27 February 2025
Line 222:		Line 222:
	==The <code>rosenpass0</code> device does not pop up==		==The <code>rosenpass0</code> device does not pop up==

	This is most likely an issue in the non-~~Rosenpart~~ of the configuration.		This is most likely an issue in the non-Rosenpass part of the configuration.
	Please have a look at the output of the command <code>systemctl status sytemd-network</code>.		Please have a look at the output of the command <code>systemctl status sytemd-network</code>.
	If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.		If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.

Tfc: /* The rosenpass0 device does not pop up */

2025-02-27T13:35:29Z

The rosenpass0 device does not pop up

← Older revision		Revision as of 13:35, 27 February 2025
Line 220:		Line 220:
	=Troubleshooting=		=Troubleshooting=

	==The rosenpass0 device does not pop up==		==The <code>rosenpass0</code> device does not pop up==

	This is most likely an issue in the non-Rosenpart of the configuration.		This is most likely an issue in the non-Rosenpart of the configuration.

Tfc at 12:48, 27 February 2025

2025-02-27T12:48:29Z

← Older revision		Revision as of 12:48, 27 February 2025
Line 235:		Line 235:
	* [https://rosenpass.eu/ Rosenpass homepage]		* [https://rosenpass.eu/ Rosenpass homepage]
	* WireGuard page in this Wiki: [[WireGuard]]		* WireGuard page in this Wiki: [[WireGuard]]
			* [https://search.nixos.org/options?query=rosenpass List of Rosenpass options supported by NixOS]
	* [https://search.nixos.org/options?query=wireguard List of WireGuard options supported by NixOS]		* [https://search.nixos.org/options?query=wireguard List of WireGuard options supported by NixOS]

	[[Category:Networking]]		[[Category:Networking]]

Tfc: Created page with "[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. WireGuard. =Setting up Rosenpass= This wiki page guides through the set up of an encrypted Wireguard with Rosenpass connection between two network hosts. For this guide, we assume that there are 2 NixOS hosts, both reachable via the network hostnames `server` and `client`. After successful setup, the hosts will be able to reach each other via t..."

2025-02-27T12:47:21Z

Created page with "[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. WireGuard. =Setting up Rosenpass= This wiki page guides through the set up of an encrypted Wireguard with Rosenpass connection between two network hosts. For this guide, we assume that there are 2 NixOS hosts, both reachable via the network hostnames <code>server</code> and <code>client</code>. After successful setup, the hosts will be able to reach each other via t..."

New page

[https://rosenpass.eu// Rosenpass] implements a post-quantum-secure key exchange for use with e.g. [[WireGuard]].

=Setting up Rosenpass=

This wiki page guides through the set up of an encrypted Wireguard with Rosenpass connection between two network hosts.

For this guide, we assume that there are 2 NixOS hosts, both reachable via the network hostnames <code>server</code> and <code>client</code>.

After successful setup, the hosts will be able to reach each other via these IPs:

* server: <code>1:c:bad:c0de::1</code>
* client: <code>1:c:bad:c0de::2</code>

==Generate and distribute keypairs==

Each peer needs to have a public-private keypair, for both WireGuard and Rosenpass.
The keys can be generated on any machine that already has WireGuard and Rosenpass installed using the <code>wg</code> and the <code>rosenpass</code> utilities.
Install these tools either temporarily with <code>nix-shell -p rosenpass wireguard-tools</code> or add these tools to your system profile.

We will first need to generate and then distribute the keypairs.

Creating the key pairs is simple:

<syntaxHighlight lang="bash">
nix-shell -p rosenpass wireguard-tools
mkdir keys && cd keys

# keys for Rosenpass
rosenpass gen-keys --secret-key client.pqsk --public-key client.pqpk
rosenpass gen-keys --secret-key server.pqsk --public-key server.pqpk

# Keys for WireGuard
wg genkey | tee client.wgsk | wg pubkey > client.wgpk
wg genkey | tee server.wgsk | wg pubkey > server.wgpk
</syntaxHighlight>

You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.

Copying the keypairs is also simple but a bit more tedious to get the file system permissions right:

<syntaxHighlight lang="bash">
ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
rsync --perms --chmod=640 --chown=systemd-network:systemd-network server.wgsk root@server:/var/secrets/wg/wgsk
rsync --perms --chmod=640 server.pqsk root@server:/var/secrets/rp/pqsk
rsync --perms --chmod=640 server.pqpk root@server:/var/secrets/rp/pqpk
rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/

ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
rsync --perms --chmod=640 --chown=systemd-network:systemd-network client.wgsk root@client:/var/secrets/wg/wgsk
rsync --perms --chmod=640 client.pqsk root@client:/var/secrets/rp/pqsk
rsync --perms --chmod=640 client.pqpk root@client:/var/secrets/rp/pqpk
rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/
</syntaxHighlight>

===Server setup===

Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:
<syntaxhighlight lang="nix">
{
# ... rest of the server config ...

systemd.network = {
networks."rosenpass" = {
matchConfig.Name = "rosenpass0";
networkConfig.IPv4Forwarding = true;
networkConfig.IPv6Forwarding = true;
address = [ "1:c:bad:c0de::1/64" ];
};
netdevs."10-rosenpass0" = {
netdevConfig = {
Kind = "wireguard";
Name = "rosenpass0";
};
wireguardConfig.PrivateKeyFile = "/var/secrets/wg/wgsk";
wireguardConfig.ListenPort = 10000;
wireguardPeers = [
{
# It is possible to restrict this to the actual IP here.
AllowedIPs = [ "::/0" ];
PublicKey = "<copy content of client.wgpk here>";
}
];
};
};

services.rosenpass = {
enable = true;
defaultDevice = "rosenpass0";
settings = {
verbosity = "Verbose";
public_key = "/var/secrets/rp/pqpk";
secret_key = "/var/secrets/rp/pqsk";
listen = [ "[::]:9999" ];
peers = [
{
public_key = "/var/secrets/rp/client.pqpk";
peer = "<copy content of client.wgpk here>";
}
];
};
};

networking.firewall.allowedUDPPorts = [
9999 # rosenpass
10000 # WireGuard
];
}
</syntaxhighlight>

===Client setup===
<syntaxhighlight lang="nix">
{
# ...

systemd.network = {
networks."rosenpass" = {
matchConfig.Name = "rosenpass0";
networkConfig.IPv4Forwarding = true;
networkConfig.IPv6Forwarding = true;
address = [ "1:c:bad:c0de::2/64" ];
};
netdevs."10-rosenpass0" = {
netdevConfig = {
Kind = "wireguard";
Name = "rosenpass0";
};
wireguardConfig.PrivateKeyFile = "/var/secrets/wg/wgsk";
wireguardPeers = [
{
# It is possible to restrict this to the actual IP here.
AllowedIPs = [ "::/0" ];
PublicKey = "<copy content of server.wgpk here>";
Endpoint = "<IP of Server>:10000";
PersistentKeepalive = 25;
}
];
};
};

services.rosenpass = {
enable = true;
defaultDevice = "rosenpass0";
settings = {
verbosity = "Verbose";
public_key = "/var/secrets/rp/pqpk";
secret_key = "/var/secrets/rp/pqsk";
peers = [
{
public_key = "/var/secrets/rp/server.pqpk";
endpoint = "<IP of Server>:9999";
peer = "<copy content of server.wgpk here>";
}
];
};
};
}
</syntaxhighlight>

As the keypairs are already in place, running <code>nixos-rebuild switch</code> (or any of the deployment tools you prefer) should result in a working setup.

If you need more connections, then create keypairs for more hosts, reuse the *client* config for them and extend the peer lists (for both WireGuard and Rosenpass) in the server configuration.

==Testing the connection==

Log in (preferably as root) on both servers and check if the network setup was successful:

<syntaxHighlight lang="console">
# ip a
...
3: rosenpass0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet6 1:c:bad:c0de::1/64 scope global
valid_lft forever preferred_lft forever

# wg show all
interface: rosenpass0
public key: nF7sPZ6pfsyR2yVg+TBen2awq00iU54aMiQ1DPLxGWA=
private key: (hidden)
listening port: 10000

peer: sl23uUw0pdWO7vS/O6a7+ZBALLEPkf9jFEl8sviJsnY=
preshared key: (hidden)
endpoint: [2a01:4f8:c013:afbc::]:52845
allowed ips: ::/0
latest handshake: 59 seconds ago
transfer: 2.00 KiB received, 1.43 KiB sent

# wg show all preshared-keys
rosenpass0 sl23uUw0pdWO7vS/O6a7+ZBALLEPkf9jFEl8sviJsnY= 2WlrMm+4c56xazoeewsEUmY9rnRhn1kKu9iAepoGCrg=
</syntaxHighlight>

It is important that <code>rosenpass0</code> exists at all, has the right configured addresses on both hosts, and that the other peer is correctly shown in the WireGuard output.

For Rosenpass, it is important that the last column in the output of <code>wg show all preshared-keys</code> is the same on both hosts, as this is the key that is exchanged via Rosenpass and then inserted as preshared key into the WireGuard connection.

Finally, both machines must be able to reach each other:

<syntaxHighlight lang="console">
$ ssh server "ping -c3 1:c:bad:c0de::2"
PING 1:c:bad:c0de::2 (1:c:bad:c0de::2) 56 data bytes
64 bytes from 1:c:bad:c0de::2: icmp_seq=1 ttl=64 time=1.12 ms
64 bytes from 1:c:bad:c0de::2: icmp_seq=2 ttl=64 time=1.33 ms
64 bytes from 1:c:bad:c0de::2: icmp_seq=3 ttl=64 time=1.13 ms

--- 1:c:bad:c0de::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.116/1.190/1.329/0.098 ms

$ ssh server "ping -c3 1:c:bad:c0de::1"
PING 1:c:bad:c0de::1 (1:c:bad:c0de::1) 56 data bytes
64 bytes from 1:c:bad:c0de::1: icmp_seq=1 ttl=64 time=1.03 ms
64 bytes from 1:c:bad:c0de::1: icmp_seq=2 ttl=64 time=1.40 ms
64 bytes from 1:c:bad:c0de::1: icmp_seq=3 ttl=64 time=1.97 ms

--- 1:c:bad:c0de::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.027/1.466/1.969/0.387 ms
</syntaxHighlight>

=Troubleshooting=

==The rosenpass0 device does not pop up==

This is most likely an issue in the non-Rosenpart of the configuration.
Please have a look at the output of the command <code>systemctl status sytemd-network</code>.
If for example file permissions of the keys are too restrictive, then this will manifest as error messages here.

==Rosenpass is not able to exchange keys==

Even if the rosenpass0 device pops up, it still might be possible that Rosenpass observes errors during setup or connect.
Please have a look at the output of the command <code>systemctl status rosenpass</code>.

=See also=
* [https://www.wireguard.com/ WireGuard homepage]
* [https://rosenpass.eu/ Rosenpass homepage]
* WireGuard page in this Wiki: [[WireGuard]]
* [https://search.nixos.org/options?query=wireguard List of WireGuard options supported by NixOS]

[[Category:Networking]]