NixOS Wiki

Rosenpass: Difference between revisions

← Older editNewer edit →
VisualWikitext
Tfc (talk | contribs)
8 edits
Tfc (talk | contribs)
8 edits
generate keys on the hosts.
Line 20: Line 20:
We will first need to generate and then distribute the keypairs.
We will first need to generate and then distribute the keypairs.


Creating the key pairs is simple:
Creating the key pairs is simple, but to do this securely, it should happen on the respective hosts.
This way it becomes a bit elaborate to distribute the public keys to the other respective peer:


<syntaxHighlight lang="bash">
<syntaxHighlight lang="bash">
nix-shell -p rosenpass wireguard-tools
ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
mkdir keys && cd keys
ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"


# keys for Rosenpass
ssh root@server "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
rosenpass gen-keys --secret-key client.pqsk --public-key client.pqpk
ssh root@client "cd /var/secrets/rp && rosenpass gen-keys --secret-key pqsk --public-key pqpk"
rosenpass gen-keys --secret-key server.pqsk --public-key server.pqpk


# Keys for WireGuard
ssh root@server "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"
wg genkey | tee client.wgsk | wg pubkey > client.wgpk
ssh root@client "cd /var/secrets/wg && wg genkey | tee wgsk | wg pubkey > wgpk"
wg genkey | tee server.wgsk | wg pubkey > server.wgpk
</syntaxHighlight>


You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
rsync root@server:/var/secrets/rp/pqpk server.pqpk
rsync root@client:/var/secrets/rp/pqpk client.pqpk
rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/server.pqpk
rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/client.pqpk


Copying the keypairs is also simple but a bit more tedious to get the file system permissions right:
ssh root@server "echo server wg pubkey is \$(cat /var/secrets/wg/wgpk)"
ssh root@client "echo client wg pubkey is \$(cat /var/secrets/wg/wgpk)"
</syntaxHighlight>


<syntaxHighlight lang="bash">
Note down the results of the last two printed lines as these are the public keys that need to be entered in the following NixOS configuration snippets.
ssh root@server "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
rsync --perms --chmod=640 --chown=systemd-network:systemd-network server.wgsk root@server:/var/secrets/wg/wgsk
rsync --perms --chmod=640 server.pqsk root@server:/var/secrets/rp/pqsk
rsync --perms --chmod=640 server.pqpk root@server:/var/secrets/rp/pqpk
rsync --perms --chmod=644 client.pqpk root@server:/var/secrets/rp/


ssh root@client "rm -rf /var/secrets/{rp,wg} && mkdir -m 755 -p /var/secrets/{rp,wg} && chown systemd-network:systemd-network /var/secrets/wg"
You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
rsync --perms --chmod=640 --chown=systemd-network:systemd-network client.wgsk root@client:/var/secrets/wg/wgsk
rsync --perms --chmod=640 client.pqsk root@client:/var/secrets/rp/pqsk
rsync --perms --chmod=640 client.pqpk root@client:/var/secrets/rp/pqpk
rsync --perms --chmod=644 server.pqpk root@client:/var/secrets/rp/
</syntaxHighlight>


===Server setup===
===Server setup===
Retrieved from "https://wiki.nixos.org/wiki/Rosenpass"