Lib.rs

Cryptography
#post-quantum-cryptography #vpn #wireguard #security #protocols #analysis #secure

bin+lib rosenpass

Build post-quantum-secure VPNs with WireGuard!

by Karolin Varner, wucke13 and 12 contributors

17 releases

0.2.1 Nov 18, 2023
0.2.0 Sep 5, 2023
0.2.0-rc.1 Aug 29, 2023
0.1.2-rc.4 Apr 13, 2023
0.1.1 Feb 25, 2023

#536 in Cryptography

MIT/Apache

180KB
3.5K SLoC

Rosenpass README

Nix QC crates.io Libraries.io dependency status for latest release

This repository contains

  1. A description of the Rosenpass protocol
  2. The reference implementation of the protocol – the rosenpass tool
  3. A frontend integrating Rosenpass and WireGuard to create a vpn – the rp frontend
  4. Security analysis of the protocol using proverif

Getting started

First, install rosenpass. Then, check out the help functions of rp & rosenpass:

rp help
rosenpass help

Follow quick start instructions to get a VPN up and running.

Software architecture

The rosenpass tool is written in Rust and uses liboqs^liboqs and libsodium^libsodium. The tool establishes a symmetric key and provides it to WireGuard. Since it supplies WireGuard with key through the PSK feature using Rosenpass+WireGuard is cryptographically no less secure than using WireGuard on its own ("hybrid security"). Rosenpass refreshes the symmetric key every two minutes.

As with any application a small risk of critical security issues (such as buffer overflows, remote code execution) exists; the Rosenpass application is written in the Rust programming language which is much less prone to such issues. Rosenpass can also write keys to files instead of supplying them to WireGuard With a bit of scripting the stand alone mode of the implementation can be used to run the application in a Container, VM or on another host. This mode can also be used to integrate tools other than WireGuard with Rosenpass.

The rp tool written in bash makes it easy to create a VPN using WireGuard and Rosenpass.

rp is easy to get started with but has a few drawbacks; it runs as root, demanding access to both WireGuard and Rosenpass private keys, takes control of the interface and works with exactly one interface. If you do not feel confident about running Rosenpass as root, you should use the stand-alone mode to create a more secure setup using containers, jails, or virtual machines.

Networking & ports

rp allocates two UDP ports; if port N is specified for rosenpass, it will allocate port N+1 for WireGuard.

Like WireGuard, Rosenpass does not enforce any separation between clients and servers. If you do not specify the listen option, Rosenpass and WireGuard will choose random ports; this is client mode. If you do not specify endpoint, Rosenpass will not try to connect to the peer and instead wait for connections from peers. This is server mode. You may specify both. Leaving out both is not forbidden but also not very useful.

Security analysis

We are working on a cryptographic proof of security, but we already provide a symbolic analysis using proverif as part of the software package. You can run the security analysis using the nix package manager which handles installing the dependencies or you can call the ./analyze.sh script directly. In this case, you need to ensure that proverif, graphviz, awk, and cpp are installed on your system.

   (nix) $ nix build .#proof-proverif --print-build-logs
(manual) $ ./analyze.sh

The analysis is implemented according to modern software engineering principles: Using the C preprocessor, we where able to split the analysis into multiple files and uses some meta programming to avoid repetition. The code uses a variety of optimizations to speed up analysis such as using secret functions to model trusted/malicious setup. We split the model into two separate entry points which can be analyzed in parallel. Each is much faster than both models combined. A wrapper script provides instant feedback about which queries execute as expected in color: A red cross if a query fails and a green check if it succeeds.

[^pqwg-statedis]: Unless supplied with a pre-shared-key, but this defeats the purpose of a key exchange protocol [^wg-statedis]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.htmlA

Getting Rosenpass

Rosenpass is packaged for more and more distributions, maybe also for the distribution of your choice?

Packaging status

Mirrors

Don't want to use GitHub or only have an IPv6 connection? Rosenpass has set up two mirrors for this:

Supported by

Funded through NLNet with financial support for the European Commission's NGI Assure program.

Dependencies

~29–44MB
~744K SLoC