README
¶
go-rosenpass
🚧 go-rosenpass has not been audited. Please use with care!
go-rosenpass is a port of Rosenpass to Go.
The implementation aims to be compatible with the reference implementation in Rust for the:
- on-wire protocol
- handshake parameters
- command-line interface
Installation
Binary releases
go-rosenpass distributes builds via GitHub Releases. You can download a pre-built binary from there.
From source
go install cunicu.li/go-rosenpass/cmd@latest
Example Setup
# Generate our own WireGuard key pair
WG_PRIVATE_KEY=$(wg genkey)
WG_PUBLIC_KEY=$(wg pubkey <<< ${WG_PRIVATE_KEY})
# Generate our own Rosenpass key pair
go-rosenpass gen-keys-intf wg0
# Show our details
echo "Your hostname: $(hostname)"
echo "Your WireGuard public key: ${WG_PUBLIC_KEY}"
# Query the peer details
read -p "Enter your peers hostname: " PEER
read -p "Enter your peers WireGuard public key: " WG_PUBLIC_KEY_PEER
# Exchange Rosenpass public key
scp /etc/wireguard/wg0/pqpk root@${PEER}:/etc/wireguard/wg0/${WG_PUBLIC_KEY//\//}.pqpk
# Generate wg-quick configuration
cat <<EOF >> /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ${WG_PRIVATE_KEY}
ListenPort = 51820
PostUp = go-rosenpass exchange-intf %i & echo $! > /run/go-rosenpass.%i.pid
PreDown = pkill -F /run/go-rosenpass.%i.pid || true
[Peer]
PublicKey = ${WG_PUBLIC_KEY_PEER}
Endpoint = ${PEER}:51820
EOF
# Bring connection up
wg-quick up wg0
References
- https://github.com/rosenpass/rosenpass
- https://rosenpass.eu/
- https://media.ccc.de/v/eh20-4-rosenpass-ein-vpn-zum-schutz-vor-quantencomputern
Authors
- Steffen Vogel (@stv0g)
License
go-rosenpass is licensed under the Apache 2.0 license.
- SPDX-FileCopyrightText: 2023 Steffen Vogel post@steffenvogel.de
- SPDX-License-Identifier: Apache-2.0
Documentation
¶
Index ¶
- Variables
- func GenerateKeyPair() (PublicKey, SecretKey, error)
- func GenerateRound2KeyPair() (PublicKey, SecretKey, error)
- func ParsePeerID(s string) (pid, error)
- type Config
- type Conn
- type Endpoint
- type Handler
- type HandshakeCompletedHandler
- type HandshakeExpiredHandler
- type Key
- type KeyOutput
- type KeyOutputReason
- type PeerConfig
- type PeerID
- type PresharedKey
- type PublicKey
- type ReceiveFunc
- type SecretKey
- type Server
- type SinglePortUDPConn
- type UDPConn
- type UDPEndpoint
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // From the WireGuard paper // Rekey every two minutes, discard the key if no rekey is achieved within three. RekeyAfterTimeResponder = 2 * time.Minute RekeyAfterTimeInitiator = RekeyAfterTimeResponder + 10*time.Second RejectAfterTime = 3 * time.Minute // Seconds until the biscuit key is changed; we issue biscuits // using one biscuit key for one epoch and store the biscuit for // decryption for a second epoch. BiscuitEpoch = 5 * time.Minute // Retransmission constants // will retransmit for up to 2 minutes; starting with a delay of // 0.5 seconds and increasing the delay exponentially by a factor of // 2 up to 10 seconds. An additional jitter factor of ±0.5 seconds is added. RetransmitDelayGrowth = 2.0 RetransmitDelayBegin = 500 * time.Millisecond RetransmitDelayEnd = 10 * time.Second RetransmitDelayJitter = 500 * time.Millisecond )
Functions ¶
func GenerateKeyPair ¶
GenerateKeyPair generates a new Classic McEliece key pair.
func GenerateRound2KeyPair ¶
GenerateKeyPair generates a new Classic McEliece key pair in its old (round 2) format.
func ParsePeerID ¶
Types ¶
type HandshakeCompletedHandler ¶
type HandshakeCompletedHandler interface {
HandshakeCompleted(pid, key)
}
type HandshakeExpiredHandler ¶
type HandshakeExpiredHandler interface {
HandshakeExpired(pid)
}
type KeyOutput ¶
type KeyOutput struct {
Peer PeerID
KeyFile string
Why KeyOutputReason
}
Output format: output-key peer {} key-file {of:?} {why}.
func ParseKeyOutput ¶
type KeyOutputReason ¶
type KeyOutputReason string
const ( KeyOutputReasonExchanged KeyOutputReason = "exchanged" KeyOutputReasonStale KeyOutputReason = "stale" )
type PeerConfig ¶
type PeerConfig struct {
PublicKey spk // The peer’s public key
Endpoint *net.UDPAddr // The peers's endpoint
}
func (*PeerConfig) PID ¶
func (p *PeerConfig) PID() PeerID
type PeerID ¶
type PeerID = pid
Some aliases for the public API.
func PeerIDFromPublicKey ¶
func PeerIDFromPublicKey(spk spk) PeerID
type PresharedKey ¶
type PresharedKey = key
type ReceiveFunc ¶ added in v0.3.1
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
func NewUDPServer ¶
func (*Server) RemovePeer ¶ added in v0.3.1
type SinglePortUDPConn ¶ added in v0.4.0
type SinglePortUDPConn struct {
// contains filtered or unexported fields
}
func NewSinglePortUDPConn ¶ added in v0.4.0
func NewSinglePortUDPConn(la []*net.UDPAddr) (*SinglePortUDPConn, error)
func (*SinglePortUDPConn) Close ¶ added in v0.4.0
func (c *SinglePortUDPConn) Close() error
func (*SinglePortUDPConn) LocalEndpoints ¶ added in v0.4.0
func (c *SinglePortUDPConn) LocalEndpoints() (eps []Endpoint, err error)
func (*SinglePortUDPConn) Open ¶ added in v0.4.0
func (c *SinglePortUDPConn) Open() (recvFncs []ReceiveFunc, err error)
func (*SinglePortUDPConn) Send ¶ added in v0.4.0
func (c *SinglePortUDPConn) Send(pl payload, spkt spk, ep Endpoint) error
type UDPConn ¶ added in v0.3.1
type UDPConn struct {
// contains filtered or unexported fields
}
func (*UDPConn) LocalEndpoints ¶ added in v0.3.1
func (*UDPConn) Open ¶ added in v0.3.1
func (s *UDPConn) Open() ([]ReceiveFunc, error)
type UDPEndpoint ¶ added in v0.3.1
func NewUDPEndpoint ¶ added in v0.3.1
func NewUDPEndpoint(s string) (*UDPEndpoint, error)
func (UDPEndpoint) Equal ¶ added in v0.3.1
func (ep UDPEndpoint) Equal(o Endpoint) bool
func (*UDPEndpoint) String ¶ added in v0.3.1
func (ep *UDPEndpoint) String() string
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.