Enable post-quantum cryptography
Post-quantum cryptography aims to mitigate risks associated with quantum computing's potential to undermine existing encryption methods. Current concerns include the possibility of bad actors collecting encrypted network traffic to decrypt it once quantum computers become available. This 'harvest and decrypt later' strategy threatens the confidentiality of presently secure communications. Rosenpass, a post-quantum secure protocol, addresses these concerns by offering advanced cryptographic measures to protect VPN connections against such future threats.
About Rosenpass
Rosenpass is a post-quantum secure key-exchange protocol that hardens WireGuard VPNs against attacks by quantum computers. It employs the post-quantum cryptographic methods Classic McEliece and Kyber. The software is open-source and designed for easy integration with existing WireGuard installations. It ensures future-proof security against quantum threats by continuously generating and rotating WireGuard pre-shared keys every two minutes. Rosenpass can also be used as a generic key-exchange mechanism for other protocols.
Starting with v0.25.4, the NetBird agent runs an embedded Rosenpass server that automatically rotates and applies WireGuard pre-shared keys to every point-to-point connection.
NetBird uses a Golang implementation of the Rosenpass protocol by the cunīcu project.
Enable Rosenpass in NetBird
This is still an experimental feature; it may contain bugs and is not supported on mobile devices.
Rosenpass can be enabled by setting a flag on client start-up.
netbird up --enable-rosenpass
Rosenpass respects a provided pre-shared key and uses it for its initial key generation. It is possible to define a manually generated pre-shared key.
netbird up --enable-rosenpass --preshared-key <preshared-key>
This configuration is persistent and preserved by the agent during restarts.
If the Rosenpass feature is enabled on a peer, it will only be able to communicate with other peers that also have Rosenpass enabled.
Disable Rosenpass
To disable Rosenpass again, use the following commands.
netbird down
netbird up --enable-rosenpass=false
Enable permissive mode
Enabling Rosenpass on one peer assumes that all peers have Rosenpass enabled. If one of the peers does not enable this feature or runs an older version that lacks Rosenpass, the connection won't work. To allow peers without Rosenpass to connect to a Rosenpass peer, permissive mode can be activated. In this case, the NetBird client will fall back to a standard WireGuard connection without a pre-shared key for those connections that don't support Rosenpass. It will continue negotiating PSKs with Rosenpass for the rest, ensuring enhanced security wherever possible:
netbird up --enable-rosenpass --rosenpass-permissive
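In permissive mode some connections silently run without a PSK, so it is worth verifying which peers actually got a Rosenpass key and that the two-minute rotation is happening. The script below is an added example, not part of NetBird or Rosenpass; it parses the output of `wg show <iface> preshared-keys` from two snapshots. It assumes `wt0` as the interface name (NetBird's default on Linux), and the peer keys it embeds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of NetBird or Rosenpass: audit the PSK state of a
# NetBird/WireGuard interface from `wg show <iface> preshared-keys`, which
# prints one whitespace-separated line per peer:
#   <peer-public-key>   <preshared-key or "(none)">
# In permissive mode, peers that could not negotiate a Rosenpass PSK fall back
# to plain WireGuard and show "(none)". Because Rosenpass rotates the PSK every
# two minutes, a PSK that is unchanged across two snapshots taken further apart
# than that deserves a look. Interface name wt0 is an assumption (NetBird's
# default on Linux); the keys below are constructed placeholders, not real keys.

SNAP_A='PEER_A_PLACEHOLDER_PUBKEY=	PSK_A_ROUND1_PLACEHOLDER=
PEER_B_PLACEHOLDER_PUBKEY=	(none)
PEER_C_PLACEHOLDER_PUBKEY=	PSK_C_NEVER_CHANGES_PLACEHOLDER='
SNAP_B='PEER_A_PLACEHOLDER_PUBKEY=	PSK_A_ROUND2_PLACEHOLDER=
PEER_B_PLACEHOLDER_PUBKEY=	(none)
PEER_C_PLACEHOLDER_PUBKEY=	PSK_C_NEVER_CHANGES_PLACEHOLDER='

# Peers running without any PSK, i.e. the permissive-mode fallback connections.
peers_without_psk() {
    printf '%s\n' "$1" | awk '$2 == "(none)" { print $1 }'
}

# Peers whose PSK is identical in both snapshots (no rotation observed).
# Peers with "(none)" are skipped: they are reported by peers_without_psk.
peers_with_stale_psk() {
    printf '%s\n' "$1" | while read -r peer psk; do
        if [ "$psk" = "(none)" ]; then continue; fi
        new=$(printf '%s\n' "$2" | awk -v p="$peer" '$1 == p { print $2 }')
        if [ "$new" = "$psk" ]; then printf '%s\n' "$peer"; fi
    done
}

# Live usage (needs root): snapshot, wait longer than one rotation, compare.
#   A=$(wg show wt0 preshared-keys); sleep 150; B=$(wg show wt0 preshared-keys)
#   peers_without_psk "$A"; peers_with_stale_psk "$A" "$B"
```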