惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Palo Alto Networks Blog
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
有赞技术团队
有赞技术团队
The GitHub Blog
The GitHub Blog
C
Cisco Blogs
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
Recent Announcements
Recent Announcements
Simon Willison's Weblog
Simon Willison's Weblog
T
Tenable Blog
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
WordPress大学
WordPress大学
月光博客
月光博客
Latest news
Latest news
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
D
Darknet – Hacking Tools, Hacker News & Cyber Security
W
WeLiveSecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
酷 壳 – CoolShell
酷 壳 – CoolShell
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
Google DeepMind News
Google DeepMind News
Apple Machine Learning Research
Apple Machine Learning Research
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
T
The Exploit Database - CXSecurity.com
I
Intezer
GbyAI
GbyAI
Jina AI
Jina AI
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Google Online Security Blog
Google Online Security Blog
Engineering at Meta
Engineering at Meta
D
Docker
Recent Commits to openclaw:main
Recent Commits to openclaw:main
小众软件
小众软件
云风的 BLOG
云风的 BLOG
爱范儿
爱范儿
Project Zero
Project Zero

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Getting Started with an On-premise-to-AWS Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Using NetBird for Kubernetes Access Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions A Guide to Remote Access Security for SMEs IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access How We Integrated Rosenpass in NetBird Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
The First Quantum-Resistant Mesh VPN
Written byMisha Bragin · 2024-02-15 · via NetBird - Networking Knowledge Hub - RSS Feed

Are you aware that even in the absence of quantum computers today, the encrypted data in your organization or personal information remains vulnerable? This might not be an immediate concern, but it's a ticking time bomb. Cybercriminals are already capable of harvesting encrypted data with the intent to decrypt it later. Once quantum computing becomes widely accessible, these hackers will have the tools to retroactively decrypt previously secure information.

NetBird is deeply committed to network security, enabling organizations to protect their networks through point-to-point connection encryption, micro-segmentation, and comprehensive network visibility. While these measures are effective against today's threats, what about future security challenges of the post-quantum world? In the past few months, we've spent some time on this topic, experimenting and integrating Rosenpass, a key exchange protocol that uses secure techniques against attacks from quantum computers.

Even though this feature is experimental, we believe we have created the first quantum-resistant mesh-capable VPN. Are you interested in learning how it works and trying it for yourself? Please read on, and traditionally, you can always check our code; it is open source.

The need for quantum-resistant cryptography

Today's encryption methods will be at risk when quantum computers arrive. There's no set date, but experts think we might see the first quantum computers between 2035 and 2040. These computers will likely be able to decrypt nearly all the encrypted data being shared on the internet right now.

What's the immediate risk? As highlighted in the introduction, malicious actors could adopt a "harvest now, decrypt later" strategy. This involves intercepting and storing encrypted data, for example, network traffic, with the intent to decrypt it in the future once quantum computing technology becomes available.

Consider a hospital with sensitive patient records or a financial institution storing confidential customer data. These organizations have numerous data pathways between internal applications and databases where a hacker can tap in and steal data. Additionally, these organizations often have hundreds, if not thousands, of employees, accessing this information from various devices, often remotely, increasing the attack surface. While several security measures can be put in place—such as multi-factor authentication (MFA), the principle of least privilege access, and mutual authentication—to mitigate risks and safeguard this data, it's important to accept that absolute security is unattainable in cybersecurity.

No wonder being a CISO is stressful, and quantum computers do not bring more excitement to their job. netbird-management

So, what can we do to help CISOs and security professionals of the world sleep better at night? Well, at least we could bring some order (and hopefully excitement) to their private networks and protect the traffic from the future threat—quantum computers.

If you are not a CISO looking to release stress but happen to use or be familiar with WireGuard, stay with me, as we have some exciting solutions involving Rosenpass that uses WireGuard's pre-shared keys.

Using pre-shared keys in WireGuard

If you've heard about WireGuard, you've probably also heard about an option to use pre-shared symmetric keys. Using pre-shared keys in WireGuard is optional, but it helps mitigate future quantum computer attacks with an additional layer of symmetric encryption. To enable this option, one needs to pre-share a 256-bit symmetric encryption key between any pair of WireGuard peers.

We can use the command to generate a pre-shared key :


We can now set this key on a pair of WireGuard peers and see what happens. I will be using the command to configure peers. One peer is my Ubuntu 22.04 laptop, and the other is a remote server on Digital Ocean, also running Ubuntu 22.04.

Equipped with ChatGPT, I generated the following WireGuard configs. One for the remote server:


The other one for my laptop which will be the client:


Please do not use these configuration files in production, as publicly exposed keys would compromise any system they're used in. Also, don't forget to set a proper on your client configuration.

By the way, NetBird is a point-to-point private network that automatically configures WireGuard, so you don't need to worry about copying and pasting configuration files, public IPs, and key distribution as it is done from a central place - the NetBird Management service. Later in this post, you will see how the "zero configuration" effect also applies to enabling post-quantum resistance in your private network.

Now, back to our WireGuard setup. After Running on both machines and pinging the server from my laptop, we can confirm that the machines connected successfully:


We can also see what pre-shared keys are used by running the following command:


That was pretty straightforward. But there is a challenge, though. How can we generate and securely exchange pre-shared keys between peers automatically? This is where Rosenpass steps in.

About Rosenpass

Rosenpass is a key exchange protocol using techniques that are secure against attacks from quantum computers. It employs two strong post-quantum key exchange methods – Classic McEliece and Kyber. The latter has been selected in the NIST post-quantum cryptography competition to become a post-quantum cryptographic standard.

The Rosenpass application runs side-by-side with WireGuard and generates a new post-quantum-secure pre-shared key (PSK) every two minutes. The generated pre-shared key can then be applied to WireGuard, which still performs the pre-quantum-secure key exchange and transfers any transport data without involvement from Rosenpass. Check the Rosenpass protocol whitepaper for more details on how it works.

Running WireGuard with Rosenpass

Let's get into some cool stuff. We will now try running Rosenpass and see how to use generated pre-shared keys in WireGuard.

Similar to setting up WireGuard, the Rosenpass daemons on both machines must be configured to recognize one another. This involves exchanging Rosenpass public keys and ensuring that each daemon knows the public endpoints of the other, enabling them to establish a connection. Wait! Is there another config on top of the one we already have for WireGuard? Yes, but don't worry. Later in the article, I will show you how Rosenpass integrates with NetBird, where you don't need to worry about configuration.

First, we will need to download and install Rosenpass:


Second, we will generate a pair of private and public keys for Rosenpass and do some configuration.

On the client machine:


On the server machine:


Like with WireGuard, we will need to make the Rosenpass server and client aware of each others public keys. Thus, we should copy the file from the server to the client and the from the client to the server.

After copying the keys, we can run Rosenpass daemons using the command. On the client machine:


On the server machine:


Please note that I configured the property on the client machine to specify the server's remote address as . Ensure you replace with your server's public IP address. The port is the Rosenpass listen port. The following output on both machines indicates that Rosenpass successfully generated a new WireGuard pre-shared key:


Both client and server Rosenpass instances stored a newly negotiated symmetric key in the file we specified in the property. Rosenpass will update this file every two minutes to rotate the key.


We can now use this key and apply it to the WireGuard instances we configured by running the command on both machines:


and


Let's verify if we applied the keys correctly:


One crucial detail is that even if you applied a pre-shared key only on one of the machines, the connection would still work for a few minutes. Why? This is due to the WireGuard's handshake mechanism. When you first apply the PSK on one machine and not the other, the existing session (established before the PSK configuration) continues to work until the next handshake attempt. This behavior can lead to a situation where traffic continues to flow for a short period, even after a configuration mismatch. WireGuard will continue to use the last successful handshake until a new one happens.

How scalable is this?

Let's summarize the setup. Rosenpass operates separately from WireGuard, running as an independent application on its own port on both machines. Like setting up WireGuard, you need to configure Rosenpass with its public keys. Additionally, one Rosenpass instance must be set up with the remote's public endpoint to enable key exchange. Rosenpass generates a new pre-shared key (PSK) every two minutes, which you then manually apply to the WireGuard interface on both machines. Voilà, and you have a quantum-resistant WireGuard-based VPN.

I know what you are thinking. This doesn't scale, right? How about a production setup with hundreds of machines? Pre-sharing additional symmetric keys is an excellent idea but can be troublesome from a key management perspective. Add that many machines are behind NATs and change their public IPs frequently, and you will end up with a configuration hell. How do we simplify the process without compromising on quantum resistance? We asked ourselves at NetBird, and here is the solution.

Setting up a quantum-resistant mesh VPN


This is the only thing you need to do to enable post-quantum resistance in your private network. There is no need to configure WireGuard or Rosenpass. NetBird will automatically establish a point-to-point WireGuard connection between all your machines and enable Rosenpass on top of it. Of course, given that you have NetBird installed on your machines.

To prove this statement, I will run the command on my laptop:


And on the server:


After SSO and MFA authentication, we can see that the pre-shared keys are being generated and applied to the WireGuard interfaces every two minutes:


I can even ping my laptop from the server "with quantum-resistance" by using a search or fully qualified domain name (FQDN) that NetBird automatically assigned to it:


I will add another machine to the network to make it even more interesting and run NetBird as a docker container on my laptop. I will need to generate a one-off setup key, as there is no way to do an interactive login with SSO in a container:


As a result, NetBird forms a small three-node mesh network where machines connect directly to each other. Running the command on my laptop indicates that there are now two WireGuard peers with the enabled pre-shared keys:


Add as many machines as you want; try it on AWS Lambda or Azure Functions to add some serverless flavor to your mini-mesh network.

For the especially curious, here is the Rosenpass integration PR on GitHub that we merged into main recently: netbirdio/netbird#1153.

Conclusion

I want to use this section not to say how vital network security is and that modern cryptography is under threat when quantum computers will hit the mass market. But to credit the creators and developers of the beautiful open-source technologies we use at NetBird. Some of these people I'm lucky to know personally. Thank you, Jason A. Donenfeld for WireGuard, Karolin Varner & Team for Rosenpass, and Steffen Vogel for rosenpass-go.

By no means do we consider ourselves post-quantum cryptography experts. This post aims to raise awareness about future security threats, trigger discussions, and inspire others to open source their solutions and experiment with post-quantum cryptography. However, we educated ourselves on the topic. We consulted with people working in the field to understand the basics to be able to carry out the experiment and share the results with you.

If you want to lear more about the implementation details, check out this post: How We Integrated Rosenpass in NetBird.