惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
V
V2EX
博客园 - 【当耐特】
Vercel News
Vercel News
雷峰网
雷峰网
爱范儿
爱范儿
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
F
Full Disclosure
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Microsoft Security Blog
Microsoft Security Blog
腾讯CDC
P
Proofpoint News Feed
B
Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
K
Kaspersky official blog
I
InfoQ
Google Online Security Blog
Google Online Security Blog
L
LINUX DO - 最新话题
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
V
Visual Studio Blog
AI
AI
Schneier on Security
Schneier on Security
B
Blog RSS Feed
T
Tor Project blog
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
A
Arctic Wolf
Webroot Blog
Webroot Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Getting Started with an On-premise-to-AWS Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Using NetBird for Kubernetes Access Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions A Guide to Remote Access Security for SMEs IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access The First Quantum-Resistant Mesh VPN Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
How We Integrated Rosenpass in NetBird
Written byMisha Bragin · 2024-02-24 · via NetBird - Networking Knowledge Hub - RSS Feed

In a recent article titled First Quantum Resistant Mesh VPN, we talked about how quantum computers could break the security of private networks. We also looked into how to make WireGuard-based networks safer by using pre-shared keys (PSK) generated by Rosenpass. Lastly, we learned how to set up a quantum-resistant point-to-point network in just a few minutes with NetBird.

If you are curious about how all this works and how we integrated Rosenpass into NetBird, this post is for you. As usual, the code is open source and you can check it for yourself on GitHub: netbird/netbirdio.

Ronsenpass Go implementation

The first challenge we had to overcome was using Rosenpass in our NetBird client application, which runs on your machines. The Rosenpass daemon that does the pre-shared symmetric key exchange is a standalone application written in Rust. In contrast, NetBird is built using Go. As we wanted to avoid complicating the installation process and packaging another tool with our NetBird, we had to find a way to embed Rosenpass.

Fortunately, we discovered a recent Go-based implementation of the Rosenpass protocol by cunicu. After collaborating with the project maintainer, we got a fully embeddable Go API. The following code starts an instance of the Rosenpass server and configures a handler function that is triggered when a newly negotiated PSK is available:


Brilliant! That was an easy one. Kudos to stv0g for the rosenpass-go library.

But that is not it. We still need to configure a pair of Rosenpass servers running on different machines to be aware of each other. How can we do this?

Automatic Rosenpass peer discovery

Besides generating a private and public key pair and setting a listen port, the Rosenpass configuration involves extra steps. Like WireGuard, peers using Rosenpass must know each other's public keys. Once again, luck is on our side; we can utilize the signalling service NetBird peers already use to negotiate direct WireGuard connections.

When the NetBird Management service authorizes both machines to establish a connection, the machines initiate a connection negotiation process. They collect a list of all potential connection candidates, including local and public IP addresses (IP: port). Using the Signal service, they exchange these candidates with each other and then proceed to ping these candidates to determine the best available option. The image below illustrates the process:

netbird-signalling

Extending the Signal service protocol to include a Rosenpass key did the trick. Our machines can now exchange their public keys and add them to the embedded Rosenpass instance.

We are missing one more step: setting up a remote Rosenpass endpoint.

Discovering Rosenpass endpoint

Initiating the key exchange process requires Rosenpass peers to be mutually accessible. To achieve this, it's necessary to discover and set up an endpoint (IP: port) on at least one of the peers. This part is trickier. So, what are our options?

We could start the same connection negotiation process, or NAT traversal, that we do for WireGuard connections. This involves using the Signal service mentioned earlier and pinging peers until they find a way through NAT. While it's feasible, it's not always straightforward. Hard NATs can make it difficult to set up a direct connection. We might have to use relay services to route encrypted peer-to-peer traffic between machines. Implementing this could get complicated and time-consuming. So, we had to make some compromises.

We chose a simpler method using the already established WireGuard connection between the machines. This strategy involved using the private IPs assigned by NetBird to set up the Rosenpass endpoints. Our process was to allow the standard NetBird connection negotiation to conclude, and then, we configured Rosenpass to work through the established WireGuard tunnel.

To implement this solution, we only needed to add a new callback function to inform the rest of the software once the peers had established a connection. This function configures the Rosenpass endpoint to point to the remote peer using the NetBird's private IP. And once Rosenpass is done with the PSK exchange, we can apply it to WireGuard. Schematically, the Rosenpass configuration process looks like this:

netbird-signalling

Good! But are there any disadvantages to this approach?

Final adjustments

The issue arises from the moment after establishing a WireGuard connection and before the Rosenpass instances negotiate a PSK. During this time, which lasts for a few seconds, WireGuard operates without a configured PSK. Additionally, WireGuard's handshake mechanism keeps the connection session without PSK active for several minutes, even if we set up the PSK immediately after the handshake. This is how WireGuard works, meaning that our connection is not quantum-secure for around two minutes—a scenario we found unacceptable!

We opted for a straightforward solution to tackle this issue: autogenerating a PSK before and restarting the WireGuard session. Initially, prior to initiating the WireGuard connection negotiation process, the agent generates a pre-shared key. This key is derived using its public key and the public key of the remote peer. It's important to note that Rosenpass does not participate in this key generation process. Below is a sample code snippet illustrating this procedure:


The function combines the first 16 bytes from each public key, creating a concatenated byte array that serves as input to the function, generating a new key. This process ensures that, since both peers know each other's public keys, they can consistently regenerate the same PSK.

This method is initially sufficient, employing an "interim" PSK for the preliminary phase of the connection. This temporary PSK remains in use for only a short duration—until Rosenpass successfully negotiates a PSK.

Following Rosenpass's successful negotiation, the agent refreshes the WireGuard session. This refresh is executed by removing the WireGuard peer from the interface and then re-adding it—this time applying the newly negotiated PSK. The entire operation is swift, taking merely a few milliseconds, and has a minor impact on the connection.

That's the whole solution. Rosenpass will negotiate a new PSK every two minutes for each peer, and NetBird will apply these keys to the WireGuard interface, making point-to-point connections quantum-resistant. Here is the integration code that we open sourced on GitHub: netbirdio/netbird

Backwards compatibility

If both peers support and enable the Rosenpass feature, they will establish a post-quantum secure connection. However, if one of the peers do not enable this feature or run an older version that lacks Rosenpass, the connection won't work. We intentionally did this to enforce quantum resistance so the network is either fully quantum-resistant or not. A warning indicating that will pop up when running the command:


It may not be convenient to have some connections working and some not, especially with large deployments. Therefore, we introduced a flag . In this case, the NetBird client will default to a standard WireGuard connection without pre-shared keys for those connections that don't support Rosenpass. It will continue negotiating PSKs with Rosenpass for the rest, ensuring enhanced security wherever possible:


Conclusion

Initially, the WireGuard connection uses a PSK generated from the peers' public keys for a few seconds, an acceptable limitation. Moreover, when NetBird peers connect to the NetBird Signal and Management services, these connections do not offer quantum resistance, making them potentially vulnerable to attacks.

However, this is not to say improvements cannot be made. We are committed to enhancing our system, aiming to secure all communications with quantum-resistant measures in the future.

Meanwhile, if you want to try NetBird with Rosenpass for yourself, install it and run on a couple of machines. This won't take more than five minutes of your time: