Is PQC enabled? — quick check

WireGuard + Rosenpass
```sh
# 1) No-dependency check — identify this machine first.
uname -a 2>/dev/null || true
# 2) Dependency check — prompt before installing anything.
if ! command -v wg >/dev/null 2>&1; then
  echo 'WireGuard tools were not found.'
  printf 'Install or enable WireGuard tools now? [y/N] '
  read answer
  case "$answer" in
    [Yy]*) echo 'Install wireguard-tools through your OS package manager, then rerun this snippet.' ;;
    *) echo 'Skipping WireGuard tools-based check.'; exit 1 ;;
  esac
fi
# 3) Reading peer PSKs requires CAP_NET_ADMIN, hence sudo.
sudo wg show wg0 preshared-keys
sudo journalctl -u rosenpass -n 20 --no-pager 2>/dev/null | tail -5
```

Expected when PQC is ON

```text
peer: AbCd... psk: XyZ...
rosenpass[1234]: handshake completed peer=...
```

What you'll see when PQC is OFF

```text
peer: AbCd... psk: (none)
# no rosenpass logs — tunnel is classical Curve25519 only
```

OpenVPN
```sh
# 1) No-dependency check — identify this machine first.
uname -a 2>/dev/null || true
# 2) Dependency check — prompt before installing anything.
if ! command -v openvpn >/dev/null 2>&1; then
  echo 'OpenVPN was not found.'
  printf 'Install or enable OpenVPN now? [y/N] '
  read answer
  case "$answer" in
    [Yy]*) echo 'Install OpenVPN 2.6+ linked against OpenSSL 3.5+, then rerun this snippet.' ;;
    *) echo 'Skipping OpenVPN-based check.'; exit 1 ;;
  esac
fi
# 3) Report the build, then list only the ML-KEM groups the linked TLS library offers.
openvpn --version | head -2
openvpn --show-groups 2>&1 | grep -i mlkem
```

Expected when PQC is ON

```text
OpenVPN 2.6.12 ... [SSL (OpenSSL)]
mlkem768
```

What you'll see when PQC is OFF

```text
OpenVPN 2.5.9 ... [SSL (OpenSSL)]
# (empty) — OpenSSL ≤ 3.4 or build without ML-KEM
```

WireGuard is intentionally minimal: its handshake uses Noise IK with Curve25519 and ChaCha20-Poly1305 only. There is no in-protocol negotiation, so there is no path to add a hybrid PQ group the way TLS did. The accepted approach is to layer a pre-shared key derived from a post-quantum KEM on top.
Rosenpass
Rosenpass performs a PQ key exchange (Classic McEliece + Kyber) out-of-band, then feeds the result into WireGuard's preshared_key field. Listing peers in rosenpass.toml mirrors the WireGuard config, and the daemon rotates the PSK every two minutes.
```sh
rosenpass exchange-config rosenpass.toml
```

Verify

```sh
sudo wg show wg0 preshared-keys
# A line per peer with a base64 PSK = Rosenpass is active
```

What this gets you
- Forward-secret tunnel symmetric keys derived from a PQ-resistant PSK.
- "Harvest now, decrypt later" attackers gain nothing from recording the WG handshake.
- Identity / authentication is still Curve25519; for a fully PQ identity story, anchor peer identity on the Rosenpass static keys rather than on endpoint rotation.
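The two verification steps above (reading `wg show ... preshared-keys` and grepping `openvpn --show-groups`) turned into a small self-checking script, as an added example that is not part of the original page or of the Rosenpass/OpenVPN projects. It assumes the `wg show <if> preshared-keys` layout of one line per peer, `<peer-public-key><TAB><preshared-key|(none)>`, and also accepts the labelled `peer: ... psk: ...` layout shown above; the sample input is constructed, and `--live` plus the file name `pqc-check.sh` are hypothetical.

```shell
#!/bin/sh
# wg_psk_report: read `wg show ... preshared-keys` output on stdin, print one
# verdict per peer, return 0 only if every peer carries a well-formed PSK.
wg_psk_report() {
    awk '
        NF < 2 { next }                       # skip blank or unexpected lines
        {
            peer = ($1 == "peer:") ? $2 : $1  # tolerate the labelled layout
            psk  = $NF
            if (psk == "(none)") {
                printf "%s...  NO PSK: classical Curve25519 handshake only\n", substr(peer, 1, 8)
                bad++
            } else if (length(psk) != 44) {   # a 32-byte key is 44 base64 chars
                printf "%s...  malformed PSK (%d chars)\n", substr(peer, 1, 8), length(psk)
                bad++
            } else {
                printf "%s...  PSK present\n", substr(peer, 1, 8)
            }
        }
        END { if (bad > 0) exit 1 }
    '
}

# ovpn_pq_groups: read `openvpn --show-groups` output on stdin, print the
# ML-KEM groups (pure "MLKEM768" or hybrids such as "X25519MLKEM768"),
# return 0 only if at least one is offered.
ovpn_pq_groups() {
    grep -i 'mlkem'
}

# Constructed sample (not live data): one Rosenpass-fed peer, one with no PSK.
SAMPLE_WG=$(printf '%s\t%s\n%s\t%s' \
    '0123456789abcdefghijklmnopqrstuvwxyzABCDEFG=' \
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ=' \
    'PEERB-placeholder-key=' '(none)')
printf '%s\n' "$SAMPLE_WG" | wg_psk_report || echo 'verdict: at least one peer is not PQ-protected'

# Live mode (hypothetical): `sh pqc-check.sh --live wg0` runs the same checks
# against the real interface and the installed OpenVPN build.
if [ "${1:-}" = "--live" ]; then
    sudo wg show "${2:-wg0}" preshared-keys | wg_psk_report
    openvpn --show-groups 2>&1 | ovpn_pq_groups || echo 'no ML-KEM groups: OpenVPN/OpenSSL build is classical only'
fi
```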