
Base wireguard is pretty easy to set up, especially with wg-quick, so idk why anything would be required to make it easier. Also, Rosenpass is quite great and easy to use, which really improves the security further. Hopefully Rosenpass will become part of the base implementation at some point.


People keep saying this, but it hasn't been true for me. I've had to reinstall PiVPN a few times, I assume because automatic updates may have broken it somehow. I tried manually configuring wireguard every time but just could not get it to work after hours of trying. PiVPN has always been extremely easy to install and configure.


Have you tried investigating the config it produces and comparing that to what you ended up with on your failed attempts? Way back when I first started using OpenVPN installing a quick-setup in a VM was how I found a glaring mistake I'd been making (with routing, it turned out, not the OpenVPN config itself).

Not that it massively matters if you are happy with PiVPN of course, but understanding more may help you diagnose issues should PiVPN ever fail.


After skimming both the GitHub and the protocol specification for rosenpass, I still have no idea what benefit it provides on top of wireguard and therefore why I should use it.


It's below the fold on rosenpass.eu but:

> Rosenpass is a key-exchange protocol using techniques that are secure against attacks from quantum computers. It achieves the same security guarantees as WireGuard, using two strong post-quantum key exchange methods – Classic McEliece and Kyber.

> To use Rosenpass, you don't have to get rid of WireGuard; Rosenpass handles post-quantum security, WireGuard handles pre-quantum security and high-speed data transmission.


I saw some references to post-quantum security, but I also saw references to something called "Post-Quantum Wireguard" so it seemed like that was handled by some other project, or at best some sub-component of Rosenpass.


Wireguard has a pre-shared key that can essentially get 'added to' the base key, making it more secure. Rosenpass effectively just makes these PSKs and trades them in a way that makes it quantum secure. Basically it should be a part of base wireguard, but for now it's a good addition.


Thanks, that's the clearest explanation I've seen.


For one or two devices, yes.

But after that, key and config management becomes a bit more challenging.

I have about 14 devices on a VPN, so that uses ansible to make sure all the keys are where they should be, and can be rotated if need be.


I have a WireGuard VPN with about 250 devices, most of them POS machines in the wild. I adopted WireGuard for our first machines about half a year before the 1.0 release, so there weren't many tools yet.

I piggybacked onto the original configuration file format and built myself https://github.com/WolleTD/wg-setup, which helps me validate the correctness and uniqueness of new entries, hacks names into the entries and even updates an internal DNS zone.

I really don't have to care much for key rotation, though. As most of the devices are out of our control anyway, they aren't allowed to connect to anything inside the VPN. It's just for us to connect to them.
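Two points in the thread lend themselves to one worked example: the PSK as a third 32-byte key in each [Peer] stanza (the slot Rosenpass rewrites), and the "validate correctness and uniqueness of new entries" job that wg-setup is described as doing for a fleet config. The checker below is an added example written for this page; it is not code from the thread, from wg-setup or from Rosenpass. It parses a wg-quick style config, checks that every PublicKey and PresharedKey is base64 of exactly 32 bytes, that no PublicKey appears twice, and that AllowedIPs entries parse and do not overlap between peers. The sample keys are constructed (base64 of 32 repeated bytes, the right length but not real keys), and the `# Name: <label>` comment convention is this example's own assumption, not a wg-setup or wg-quick feature.

```python
"""WireGuard peer-config checker (added example, not code from the thread,
wg-setup or Rosenpass): flags bad keys, duplicate PublicKeys, overlapping AllowedIPs."""
import base64
import ipaddress

# Constructed sample keys: base64 of 32 repeated bytes, right length, not real keys.
KEY_A = base64.b64encode(b"A" * 32).decode()
KEY_B = base64.b64encode(b"B" * 32).decode()
PSK_1 = base64.b64encode(b"P" * 32).decode()
SHORT_KEY = base64.b64encode(b"tooshort").decode()  # 8 bytes, must be rejected

def check_key(value):
    """Return the 32 raw bytes of a base64 WireGuard key, else raise ValueError."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"decodes to {len(raw)} bytes, expected 32")
    return raw

def parse_sections(text):
    """Parse the INI-like config into [(section, {key: value}), ...]. wg-quick ignores
    comments; this example's own convention reads '# Name: <label>' as a peer label."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if current is not None and body.lower().startswith("name:"):
                current[1]["_name"] = body[5:].strip()
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        current[1][key.strip()] = value.split("#", 1)[0].strip()  # drop inline comment
    return sections

def validate_peers(text):
    """Return a list of error strings for the [Peer] sections (empty means OK)."""
    errors, seen_pubkeys, seen_nets = [], set(), []
    for n, (section, kv) in enumerate(parse_sections(text)):
        if section != "Peer":
            continue
        pk = kv.get("PublicKey")
        label = kv.get("_name") or (pk[:8] + "..." if pk else f"peer#{n}")
        if pk is None:
            errors.append(f"{label}: missing PublicKey")
        else:
            try:
                check_key(pk)
            except ValueError as exc:
                errors.append(f"{label}: bad PublicKey ({exc})")
            if pk in seen_pubkeys:
                errors.append(f"{label}: duplicate PublicKey")
            seen_pubkeys.add(pk)
        # Optional PSK: a third 32-byte key mixed into the handshake, same encoding as PublicKey.
        if "PresharedKey" in kv:
            try:
                check_key(kv["PresharedKey"])
            except ValueError as exc:
                errors.append(f"{label}: bad PresharedKey ({exc})")
        for cidr in filter(None, (c.strip() for c in kv.get("AllowedIPs", "").split(","))):
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # strict rejects 10.0.0.2/24
            except ValueError:
                errors.append(f"{label}: bad AllowedIPs entry {cidr!r}")
                continue
            # Cryptokey routing maps a prefix to one peer; a later overlapping entry silently wins.
            for other, other_label in seen_nets:
                if net.version == other.version and net.overlaps(other):
                    errors.append(f"{label}: AllowedIPs {net} overlaps {other} of {other_label}")
            seen_nets.append((net, label))
    return errors

GOOD_CONF = f"""[Interface]
PrivateKey = {KEY_A}
Address = 10.99.0.1/24
[Peer]
# Name: pos-0001
PublicKey = {KEY_B}
PresharedKey = {PSK_1}
AllowedIPs = 10.99.0.2/32
"""

# Same server plus one re-added peer with three mistakes worth catching before `wg syncconf`.
BAD_CONF = GOOD_CONF + f"""[Peer]
# Name: pos-0001-reinstalled
PublicKey = {KEY_B}
PresharedKey = {SHORT_KEY}
AllowedIPs = 10.99.0.0/24, 10.99.0.300/32
"""
```

Run `validate_peers()` over the config text before applying it; `validate_peers(BAD_CONF)` returns four errors (duplicate PublicKey, an 8-byte PresharedKey, a /24 that overlaps pos-0001's /32, and an unparseable address), while `GOOD_CONF` returns an empty list. The overlap check matters because WireGuard's cryptokey routing assigns each allowed prefix to exactly one peer, so a duplicated AllowedIPs line does not error out; it quietly moves traffic to whichever peer was added last. A natural place for this is just before `wg syncconf wg0 <(wg-quick strip wg0)` in a deploy script.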



