Single Packet Authorization with Fwknop

Fwknop (FireWall KNock OPerator) provides support for Single Packet Authorization (SPA).
Fwknop is a modern and more secure replacement for port knocking.
More information can be found at
Detailed tutorial at

A client is required to open ports on the router configured with Fwknopd (Fwknop server).

  • CLI (Command Line Interface) client is known as fwknop or fwknop-client which is available in most Linux distribution package managers, including OpenWrt. It can also be used on MacOS natively and on Windows using Cygwin.
  • Smart Phone client is called fwknop2, which is available on the Google Play Store. There does not appear to be an iPhone client currently available.
  • Desktop/Server client is known as fwknop-gui, which is cross-platform. It is available at for Linux, MacOS, and Windows for manual installation or on most Linux distributions it is available in the package manager.

The easiest way to get the Fwknop server running is to install luci-app-fwknopd

The Luci app installation will automatically generate a set of keys. The qr code, at the top of the settings page, contains the two keys and can be used to import keys into the fwknop Android app. Once you have configured the settings as required, you will need to tick the Enable config overwrite checkbox at the top.

The following settings can be configured from the Luci app, with a few that are configured by default. The only setting you should modify is OPEN_PORTS to restrict the required ports. Usually you would only allow SSH or HTTPS access to the router.

SOURCE defines the IP or IPs that are allowed to send valid SPA packets. If an otherwise valid packet arrives from an IP not listed, it will be ignored. The default value is ANY, which indicates that any source IP can be valid.

KEY_BASE64 or KEY defines the primary key used to generate and validate the SPA packet. This will be automatically generated by default.

Key type indicates whether the HMAC key is plaintext or Base64 encoded. A Base64 key is translated to Binary, which allows for a larger keyspace than a plain text key.

HMAC_KEY_BASE64 or HMAC_KEY defines the HMAC message verification key. This field is optional and can be left blank to indicate no HMAC verification. Recommended to leave the default setting.

HMAC Key type indicates whether the HMAC key is plaintext or Base64 encoded.

OPEN_PORTS defines the protocol and port to open when a valid SPA packet is received. If left blank, this information will be derived from the SPA packet. If populated, this must be in the format of protocol/portnumber e.g. tcp/22 or udp/22.

FW_ACCESS_TIMEOUT defines in seconds the length of time that a port will remain open by default. Note that even after the port closes, the established connection will persist until terminated.

REQUIRE_SOURCE_ADDRESS causes the server to require the source IP to be included in the SPA packet.

MAX_SPA_PACKET_AGE defines the maximum age in seconds that the server will accept requests. If left blank, it will default to 120 seconds.

PCAP_INTF dictates which interface Fwknop will listen on. The Luci app will try to select the correct interface on installation, based on which is the WAN port.

ENABLE_IPT_FORWARDING defines whether an SPA packet can trigger port forwarding through to an internal host. Defaults to “y”.

The best way to debug what is happening with fwknopd is to run it as follows:

fwknopd -f -v -i eth0

This will not start the fwknopd daemon, but start the app against eth0 so you can see debugging output on the console. You might need to change that interface depending on your setup. Now, with fwknopd running, go ahead and run the fwknop client. You will see verbose information about: - SPA packet specifics. - If it successfully authenticates/decrypts: corresponding iptables commands that fwknopd executes (to grant access to whatever service you are requesting with the client) You can stop debugging by pressing Ctrl+C

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2019/11/18 07:57
  • by panaut0lordv