Fwknop (FireWall KNock OPerator) provides support for Single Packet Authorization (SPA).
Fwknop is a modern and more secure replacement for port knocking.
More information can be found at https://www.cipherdyne.org/fwknop/
Detailed tutorial at https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html
An fwknop client is required to open ports on a router running fwknopd (the fwknop server).
The LuCI app installation will automatically generate a set of keys. The QR code at the top of the settings page contains the two keys and can be used to import them into the fwknop Android app. Once you have configured the settings as required, you will need to tick the Enable config overwrite checkbox at the top so that the changes are applied.
The following settings can be configured from the LuCI app; a few of them are configured by default. Usually the only setting you need to change is OPEN_PORTS, to restrict access to the ports you actually need. Typically you would only allow SSH or HTTPS access to the router.
SOURCE defines the IP or IPs that are allowed to send valid SPA packets. If an otherwise valid packet arrives from an IP not listed, it will be ignored. The default value is ANY, which indicates that any source IP can be valid.
KEY_BASE64 or KEY defines the primary key used to generate and validate the SPA packet. This will be automatically generated by default.
Key type indicates whether the primary key is plaintext or Base64 encoded. A Base64 key is decoded to binary, which allows for a larger keyspace than a plaintext key.
HMAC_KEY_BASE64 or HMAC_KEY defines the HMAC message verification key. This field is optional and can be left blank to indicate no HMAC verification. It is recommended to leave the default (generated) setting in place.
HMAC Key type indicates whether the HMAC key is plaintext or Base64 encoded.
OPEN_PORTS defines the protocol and port to open when a valid SPA packet is received. If left blank, this information will be derived from the SPA packet. If populated, this must be in the format of protocol/portnumber e.g. tcp/22 or udp/22.
FW_ACCESS_TIMEOUT defines in seconds the length of time that a port will remain open by default. Note that even after the port closes, the established connection will persist until terminated.
REQUIRE_SOURCE_ADDRESS causes the server to require the client's source IP address to be included in the SPA packet.
MAX_SPA_PACKET_AGE defines the maximum age in seconds that the server will accept requests. If left blank, it will default to 120 seconds.
PCAP_INTF dictates which interface fwknopd will listen on. The LuCI app will try to select the correct interface on installation, based on which one is the WAN interface.
ENABLE_IPT_FORWARDING defines whether an SPA packet can trigger port forwarding through to an internal host. Defaults to "y".
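As an added example (not code from the OpenWrt wiki page, the LuCI app or the fwknop project), the following POSIX shell script assembles an fwknopd access.conf stanza from the settings described above and checks that OPEN_PORTS uses the protocol/port form the page requires. It assumes the standard access.conf syntax of "NAME: value" lines; the key values it generates are random sample keys constructed for illustration, not the ones the LuCI app installs.

```shell
#!/bin/sh
# Added example: build an fwknopd access.conf stanza and validate OPEN_PORTS.
# Not from the wiki page or the fwknop project; sample keys are constructed.

# Validate one OPEN_PORTS entry: must be tcp/N or udp/N with 1 <= N <= 65535.
validate_open_ports() {
    entry="$1"
    proto="${entry%%/*}"
    port="${entry#*/}"
    case "$proto" in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print an access.conf stanza for one client.
# Arguments: SOURCE, OPEN_PORTS, KEY_BASE64, HMAC_KEY_BASE64, FW_ACCESS_TIMEOUT.
# access.conf uses "NAME: value" lines (fwknopd.conf uses "NAME value;" instead).
make_access_stanza() {
    src="$1"; ports="$2"; key="$3"; hmac="$4"; timeout="$5"
    validate_open_ports "$ports" || return 1
    printf 'SOURCE: %s\n' "$src"
    printf 'OPEN_PORTS: %s\n' "$ports"
    printf 'KEY_BASE64: %s\n' "$key"
    printf 'HMAC_KEY_BASE64: %s\n' "$hmac"
    printf 'FW_ACCESS_TIMEOUT: %s\n' "$timeout"
    printf 'REQUIRE_SOURCE_ADDRESS: Y\n'
}

# Generate a random Base64-encoded key of the given length in bytes.
gen_key_b64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Demo: restrict access to SSH only, with a 30-second open window.
# Keys here are freshly generated sample values, not the router's real keys.
DEMO_KEY=$(gen_key_b64 32)
DEMO_HMAC=$(gen_key_b64 32)
make_access_stanza ANY tcp/22 "$DEMO_KEY" "$DEMO_HMAC" 30
```

The validation function rejects anything other than tcp or udp and any port outside 1-65535, which is the kind of check worth running before ticking Enable config overwrite, since a malformed OPEN_PORTS value is only noticed once fwknopd refuses to start or ignores the stanza.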
The best way to debug what is happening with fwknopd is to run it as follows:
fwknopd -f -v -i eth0
This will not start fwknopd as a daemon; instead it runs fwknopd in the foreground against eth0 so you can see debugging output on the console. You might need to change the interface name depending on your setup. Now, with fwknopd running, go ahead and run the fwknop client. You will see verbose information about:
- the SPA packet specifics;
- if the packet successfully authenticates and decrypts, the corresponding iptables commands that fwknopd executes to grant access to whatever service you requested with the client.
You can stop debugging by pressing Ctrl+C.