←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 4 comments | 22 Oct 25 08:37 UTC | HN request time: 0s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
trelane ◴[22 Oct 25 18:35 UTC] No.45673304[source]
Do you have a guide to using wireguard in this way?
replies(1): >>45673329 #
tptacek ◴[22 Oct 25 18:36 UTC] No.45673329[source]
Using WireGuard in what way? WireGuard defaults to the security posture SPA/port knocking hopes to asymptotically achieve.
replies(1): >>45673364 #
1. trelane ◴[22 Oct 25 18:40 UTC] No.45673364[source]
> Using WireGuard in what way?

Using WireGuard to gate access to a server. It looks like it's a VPN, not an access control mechanism. So I am curious how this works.

replies(3): >>45673372 #>>45673417 #>>45675523 #
2. tptacek ◴[22 Oct 25 18:41 UTC] No.45673372[source]
Set up WireGuard, filter everything but WireGuard (51820/udp) on en0, and then SSH in over the WireGuard connection.
3. akerl_ ◴[22 Oct 25 18:44 UTC] No.45673417[source]
WireGuard is sort of a VPN, but really its core is peer to peer links with simple, footgun-resistant configs.

The most mundane setup is two peers with each other’s public keys that let each peer talk to the other via the WireGuard link.

4. immibis ◴[22 Oct 25 21:41 UTC] No.45675523[source]
It is a VPN. The point was to block all external traffic except for VPN traffic. Then make sure your VPN is secure, and you're all set. When you want to connect to some service, connect to the VPN first and then connect to the service through the VPN. Then all your traffic has actual security and not just some light obfuscation via secret handshake.

IMO, "only wireguard" is too restrictive of a policy - I also trust openssh and nginx to be open to the internet, if configured moderately carefully. Most FOSS servers that are widely deployed on the internet are safe to be deployed on the internet, or we'd know about it. I reviewed something that's not widely deployed on the internet though (Apache Zookeeper) and couldn't convince myself that every code path was properly checking authentication. That would have to go behind a VPN.