tptacek No.45668433
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

trelane No.45673304
Do you have a guide to using WireGuard in this way?
tptacek No.45673329
Using WireGuard in what way? WireGuard defaults to the security posture SPA/port knocking hopes to asymptotically achieve.
trelane No.45673364
> Using WireGuard in what way?

Using WireGuard to gate access to a server. It looks like it's a VPN, not an access control mechanism. So I am curious how this works.

tptacek No.45673372
Set up WireGuard, filter everything but WireGuard (51820/udp) on en0, and then SSH in over the WireGuard connection.
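
The setup described in the comment above, sketched as an nftables ruleset. This is an added example, not configuration posted by anyone in the thread. Assumptions: a Linux host using nftables, `en0` as the public interface (the name used in the comment), `wg0` as the WireGuard interface, and sshd on 22/tcp.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread).
# Assumed names: en0 = public interface, wg0 = WireGuard interface, sshd on 22/tcp.

flush ruleset

define PUBLIC_IF = "en0"
define WG_IF     = "wg0"
define WG_PORT   = 51820

table inet filter {
    chain input {
        # Default deny: anything not matched below is dropped silently.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Public side: only WireGuard. WireGuard does not answer packets
        # that fail authentication, so scans of this port see no response.
        iifname $PUBLIC_IF udp dport $WG_PORT accept

        # Tunnel side: SSH is reachable only by peers whose public key is
        # configured on wg0, because only their traffic arrives on it.
        iifname $WG_IF tcp dport 22 accept

        # If en0 carries IPv6, neighbor discovery also needs an accept
        # rule here, or IPv6 connectivity stops under the drop policy.
    }

    chain forward {
        # This host is an endpoint, not a router for its peers.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it from a console session or with a timed rollback in place, since a wrong interface name under a drop policy cuts off remote access. Setting `ListenAddress` in `sshd_config` to the host's tunnel address adds a second layer that holds even if the firewall rules are flushed.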