mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0

Failed to send centos packets on the MAC. Procedure #341

Open Ran-Xing opened 2 years ago

Ran-Xing commented 2 years ago
Client : Darwin xrsec.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

Server : Linux VM-4-6-centos 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

macos error

```sh
# macos
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```

ubuntu success

```sh
# ubuntu
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```

Ran-Xing commented 2 years ago
```sh
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip --verbose
```

```
[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks
SPA Field Values:
=================
   Random Value: 1116472761702543
       Username: xr
      Timestamp: 1641613567
    FKO Version: 3.0.0
   Message Type: 1 (Access msg)
 Message String: 0.0.0.0,tcp/25002,udp/25002
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: xxxxxxxx
SPA Data Digest: xxxxxxxx
           HMAC: xxxxxxxx
 Final SPA Data: xxxxxxxx

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 25005
             IP/host: $IP
send_spa_packet: bytes sent: 225
```

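The verbose dump above carries the two facts that matter when debugging this report: whether the client actually handed bytes to the socket (`send_spa_packet: bytes sent`) and how the SPA message is protected (`Message String` starting with `0.0.0.0` is what triggers the `-a`/`-R` MITM warning, since `fwknopd` then opens the port for whatever source address the packet arrives from). The following is an added example, not fwknop project code or anything posted in this thread: it parses a `--verbose` dump and reports hardening and delivery findings. The sample text is constructed from the dump above (the `xxxxxxxx` fields were masked by the reporter). The 49152 threshold is taken from the Little Snitch vendor's reply at the end of this thread; the assumption that libfko prints `<NULL>` for an absent HMAC is mine.

```python
"""Audit an `fwknop --verbose` SPA dump for hardening and delivery problems.

Added example for this issue thread; not part of fwknop.
"""
import re

# Per the Little Snitch vendor's email in this thread: DPI is skipped for
# ports above 49152, and DPI changes packet timing enough to break SPA.
LITTLE_SNITCH_DPI_EXEMPT_PORT = 49152

# Constructed sample, same shape as the dump posted in this issue.
SAMPLE_OUTPUT = """\
[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks
SPA Field Values:
=================
   Random Value: 1116472761702543
       Username: xr
      Timestamp: 1641613567
    FKO Version: 3.0.0
   Message Type: 1 (Access msg)
 Message String: 0.0.0.0,tcp/25002,udp/25002
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: xxxxxxxx
SPA Data Digest: xxxxxxxx
           HMAC: xxxxxxxx
 Final SPA Data: xxxxxxxx

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 25005
             IP/host: $IP
send_spa_packet: bytes sent: 225
"""

# "Name: value" lines; the lazy key stops at the first colon, so
# "send_spa_packet: bytes sent: 225" yields key "send_spa_packet".
FIELD_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z_ /]+?):\s+(\S.*?)\s*$")


def parse_spa_fields(text):
    """Map every 'Name: value' line of the dump to a dict (later keys win)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def audit_spa_dump(text):
    """Return parsed essentials plus a list of findings (empty when clean)."""
    fields = parse_spa_fields(text)
    src_ip, _, access = fields.get("Message String", "").partition(",")
    dest_port = int(fields.get("destination port", "0"))
    sent = fields.get("send_spa_packet", "")
    bytes_sent = int(sent.rsplit(":", 1)[-1]) if sent.startswith("bytes sent") else 0

    findings = []
    if src_ip == "0.0.0.0":
        findings.append(
            "source IP is 0.0.0.0 (-s): fwknopd opens the port for whatever address "
            "the SPA packet arrives from; pin it with -a <ip> or -R (the MITM warning)")
    # Assumption: libfko prints <NULL> when no HMAC is attached.
    if fields.get("HMAC", "<NULL>") == "<NULL>":
        findings.append("no HMAC over the encrypted payload; configure an HMAC key")
    if 0 < dest_port < LITTLE_SNITCH_DPI_EXEMPT_PORT:
        findings.append(
            f"destination port {dest_port} is below {LITTLE_SNITCH_DPI_EXEMPT_PORT}: "
            "Little Snitch DPI can alter timing and drop the SPA packet on macOS; "
            "use a higher --server-port (fwknop's default is 62201)")
    if bytes_sent == 0:
        findings.append("client reports 0 bytes sent; the packet never left the socket")

    return {
        "source_ip": src_ip,
        "access": access.split(",") if access else [],
        "dest_port": dest_port,
        "bytes_sent": bytes_sent,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_spa_dump(SAMPLE_OUTPUT)["findings"]:
        print("-", finding)
```

Run against the dump above it reports the `0.0.0.0` source and the sub-49152 server port; a dump produced with `-a <client ip>` and `--server-port 62201` comes back with no findings. Note that `bytes sent: 225` only means the client wrote to its socket: a local filter such as Little Snitch can still discard the datagram afterwards, which is why `tcpdump` on both ends, as done later in this thread, remains the decisive check.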
basbebe commented 2 years ago

+1

macOS 12.3.1 does not send UDP packets out for me. If I choose `-P tcpraw` or `-P icmp` (with sudo), packets get sent out. No error message from fwknop, tcpdump shows no packet.

fwknop client 2.6.10, FKO protocol version 3.0.0
Ran-Xing commented 2 years ago

@basbebe If so, check whether firewall software is installed. You can use tcpdump to check the packet sending status.

I uninstalled Little Snitch and it works fine, including the newer M1

basbebe commented 2 years ago

@XRSec `sudo nmap -sU -p 62201 [IP]` shows up on the server.

Even after disabling Little Snitch and the macOS firewall, no UDP packet gets sent by fwknop.

Using tcpdump on the client and the server.

Ran-Xing commented 2 years ago

@basbebe If you install this software, there will be this problem, but it is useless to disable it. You need to uninstall it completely. Please download the installation package and choose to uninstall the kernel module during the installation process.

basbebe commented 2 years ago

@XRSec Thanks for pointing this out, I will give it a try.

Though I don't want to do without little snitch so I might have to forego fwknop for now if there is no way to have them coexist…

Ran-Xing commented 2 years ago

hi, is there any new tool to replace this tool?

jp-bennett commented 2 years ago

> hi, is there any new tool to replace this tool?

Honestly, WireGuard in UDP mode with a preshared key essentially provides the same protections.

Ran-Xing commented 2 years ago

@jp-bennett tks

Ran-Xing commented 1 year ago

Everyone, this message is the latest:

Hello, 

I have talked again to our developers about this and we did some testing. 

We assume that you're trying to use a port range of like 25000 here. We only prevent DPI for ports above 49152, the default is above 60000. When we do DPI we change the timing and thus prevent fwknop from working. Rules don't help because we haven't a name. On Ventura, once Apple reliably comes up with a name, that shouldn't be a problem.

Kind regards from Vienna,

Benjamin Gangl
Objective Development Software GmbH
https://www.obdev.at/