mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0
1.09k stars 228 forks

Is this project abandoned? #344

Open silversword411 opened 1 year ago

silversword411 commented 1 year ago

Unaccepted PRs going back 6 years. No commits in 2 years.

jp-bennett commented 1 year ago

It's essentially retired. Wireguard ticks a lot of the design requirements that fwknop had. And the project runners have mostly moved on to other things.

franzinc commented 1 year ago

@jp-bennett I'm curious about the statement Wireguard ticks a lot of the design requirements that fwknop had. Can you elaborate on that? I've been a user of fwknop for a long time and I've only read about Wireguard (docs, articles). I can't see how it's a replacement for what fwknop provides. Thanks.

2push4more commented 1 year ago

> @jp-bennett I'm curious about the statement Wireguard ticks a lot of the design requirements that fwknop had. Can you elaborate on that? I've been a user of fwknop for a long time and I've only read about Wireguard (docs, articles). I can't see how it's a replacement for what fwknop provides. Thanks.

I, too, share the same curiosity.

From my understanding, fwknop serves as an implementation of Single Packet Authorization (SPA), while WireGuard is primarily recognized as a comprehensive VPN solution. In the case of using fwknop to open an SSH port, the SSH connection itself acts as the encrypted tunnel, rendering the need for an additional encrypted tunnel from WireGuard unnecessary. In essence, fwknop provides a means to dynamically and automatically open ports, whereas WireGuard establishes encrypted tunnels.

Additionally, fwknop allows for a manual security layer by prompting users for a password, while WireGuard utilizes automatic asymmetric cryptography.

Considering the above, it would be unfortunate to witness the disappearance of fwknop, as I am unaware of any other comparable SPA solution. Although it is possible to configure tools like iptables and nmap for traditional port knocking, fwknop with its SPA approach represents the next-generation, more secure iteration of this concept.

If WireGuard does indeed have the capability to serve as a similar SPA solution, I would greatly appreciate any assistance in understanding this aspect more thoroughly.

Thank you in advance for your insights.

mrash commented 1 year ago

Hi all,

WireGuard and fwknop share one important similarity, which is stealth under active scans. That is, it will never be possible to develop an unauthenticated scanner to detect either a WireGuard peer node or fwknopd. The underlying technology to achieve this is different, but the design goal is the same (and UDP is used by both projects here too as a means to an end).

Beyond that, agreed there are some important differences. If one does not need a full VPN solution and just wants to effectively "shift" a TCP-based service into the realm of non-scannability via SPA, then fwknop achieves this goal. There may also be some interesting combinations of fwknop + WireGuard too. For example, WireGuard (to my knowledge) cannot bind to a range of UDP ports. So, if you have a WireGuard client at Starbucks or something that is behind a filtering gateway that blocks the particular UDP port that was previously defined on the server side, then you are out of luck unless you can either 1) dynamically change the WireGuard server-side listening port, which implies some out-of-band way of gaining admin access, or 2) maybe use the fwknopd NAT capability together with its ability to monitor a range of UDP ports for the incoming SPA packet. In the latter case, the WireGuard traffic from the client (over whatever UDP port is actually allowed out) will be NAT'd into the WireGuard server port. This is the "ghost service" capability in fwknopd: https://cipherdyne.org/blog/2009/11/creating-ghost-services-with-single-packet-authorization.html

I'm glad to see people are still using fwknop. I plan on jumping back in to continue development of it.

Thanks,

--Mike


-- Michael Rash | Founder http://www.cipherdyne.org/ Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F

e40 commented 1 year ago

@mrash Mike, so glad to hear this!! I think fwknop is awesome software and I'm glad it will continue to be available and supported!

jp-bennett commented 1 year ago

> @jp-bennett I'm curious about the statement Wireguard ticks a lot of the design requirements that fwknop had. Can you elaborate on that? I've been a user of fwknop for a long time and I've only read about Wireguard (docs, articles). I can't see how it's a replacement for what fwknop provides. Thanks.

Sure. First off, I'm only speaking for myself. Glad to see @mrash still around. Been a long time, hope all is well.

So, the big thing that fwknop brings to the table is being able to send a cryptographically secure request to a remote server in a single packet, without a TCP port open and listening, etc. And my use case was always to use that request to open a port and connect SSH or another service. As Michael points out, Wireguard also has the single packet cryptography stuff figured out, in that each packet by itself is signed and encrypted in a way that stands alone and is secure. (So much so that I've mulled over how one might add an SPA payload directly inside a Wireguard encrypted packet.) Wireguard ignores unsigned traffic, so it's not detectable in a network scan. And it's way lighter than the old OpenVPN binaries and libraries, so Wireguard trivially builds into a router or server.

That's obviously not the only trick that Fwknop can do, but it's the trick I used the most.
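The property mrash and jp-bennett describe above (one self-contained, authenticated datagram; a server that listens on no TCP port, never answers, and treats anything it cannot authenticate exactly like noise; a replay check so a captured packet is useless) is worth seeing in code. The sketch below is an added example written for this page. It is not fwknop's code and not its packet format: the key, the addresses, the field layout and the simulated "firewall" are all constructed for the demo, and the packet is only HMAC-authenticated rather than encrypted, which fwknop's real SPA packets are. It uses only the Python standard library.

```python
"""Toy Single Packet Authorization (SPA) client and server.

Added example, not fwknop's code or packet format. It shows the properties
discussed in the thread: one HMAC-authenticated UDP-sized datagram, a server
that never replies, and replay/age/source checks before any state changes.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

# Constructed demo secret; a real deployment generates a per-client key.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

NONCE_LEN = 16
TAG_LEN = 32                      # HMAC-SHA256
BODY_FMT = "!I4sBH"               # timestamp, IPv4 address, protocol, port
BODY_LEN = NONCE_LEN + struct.calcsize(BODY_FMT)
PKT_LEN = BODY_LEN + TAG_LEN      # every valid packet is exactly this long

PROTO_TCP = 6
PROTO_UDP = 17


def build_spa(key, allow_ip, proto, port, now=None):
    """Client side: build one stand-alone authenticated datagram.

    allow_ip is the address the client asks to have let through; the random
    nonce makes every packet unique so the server can detect replays."""
    ts = int(time.time()) if now is None else int(now)
    body = os.urandom(NONCE_LEN) + struct.pack(
        BODY_FMT, ts, ipaddress.IPv4Address(allow_ip).packed, proto, port)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaServer:
    """Server side: passively consumes datagrams and never sends anything.

    The only observable effect of a good packet is a new (simulated) firewall
    rule; every other packet is dropped without a response."""

    def __init__(self, key, window=120, open_secs=30):
        self.key = key
        self.window = window      # tolerated packet age / clock skew, seconds
        self.open_secs = open_secs
        self.seen = set()         # replay cache keyed on the packet's tag
        self.rules = []           # simulated firewall: (ip, proto, port, expires_at)

    def handle(self, pkt, sender_ip, now=None):
        """Process one received datagram and return (accepted, reason).

        A real server would never transmit 'reason'; it is returned here only
        so the caller can see why a packet was dropped."""
        now = time.time() if now is None else now
        if len(pkt) != PKT_LEN:                       # wrong size: drop silently
            return False, "bad_length"
        body, tag = pkt[:BODY_LEN], pkt[BODY_LEN:]
        # Authenticate before interpreting any field, so a forged or probing
        # packet is indistinguishable from random noise to the server.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad_hmac"
        ts, ip_raw, proto, port = struct.unpack(BODY_FMT, body[NONCE_LEN:])
        if abs(now - ts) > self.window:               # too old or too far ahead
            return False, "expired"
        if tag in self.seen:                          # exact packet seen before
            return False, "replay"
        allow_ip = str(ipaddress.IPv4Address(ip_raw))
        # The address in the packet must match where it came from, so a packet
        # captured on the wire cannot be re-sent from another host in the window.
        if allow_ip != sender_ip:
            return False, "ip_mismatch"
        self.seen.add(tag)
        self.rules.append((allow_ip, proto, port, now + self.open_secs))
        return True, "accepted"

    def is_open(self, ip, proto, port, now=None):
        """Simulated firewall lookup; expired rules are removed first."""
        now = time.time() if now is None else now
        self.rules = [r for r in self.rules if r[3] > now]
        return any(r[:3] == (ip, proto, port) for r in self.rules)


if __name__ == "__main__":
    srv = SpaServer(DEMO_KEY)
    pkt = build_spa(DEMO_KEY, "203.0.113.7", PROTO_TCP, 22)
    print(srv.handle(pkt, "203.0.113.7"))                     # (True, 'accepted')
    print(srv.is_open("203.0.113.7", PROTO_TCP, 22))          # True
    print(srv.handle(pkt, "203.0.113.7"))                     # (False, 'replay')
    print(srv.handle(bytes(PKT_LEN), "198.51.100.9"))         # (False, 'bad_hmac')
```

The ordering of the checks is the point: length, then HMAC, and only then the timestamp, replay cache and source address, so nothing about the packet's contents is acted on until it has authenticated. A real server would also prune the replay cache of tags older than the window and would install and later remove an actual firewall rule instead of appending to a list.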