@joekir
Last active October 5, 2025 01:36
Getting fwknop to work

How to set up fwknop

Cloud Setup

  • Using the sshd_conf from my other place, configure a bastion sshd to listen on 2 ports
    • use the other (random) port to keep a working SSH session while you set all this up!
  • expose both ports in the GCP firewall
  • also expose udp/62201 for the knock (62201 is the default SPA port, but you can change it in the config)
  • on a Debian instance install fwknop-server
  • configure iptables as follows (both rules are inserted at position 1, so the ACCEPT run second ends up above the DROP; the final order is ACCEPT ESTABLISHED,RELATED first, then DROP tcp/22, and the short gap between the two commands is why the second SSH port is handy):
  $ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
  $ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

client

  • install fwknop (the client; sometimes packaged as fwknop-client)
  • use fwknop -K keys.txt to generate the encryption key and HMAC key for your SPA packets
  • add these to ~/.fwknoprc like so:
[bastion]
SPA_SERVER          <Target IP>  
ACCESS              tcp/22
KEY_BASE64          <BASE64>
HMAC_KEY_BASE64     <BASE64>
USE_HMAC            Y

server

  • copy the key data across to /etc/fwknop/access.conf
  • run $ sudo fwknopd -S to check the status of the server daemon
  • run $ sudo fwknopd -R to restart it with the new settings
  • double-check that your iptables setup looks ok ($ sudo iptables -L INPUT -n --line-numbers shows the rule order)

client

  • run fwknop -n bastion -R --verbose
  • Provided this succeeds, you should now be able to log in over SSH on port 22 :D
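As an added example (not part of the gist), a small shell check for the rule order the two iptables commands above produce: it reads text in iptables -S INPUT format and reports whether the conntrack ACCEPT sits above the tcp/22 DROP. The sample rule listings are constructed inline; on the bastion you would feed it the real output of sudo iptables -S INPUT.

```shell
#!/bin/sh
# Added example, not from the gist. Both iptables commands in the setup use
# `-I INPUT 1`, so whichever runs second ends up on top; the conntrack ACCEPT
# must sit above the tcp/22 DROP or the current SSH session (and every
# fwknop-opened one) is cut off. Input is `iptables -S INPUT` text. Returns:
#   0 ACCEPT precedes DROP   1 no tcp/22 DROP at all (sshd reachable by anyone)
#   2 no conntrack ACCEPT    3 ACCEPT is below the DROP
check_input_order() {
  rules=$1
  # iptables -S prints the states in its own order (RELATED,ESTABLISHED),
  # so match ESTABLISHED anywhere inside the --ctstate list.
  accept_pos=$(printf '%s\n' "$rules" \
    | grep -n -E -e 'conntrack --ctstate [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' \
    | head -n 1 | cut -d: -f1)
  drop_pos=$(printf '%s\n' "$rules" \
    | grep -n -E -e '--dport 22 -j DROP' | head -n 1 | cut -d: -f1)
  [ -n "$drop_pos" ]   || return 1
  [ -n "$accept_pos" ] || return 2
  [ "$accept_pos" -lt "$drop_pos" ] || return 3
  return 0
}

# Constructed sample: what `iptables -S INPUT` prints after the gist's two
# commands ran in the order written (DROP first, then ACCEPT inserted above it).
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j DROP'

# Constructed sample for the reverse order: the DROP lands on top and every
# inbound packet to port 22, established or not, is discarded.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

for name in GOOD_RULES BAD_RULES; do
  eval "rules=\$$name"
  rc=0
  check_input_order "$rules" || rc=$?
  echo "$name: result $rc"
done
# On the bastion itself: check_input_order "$(sudo iptables -S INPUT)"
```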
@poleguy

poleguy commented Feb 3, 2025

If you're trying to set this up remotely be careful.
The iptables commands are in the wrong order. They must be run in this order to not kill your current ssh connection. Also be careful because in 2025 eth0 is not the default NIC on Ubuntu. Use enp3s0 instead.

  $ sudo iptables -I INPUT 1 -i enp3s0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $ sudo iptables -I INPUT 1 -i enp3s0 -p tcp --dport 22 -j DROP

@ak2766

ak2766 commented Oct 5, 2025

@poleguy - it's not always the case that it'll be enp3s0, as it depends on how many NICs you have on your computer. For instance, the proper way to determine the interface on which packets from the Internet will arrive at the server is to determine it programmatically:

sudo /usr/sbin/ip r g 8.8.8.8 | /usr/bin/awk '/via/{print $5}'

You should change 8.8.8.8 to an IP address your clients will be arriving from, say LAN/WAN link.
