Getting fwknop to work

setting-up-fwknop.md

How to setup fwknop

Cloud Setup

• Using sshd_conf from my other place configure a bastion to run on 2 ports
  • use the other random port to help you set all this up!
• expose them on GCP
• also expose udp/62201 for the knock (62201 is the default, but you can change in the config)
• on a debian instance install fwknop-server
• configure ip tables as follows:

  $ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
  $ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

client

• install fwknop (sometimes called fwknop-client)
• use fwknop -K keys.txt to gen the key and HMAC_key for your SPA
• add these to ~/.fwknoprc like so:

[bastion]
SPA_SERVER          <Target IP>  
ACCESS              tcp/22
KEY_BASE64          <BASE64>
HMAC_KEY_BASE64     <BASE64>
USE_HMAC            Y

server

• copy accross the key data to /etc/fwknop/access.conf
• run $ sudo fwknop -S to check it's status
• run $ sudo fwknop -R to restartit with the new settings
• double check your iptables setup looks ok

client

• run fwknop -n bastion -R --verbose
• Providing this is successful you should now be able to login on ssh port 22 :D

@poleguy - not always the case that it'll be enp3s0 as it depends on how many nics you have on your computer. For innstance, the proper way to determine the interface packets will arrive on to the server from the Internet is by determining it programmatically:

sudo /usr/sbin/ip r g 8.8.8.8 | /usr/bin/awk '/via/{print $5}'

You should change 8.8.8.8 to an IP address your clients will be arriving from, say LAN/WAN link.