Is this project abandoned? #344
Comments
|
It's essentially retired. Wireguard ticks a lot of the design requirements that fwknop had. And the project runners have mostly moved on to other things. |
Does not build on Ventura Declared abandoned in mrash/fwknop#344 (comment) 0 downloads in the last 30 days
|
@jp-bennett I'm curious about the statement Wireguard ticks a lot of the design requirements that fwknop had. Can you elaborate on that? I've been a user of fwknop for a long time and I've only read about Wireguard (docs, articles). I can't see how it's a replacement for what fwknop provides. Thanks. |
I, too, share the same curiosity. From my understanding, fwknop serves as an implementation of Single Packet Authorization (SPA), while WireGuard is primarily recognized as a comprehensive VPN solution. In the case of using fwknop to open an SSH port, the SSH connection itself acts as the encrypted tunnel, rendering the need for an additional encrypted tunnel from WireGuard unnecessary. In essence, fwknop provides a means to dynamically and automatically open ports, whereas WireGuard establishes encrypted tunnels. Additionally, fwknop allows for a manual security layer by prompting users for a password, while WireGuard utilizes automatic asymmetric cryptography. Considering the above, it would be unfortunate to witness the disappearance of fwknop, as I am unaware of any other comparable SPA solution. Although it is possible to configure tools like iptables and nmap for traditional port knocking, fwknop with its SPA approach represents the next-generation, more secure iteration of this concept. If WireGuard does indeed have the capability to serve as a similar SPA solution, I would greatly appreciate any assistance in understanding this aspect more thoroughly. Thank you in advance for your insights. |
|
Hi all,
WireGuard and fwknop share one important similarity which stealth under
active scans. That is, it will never be possible to develop an
unauthenticated scanner to detect either a WireGuard peer node or fwknopd.
The underlying technology to achieve this is different, but the design goal
is the same (and UDP is used by both projects here too as a means to an
end).
Beyond that, agreed there are some important differences. If one does not
need a full VPN solution and just wants to effectively "shift" a TCP-based
service into the realm of non-scannability via SPA, then fwknop achieves
this goal. There may also be some interesting combinations of fwknop +
WireGuard too. For example, WireGuard (to my knowledge) cannot bind to a
range of UDP ports. So, if you have a WireGuard client at Starbucks or
something that is behind a filtering gateway that blocks the particular UDP
port that was previously defined on the server side, then you are out of
luck unless you can either 1) dynamically change the WireGuard server-side
listening port which implies some out-of-band way of gaining admin access,
or 2) maybe use the fwknopd NAT capability together with its ability to
monitor a range of UDP ports for the incoming SPA packet. In the latter
case, the WireGuard client traffic from the client (over whatever UDP port
is actually allowed out) will be NAT'd into the WireGuard server port. This
is the "ghost service" capability in fwknopd:
https://cipherdyne.org/blog/2009/11/creating-ghost-services-with-single-packet-authorization.html
I'm glad to see people are still using fwknop. I plan on jumping back in to
continue development of it.
Thanks,
…--Mike
On Mon, May 22, 2023 at 9:42 PM 2push4more ***@***.***> wrote:
@jp-bennett <https://github.com/jp-bennett> I'm curious about the
statement *Wireguard ticks a lot of the design requirements that fwknop
had*. Can you elaborate on that? I've been a user of fwknop for a long
time and I've only read about Wireguard (docs, articles). I can't see how
it's a replacement for what fwknop provides. Thanks.
I, too, share the same curiosity.
From my understanding, fwknop serves as an implementation of Single Packet
Authorization (SPA), while WireGuard is primarily recognized as a
comprehensive VPN solution. In the case of using fwknop to open an SSH
port, the SSH connection itself acts as the encrypted tunnel, rendering the
need for an additional encrypted tunnel from WireGuard unnecessary. In
essence, fwknop provides a means to dynamically and automatically open
ports, whereas WireGuard establishes encrypted tunnels.
Additionally, fwknop allows for a manual security layer by prompting users
for a password, while WireGuard utilizes automatic asymmetric cryptography.
Considering the above, it would be unfortunate to witness the
disappearance of fwknop, as I am unaware of any other comparable SPA
solution. Although it is possible to configure tools like iptables and nmap
for traditional port knocking, fwknop with its SPA approach represents the
next-generation, more secure iteration of this concept.
If WireGuard does indeed have the capability to serve as a similar SPA
solution, I would greatly appreciate any assistance in understanding this
aspect more thoroughly.
Thank you in advance for your insights.
—
Reply to this email directly, view it on GitHub
<#344 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAC42RAHWMRRIFINKCJAC23XHQIXLANCNFSM6AAAAAAQ2POODI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
|
|
@mrash Mike, so glad to hear this!! I think fwknop is awesome software and I'm glad it will continue to be available and supported! |
Sure. First off, I'm only speaking for myself. Glad to see @mrash still around. Been a long time, hope all is well. So, the big thing that fwknop brings to the table is being able to send a cryptographically secure request to a remote server in a single packet, without a TCP port open and listening, etc. And my use case was always to use that request to open a port and connect SSH or another service. As Michael points out, Wireguard also has the single packet cryptography stuff figured out, in that each packet by itself is signed and encrypted in a way that stands alone and is secure. (So much so that I've mulled over how one might add an SPA payload directly inside a Wireguard encrypted packet.) Wireguard ignores unsigned traffic, so it's not detectable in a network scan. And it's way lighter than the old OpenVPN binaries and libraries, so Wireguard trivially builds in to a router or server. That's obviously not the only trick that Fwknop can do, but it's the trick I used the most. |
Unaccepted PRs going back 6 years
No commits in 2 years
The text was updated successfully, but these errors were encountered: