How to deploy fwknop on different operating systems
CentOS Deployment Guide for fwknop
Step1# Install dependencies
sudo yum install -y wget git
sudo yum install -y libtool
sudo yum install -y libpcap libpcap-devel
sudo yum install -y texinfo
sudo yum install -y iptables-services
sudo systemctl enable iptables
sudo systemctl start iptables
Step2# Install fwknop
$ git clone https://github.com/mrash/fwknop.git
# The 2.6.11 tag has build errors, so check out this commit instead
$ cd fwknop && git checkout 7605573040604cf899fee4fff21fa0c6e6bc5c37
$ ./autogen.sh
On CentOS 7, ./autogen.sh fails with the following error:
...
doc/Makefile.am:1: error: option 'info-in-builddir' not recognized
...
Fix it by editing doc/Makefile.am: comment out the AUTOMAKE_OPTIONS line and run ./autogen.sh again.
Changed doc/Makefile.am
# Comment this line
-AUTOMAKE_OPTIONS = info-in-builddir
+#AUTOMAKE_OPTIONS = info-in-builddir
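Review bot: commenting out `AUTOMAKE_OPTIONS = info-in-builddir` works around an automake older than 1.14 (CentOS 7 ships 1.13, which does not know the option); without it the .info files are generated in the source directory rather than the build directory, which is harmless for the in-tree ./configure && make used here but should be mentioned as the reason the line is dropped. Installing a newer automake is the alternative that leaves the upstream Makefile.am untouched.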
Then build and install (installation needs root): ./configure && make && sudo make install
Step3# Configure and run fwknopd
$ vim server/access.conf
#### fwknopd access.conf stanzas ###
SOURCE ANY
OPEN_PORTS tcp/4022,tcp/22
# Example keys only: the values below are published in this guide, so generate
# your own pair with `fwknop --key-gen` and keep this file readable by root only
KEY_BASE64 e7USwx6Ik5LU4f3s0sBA9C5vB0y/UeQpdbDAcjT5+EY=
HMAC_KEY_BASE64 pVRDi5qu6IYT34RVQn7JNXI0ETnxVldxC+kZxMcGhjK7gF7MYTRSdDDWrJHh8IfTO4NY2zNQ6sCI6DFFSr93QA==
# Reject SPA packets that do not name a real client IP (this blocks the client's -s / ALLOW_IP 0.0.0.0)
REQUIRE_SOURCE_ADDRESS Y
# Only honour packets whose username field is "vps" (client side: SPOOF_USER vps)
REQUIRE_USERNAME vps
#PCAP_INTF eth0;
# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR /homedir/path/.gnupg
#GPG_DECRYPT_ID ABCD1234
#GPG_DECRYPT_PW __CHANGEME__
# If you want to require GPG signatures:
#GPG_REQUIRE_SIG Y
#GPG_IGNORE_SIG_VERIFY_ERROR N
#GPG_REMOTE_ID 1234ABCD
# Second stanza with its own key pair. It sets neither OPEN_PORTS nor RESTRICT_PORTS,
# so fwknopd honours whatever port the SPA packet requests, and it omits
# REQUIRE_SOURCE_ADDRESS; tighten both before using it for anything but testing
SOURCE ANY
KEY_BASE64 FKRrVEuDjxas9yAXR18hPl9XX8gYPRHSpFp2jFKQrf0=
HMAC_KEY_BASE64 Zya1FvFa1hQkbxZkTfq+rOFeUm+WtpiHGheol8UTuLV1QHLd2epG1SLyygQDFK4V3KxRZmyrBPHuokW3JigWnQ==
Then stop any running fwknopd (-K) and start it against this access file. -U runs fwknopd in UDP server mode, listening on a socket on the SPA port instead of sniffing with libpcap, which is why Step 4 has to allow udp/62201 through the firewall:
fwknopd -K
fwknopd -U -a server/access.conf
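Before starting fwknopd it is worth linting the access file for the mistakes that bite in practice: published or short keys, a stanza without an HMAC key, SOURCE ANY without REQUIRE_SOURCE_ADDRESS, and a stanza with no port list. The script below is an added example, not part of fwknop. Its function names and the two constructed sample files are this example's own, and the minimum key sizes it enforces are simply the sizes `fwknop --key-gen` emits, a policy chosen here rather than a limit fwknopd imposes.

```shell
#!/bin/sh
# Added example (not part of fwknop): lint an fwknopd access.conf before
# starting the daemon. Each stanza starts at a SOURCE line, which is how
# fwknopd itself delimits them. Findings go to stdout; lint_access_conf
# returns 0 when the file is clean and 1 when anything was flagged.

# Decoded sizes that `fwknop --key-gen` produces. Shorter keys are flagged;
# this is a policy chosen for this script, not a limit fwknopd enforces.
MIN_KEY_BYTES=32
MIN_HMAC_BYTES=64
FINDINGS=0

# decoded_len BASE64: print the decoded byte count (0 if not valid base64)
decoded_len() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# finding N TEXT: report one problem in stanza N
finding() {
    echo "stanza $1: $2"
    FINDINGS=$((FINDINGS + 1))
}

# check_stanza N SOURCE KEY HMAC OPEN_PORTS RESTRICT_PORTS REQUIRE_SOURCE_ADDRESS GPG_DECRYPT_ID
check_stanza() {
    cn=$1 csrc=$2 ckey=$3 chmac=$4 copen=$5 crestrict=$6 creqsrc=$7 cgpg=$8
    if [ -z "$ckey" ] && [ -z "$cgpg" ]; then
        finding "$cn" "no KEY_BASE64 and no GPG_DECRYPT_ID, nothing can decrypt its SPA packets"
    elif [ -n "$ckey" ] && [ "$(decoded_len "$ckey")" -lt "$MIN_KEY_BYTES" ]; then
        finding "$cn" "KEY_BASE64 decodes to fewer than $MIN_KEY_BYTES bytes, regenerate with 'fwknop --key-gen'"
    fi
    if [ -z "$chmac" ]; then
        finding "$cn" "no HMAC_KEY_BASE64, its SPA packets are not HMAC-authenticated"
    elif [ "$(decoded_len "$chmac")" -lt "$MIN_HMAC_BYTES" ]; then
        finding "$cn" "HMAC_KEY_BASE64 decodes to fewer than $MIN_HMAC_BYTES bytes"
    fi
    if [ "$csrc" = ANY ] && [ "$creqsrc" != Y ]; then
        finding "$cn" "SOURCE ANY without REQUIRE_SOURCE_ADDRESS Y: a client may send ALLOW_IP 0.0.0.0 (-s) and get a rule for whatever address its packet arrives from"
    fi
    if [ -z "$copen" ] && [ -z "$crestrict" ]; then
        finding "$cn" "neither OPEN_PORTS nor RESTRICT_PORTS, fwknopd honours whatever port the SPA packet requests"
    fi
    return 0
}

# lint_access_conf FILE: walk the stanzas, check each, return 0 only if clean
lint_access_conf() {
    FINDINGS=0
    n=0 src= key= hmac= open= restrict= reqsrc= gpg=
    while read -r name value rest; do
        case "$name" in ''|'#'*) continue ;; esac   # blank and comment lines
        if [ "$name" = SOURCE ]; then
            # a new SOURCE line closes the previous stanza
            if [ -n "$src" ]; then
                check_stanza "$n" "$src" "$key" "$hmac" "$open" "$restrict" "$reqsrc" "$gpg"
            fi
            n=$((n + 1)) src=$value
            key= hmac= open= restrict= reqsrc= gpg=
            continue
        fi
        case "$name" in
            KEY_BASE64)             key=$value ;;
            HMAC_KEY_BASE64)        hmac=$value ;;
            OPEN_PORTS)             open=$value ;;
            RESTRICT_PORTS)         restrict=$value ;;
            REQUIRE_SOURCE_ADDRESS) reqsrc=$value ;;
            GPG_DECRYPT_ID)         gpg=$value ;;
        esac
    done < "$1"
    if [ -n "$src" ]; then
        check_stanza "$n" "$src" "$key" "$hmac" "$open" "$restrict" "$reqsrc" "$gpg"
    fi
    [ "$FINDINGS" -eq 0 ]
}

# Constructed samples (keys generated here, not the page's). bad.conf copies the
# shape of the page's second stanza and adds a LAN stanza with a weak key.
tmp=$(mktemp -d)
K32=$(printf '%032d' 0 | base64 | tr -d '\n')
H64=$(printf '%064d' 0 | base64 | tr -d '\n')
cat > "$tmp/good.conf" <<EOF
SOURCE ANY
OPEN_PORTS tcp/4022,tcp/22
KEY_BASE64 $K32
HMAC_KEY_BASE64 $H64
REQUIRE_SOURCE_ADDRESS Y
REQUIRE_USERNAME vps
EOF
cat > "$tmp/bad.conf" <<EOF
SOURCE ANY
KEY_BASE64 $K32
HMAC_KEY_BASE64 $H64
SOURCE 10.0.0.0/8
OPEN_PORTS tcp/22
KEY_BASE64 $(printf 'short' | base64)
EOF
lint_access_conf "$tmp/good.conf" && echo "good.conf: clean"
lint_access_conf "$tmp/bad.conf" || echo "bad.conf: $FINDINGS finding(s), fix them before starting fwknopd"
```

Run it as `lint_access_conf /etc/fwknop/access.conf` (or against server/access.conf as used here) and start fwknopd only when it prints nothing; the SOURCE ANY check is the one that matters most on an internet-facing host, because it is what makes the client's ALLOW_IP binding.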
Step4# Configure iptables
# Allow local loopback (to avoid affecting local access)
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established connections to continue communicating
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow UDP port 62201 for fwknop. This is needed because fwknopd was started with -U (UDP server mode) in Step 3 and must receive the SPA packet on a socket; in the default libpcap mode the packet is sniffed before the INPUT policy applies and this rule is not required
sudo iptables -A INPUT -p udp -m udp --dport 62201 -j ACCEPT
# See Warning below
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow ICMP (optional, enables ping)
sudo iptables -A INPUT -p icmp -j ACCEPT
# Default DROP all other INPUT
sudo iptables -P INPUT DROP
# Save the rules to /etc/sysconfig/iptables so they survive a reboot
sudo service iptables save
Warning: the rule that allows SSH (sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT) keeps port 22 reachable without a knock. Do not leave it out the first time unless you are already familiar with fwknop and iptables, because a mistake in the rules combined with the DROP policy will lock you out of the host. We test the SPA-gated configuration on another port (4022), so port 22 stays open during testing; once the knock works you can drop that rule and save again, so that SSH is only reachable after a valid SPA packet.
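Because this step ends by switching the INPUT policy to DROP on a host you are most likely administering over SSH, one wrong rule locks you out. The script below is an added example, not from the fwknop project: it wraps any firewall change in an iptables-save snapshot and a timed iptables-restore that runs unless you confirm from a session that still works. The function and variable names (apply_with_rollback, confirm_firewall, fw_status, IPT_SAVE, IPT_RESTORE, GRACE, STATE) are this example's own, and the demo at the bottom swaps iptables-save and iptables-restore for file-backed stand-ins so it runs without root.

```shell
#!/bin/sh
# Added example, not from the fwknop project: apply a firewall change over SSH
# with an automatic rollback so a mistake in the rules cannot lock you out.
# apply_with_rollback snapshots the live ruleset with iptables-save, runs the
# change, and arms a timer that restores the snapshot after GRACE seconds
# unless confirm_firewall is run first from a session that still works.
# IPT_SAVE/IPT_RESTORE are variables only so the demo can run without root.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
GRACE=${GRACE:-120}
STATE=${STATE:-/run/fw-rollback}

# apply_with_rollback CMD [ARGS...]: snapshot, run CMD, arm the rollback timer
apply_with_rollback() {
    mkdir -p "$STATE"
    rm -f "$STATE/confirmed"
    $IPT_SAVE > "$STATE/before.rules" || return 1
    if ! "$@"; then
        # the change itself failed: restore the snapshot right away
        $IPT_RESTORE < "$STATE/before.rules"
        return 1
    fi
    (
        sleep "$GRACE"
        [ -f "$STATE/confirmed" ] && exit 0
        $IPT_RESTORE < "$STATE/before.rules"
        echo rolled-back > "$STATE/status"
    ) &
    echo $! > "$STATE/timer.pid"
    echo armed > "$STATE/status"
}

# confirm_firewall: you still have a session, so disarm the timer
confirm_firewall() {
    [ "$(fw_status)" = armed ] || return 1
    : > "$STATE/confirmed"                  # flag file wins even if kill races the timer
    kill "$(cat "$STATE/timer.pid")" 2>/dev/null
    echo confirmed > "$STATE/status"
}

# fw_status: armed, confirmed or rolled-back (empty if never armed)
fw_status() { cat "$STATE/status" 2>/dev/null; }

# Demo without root: stand-ins that keep the "live" ruleset in a file.
tmp=$(mktemp -d)
printf '%s\n' '-P INPUT ACCEPT' > "$tmp/live.rules"
fake_save()    { cat "$tmp/live.rules"; }
fake_restore() { cat > "$tmp/live.rules"; }
lock_down()    { printf '%s\n' '-P INPUT DROP' >> "$tmp/live.rules"; }
IPT_SAVE=fake_save IPT_RESTORE=fake_restore GRACE=1 STATE=$tmp/state

apply_with_rollback lock_down      # forget to confirm ...
sleep 3
echo "no confirmation: $(fw_status); live ruleset: $(cat "$tmp/live.rules")"
apply_with_rollback lock_down      # ... or confirm in time
confirm_firewall
sleep 3
echo "confirmed: $(fw_status); live ruleset: $(cat "$tmp/live.rules")"
```

On the real host put the iptables commands from this step in a script, run `apply_with_rollback sh /root/fwknop-rules.sh` as root, open a second SSH session, and run `confirm_firewall` there before GRACE seconds elapse; only then run `service iptables save`. If the second session cannot connect, do nothing: the snapshot is restored and you can fix the rules.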
Step5# Configure and Use the fwknop Client for Secure Access
# .fwknoprc
##############################################################################
#
# Firewall Knock Operator (fwknop) client rc file.
#
# This file contains user-specific fwknop client configuration default
# and named parameter sets for specific invocations of the fwknop client.
#
# Each section (or stanza) is identified and started by a line in this
# file that contains a single identifier surrounded by square brackets.
# It is this identifier (or name) that is used from the fwknop command line
# via the '-n <name>' argument to reference the corresponding stanza.
#
# The parameters within the stanza typically match corresponding client
# command-line parameters.
#
# The first one should always be `[default]' as it defines the global
# default settings for the user. These override the program defaults
# for these parameters. If a named stanza is used, its entries will
# override any of the default values. Command-line options will trump them
# all.
#
# Subsequent stanzas will have only the overriding and destination
# specific parameters.
#
# Lines starting with `#' and empty lines are ignored.
#
# See the fwknop.8 man page for a complete list of valid parameters
# and their values.
#
##############################################################################
#
# We start with the 'default' stanza. Uncomment and edit for your
# preferences. The client will use its built-in default for those items
# that are commented out.
#
[default]
#DIGEST_TYPE sha256
#FW_TIMEOUT 30
#SPA_SERVER_PORT 62201
#SPA_SERVER_PROTO udp
#ALLOW_IP <ip addr>
#SPOOF_USER <username>
#SPOOF_SOURCE_IP <IPaddr>
#TIME_OFFSET 0
#USE_GPG N
#GPG_HOMEDIR /path/to/.gnupg
#GPG_EXE /path/to/gpg
#GPG_SIGNER <signer ID>
#GPG_RECIPIENT <recipient ID>
#NO_SAVE_ARGS N
# User-provided named stanzas:
# Example for a destination server of 192.168.1.20 to open access to
# SSH for an IP that is resolved externally, and one with a NAT request
# for a specific source IP that maps port 8088 on the server
# to port 88 on 192.168.1.55 with timeout.
#
#[myssh]
#SPA_SERVER 192.168.1.20
#ACCESS tcp/22
#ALLOW_IP resolve
#
#[mynatreq]
#SPA_SERVER 192.168.1.20
#ACCESS tcp/8088
#ALLOW_IP 10.21.2.6
#NAT_ACCESS 192.168.1.55,88
#CLIENT_TIMEOUT 60
#
[vpn]
SPA_SERVER_PROTO udp
SPA_SERVER_PORT 62201
# Must be the public IP the server sees for you (or "resolve"); the server's
# REQUIRE_SOURCE_ADDRESS Y rejects packets that ask for 0.0.0.0 (-s)
ALLOW_IP <YourClientIP>
ACCESS tcp/4022,tcp/22
SPA_SERVER vpn.server
# Same keys as the server stanza; this file holds secrets, so keep it mode 0600
KEY_BASE64 e7USwx6Ik5LU4f3s0sBA9C5vB0y/UeQpdbDAcjT5+EY=
HMAC_KEY_BASE64 pVRDi5qu6IYT34RVQn7JNXI0ETnxVldxC+kZxMcGhjK7gF7MYTRSdDDWrJHh8IfTO4NY2zNQ6sCI6DFFSr93QA==
USE_HMAC Y
# Matches REQUIRE_USERNAME vps on the server
SPOOF_USER vps
FW_TIMEOUT 60
Then run fwknop -n vpn -v to send the SPA packet (-v prints the fields the client encrypted, which helps when the server rejects the packet); fwknopd opens tcp/4022 and tcp/22 for the address given in ALLOW_IP for the requested timeout.
Check with iptables -nvL on the server that the rules were added:
$ iptables -vnL
Chain INPUT (policy DROP 2 packets, 88 bytes)
pkts bytes target prot opt in out source destination
17M 3034M FWKNOP_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
9655K 1671M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3682K 295M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14001 911K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
117K 6214K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4022
20036 1334K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5971 1639K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:62201
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10 packets, 592 bytes)
pkts bytes target prot opt in out source destination
Chain FWKNOP_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * <YourIP> 0.0.0.0/0 tcp dpt:4022 /* _exp_1742783157 */
0 0 ACCEPT tcp -- * * <YourIP> 0.0.0.0/0 tcp dpt:22 /* _exp_1742783157 */
The two rules in FWKNOP_INPUT are the ones fwknopd added for your client (<YourIP> is the address you put in ALLOW_IP); the _exp_ comment holds the Unix time after which fwknopd deletes them.
From the client, telnet to one of the knocked-open ports on the server to confirm the rule matched; the OpenSSH banner below shows that sshd is also listening on 4022 on this host:
$ telnet <YourIP> 4022
Trying <YourIP>...
Connected to fwknop.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
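The listing above is what you check by eye after a knock. The script below performs the same check from a saved `iptables -nvL` listing and is an added example, not part of fwknop: it verifies the INPUT policy is DROP, that fwknopd's FWKNOP_INPUT jump is present, whether tcp/22 is still permanently open, and how long each rule fwknopd added has left before it removes it. The function names are this example's own, the two embedded listings are constructed to mirror the page's output (with documentation-range addresses standing in for <YourIP>), and the current time is passed in as a parameter so the demo is reproducible.

```shell
#!/bin/sh
# Added example, not part of fwknop: audit the output of `iptables -nvL` after
# a knock. fwknopd tags the rules it adds with an _exp_<unix time> comment
# and deletes them once that time passes, so an expired rule that is still
# present means the daemon is no longer doing its cleanup.

# fw_input_policy FILE: print the INPUT chain policy (DROP/ACCEPT)
fw_input_policy() {
    awk '/^Chain INPUT \(policy/ { print $4; exit }' "$1"
}

# fw_has_fwknop_jump FILE: exit 0 if INPUT contains a jump to FWKNOP_INPUT
fw_has_fwknop_jump() {
    awk '/^Chain / { c = $2; next }
         c == "INPUT" && $3 == "FWKNOP_INPUT" { f = 1 }
         END { exit !f }' "$1"
}

# fw_permanent_ssh FILE: print INPUT rules that accept tcp/22 unconditionally
fw_permanent_ssh() {
    awk '/^Chain / { c = $2; next }
         c == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" && /dpt:22( |$)/ { n++; print }
         END { exit !n }' "$1"
}

# fw_spa_rules FILE NOW: one line per fwknopd rule: proto source dpt seconds-left
fw_spa_rules() {
    awk -v now="$2" '
        /^Chain / { c = $2; next }
        c == "FWKNOP_INPUT" && $3 == "ACCEPT" {
            ts = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^_exp_[0-9]+$/) ts = substr($i, 6)
            if (ts != "") printf "%s %s %s %d\n", $4, $8, $11, ts - now
        }' "$1"
}

# audit_fw_listing FILE [NOW]: summarise; exit 0 only if policy is DROP and the jump exists
audit_fw_listing() {
    file=$1 now=${2:-$(date +%s)} ok=0
    pol=$(fw_input_policy "$file")
    if [ "$pol" != DROP ]; then echo "INPUT policy is ${pol:-missing}, not DROP"; ok=1; fi
    if ! fw_has_fwknop_jump "$file"; then echo "no FWKNOP_INPUT jump in INPUT (is fwknopd running? check fwknopd -S)"; ok=1; fi
    if fw_permanent_ssh "$file" > /dev/null; then
        echo "tcp/22 is permanently open in INPUT; drop that rule once SPA access works"
    fi
    fw_spa_rules "$file" "$now" | while read -r proto src dpt left; do
        if [ "$left" -lt 0 ]; then
            echo "expired ${left#-}s ago but still present: $proto $src $dpt (fwknopd should have removed it)"
        else
            echo "open for ${left}s more: $proto $src $dpt"
        fi
    done
    return $ok
}

# Constructed listings modelled on the page's output; 203.0.113.7 and
# 198.51.100.9 stand in for client addresses, 1742783100 for "now".
tmp=$(mktemp -d)
cat > "$tmp/after.txt" <<'EOF'
Chain INPUT (policy DROP 2 packets, 88 bytes)
 pkts bytes target     prot opt in     out     source               destination
  17M 3034M FWKNOP_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
9655K 1671M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3682K  295M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
14001  911K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 5971 1639K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:62201

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 592 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FWKNOP_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:4022 /* _exp_1742783157 */
    0     0 ACCEPT     tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:22 /* _exp_1742783157 */
    0     0 ACCEPT     tcp  --  *      *       198.51.100.9         0.0.0.0/0            tcp dpt:22 /* _exp_1742783000 */
EOF
cat > "$tmp/before.txt" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
EOF
audit_fw_listing "$tmp/after.txt" 1742783100
audit_fw_listing "$tmp/before.txt" 1742783100 || echo "before.txt: host is not yet gated by fwknopd"
```

On the server, `iptables -nvL > /tmp/fw.txt && audit_fw_listing /tmp/fw.txt` gives the same summary for the live ruleset; run it once right after the knock and once after FW_TIMEOUT has passed, when the rules should be gone.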