Skip to content

Instantly share code, notes, and snippets.

Last active October 15, 2021 14:42
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Getting fwknop to work

How to setup fwknop

Cloud Setup

  • Using sshd_conf from my other place configure a bastion to run on 2 ports
    • use the other random port to help you set all this up!
  • expose them on GCP
  • also expose udp/62201 for the knock (62201 is the default, but you can change in the config)
  • on a debian instance install fwknop-server
  • configure ip tables as follows:
  $ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
  $ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


  • install fwknop (sometimes called fwknop-client)
  • use fwknop -K keys.txt to gen the key and HMAC_key for your SPA
  • add these to ~/.fwknoprc like so:
SPA_SERVER          <Target IP>  
ACCESS              tcp/22
KEY_BASE64          <BASE64>
USE_HMAC            Y


  • copy accross the key data to /etc/fwknop/access.conf
  • run $ sudo fwknop -S to check it's status
  • run $ sudo fwknop -R to restartit with the new settings
  • double check your iptables setup looks ok


  • run fwknop -n bastion -R --verbose
  • Providing this is successful you should now be able to login on ssh port 22 :D
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment