@joekir
Last active February 3, 2025 17:14
Getting fwknop to work

How to setup fwknop

Cloud Setup

  • Using the sshd_conf from my other place, configure a bastion host to run sshd on 2 ports
    • use the other random port to help you set all this up, so you are not working over the port you are about to firewall!
  • expose both ports on GCP
  • also expose udp/62201 for the knock (62201 is the default, but you can change it in the config)
  • on a Debian instance install fwknop-server
  • configure iptables as follows:
  $ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
  $ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
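Both rules above are inserted at position 1 of INPUT, so what matters is the order the chain ends up in: the ESTABLISHED,RELATED ACCEPT has to sit above the tcp/22 DROP, otherwise the DROP also eats packets of sessions that are already open. The script below is an added example (not part of the gist or of fwknop) that checks an `iptables -S INPUT` listing for that ordering and models `iptables -I INPUT <pos>` / `iptables -A INPUT` step by step, so you can see for any command order both the final chain and whether an in-flight SSH session would be cut off while the rules are being applied. The listing embedded in it is constructed, not captured output.

```python
"""Sanity checks for the SPA firewall rules: verify that an `iptables -S INPUT`
listing has the ESTABLISHED,RELATED ACCEPT ahead of the tcp/22 DROP, and model
what `-I INPUT <pos>` (1-based insert) and `-A INPUT` (append) do to the chain
after each command. Added example; the listing below is constructed."""

import shlex

# Constructed sample of `iptables -S INPUT` after the gist's two commands
# (iptables normalises `-p tcp --dport 22` to `-p tcp -m tcp --dport 22`).
SAMPLE_LISTING = """\
-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
"""

ACCEPT_RULE = "-i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
DROP_RULE = "-i eth0 -p tcp --dport 22 -j DROP"


def _opt(toks, flag):
    """Value following `flag` in a tokenised rule, or None if absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def is_established_accept(toks):
    ctstate = (_opt(toks, "--ctstate") or "").split(",")
    return "ESTABLISHED" in ctstate and _opt(toks, "-j") == "ACCEPT"


def is_port_drop(toks, port):
    return _opt(toks, "--dport") == port and _opt(toks, "-j") == "DROP"


def parse_listing(text):
    """Return the '-A' rules of an `iptables -S` listing as token lists, in chain order."""
    return [shlex.split(line) for line in text.splitlines() if line.startswith("-A ")]


def cuts_existing_sessions(rules, port="22"):
    """True if a DROP for `port` is reached before any ESTABLISHED ACCEPT:
    packets of an already-open SSH session would then be dropped."""
    for toks in rules:
        if is_established_accept(toks):
            return False
        if is_port_drop(toks, port):
            return True
    return False


def check_spa_order(rules, port="22"):
    """(ok, reason) for the end state the gist wants: new connections to `port`
    are dropped until fwknopd opens it, but established sessions keep working."""
    if not any(is_port_drop(r, port) for r in rules):
        return False, f"no DROP for tcp/{port}: SSH is reachable without a knock"
    if not any(is_established_accept(r) for r in rules):
        return False, "no ESTABLISHED,RELATED ACCEPT: sessions die when fwknopd's timeout closes the port"
    if cuts_existing_sessions(rules, port):
        return False, "DROP precedes the ESTABLISHED,RELATED ACCEPT, which therefore never matches"
    return True, "ok"


def apply_commands(commands):
    """Model `iptables -I INPUT <pos> <rule>` (pos is 1-based) or
    `iptables -A INPUT <rule>` (pos None) run in sequence on an empty chain.
    Returns the chain (list of rule strings) after each command."""
    chain, states = [], []
    for pos, rule in commands:
        if pos is None:
            chain = chain + [rule]
        else:
            chain = chain[:pos - 1] + [rule] + chain[pos - 1:]
        states.append(list(chain))
    return states


def dry_run(commands, port="22"):
    """Return (ok_final, transient_cut): does the final chain pass check_spa_order,
    and would any intermediate chain drop an in-flight SSH session on `port`?"""
    states = [[shlex.split(r) for r in st] for st in apply_commands(commands)]
    ok_final, _ = check_spa_order(states[-1], port)
    transient_cut = any(cuts_existing_sessions(st, port) for st in states[:-1])
    return ok_final, transient_cut


if __name__ == "__main__":
    print(check_spa_order(parse_listing(SAMPLE_LISTING)))
    # The gist's order: DROP inserted first, ACCEPT inserted above it afterwards.
    print(dry_run([(1, DROP_RULE), (1, ACCEPT_RULE)]))
    # ACCEPT at the head first, DROP appended below it.
    print(dry_run([(1, ACCEPT_RULE), (None, DROP_RULE)]))
```

Feed `dry_run` the exact `(position, rule)` pairs you intend to type; the second element of its result tells you whether you need to be on the other SSH port while applying them, and the first whether the chain you end up with still gates port 22 behind the knock without stranding open sessions.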

client

  • install fwknop (sometimes packaged as fwknop-client)
  • use fwknop -K keys.txt to generate the key and HMAC key for your SPA
  • add these to ~/.fwknoprc like so:
[bastion]
SPA_SERVER          <Target IP>  
ACCESS              tcp/22
KEY_BASE64          <BASE64>
HMAC_KEY_BASE64     <BASE64>
USE_HMAC            Y

server

  • copy the key data across to /etc/fwknop/access.conf
  • run $ sudo fwknop -S to check its status
  • run $ sudo fwknop -R to restart it with the new settings
  • double check your iptables setup looks ok

client

  • run fwknop -n bastion -R --verbose
  • Provided this succeeds, you should now be able to log in over ssh on port 22 :D
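The client and server steps above only work if ~/.fwknoprc and /etc/fwknop/access.conf carry the same KEY_BASE64 and HMAC_KEY_BASE64 and the ACCESS port the client asks for is one the server's OPEN_PORTS allows; a mismatch just looks like a knock that does nothing. The script below is an added example, not part of the gist or of fwknop: it generates both keys with os.urandom (the 32-byte sizes are this example's choice, `fwknop -K` picks its own), writes the two stanzas from one source, and cross-checks a pair of stanzas for the mismatches that make a knock fail. The server IP in the usage block is a constructed placeholder.

```python
"""Generate the key material the client (~/.fwknoprc) and server
(/etc/fwknop/access.conf) must share, emit both stanzas, and cross-check them.
Added example; keys come from os.urandom, not from `fwknop -K`."""

import base64
import os

KEY_BYTES = 32        # assumption for this example, not fwknop -K's own size
HMAC_KEY_BYTES = 32   # same


def generate_keys():
    """Fresh random SPA key and HMAC key, base64 encoded as both files expect."""
    return {
        "KEY_BASE64": base64.b64encode(os.urandom(KEY_BYTES)).decode(),
        "HMAC_KEY_BASE64": base64.b64encode(os.urandom(HMAC_KEY_BYTES)).decode(),
    }


def fwknoprc_stanza(name, server_ip, keys, access="tcp/22"):
    """Client stanza in the layout used by the gist (a [name] section of ~/.fwknoprc)."""
    return "\n".join([
        f"[{name}]",
        f"SPA_SERVER          {server_ip}",
        f"ACCESS              {access}",
        f"KEY_BASE64          {keys['KEY_BASE64']}",
        f"HMAC_KEY_BASE64     {keys['HMAC_KEY_BASE64']}",
        "USE_HMAC            Y",
    ]) + "\n"


def access_conf_stanza(keys, open_ports="tcp/22", source="ANY"):
    """Server stanza for /etc/fwknop/access.conf using fwknopd's SOURCE, OPEN_PORTS,
    KEY_BASE64 and HMAC_KEY_BASE64 directives. SOURCE ANY accepts a knock from any
    address; the HMAC must still verify before the packet is even decrypted."""
    return "\n".join([
        f"SOURCE {source}",
        f"OPEN_PORTS {open_ports}",
        f"KEY_BASE64 {keys['KEY_BASE64']}",
        f"HMAC_KEY_BASE64 {keys['HMAC_KEY_BASE64']}",
    ]) + "\n"


def parse_stanza(text):
    """Parse 'DIRECTIVE value' lines of either file into a dict; skips [sections], blanks, comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out[key] = value.strip()
    return out


def cross_check(rc_text, access_text):
    """Return a list of problems; an empty list means the client stanza matches the server stanza."""
    rc, ac = parse_stanza(rc_text), parse_stanza(access_text)
    problems = []
    for key in ("KEY_BASE64", "HMAC_KEY_BASE64"):
        if rc.get(key) != ac.get(key):
            problems.append(f"{key} differs between ~/.fwknoprc and access.conf")
        try:
            base64.b64decode(rc.get(key, ""), validate=True)
        except (ValueError, TypeError):
            problems.append(f"{key} in ~/.fwknoprc is not valid base64")
    if "HMAC_KEY_BASE64" in ac and rc.get("USE_HMAC", "N").upper() != "Y":
        problems.append("USE_HMAC is not Y but the server has an HMAC key: un-authenticated SPA packets are discarded")
    wanted = rc.get("ACCESS", "")
    allowed = [p.strip() for p in ac.get("OPEN_PORTS", "").split(",")]
    if wanted not in allowed:
        problems.append(f"ACCESS {wanted} is not in the server's OPEN_PORTS {allowed}")
    return problems


if __name__ == "__main__":
    keys = generate_keys()
    rc = fwknoprc_stanza("bastion", "203.0.113.10", keys)   # constructed server IP
    ac = access_conf_stanza(keys)
    print(rc)
    print(ac)
    print("problems:", cross_check(rc, ac))
```

Run `cross_check` on the stanza you pasted into each file (rather than on the generated text) whenever `fwknop -n bastion -R --verbose` reports success but port 22 stays closed; it distinguishes a copy-paste mismatch from a firewall problem before you start reading fwknopd logs.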
@poleguy
poleguy commented Feb 3, 2025

If you're trying to set this up remotely be careful.
The iptables commands are in the wrong order. They must be run in this order to not kill your current ssh connection. Also be careful because in 2025 eth0 is not the default nic on ubuntu. Use enp3s0 instead.

  $ sudo iptables -I INPUT 1 -i enp3s0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $ sudo iptables -I INPUT 1 -i enp3s0 -p tcp --dport 22 -j DROP
