
I have a server running Wireguard. Being security-paranoid, I'm using fwknop (Firewall Knock Operator - a glorified port knocking server) to conceal the Wireguard port.

This means that whenever I want to connect one of my clients to the Wireguard server, I first need to use the fwknop client to open the Wireguard port on the server (via iptables) and then connect to Wireguard.

I'm starting to question if this is actually necessary, since Wireguard drops invalid attempts and a hacker would not get any feedback. Therefore, using fwknop, or any other port knocking service, is useless (for Wireguard, at least; it could be, and is, useful for other services, of course).

Does it make sense to use port knocking for Wireguard concealment?

1 Answer

As port scanning won't work on wireguard anyway (it's just a UDP listener) and all invalid packets are dropped, port knocking would be an ultra-paranoid on-top thing here.

I'd not recommend using port knocking in any business environment, as it is flawed by design (security by obscurity) and not a real "security" solution. But this is just my opinion; I know some (strange) admins that dropped 2FA for the knox.

bjoster
  • Doesn't change the answer, but fwknop uses cryptography to authenticate (https://www.cipherdyne.org/fwknop/) and has protection against replay. So this one is not flawed by design. – A.B Sep 05 '22 at 11:16
  • "port knocking[...] it is flawed by design", the advice was using crypto instead. – bjoster Sep 06 '22 at 12:09
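The comment above notes that fwknop authenticates each knock cryptographically and protects against replay, which is what separates it from a plain knock sequence that anyone watching the wire could repeat. The following is an added illustrative model, not fwknop's actual wire format and not code from this thread: an HMAC-authenticated single-packet knock whose verifier rejects tampered, stale and replayed packets. The shared key, the validity window and the packet layout are assumptions made for the demo.

```python
"""Model of an authenticated single-packet knock with replay protection (constructed example, NOT fwknop's format)."""
import hashlib
import hmac
import os
import struct
import time

KEY = b"example-shared-secret"   # constructed secret for the demo
WINDOW = 120                     # seconds a knock stays valid (assumed)
NONCE_LEN, TAG_LEN = 16, 32

def build_knock(key, src_ip, port, now=None, nonce=None):
    """Client side: nonce | timestamp | src_ip | NUL | port | HMAC-SHA256 tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ts = int(time.time() if now is None else now)
    body = nonce + struct.pack(">I", ts) + src_ip.encode() + b"\x00" + struct.pack(">H", port)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class KnockVerifier:
    """Server side: accept a knock only if it is authentic, fresh and not seen before."""

    def __init__(self, key, window=WINDOW):
        self.key, self.window, self.seen = key, window, {}  # seen: nonce -> timestamp

    def verify(self, pkt, now=None):
        """Return (src_ip, port) to open, or None (silently, like a dropped packet) if rejected."""
        now = int(time.time() if now is None else now)
        if len(pkt) < NONCE_LEN + 4 + 1 + 1 + 2 + TAG_LEN:
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        # Constant-time MAC check first: without the key, a forged or modified
        # packet never gets further than this line.
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return None
        nonce = body[:NONCE_LEN]
        ts = struct.unpack(">I", body[NONCE_LEN:NONCE_LEN + 4])[0]
        # Freshness: drop knocks outside the window (old captures, clock skew).
        if abs(now - ts) > self.window:
            return None
        # Replay: forget nonces that fell out of the window, then refuse a repeat.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts
        rest = body[NONCE_LEN + 4:]
        src_ip = rest[:-3].decode()            # everything before the NUL and the port
        port = struct.unpack(">H", rest[-2:])[0]
        return src_ip, port
```

A replayed knock is the one case a plain knock sequence cannot distinguish from a legitimate one; here it fails on the nonce check even though its MAC is valid.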