Hiya,

I am looking towards deploying WireGuard as my primary VPN connection, and wonder a bit if the various clients (Android, wg-quick, whatever there is for macOS, iOS and Windows), could be made to include the possibility of calling external programs upon (re-)connections, in my case specifically for port knocking, but possibly useful for other purposes as well?

In the cases of Android and iOS, I am a bit unsure about interaction with other apps, so maybe, to begin with, just built-in port knocking capabilities could be considered.

Any thoughts?

--
A video dry trample here madam ere help martyr doe diva
http://doulogos.blogspot.com
wg-quick-based clients have this, but the UI clients do not. However, for your use case, port knocking, I'd recommend getting rid of the port knocking. WireGuard is silent to unauthenticated packets, which means you don't need to port knock it. It was specifically made as a port knocking replacement.
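As an added illustration (not from the thread), this is what the wg-quick hook keys look like in an `[Interface]` section; the knock script path and the key/endpoint values are placeholders:

```ini
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.0.0.2/32
# wg-quick executes these snippets with bash; %i expands to the interface name.
# PreUp runs before the interface is brought up, PostDown after it is torn down,
# so a script run here can open and close other services around the tunnel.
PreUp = /usr/local/bin/knock-server.sh up
PostUp = logger -t wg-quick "%i is up"
PreDown = logger -t wg-quick "%i going down"
PostDown = /usr/local/bin/knock-server.sh down

[Peer]
PublicKey = <server public key placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Each hook key may appear more than once and the entries run in order; as noted above, the UI clients do not run these hooks, and the WireGuard port itself does not need knocking.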
On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
> Hiya,
>
> I am looking towards deploying WireGuard as my primary VPN
> connection,
> and wonder a bit if the various clients (Android, wg-quick, whatever
> there is for macOS, iOS and Windows), could be made to include the
> possibility of calling external programs upon (re-)connections, in my
> case specifically for port knocking, but possibly useful for other
> purposes as well?
>
> In the cases of Android and iOS, I am a bit unsure about interaction
> with other apps, so maybe, to begin with, just built-in port knocking
> capabilities could be considered.
>
> Any thoughts?
>
In my experience there isn't really a case where the client gets
disconnected (like a crash) and then needs to reconnect.
For me the client always stays enabled, but if there is a problem at
the remote end then packets don't go anywhere.
In other words the traffic might get dropped by the remote (feels like
no traffic *at all*), but I've never seen a situation where I was
accidentally sending unencrypted traffic.
Nicholas
On 13/11/2020 17.58, Nicholas Capo wrote:
> On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
>> Hiya,
>>
>> I am looking towards deploying WireGuard as my primary VPN
>> connection,
>> and wonder a bit if the various clients (Android, wg-quick, whatever
>> there is for macOS, iOS and Windows), could be made to include the
>> possibility of calling external programs upon (re-)connections, in my
>> case specifically for port knocking, but possibly useful for other
>> purposes as well?
>>
>> In the cases of Android and iOS, I am a bit unsure about interaction
>> with other apps, so maybe, to begin with, just built-in port knocking
>> capabilities could be considered.
>>
>> Any thoughts?
>>
>
> In my experience there isn't really a case where the client gets
> disconnected (like a crash) and then needs to reconnect.
> For me the client always stays enabled, but if there is a problem at
> the remote end then packets don't go anywhere.
>
> In other words the traffic might get dropped by the remote (feels like
> no traffic *at all*), but I've never seen a situation where I was
> accidentally sending unencrypted traffic.
>
> Nicholas
>
>
>
Hi Nicholas,
Well, my worry was that if I used port knocking, then, since I also use
fail2ban on the server, the client (phone specifically) would change
IP addresses, need to knock, or else get banned.
But if I understand Jason correctly (thank you, Jason), even if we
employ port knocking for a few other things, if we keep the WG port
open, it will actually look closed, unless one actually has a legitimate
client and client config.
Is that understanding correct?
--
Real programmers don't comment...
What was hard to write should be hard to read.
On 11/14/20, Sune Mølgaard <sune@molgaard.org> wrote:
> But if I understand Jason correctly (thank you, Jason), even if we
> employ port knocking for a few other things, if we keep the WG port
> open, it will actually look closed, unless one actually has a legitimate
> client and client config.
>
> Is that understanding correct?
That is correct.