Fwknop on x86/64 22.03.2

Hi,

I'm trying to get fwknop working on OpenWrt 22.03.2 r19803-9a599fee93 x86/64.

The problem that I'm facing is:

  • I can see the SPA packet:
Fri Nov 25 19:45:19 2022 daemon.info fwknopd[3431]: (stanza #1) SPA Packet from IP: xx.xx.xx.xx received with access source match
Fri Nov 25 19:45:19 2022 daemon.info fwknopd[3431]: Added FORWARD rule to FWKNOP_FORWARD for xx.xx.xx.xx -> 0.0.0.0/0 tcp/222, expires at 1669398379
Fri Nov 25 19:45:19 2022 daemon.info fwknopd[3431]: Added DNAT rule to FWKNOP_PREROUTING for xx.xx.xx.xx -> 0.0.0.0/0 tcp/222, expires at 1669398379
  • I can see the iptables rules being updated
Chain FWKNOP_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       xx.xx.xx.xx         0.0.0.0/0            tcp dpt:222 /* _exp_1669398379 */

But I get a connection refused on port 222 while trying to ssh into the router (moved from default port 22 to 222).
Tried it with telnet on port 80, same behavior.
The "pkts" count in iptables for this rule is always 0, no matter how many times I try to connect in the allocated interval.

Initially after installing fwknopd I got an error from iptables saying that some "nat" module was not available and I fixed that by installing "iptables-mod-nat-extra".
This was while fwknopd was launched with -v otherwise it would not tell anything.

Where should I look to debug this issue?
Might the problem be related to nftables vs iptables?

Thank you,
George

1 Like

Did you have any luck? Because I'm seeing the exact same thing. Fwiw I had a working fwknop config going back continuously to probably 18.06. It was working fine in 21.02 and it stopped working in 22.03. My assumption is the same as yours: nftables vs iptables. I saw this in 22.03.0 as well, but I figured that's what I get for running a .0, yet it's still happening in .2.

Have not worked on the problem in the meantime.
But it's working on OpenWrt 21.02.3 r16554-1d4dea6d4f, TP-Link Archer C7 v5.
I think I will drop a few versions if this is the only solution for now.

Downgraded to 21.02.5 r16688-fa9a932fdb and it's working fine.

fwknopd is basically useless on "nftables"-style openwrt, unless you add script glue that does the firewall manipulation.

It is not just the iptables/nftables difference, one could have done in openwrt what basically every other non-joke distro did, and have the nftables-compatibility iptables userspace installed.

But openwrt fw4 uses its own table, so it basically and fundamentally cannot interoperate with anything that expects the usual iptables-style chains and tables. If any table or chain does a DROP in nftables, it cannot be overridden to an ACCEPT by some other table/chain, not even a higher priority one.

So, the openwrt fwknopd package in 22.0x is buggy. It needs to add such fwknopd action scripts, and use them instead of the built-in fwknopd iptables manipulation. Even if upstream fwknopd would fix an issue requested more than half a decade ago and add nftables support, it would not help on openwrt due to the fw4 table. We need to add openwrt-specific glue for it to work, and that should be done by the openwrt fwknopd package.

More details and possibly a fix here:

1 Like
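The "script glue" the post above describes, written out as an added example (not code from the thread or from the OpenWrt fwknopd package): instead of iptables chains, the knocking source goes into a timed nftables set inside fw4's own `inet fw4` table, and a single accept rule in the WAN input chain honours that set, so the entry expires on its own the way the `_exp_` iptables comment did. Assumed names, none taken from the thread: table `inet fw4`, chain `input_wan`, set `fwknop_allow`; sshd on tcp/222 as in the original post.

```shell
#!/bin/sh
# Constructed example: nftables glue for fwknopd on an fw4-based OpenWrt.
# Functions only build nft script text; fwknop_apply feeds it to `nft -f -`.
# Assumptions (not from the thread): table "inet fw4", chain "input_wan",
# set "fwknop_allow". fw4 flushes its table on reload, so in practice the
# set and rule should also live in a file under /etc/nftables.d/ (assumed
# fw4 include path) rather than only being added at runtime.
FW_TABLE="inet fw4"
FW_CHAIN="input_wan"
FW_SET="fwknop_allow"
SSH_PORT=222

# Reject anything that is not four dotted decimal octets in 0..255, so an
# address taken from an SPA packet can never smuggle extra nft syntax.
fwknop_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# One-time setup: the timed set plus an accept rule at the top of the WAN
# input chain (insert, so it runs before fw4's own drop/reject rules).
fwknop_setup_script() {
    printf 'add set %s %s { type ipv4_addr; flags timeout; }\n' "$FW_TABLE" "$FW_SET"
    printf 'insert rule %s %s ip saddr @%s tcp dport %s accept\n' \
        "$FW_TABLE" "$FW_CHAIN" "$FW_SET" "$SSH_PORT"
}

# Per-knock grant: fwknop_grant_script <source ip> <seconds>; the element
# is removed by the kernel when the timeout runs out, no cleanup cron needed.
fwknop_grant_script() {
    fwknop_valid_ipv4 "$1" || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    printf 'add element %s %s { %s timeout %ss }\n' "$FW_TABLE" "$FW_SET" "$1" "$2"
}

# Run a generator and hand its output to nft as a script.
fwknop_apply() { "$@" | nft -f -; }

case "$1" in
    setup) fwknop_apply fwknop_setup_script ;;
    grant) fwknop_apply fwknop_grant_script "$2" "$3" ;;
esac
```

Run once as `sh glue.sh setup`, then `sh glue.sh grant <ip> 30` for each accepted knock; `nft list set inet fw4 fwknop_allow` shows the remaining timeout of each entry.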

At this point, it probably makes more sense to use a (road-warrior type) wireguard VPN setup than fwknop. Like fwknop, wireguard won't respond/reveal itself unless you have the correct wireguard key; on the pro side, all communication after this handshake will be part of the VPN as well (and is encrypted).

4 Likes

I think I may have a working solution without extra scripts and awkward config. If you install kmod-ipt-nat and kmod-ipt-nat-extra, along with luci-app-fwknopd, the forwarding rules work correctly. I'm not sure if other modes work, but forwarding seemed the most complicated to stitch together with nft rules.

1 Like

Not working on my side:

OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a

but

OpenWrt 21.02.7 r16847-f8282da11e / LuCI openwrt-21.02 branch git-23.093.57360-e98243e

worked first try.
I guess I will stay on 21.02.xx for a while, hopefully fwknopd gets updated.

@Shikasta can you comment on this?

I did some experimentation after the initial success and posted more about it here: https://github.com/openwrt/packages/issues/16818#issuecomment-1456407848 and follow-up https://github.com/openwrt/packages/issues/16818#issuecomment-1476278433
Removing both packages, I've confirmed the knock works but entry doesn't; then re-added only kmod-ipt-nat and found that it works again, so only that module is needed.

It was while trying to debug the missing routing entries with iptables -t nat when I was getting

iptables v1.8.7 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

I'm on OpenWRT 22.03.2 on a WRT3200ACM. I doubt 22.03.5 will be that different, but might be worth trying the older build.

Thanks, will you make your fw update anytime soon?

I'm at 23.05 RC-3. After installing kmod-ipt-nat, fwknopd works perfectly.

Thank you

1 Like

I just got confirmation OpenSPA can be considered as a replacement for Fwknop:

Anyone brave to try?

From the link:

Well, I would rather at least include replay protection into the project before considering it a viable replacement for fwknop. You could however use the project in its current form, it works as is.

FYI, other alternative:

I'm not sure about its readiness, though.

I can confirm my previous fix also works on WRT3200ACM running 23.05.5.

Just installing kmod-ipt-nat and iptables-zz-legacy alongside fwknopd (and dependency tree) works.