OpenWrt 22: replacement for knockd

Hello,

In version 14 there was knockd; now there is fwknop. The installation page says:

client is known as fwknop or fwknop-client which is available ... and on Windows using Cygwin.

In the scenario for which I am setting up a new router, Cygwin is not an option; it cannot be installed on the participating Windows clients!

What other choices do I have?

In the end, I need some sort of daemon on OpenWrt that simply recognizes access to certain ports and reacts to a certain sequence of ports. Just like good old knockd.

All this takes place inside a trusted LAN, so there is no security issue here.

Any suggestions?

Many thanks in advance!

If the LAN is trusted, why do you need any port knocking? Typically this is used on the WAN to open ports only after a specific sequence of knocks occurs (from the internet, which is obviously untrusted).

1 Like

It is to wake up a server that is not needed 24/7, to reduce energy costs by letting the server sleep when it is not needed.

I don't think port knocking is designed to do that.

The idea behind port knocking is that you can have a 'secret knock' that opens ports (that are otherwise kept closed) as an additional security measure for remote access to your router/network.

You may want something like Wake on LAN.
See this recent thread on the topic:

Note, not all hardware supports WOL, and the details of the power-off/hibernation state will have a significant impact on whether this works properly.

1 Like

I know that WOL would be the better choice, but there are some Windows machines involved that can't cope with it. Just believe me, I tried for days to make it work on those machines. Senseless. The only working solution I found was to let these machines knock ports on the router running OpenWrt, and let the router send the correct WOL packets to the server.

I know this is a sick solution, but it's not my fault. Ask Bill about it... :wink:

This is all happening LAN side?

Why not send the WOL packet directly? Or, use the LuCI app for WOL on the router to send it to the server.

2 Likes

Because the Windows machines I was talking about don't send the WOL packets correctly; they produce garbage and the server won't wake up.

Install WOL on OpenWrt, as well as the LuCI app. You can then use the OpenWrt interface and send the WOL packets from OpenWrt directly.

2 Likes

Yeeees... sounds like a good idea, but: did you ever try teaching more than one Windows user to use a web GUI in order to activate something they want? That could become a lifetime experience!

The solution that I am using now looks like this:

@echo off
REM Windows telnet takes the host first, then the port; nothing listens on the router
telnet router_ip port#1
telnet router_ip port#2
telnet router_ip port#3
telnet router_ip port#4

Saved as a batch file on the Windows desktops that the users simply need to click when that particular server is needed. Of course, there's no telnet daemon running on the router, but knockd recognizes those connection requests and can react to them and wake the server. I know that this is a very dirty solution, but it was the one with the least "inconvenience" for the users, and I'd rather not try to teach them something different now, after they got used to this "just-one-click thing", especially not something that would require more than one click to get what they want...

I know about those user actions that LuCI can create that don't even require logging in, so you don't need to give away any password. But still, this would require the HTTP daemon to be reachable from that part of the net. The port knocking solution may be a dirty one, but on the other hand it does not require any open port; they just have to be knocked at.

It's really easy... it's a web page. Have you tried it yet?

I believe that you are making things far more complicated than they need to be.

3 Likes

Have you tried?

Or you can do it in a PowerShell script with

I've used windows clients to send wake on lan packets before and they've worked alright.

1 Like

PowerShell is not available on all Windows clients because of old OS versions. I know those OS versions should not be used any longer, but that is not my decision to make.

Please believe me: I tried different WOL programs on all Windows machines, and I have not found a single program that is available for all OS versions and that will work on every machine under any circumstances. For example: there are Windows machines that need the wake-up call to be done when a certain user account is activated. Do you know how many autostart mechanisms exist in Windows and how they differ from version to version? You have to do this differently on each version. Some versions require a valid user account, some require a machine account. And when a machine is upgraded, you can try to make it work from scratch again. Been there, done that. Sigh...

This fake telnet connection trick is the only technique I got to work on every machine, no matter how old the hardware, no matter how out of date the OS.

To cut a long story short: I think the best solution to my problem is to try to compile knockd myself and make it run on OpenWrt 22 on the new router again.

Somehow I cannot quite believe that the authors of OpenWrt threw out something that was at least working, no matter how secure they thought it was, and replaced it with something that requires an additional installation of some kind of virtual machine (Cygwin) on the clients, just to get the same functionality again. (Question: how secure is Cygwin on Windows compared to knockd on OpenWrt?)

I wouldn't bother at all if there were a native Windows client available for the replacement of knockd that would run on different versions of Windows, or if they had made the old package optional, but this is some kind of policy I cannot quite agree with.

That's almost certainly not the reason. More likely it was because the upstream project has been unmaintained for more than a decade, the source repository disappeared, and the package had to be dropped for formal reasons.

I am either unable or too stupid to find any commit that removes the package with a reason attached. I have to assume that's because it was too long ago. 14.07 was the last version that came with a knock/knockd package; that was almost a decade ago, and it was already in the legacy "oldpackages" feed back then.

Did you look at Fwknop-gui?

1 Like

Task Scheduler didn't change that much between Windows XP and Windows 11.

That's how long the old router was on duty. :wink:

No, I haven't yet. I was preferring and looking for a scriptable solution that requires as little user interaction as possible. But if there is nothing better available any more, I guess I'll have to get along with it.

That's nice and all and congratulations on your uptime. But, yikes, for someone who's ostensibly quite security conscious ("how secure is cygwin on windows compared to knockd on OpenWrt?") you seem surprisingly chill with running a router firmware that's been EOL and insecure for the better part of a decade.

Anyhoo, after re-reading this part of your post several times I still don't quite get it, please help me out here:

Yup. Even easier: you can set up another, secondary web server instance next to LuCI, on another port, and have it run a shell script when it's accessed. BTDT.

I don't get it: your router's knockd is reachable via telnet from those parts of your network, but an httpd isn't? You know that plain HTTP is, to all intents and purposes, the same as telnet. You could even use a telnet client to poke that httpd.

2 Likes

The router in question is not my router, and as I said before: it is not my decision when and if it needs to be upgraded! :frowning:

That really sounds interesting, and it could be the solution to my problem. When you say it can be run when accessed, do you mean accessed in a browser, or would access from a script, e.g. with curl, be sufficient to trigger the command?

I do understand your concern about this, but I think there's a misunderstanding here: as far as I know, knockd itself offers no service on any port; it just listens on the assigned ports and reacts to connection requests. Of course I choose dead ports where no service will ever run. (At least I hope so.) The Windows batch script just calls "telnet $port", but that call will never be answered and it will never open a telnet session. These calls are only made to make knockd do its work.

I don't think that this could be a security issue, but please correct me if I'm wrong!

As far as I am aware, anything goes: a browser, curl, wget, even telnet to the port will cause the web server to deliver its default page, which behind the scenes can be a simple shell script.

I have no security concerns, but I didn't know you meant what you wrote as security concerns; I took it as a technical hindrance.
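As an added example (not code from this thread or from OpenWrt), this is what the "secondary web server instance that runs a shell script when accessed" can look like on OpenWrt 22: a second uhttpd instance on port 8081 whose only content is a CGI script that sends the wake-up frame with etherwake. The token, MAC address, interface name and 192.168.1.0/24 subnet are made-up placeholders. The token matters even on a trusted LAN: an unauthenticated GET URL can be triggered by any web page a LAN user happens to open (an embedded image tag is enough), so the script checks the source subnet and a token in the query string. The token travels in plain HTTP and is no secret against a sniffer; it is a nuisance guard, not authentication.

```shell
#!/bin/sh
# wake.cgi: one-URL wake trigger for a second uhttpd instance on OpenWrt 22.
# Added example for this thread, not code from the thread or from OpenWrt.
# Assumptions: installed as /www-wake/cgi-bin/wake by setup_uhttpd below,
# etherwake package installed, LAN is 192.168.1.0/24. Token, MAC and
# interface are made-up placeholders; replace them.

WAKE_TOKEN="${WAKE_TOKEN:-change-me-to-a-long-random-string}"
SERVER_MAC="${SERVER_MAC:-00:11:22:33:44:55}"   # hypothetical server MAC
LAN_IF="${LAN_IF:-br-lan}"
ALLOWED_NET="192.168.1."                         # hypothetical LAN prefix

# query_param NAME QUERY_STRING: print the first value of NAME, if present.
query_param() {
  printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# wake_authorized REMOTE_ADDR QUERY_STRING: true only for a LAN source
# that presents the expected token (and never when no token is configured).
wake_authorized() {
  [ -n "$WAKE_TOKEN" ] || return 1
  case "$1" in "$ALLOWED_NET"*) ;; *) return 1 ;; esac
  [ "$(query_param token "$2")" = "$WAKE_TOKEN" ]
}

# CGI entry point: uhttpd provides GATEWAY_INTERFACE, REMOTE_ADDR, QUERY_STRING.
wake_cgi() {
  printf 'Content-Type: text/plain\r\n\r\n'
  if wake_authorized "${REMOTE_ADDR:-}" "${QUERY_STRING:-}"; then
    if etherwake -i "$LAN_IF" "$SERVER_MAC"; then
      echo "wake sent to $SERVER_MAC"
    else
      echo "etherwake failed"
    fi
  else
    echo "denied"
  fi
}

# One-time router setup (not run by default): a second uhttpd on port 8081
# serving only this CGI script, so LuCI itself is not exposed on that port.
setup_uhttpd() {
  mkdir -p /www-wake/cgi-bin
  cp "$0" /www-wake/cgi-bin/wake && chmod 755 /www-wake/cgi-bin/wake
  uci set uhttpd.wake=uhttpd
  uci add_list uhttpd.wake.listen_http='192.168.1.1:8081'
  uci set uhttpd.wake.home='/www-wake'
  uci set uhttpd.wake.cgi_prefix='/cgi-bin'
  uci commit uhttpd
  /etc/init.d/uhttpd restart
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  wake_cgi
elif [ "${1:-}" = "setup" ]; then
  setup_uhttpd
fi
```

On the client side this keeps the "one click" property without installing anything: a desktop shortcut to http://192.168.1.1:8081/cgi-bin/wake?token=... opens in whatever browser the old Windows version has and shows "wake sent". Anything that can issue a GET (curl, wget, a browser) triggers it; a bare telnet connect does not, because uhttpd waits for a request line.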

I've been trying to understand fwknop and make it work today, but I have to admit: it is way above me and too complicated. :frowning:

I don't think this package will solve my problem, for two reasons:

  1. It seems to me this package is meant for far heavier setup problems than mine. I just need some script to be executed when certain ports are knocked in a specific order.

  2. It would require additional installations on each participating client.

There must be some easier way of getting what I need.

I found some information on the net about implementing some sort of knockd using pure iptables commands, but the next information I found is that iptables has been replaced by firewall4.

So, it is back to square one. The next attempt to solve this would be trying to compile knockd for OpenWrt 22.
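The iptables-based knock recipes do have an nftables counterpart, and the part that knockd did (watch a port sequence, then run a command) fits in a small shell script. The following is an added example, not code from the thread, knockd or OpenWrt: an nft rule in a table of its own logs SYNs to the knock ports with a prefix, and a script follows `logread -f`, tracks the sequence per source address with a timeout, and calls etherwake once the full sequence arrives in order. The existing Windows batch file with its telnet calls keeps working unchanged and nothing is installed on the clients. Knock ports 7000/8000/9000, the interface br-lan, the server MAC and the "knock: " prefix are placeholders; the SRC=/DPT= fields are the kernel's standard netfilter log format. Two caveats a practitioner should know: the sequence is plaintext on the wire and trivially replayable, which is acceptable for "wake a server" but not for opening ports; and if the knock ports were ever dropped instead of answered with a reset, the client would retransmit SYNs for a while, which is why a repeat of the current knock port is ignored rather than treated as a wrong knock.

```shell
#!/bin/sh
# knockwake.sh: minimal knockd stand-in for OpenWrt 22 (firewall4/nftables).
# Added example for this thread; not code from the thread, knockd or OpenWrt.
# Assumptions (all placeholders): knock ports 7000,8000,9000 reached via
# br-lan, sleeping server MAC 00:11:22:33:44:55, etherwake installed, and an
# nft rule logging SYNs to the knock ports with the prefix "knock: ".

KNOCK_SEQ="${KNOCK_SEQ:-7000,8000,9000}"   # required order, comma separated
KNOCK_WINDOW="${KNOCK_WINDOW:-10}"         # max seconds between two knocks
KNOCK_PREFIX="${KNOCK_PREFIX:-knock: }"    # log prefix used by the nft rule
SERVER_MAC="${SERVER_MAC:-00:11:22:33:44:55}"
LAN_IF="${LAN_IF:-br-lan}"

# One-time setup (not run by default): log knocks from a table of our own
# rather than fw4's "inet fw4" table. Priority -10 runs before fw4's filter.
install_log_rule() {
  ports="{ $(printf '%s' "$KNOCK_SEQ" | sed 's/,/, /g') }"
  nft add table inet knock
  nft add chain inet knock input '{ type filter hook input priority -10; policy accept; }'
  nft add rule inet knock input iifname "$LAN_IF" tcp flags syn tcp dport "$ports" \
      log prefix "\"$KNOCK_PREFIX\""
}

# Reads "EPOCH <netfilter log line>" on stdin, prints "EPOCH SRC" once per
# completed sequence. State is per source: a wrong port restarts (or resets),
# a repeat of the current port (SYN retransmit) is ignored, and more than
# KNOCK_WINDOW seconds of silence resets.
knock_detect() {
  awk -v seq="$KNOCK_SEQ" -v window="$KNOCK_WINDOW" '
  BEGIN { n = split(seq, want, ",") }
  {
    ts = $1 + 0; src = ""; dpt = ""
    for (i = 2; i <= NF; i++) {
      if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
      else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
    }
    if (src == "" || dpt == "") next
    if ((src in stage) && ts - last[src] > window) stage[src] = 0
    if (dpt == want[stage[src] + 1]) {             # next port in order
      stage[src]++; last[src] = ts
      if (stage[src] == n) { print ts, src; fflush(); stage[src] = 0 }
    } else if (stage[src] > 0 && dpt == want[stage[src]]) {
      last[src] = ts                                # retransmit: ignore
    } else {
      stage[src] = (dpt == want[1]) ? 1 : 0         # wrong port: restart
      last[src] = ts
    }
  }'
}

# Acts on detector output: one wake-on-LAN frame per completed sequence.
knock_react() {
  while read -r ts src; do
    logger -t knockwake "knock sequence from $src at $ts, waking $SERVER_MAC"
    etherwake -i "$LAN_IF" "$SERVER_MAC"
  done
}

# Follow the kernel log, keep only our prefixed lines, stamp each with the
# current epoch time in the shell (so the detector never parses log dates).
run() {
  logread -f | while IFS= read -r line; do
    case "$line" in
      *"$KNOCK_PREFIX"*) printf '%s %s\n' "$(date +%s)" "$line" ;;
    esac
  done | knock_detect | knock_react
}

case "${1:-}" in
  install) install_log_rule ;;
  run) run ;;
esac
```

Usage on the router: `sh knockwake.sh install` once, then `sh knockwake.sh run` from a procd init script or `/etc/rc.local`. Because only the log rule touches the firewall and the LAN input policy stays as it is, the knocked ports still answer with a plain reset, exactly as they did for the old knockd setup.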

So there is a shell script, and you need to remote-trigger the script from some clients.

And plain standard scripted "ssh" cannot be used for that purpose, because why?

1 Like