If the LAN is trusted, why do you need any port knocking? Typically this is used on the WAN to open ports only after a specific sequence of knocks occurs (from the internet, which is obviously untrusted).
I know that WOL would be the better choice, but... there are some Windows machines involved that can't cope with it. Just believe me, I tried to make it work for days on those machines. Senseless. The only working solution I found was to let these machines knock ports on the router running OpenWrt, and let the router send the correct WOL packets to the server.
I know this is a sick solution, but it's not my fault. Ask Bill about it...
Saved as a batch file on the Windows desktops that the users simply need to click when that particular server is needed. Of course, there's no telnet daemon running on the router, but knockd recognizes those connection requests and can react to them and awaken the server. I know that this is a very dirty solution, but it was the one with the least "inconvenience" for the users, and I'd rather not try to teach them something different now, after they got used to this "just-one-click thing", especially not something that would require more than one click to get what they want...
I know those user actions that LuCI can create, which don't even require logging in, so you don't need to give away any password. But still, this would require the HTTP daemon to be reachable from that part of the net. The port knocking solution may be a dirty one, but on the other hand it does not require any open port; they just have to be knocked at.
PowerShell is not available on all Windows clients because of old OS versions. I know those OS versions should not be used any longer, but that is not my decision to make.
Please believe me: I tried different WOL programs on all Windows machines, and I have not found a single program that is available for all OS versions and that will work on every machine under any circumstances. For example: there are Windows machines that need the wake-up call to be made when a certain user account is activated. Do you know how many autostart mechanisms exist in Windows and how they differ from version to version? You have to do this differently on each version. Some versions require a valid user account, some require a machine account. And when a machine is upgraded, you can try to make it work from scratch again. Been there, done that. Sigh...
This fake telnet connection trick is the only technique I got to work on every machine, no matter how old the hardware, no matter how much out of date the OS.
To cut a long story short: I think the best solution to my problem is to try to compile knockd myself and make it run on OpenWrt 22 on the new router again.
Somehow I cannot quite believe that the authors of OpenWrt threw out something that was at least working, no matter how secure they thought it was, and replaced it with something that requires an additional installation of some kind of virtual machine (Cygwin) on the clients, just to get the same functionality again. (Question: how secure is Cygwin on Windows compared to knockd on OpenWrt?)
I wouldn't bother at all if there was a native Windows client available for the replacement of knockd that would run on different versions of Windows, or if they had made the old package optional, but this is some kind of policy I cannot quite agree to.
That's almost certainly not the reason. More likely it was because the upstream project has been unmaintained for more than a decade, the source repository disappeared, and the package had to be dropped for formal reasons.
I am either unable or too stupid to find any commit that removes the package with a reason attached. I have to assume that's because it's been too long ago. 14.07 was the last version that came with a knock/knockd package, that was almost a decade ago, and it already had it in the legacy "oldpackages" feed back then.
No, I haven't yet. I was preferring and looking for a scriptable solution, one which requires as little user interaction as possible. But if there is nothing better available any more, I guess I'll have to get along with it.
That's nice and all and congratulations on your uptime. But, yikes, for someone who's ostensibly quite security conscious ("how secure is cygwin on windows compared to knockd on OpenWrt?") you seem surprisingly chill with running a router firmware that's been EOL and insecure for the better part of a decade.
Anyhoo, after re-reading this part of your post several times I still don't quite get it, please help me out here:
Yup. Even easier, you can set up another secondary web server instance next to LuCI, on another port, and have it run a shell script when it's accessed. BTDT.
I don't get it: your router's knockd is reachable via telnet from those parts of your network, but an httpd isn't? You know that plain HTTP is, to all intents and purposes, the same as telnet. You could even use a telnet client to poke that httpd.
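The "secondary web server that runs a shell script when accessed" idea from the reply above, as an added example that is not the poster's setup and not LuCI or uhttpd code. It shows why a browser, curl, or a telnet session typing `GET /wake?token=... HTTP/1.0` are all the same to the server, and which checks such a trigger endpoint should make before acting: the client address must be in an allowed network, the path must match, and a shared token must be present. The networks, path, token and the `action` hook are constructed placeholders; in a real deployment the hook would run the wake-up script on the router.

```python
"""Minimal HTTP trigger endpoint (added example, not the thread's code).

A trigger endpoint is just a listener that reads one line of text, so the
same checks a knockd sequence gives you for free (only the expected "knock"
fires the command) have to be made explicitly here.
"""
import hmac
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders; the real values are not in the thread.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]
TRIGGER_PATH = "/wake"
SHARED_TOKEN = "example-token-change-me"


def should_trigger(client_ip, path, token):
    """Return True only for an allowed source, the trigger path and a valid token."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if not any(addr in net for net in ALLOWED_NETS):
        return False
    if path != TRIGGER_PATH:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token or "", SHARED_TOKEN)


def parse_request_target(target):
    """Split a request target such as '/wake?token=abc' into (path, token)."""
    parts = urlsplit(target)
    token = parse_qs(parts.query).get("token", [None])[0]
    return parts.path, token


class TriggerHandler(BaseHTTPRequestHandler):
    # Hypothetical hook; replace with the router-side wake-up command.
    action = staticmethod(lambda: None)
    fired = 0   # how many requests passed the checks (for inspection)

    def do_GET(self):
        path, token = parse_request_target(self.path)
        if should_trigger(self.client_address[0], path, token):
            type(self).fired += 1
            self.action()
            status, body = 200, b"triggered\n"
        else:
            status, body = 403, b"forbidden\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def serve(handler=TriggerHandler):
    """Start the endpoint on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, token):
    """Send the same GET that curl would and return the HTTP status code."""
    port = server.server_address[1]
    url = f"http://127.0.0.1:{port}{TRIGGER_PATH}?token={token}"
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = serve()
    print("good token ->", probe(srv, SHARED_TOKEN))   # 200
    print("bad token  ->", probe(srv, "wrong"))        # 403
    srv.shutdown()
```

A client-side batch file would then contain a single `curl "http://router:PORT/wake?token=..."` call, or the same request line typed into a telnet session, which is the point the reply makes: HTTP on a side port is no more exposed than the telnet-style knocks already in use, but unlike knockd the endpoint has to do its own source and token checks.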
The router in question is not my router, and as I said before: it is not my decision when and if it needs to be upgraded!
That really sounds interesting and it could be the solution to my problem. When you say it can be run when accessed, do you mean accessed in a browser, or would access from a script, e.g. with curl, be sufficient to trigger the command?
I do understand your concern about this, but I think there's a misunderstanding here: as far as I know, knockd itself offers no service on any port; it just listens on the assigned ports and reacts to connection requests. Of course I choose dead ports, where no service will ever run. (At least I hope so.) The Windows shell script just calls "telnet $port", but that call will never be answered and it will never open a telnet session. These calls are only done to make knockd do its work.
I don't think that this could be a security issue, but please correct me if I'm wrong!
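The router-side behaviour the thread relies on (a fixed sequence of connection attempts on unused ports, then a WOL magic packet to the sleeping server), as an added example that is neither the poster's batch file nor knockd's own code. It models a knockd-style tracker in Python: each client must hit the ports in order within a time window, a wrong or late knock resets that client, and a completed sequence yields the magic packet the router would broadcast. The port sequence, timeout, MAC address and the sample connection attempts are constructed for the example and do not come from the thread.

```python
"""Knock-sequence tracker and Wake-on-LAN magic packet (added example)."""
import socket
import time

# Constructed values; the real ports and MAC are not in the thread.
KNOCK_SEQUENCE = (7001, 8002, 9003)   # ports on which no service ever listens
KNOCK_TIMEOUT = 5.0                   # seconds allowed from first to last knock
SERVER_MAC = "00:11:22:33:44:55"      # placeholder MAC of the machine to wake


class KnockTracker:
    """Per-client progress through the knock sequence, with a timeout.

    A knock on the wrong port, or a knock arriving after the window has
    closed, resets that client, so neither an out-of-order attempt nor a stale
    partial sequence can complete the knock.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self._progress = {}   # client_ip -> (next_index, time_of_first_knock)

    def knock(self, client_ip, port, now=None):
        """Record one connection attempt; True only when the sequence completes."""
        now = time.monotonic() if now is None else now
        index, started = self._progress.get(client_ip, (0, now))
        if index > 0 and now - started > self.timeout:
            index, started = 0, now          # too slow: start over
        if port != self.sequence[index]:
            # Wrong port: drop progress, but let a valid first knock begin anew.
            index = 1 if port == self.sequence[0] else 0
            self._progress[client_ip] = (index, now)
            return False
        index += 1
        if index == len(self.sequence):
            del self._progress[client_ip]    # completed; next wake needs a fresh sequence
            return True
        self._progress[client_ip] = (index, started)
        return False


def build_magic_packet(mac):
    """WOL magic packet: six 0xFF bytes followed by the MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet over UDP (port 9 is the conventional choice)."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


def replay_knocks(events, tracker=None):
    """Feed (time, client_ip, port) events through a tracker.

    Returns the client IPs that completed the sequence, in completion order.
    """
    tracker = tracker or KnockTracker()
    return [ip for when, ip, port in events if tracker.knock(ip, port, now=when)]


# Constructed connection attempts: one desktop knocks correctly, one knocks
# out of order, and one knocks in the right order but too slowly.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7001), (0.5, "192.0.2.10", 8002), (1.0, "192.0.2.10", 9003),
    (0.0, "192.0.2.20", 8002), (0.5, "192.0.2.20", 7001), (1.0, "192.0.2.20", 9003),
    (0.0, "192.0.2.30", 7001), (3.0, "192.0.2.30", 8002), (9.0, "192.0.2.30", 9003),
]

if __name__ == "__main__":
    for ip in replay_knocks(SAMPLE_EVENTS):
        size = len(build_magic_packet(SERVER_MAC))
        print(f"{ip} completed the sequence; would broadcast a {size}-byte magic packet")
```

Only the first sample client completes the sequence; the tracker's state is what makes a bare `telnet router 7001` harmless on its own, which is the point the poster makes above: no port is open, and nothing happens unless the whole sequence arrives in order and in time.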