On Sunday, December 3, 2017 8:48:19 AM EST you wrote:
> Kind Sir
>
> First, this looks like a fantastic port protection method. Thanks for your
> work in writing it.
>
> I am trying to set this up for the first time on a Ubiquiti Edge-lite router
> which uses Debian Wheezy (mips). The version in the Wheezy repos is
> quite dated:
>
> user@Host ~ $ sudo fwknopd -V
> [-] file: /etc/fwknop/fwknopd.conf permissions should only be user read/write (0600, -rw-------)
> fwknopd server 2.0.0rc2
>
> I have also installed to a host on my LAN and it does not report this
> permission issue. So I assume that the warning is from fwknop and not the
> EdgeOS on the router and plan on changing it. Although I may compile the
> newest version instead. But that carries its own set of problems, as the
> router is not a very good compiler, so I would need to compile on a
> computer which is not of the same architecture.
>
> More important is that I am not understanding how to work around an issue
> with the first step in your tutorial. It says:
>
> "From spaclient generate encryption and HMAC keys along with the ssh access
> request arguments to spaserver.domain.com. In the fwknop command below the
> client IP '1.1.1.1' is used in the argument: '-a 1.1.1.1', and assumes this
> IP is known to the user. This is the externally routable IP of the client
> system (i.e. past any NAT device), and will certainly be different for your
> particular network. Using the -a argument is the most secure method of
> generating an SPA packet since it encrypts the IP to be allowed through the
> remote firewall within the SPA packet vs. having to trust the network layer
> header. The fwknop client can also resolve your externally routable IP via
> the -R argument which causes fwknop to issue an HTTPS request (via wget
> --secure-protocol ...) to an IP resolution script hosted on
> cipherdyne.org. However, if you are concerned about a local network admin
> or other entity discovering usage of the fwknop client through traffic
> analysis you should not use this option since DNS and HTTPS requests to
> cipherdyne.org are rather obvious."
>
> My issue is that for my use case the remote IP will almost never be known
> beforehand. What I am trying to do: I have a couple of IP cameras that I
> would like to put into service for security reasons, but they call home to
> the manufacturer's servers and I don't trust them. When these cameras are
> allowed to talk freely the output is accessible from a cell phone app and
> that is a nice feature, but only when I want that access to exist. Hence
> fwknop, which, if I understand its capabilities correctly, will allow me to
> slap the router on some port and have it open access for the cameras to
> talk to the manufacturer's servers, thereby giving me access via my cell to
> the camera output. When I am done, a second slap of the router and the
> access will be terminated.
>
> The tutorial never says, and I have not been able to locate, how to work
> around the "assumption that the IP" is known or can be discovered when the
> key is generated. So, not being able to get that IP, as it will always be
> different depending on which towers and network the phone will be on, can I
> just omit that part of the command?
>
> Another issue that I will have to deal with is that I did not install the
> gpg suggested packages into the router as they wanted to drag in a bunch of
> other dependencies, and space is limited on the router and I want to keep
> the footprint as small as possible.
>
> Any help or guidance you can share with me will be greatly appreciated. I
> hope to write a tutorial for the users of the Ubiquiti routers. The only
> info I have been able to find is on an Ubuntu site and it is quite dated
> also. I have not looked specifically at OpenWrt yet, but will do
> so next.
>
> Thanks
> Randy
I did finally find the info about the -s -R -a switches and did get a successful key generation. But it seems, according to the access.conf on the router, it can't accept the keys: KEY vs KEY_BASE64 and HMAC_KEY_BASE64. So I am assuming that the older version can't use the keys.

--
If it ain't broke, tweak it

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
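The two problems raised in this thread, the fwknopd.conf permission warning and an access.conf stanza whose key directives (KEY vs KEY_BASE64 / HMAC_KEY_BASE64) the installed server may not accept, are both things an administrator can check offline before touching the router. The script below is an added example written for this page; it is not fwknop's own code and not Randy's. It assumes the access.conf layout of one `DIRECTIVE value;` per line with `#` comments and a new stanza at each SOURCE line, which is how fwknop's documentation shows the file, and the sample stanzas and keys are constructed here rather than taken from the thread. The 0600 rule comes from the warning quoted above. It reports which key style each stanza uses and whether the base64 values decode, so a mismatch between the keys `--key-gen` produced and what the server can parse is visible before fwknopd is restarted.

```python
"""Audit fwknopd access.conf stanzas and a config-file mode (added example, not fwknop code)."""
import base64
import binascii
import re
import stat

# One "DIRECTIVE value;" per line, as in fwknop's documented access.conf (assumed layout).
LINE_RE = re.compile(r"^\s*([A-Z_0-9]+)\s+(.*?);?\s*$")


def parse_stanzas(text):
    """Split access.conf text into stanzas; a new stanza starts at each SOURCE line."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "SOURCE" or not stanzas:
            stanzas.append({})
        stanzas[-1][name] = value
    return stanzas


def decoded_key_length(value):
    """Byte length of a base64 key, or None if the value is not clean base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def audit_stanza(stanza):
    """Describe which key directives a stanza uses and whether they decode."""
    report = {"source": stanza.get("SOURCE"), "problems": []}
    if "KEY_BASE64" in stanza:
        # --key-gen style: needs a server that understands KEY_BASE64
        report["key_style"] = "base64"
        n = decoded_key_length(stanza["KEY_BASE64"])
        report["key_bytes"] = n
        if n is None:
            report["problems"].append("KEY_BASE64 is not valid base64")
    elif "KEY" in stanza:
        # plaintext KEY directive, the style older access.conf files use
        report["key_style"] = "plaintext"
        report["key_bytes"] = len(stanza["KEY"].encode())
    else:
        report["key_style"] = "none"
        report["problems"].append("no KEY or KEY_BASE64 directive")
    report["hmac"] = "HMAC_KEY_BASE64" in stanza or "HMAC_KEY" in stanza
    if "HMAC_KEY_BASE64" in stanza:
        n = decoded_key_length(stanza["HMAC_KEY_BASE64"])
        report["hmac_bytes"] = n
        if n is None:
            report["problems"].append("HMAC_KEY_BASE64 is not valid base64")
    return report


def permission_warning(mode):
    """True when a config file has any group/other bits set (fwknopd wants 0600)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample: keys are derived from fixed bytes so the example runs offline.
SAMPLE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()  # 32 bytes
SAMPLE_HMAC = base64.b64encode(b"0123456789abcdef" * 4).decode()  # 64 bytes
SAMPLE_ACCESS_CONF = f"""
# constructed stanza in the --key-gen output style
SOURCE              ANY;
OPEN_PORTS          tcp/22;
KEY_BASE64          {SAMPLE_KEY};
HMAC_KEY_BASE64     {SAMPLE_HMAC};

# constructed stanza using the plaintext KEY directive
SOURCE              192.0.2.0/24;
OPEN_PORTS          tcp/22;
KEY                 constructedplaintextkey;
"""

if __name__ == "__main__":
    for s in parse_stanzas(SAMPLE_ACCESS_CONF):
        print(audit_stanza(s))
    # st.st_mode from os.stat("/etc/fwknop/fwknopd.conf") would be passed here on a real host
    print("mode 0644 triggers the warning:", permission_warning(0o100644))
```

On a real host, feed `open("/etc/fwknop/access.conf").read()` to `parse_stanzas` and `os.stat("/etc/fwknop/fwknopd.conf").st_mode` to `permission_warning`; a stanza reported as `base64` on a server that only documents the plaintext `KEY` directive is the mismatch this thread is asking about.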