On Sun, Dec 3, 2017 at 8:48 AM, Randy <thejun...@gmail.com> wrote:
> Kind Sir
>
> First, this looks like a fantastic port protection method. Thanks for your
> work in writing it.
>
> I am trying to set this up for the first time on a Ubiquiti Edge-lite
> router which uses Debian Wheezy (mips). The version in the Wheezy repos is
> quite dated:
>
> user@Host ~ $ sudo fwknopd -V
> [-] file: /etc/fwknop/fwknopd.conf permissions should only be user read/write (0600, -rw-------)
> fwknopd server 2.0.0rc2
>
> I have also installed it on a host on my LAN and it does not report this
> permission issue. So I assume that the warning is from fwknop and not the
> EdgeOS on the router and plan on changing it. Although I may compile the
> newest version instead. But that carries its own set of problems as the
> router is not a very good compiler, so I would need to compile on a computer
> which is not of the same architecture.
>
>
You may be able to cross-compile a more recent version of fwknop by using
the '--host' argument to the './configure' command like this:
https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Hosts-and-Cross_002dCompilation.html
> More important is that I am not understanding how to work around an issue
> with the first step in your tutorial. It says:
>
> "From spaclient generate encryption and HMAC keys along with the ssh access
> request arguments to spaserver.domain.com. In the fwknop command below the
> client IP '1.1.1.1' is used in the argument: '-a 1.1.1.1', and assumes this
> IP is known to the user. This is the externally routable IP of the client
> system (i.e. past any NAT device), and will certainly be different for your
> particular network. Using the -a argument is the most secure method of
> generating an SPA packet since it encrypts the IP to be allowed through the
> remote firewall within the SPA packet vs. having to trust the network layer
> header. The fwknop client can also resolve your externally routable IP via
> the -R argument which causes fwknop to issue an HTTPS request (via wget
> --secure-protocol ...) to an IP resolution script hosted on cipherdyne.org.
> However, if you are concerned about a local network admin or other entity
> discovering usage of the fwknop client through traffic analysis you should
> not use this option since DNS and HTTPS requests to cipherdyne.org are
> rather obvious."
>
> My issue is that for my use case the remote IP will almost never be known
> beforehand. What I am trying to do: I have a couple of IP cameras that I
> would like to put into service for security reasons, but they call home to
> the manufacturer's servers and I don't trust them. When these cameras are
> allowed to talk freely the output is accessible from a cell phone app and
> that is a nice feature, but only when I want that access to exist. Hence
> fwknop, which, if I understand its capabilities correctly, will allow me to
> slap the router on some port and have it open access for the cameras to talk
> to the manufacturer's servers, thereby giving me access via my cell to the
> camera output. When I am done, a second slap of the router and the access
> will be terminated.
>
Yes, I think that sounds reasonable if I'm understanding your use case properly.
Note that one potential issue from the mobile side of things is that
sometimes the IP associated to your phone may change fairly rapidly
depending on how the carrier routes traffic. At least, we've seen this type
of behavior reported before. Overall, I think it should likely work though.
>
> The tutorial never says, and I have not been able to locate, how to work
> around the "assumption that the IP" is known or can be discovered when the
> key is generated. So, not being able to get that IP, as it will always be
> different depending on which towers and network the phone will be on, can I
> just omit that part of the command?
>
You mentioned the -R, -s, and -a switches in your next email - those
provide the answer.
>
> Another issue that I will have to deal with is that I did not install the
> gpg suggested packages into the router as they wanted to drag in a bunch of
> other dependencies and space is limited on the router and I want to keep the
> footprint as small as possible.
>
GPG is not a requirement - it is an optional capability for those that want
to encrypt and sign SPA packets with GPG. You can achieve perfectly
reasonable security with AES and an HMAC, and in this case GPG is not
required at all.
Thanks,
--Mike
>
> Any help or guidance you can share with me will be greatly appreciated. I
> hope to write a tutorial for the users of the Ubiquiti routers. The only
> info I have been able to find is on a Ubuntu site and it is quite dated
> also. Although I have not looked specifically at OpenWrt yet, but will do so
> next.
>
> Thanks
> Randy
>
>
> --
> If it ain't broke tweek it
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
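To make the -a/-R versus -s distinction discussed above concrete, here is a simplified server-side model, added for this thread and not fwknop's own code or wire format, of how an SPA server picks the IP it will open the firewall for: the IP field inside the authenticated payload wins unless it is 0.0.0.0, in which case the packet's network-layer source is used. It assumes a constructed HMAC key and constructed IPs and timestamps, and omits the AES layer that fwknop wraps around the payload.

```python
import hashlib
import hmac
import ipaddress
import json
import time

# Simplified model of SPA access-IP selection written for this thread; it is
# not fwknop's wire format. The HMAC key is a constructed example value, and
# the AES encryption fwknop applies to the payload is omitted here.
HMAC_KEY = b"constructed-hmac-key-for-this-example"
ANY_SOURCE = "0.0.0.0"   # what the client puts in the IP field when using -s
TAG_LEN = hashlib.sha256().digest_size

def build_spa(allowed_ip, access="tcp/22", ts=None, key=HMAC_KEY):
    """Client side: the IP to be allowed is bound into the authenticated payload.
    With -a (or -R, which resolves the external IP first) this is the real
    external address; with -s it is 0.0.0.0, leaving the choice to the server."""
    if ts is None:
        ts = int(time.time())
    body = json.dumps({"ip": allowed_ip, "access": access, "ts": ts}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaServer:
    """Server side: authenticate, reject replays and stale packets, then decide
    which source IP gets the firewall rule."""
    def __init__(self, key=HMAC_KEY, max_age=120):
        self.key = key
        self.max_age = max_age
        self.seen = set()   # digests of accepted packets, for replay detection

    def process(self, packet, header_src_ip, now=None):
        """Return the IP to open access for, or None if the packet is rejected."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None                   # forged or wrong key: no decision at all
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return None                   # replayed packet
        msg = json.loads(body)
        if abs((time.time() if now is None else now) - msg["ts"]) > self.max_age:
            return None                   # too old to be a fresh request
        self.seen.add(digest)
        try:
            allowed = str(ipaddress.ip_address(msg["ip"]))
        except ValueError:
            return None                   # payload carried something that is not an IP
        if allowed == ANY_SOURCE:
            return header_src_ip          # -s: trust the network-layer header
        return allowed                    # -a/-R: trust only the authenticated field
```

This also shows the mobile caveat Mike raises: with -a/-R the rule is created for the address carried in the payload, so if the phone's address has changed since the -R lookup the request simply does not grant the phone access, whereas with -s the header source is used at the cost of trusting it.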