On Sun, Dec 3, 2017 at 10:56 AM, Randy <thejun...@gmail.com> wrote:
> On Sunday, December 3, 2017 8:48:19 AM EST you wrote:
> > Kind Sir
> >
> > First, this looks like a fantastic port protection method. Thanks for your work in writing it.
> >
> > I am trying to set this up for the first time on a Ubiquiti Edge-lite router which uses Debian Wheezy (mips). The version in the Wheezy repos is quite dated:
> >
> > user@Host ~ $ sudo fwknopd -V
> > [-] file: /etc/fwknop/fwknopd.conf permissions should only be user read/write (0600, -rw-------)
> > fwknopd server 2.0.0rc2
> >
> > I have also installed it on a host on my LAN and it does not report this permission issue. So I assume that the warning is from fwknop and not the EdgeOS on the router, and I plan on changing it. Although I may compile the newest version instead. But that carries its own set of problems, as the router is not a very good compiler, so I would need to compile on a computer which is not of the same architecture.
> >
> > More important is that I am not understanding how to work around an issue with the first step in your tutorial. It says:
> >
> > "From spaclient generate encryption and HMAC keys along with the ssh access request arguments to spaserver.domain.com. In the fwknop command below the client IP '1.1.1.1' is used in the argument: '-a 1.1.1.1', and assumes this IP is known to the user. This is the externally routable IP of the client system (i.e. past any NAT device), and will certainly be different for your particular network. Using the -a argument is the most secure method of generating an SPA packet since it encrypts the IP to be allowed through the remote firewall within the SPA packet vs. having to trust the network layer header. The fwknop client can also resolve your externally routable IP via the -R argument which causes fwknop to issue an HTTPS request (via wget --secure-protocol ...) to an IP resolution script hosted on cipherdyne.org. However, if you are concerned about a local network admin or other entity discovering usage of the fwknop client through traffic analysis you should not use this option since DNS and HTTPS requests to cipherdyne.org are rather obvious."
> >
> > My issue is that for my use case the remote IP will almost never be known beforehand. What I am trying to do: I have a couple of IP cameras that I would like to put into service for security reasons, but they call home to the manufacturer's servers and I don't trust them. When these cameras are allowed to talk freely the output is accessible from a cell phone app, and that is a nice feature, but only when I want that access to exist. Hence fwknop, which, if I understand its capabilities correctly, will allow me to slap the router on some port and have it open access for the cameras to talk to the manufacturer's servers, thereby giving me access via my cell to the camera output. When I am done, a second slap of the router and the access will be terminated.
> >
> > The tutorial never says, and I have not been able to locate, how to work around the "assumption that the IP" is known or can be discovered when the key is generated. So, not being able to get that IP, as it will always be different depending on which towers and network the phone will be on, can I just omit that part of the command?
> >
> > Another issue that I will have to deal with is that I did not install the gpg suggested packages on the router as they wanted to drag in a bunch of other dependencies, and space is limited on the router and I want to keep the footprint as small as possible.
> >
> > Any help or guidance you can share with me will be greatly appreciated. I hope to write a tutorial for the users of the Ubiquiti routers. The only info I have been able to find is on an Ubuntu site and it is quite dated also. Although I have not looked specifically at openwrt yet, I will do so next.
> >
> > Thanks
> > Randy
>
> I did finally find the info about the -s, -R and -a switches and did get a successful key generation. But it seems, according to the access.conf on the router, it can't accept the keys.
>
> KEY vs KEY_BASE64 and HMAC_KEY_BASE64
>
> So I'm assuming that the older version can't use the keys.
>
Yes, 2.0.0rc2 is way old.
I would definitely recommend upgrading fwknopd - maybe with the cross
compiler approach?
It is important to use an HMAC for various security reasons.
Thanks,
--Mike
> --
> If it ain't broke tweak it
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
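The access.conf mismatch in this thread (a stanza written with KEY_BASE64 and HMAC_KEY_BASE64 against a 2.0.0rc2 fwknopd that only knows KEY) and the 0600 permissions warning are both things worth checking mechanically on a router before restarting the daemon. The script below is an added example, not code from the fwknop project or from either poster: it converts the two lines that `fwknop --key-gen --use-hmac` prints into an access.conf stanza in the form a current (2.5 and later) fwknopd reads, and then lints such a file for permissions, a legacy plaintext `KEY:` line, and key sizes. The 32-byte Rijndael key and 64-byte HMAC key sizes, the `SOURCE`/`OPEN_PORTS` values, and the constructed sample keys are my assumptions for illustration; it needs a `base64` that accepts `-d` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example; not code from the fwknop project or from anyone in this thread.
#
# keygen_to_stanza    - turn the two lines that `fwknop --key-gen --use-hmac`
#                       prints into an fwknopd access.conf stanza using the
#                       KEY_BASE64 / HMAC_KEY_BASE64 directives that a current
#                       fwknopd (2.5 and later) reads.
# check_access_stanza - lint such a file before restarting fwknopd: mode 0600
#                       (the same rule fwknopd warns about for fwknopd.conf),
#                       no legacy plaintext KEY: directive, and both base64
#                       keys present and decoding to the default key sizes.
#
# Assumptions (mine, not stated in the thread): a 32-byte Rijndael key and a
# 64-byte HMAC key, which is what --key-gen emits by default; a `base64` that
# accepts -d (GNU coreutils or busybox). SOURCE/OPEN_PORTS values are illustrative.

# Constructed stand-in for `fwknop --key-gen --use-hmac` output. The keys are
# derived from fixed strings so the script runs offline; never reuse them.
sample_keygen_output() {
    printf 'KEY_BASE64: %s\n' \
        "$(printf '%s' '0123456789abcdef0123456789abcdef' | base64 | tr -d '\n')"
    printf 'HMAC_KEY_BASE64: %s\n' \
        "$(printf '%s' 'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210' | base64 | tr -d '\n')"
}

# usage: keygen_to_stanza SOURCE OPEN_PORTS < keygen-output
keygen_to_stanza() {
    src=$1 ports=$2
    out=$(cat)
    key=$(printf '%s\n' "$out" | sed -n 's/^KEY_BASE64: *//p')
    hmac=$(printf '%s\n' "$out" | sed -n 's/^HMAC_KEY_BASE64: *//p')
    printf 'SOURCE: %s\n' "$src"
    printf 'OPEN_PORTS: %s\n' "$ports"
    # Reject SPA packets built with `fwknop -s` (allow-IP 0.0.0.0, i.e. trust
    # the packet's network-layer source); -a and -R embed a real address.
    printf 'REQUIRE_SOURCE_ADDRESS: Y\n'
    printf 'FW_ACCESS_TIMEOUT: 30\n'
    printf 'KEY_BASE64: %s\n' "$key"
    printf 'HMAC_KEY_BASE64: %s\n' "$hmac"
}

# Decoded length in bytes of DIRECTIVE's value in FILE; 0 if absent or not base64.
b64_bytes() {
    v=$(sed -n "s/^$1: *//p" "$2" | head -n 1)
    [ -n "$v" ] || { echo 0; return; }
    printf '%s' "$v" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# usage: check_access_stanza FILE ; returns 0 if it passes, 1 otherwise
check_access_stanza() {
    f=$1 rc=0
    perms=$(ls -ld "$f" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "FAIL: $f is $perms, fwknopd wants 0600 (-rw-------)"; rc=1
    fi
    if grep -q '^KEY:' "$f"; then
        echo "FAIL: legacy plaintext KEY: directive; use KEY_BASE64 plus an HMAC key"; rc=1
    fi
    grep -q '^SOURCE:' "$f" || { echo "FAIL: no SOURCE: line"; rc=1; }
    if [ "$(b64_bytes KEY_BASE64 "$f")" -ne 32 ]; then
        echo "FAIL: KEY_BASE64 missing or not a 32-byte key"; rc=1
    fi
    if [ "$(b64_bytes HMAC_KEY_BASE64 "$f")" -ne 64 ]; then
        echo "FAIL: HMAC_KEY_BASE64 missing or not a 64-byte key"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Stand-alone demo: build a stanza in a temp dir, lint it with the wrong
# permissions (reports the same class of problem as the warning in the
# thread), then with 0600.
tmp=$(mktemp -d)
sample_keygen_output | keygen_to_stanza ANY tcp/22 > "$tmp/access.conf"
chmod 644 "$tmp/access.conf"
check_access_stanza "$tmp/access.conf"
chmod 600 "$tmp/access.conf"
check_access_stanza "$tmp/access.conf"
rm -rf "$tmp"
```

The client-side half that pairs with such a stanza is the command the quoted tutorial describes, `fwknop -A tcp/22 -a <client ip> -D spaserver.domain.com --key-gen --use-hmac --save-rc-stanza`; with `REQUIRE_SOURCE_ADDRESS: Y` in place, a client that cannot know its address in advance still works with `-R` (the resolved address is embedded in the encrypted payload), while `-s` is refused, so the server never opens a port to whatever source address happened to be on the packet.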