Hi, I'm running fwknop on OpenWRT. While it's been great and works as advertised using the bash client, I'm having a bit of trouble getting it to work correctly from the fwknop2 client on my android phone, even though I scanned the QR Code from OpenWRT Luci to set it up on the phone.
The difference between the results of the two configurations is visible in the OpenWRT router logs, where fwknopd reports what it has done to the firewall configuration.

Here is an example of how the bash client appears to work correctly. I have the following stanza in my fwknop client configuration:

    [someprofile]
    ACCESS              tcp/41453
    SPA_SERVER          some.spaserver.com
    KEY_BASE64          ...
    HMAC_KEY_BASE64     ...
    USE_HMAC            Y
    RESOLVE_IP_HTTPS    Y

I then use the following command to get it to connect and open the port for me:

    fwknop -N 192.168.38.39:22 -v -n someprofile

And then the logs on the router look a bit like this, with the `Removed rule 1 from FWKNOP_PREROUTING...` occurring later after I've tried to connect...and of course it does connect as intended. The rules are removed, and nobody can connect after that.

    # CORRECT
    Sun Nov 1 21:26:33 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 173.190.104.111 received with access source match
    Sun Nov 1 21:26:33 2020 daemon.warn fwknopd[1344]: (stanza #1) SPA packet from 173.190.104.111 requested NAT access, but is not enabled/support
    Sun Nov 1 21:26:46 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 173.190.104.111 received with access source match
    Sun Nov 1 21:26:46 2020 daemon.info fwknopd[1344]: Added FORWARD rule to FWKNOP_FORWARD for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
    Sun Nov 1 21:26:46 2020 daemon.info fwknopd[1344]: Added DNAT rule to FWKNOP_PREROUTING for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
    Sun Nov 1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_FORWARD with expire time of 1604266036
    Sun Nov 1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_PREROUTING with expire time of 1604266036

As a side note, it occurred to me that maybe my `-N 192.168.38.39` argument probably does nothing because of the `requested NAT access, but is not enabled/support` log entry...but since it works, I just leave it in there.

----

However...when I use fwknop2 on the phone something completely different happens and the correct rules are not added. I scanned the QR code to enter the configuration and I end up with a config on the phone client something like this:

    Nickname: QR Code Test
    Server Address: some.spaserver.com
    Use Legacy Mode (unchecked)
    Use Random Server Port (unchecked)
    Server Port: 62201
    Protocol: UDP
    Use GPG (unchecked)
    Rijndael Key: ...
    Key Is Base 64 (checked)
    SPA Digest Type: SHA256
    HMAC Key: ...
    HMAC Is Base 64 (checked)
    SPA HMAC Type: SHA256
    Allow IP: Source IP
    Message Type: Nat Access
    Access Ports: tcp/41453,udp/41453
    Firewall Timeout: 60
    Keep open: (checked)
    Internal IP: 192.168.38.39
    Internal Port: 22

And that results in the following log entries on OpenWRT and being unable to connect...

    Sun Nov 1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_INPUT with expire time of 1604265235
    Sun Nov 1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 2 from FWKNOP_INPUT with expire time of 1604265235
    Sun Nov 1 21:13:58 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 172.58.206.251 received with access source match
    Sun Nov 1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir
    Sun Nov 1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir
    Sun Nov 1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_INPUT with expire time of 1604265249
    Sun Nov 1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 2 from FWKNOP_INPUT with expire time of 1604265249

The configuration of the fwknop2 client is a bit more complicated, just for the fact that it's in a GUI and not a text file; I was wondering if anyone could point me in the right direction as to what the equivalent configuration to my first example would be in fwknop2.

Thank you,
Andrew J. Leer
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
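An added example, not from the post or from the fwknop project: a small Python script that parses fwknopd log lines like the ones quoted above and reports, per SPA source IP, which FWKNOP_* chains actually received rules, so a NAT-access grant (FORWARD + PREROUTING rules) can be told apart from a plain-access grant (INPUT rules only). The sample lines are copied from the two logs in the post, truncated as they appear there; the regular expressions are my own assumptions about the message shapes, derived from those lines rather than from fwknopd's documentation.

```python
import re
from collections import defaultdict

# Sample lines copied (truncated as they appear) from the two fwknopd logs in the post.
SAMPLE_LOG = """\
Sun Nov 1 21:26:33 2020 daemon.warn fwknopd[1344]: (stanza #1) SPA packet from 173.190.104.111 requested NAT access, but is not enabled/support
Sun Nov 1 21:26:46 2020 daemon.info fwknopd[1344]: Added FORWARD rule to FWKNOP_FORWARD for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
Sun Nov 1 21:26:46 2020 daemon.info fwknopd[1344]: Added DNAT rule to FWKNOP_PREROUTING for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
Sun Nov 1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_FORWARD with expire time of 1604266036
Sun Nov 1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir
Sun Nov 1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_INPUT with expire time of 1604265249
"""

# Assumed message shapes, inferred only from the lines above (not fwknopd's documented format).
ADDED_RE = re.compile(r"Added (?P<kind>\w+) rule to (?P<chain>FWKNOP_\w+) for (?P<src>[\d.]+) -> (?P<dst>\S+) (?P<ports>\S+), ")
NAT_REFUSED_RE = re.compile(r"SPA packet from (?P<src>[\d.]+) requested NAT access, but is not enabled")
REMOVED_RE = re.compile(r"Removed rule (?P<num>\d+) from (?P<chain>FWKNOP_\w+)")

def summarize(log_text):
    """Group fwknopd events by SPA source IP: chains that received rules, ports granted, NAT refusals."""
    per_src = defaultdict(lambda: {"chains": set(), "ports": set(), "nat_refused": False})
    removed = defaultdict(int)  # chain -> count of 'Removed rule' lines (they carry no source IP)
    for line in log_text.splitlines():
        if m := ADDED_RE.search(line):
            entry = per_src[m["src"]]
            entry["chains"].add(m["chain"])
            entry["ports"].update(m["ports"].split(","))
        elif m := NAT_REFUSED_RE.search(line):
            per_src[m["src"]]["nat_refused"] = True
        elif m := REMOVED_RE.search(line):
            removed[m["chain"]] += 1
    return dict(per_src), dict(removed)

def access_mode(entry):
    """What fwknopd actually granted: 'nat' (FORWARD + DNAT), 'local' (INPUT only), 'none', or 'mixed'."""
    chains = entry["chains"]
    if {"FWKNOP_FORWARD", "FWKNOP_PREROUTING"} <= chains:
        return "nat"
    if chains == {"FWKNOP_INPUT"}:
        return "local"
    return "none" if not chains else "mixed"

if __name__ == "__main__":
    per_src, removed = summarize(SAMPLE_LOG)
    for src, entry in sorted(per_src.items()):
        note = " (an earlier packet had NAT access refused)" if entry["nat_refused"] else ""
        print(f"{src}: {access_mode(entry)} access, ports {sorted(entry['ports'])}{note}")
    print("rules later removed, per chain:", removed)
```

Run against the full router log (for example `logread | grep fwknopd`), it shows at a glance whether a given client's packets produced NAT rules or only INPUT rules.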