
List:       fwknop-discuss
Subject:    Re: [Fwknop-discuss] Equivalent fwknop2 mobile client configuration?
From:       Jonathan Bennett <jbscience87 () gmail ! com>
Date:       2020-11-02 1:34:33
Message-ID: CAB-pspdOR8z0kjj4yBRvW3+Lxq9NYuLivoFM6B+W2Tm8t7z_Ew () mail ! gmail ! com

Hey Andrew. I'll try to do some testing when I can, but what immediately
jumps out at me is that the Android port is configured with both a TCP and
UDP port. Have you tried it with just the TCP port?

The other thing you can do is run Fwknop on the router in verbose mode, and
get the exact details on the differences between the packets.

Cheers
Jonathan

On Sun, Nov 1, 2020, 4:53 PM Andrew Leer <helpdeskaleer@gmail.com> wrote:

> Hi,
>
> I'm running fwknop on OpenWRT. While it's been great and works as
> advertised using the bash client, I'm having a bit of trouble getting it to
> work correctly from the fwknop2 client on my android phone, even though I
> scanned the QR Code from OpenWRT Luci to set it up on the phone.
>
> The difference between the results of the two configurations is visible in
> the OpenWRT router logs where fwknopd reports what it has done to the
> firewall configuration.
>
> Here is an example of how the bash client appears to work correctly:
>
> I have the following stanza in my fwknop client configuration:
>
> [someprofile]
> ACCESS                     tcp/41453
> SPA_SERVER                 some.spaserver.com
> KEY_BASE64                 ...
> HMAC_KEY_BASE64            ...
> USE_HMAC                   Y
> RESOLVE_IP_HTTPS           Y
>
> I then use the following command to get it to connect and open the port
> for me:
>
> fwknop -N 192.168.38.39:22 -v -n someprofile
>
> And then the logs on the router look a bit like this, with the `Removed
> rule 1 from FWKNOP_PREROUTING...` occurring later after I've tried to
> connect...and of course it does connect as intended.  The rules are
> removed, and nobody can connect after that.
>
> # CORRECT
> Sun Nov  1 21:26:33 2020 daemon.info fwknopd[1344]: (stanza #1) SPA
> Packet from IP: 173.190.104.111 received with access source match
> Sun Nov  1 21:26:33 2020 daemon.warn fwknopd[1344]: (stanza #1) SPA packet
> from 173.190.104.111 requested NAT access, but is not enabled/support
> Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: (stanza #1) SPA
> Packet from IP: 173.190.104.111 received with access source match
> Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: Added FORWARD rule to
> FWKNOP_FORWARD for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
> Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: Added DNAT rule to
> FWKNOP_PREROUTING for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at
> Sun Nov  1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from
> FWKNOP_FORWARD with expire time of 1604266036
> Sun Nov  1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from
> FWKNOP_PREROUTING with expire time of 1604266036
>
> As a side note, it occurred to me that maybe my `-N 192.168.38.39` argument
> probably does nothing because of the `requested NAT access, but is not
> enabled/support` log entry...but since it works, I just leave it in there.
>
> ----
>
> However...when I use fwknop2 on the phone something completely different
> happens and the correct rules are not added.
>
> I scanned the QR code to enter the configuration and I end up with a
> config on the phone client something like this:
>
> Nickname: QR Code Test
> Server Address: some.spaserver.com
> Use Legacy Mode (unchecked)
> Use Random Server Port (unchecked)
> Server Port: 62201
> Protocol: UDP
> Use GPG (unchecked)
> Rijndael Key: ...
> Key Is Base 64 (checked)
> SPA Digest Type: SHA256
> HMAC Key: ...
> HMAC Is Base 64 (checked)
> SPA HMAC Type: SHA256
> Allow IP: Source IP
> Message Type: Nat Access
> Access Ports: tcp/41453,udp/41453
> Firewall Timeout: 60
> Keep open: (checked)
> Internal IP: 192.168.38.39
> Internal Port: 22
>
> And that results in the following log entries on OpenWRT and being unable
> to connect...
> Sun Nov  1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 1 from
> FWKNOP_INPUT with expire time of 1604265235
> Sun Nov  1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 2 from
> FWKNOP_INPUT with expire time of 1604265235
> Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: (stanza #1) SPA
> Packet from IP: 172.58.206.251 received with access source match
> Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to
> FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir
> Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to
> FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir
> Sun Nov  1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 1 from
> FWKNOP_INPUT with expire time of 1604265249
> Sun Nov  1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 2 from
> FWKNOP_INPUT with expire time of 1604265249
>
> The configuration of the fwknop2 client is a bit more complicated, just
> for the fact that it's in a GUI and not a text file; I was wondering if
> anyone could point me in the right direction as to what the equivalent
> configuration to my first example would be in fwknop2.
>
> Thank you,
>
> Andrew J. Leer
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
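Jonathan's suggestion is to get "the exact details on the differences" between what the two clients make fwknopd do. The log excerpts Andrew posted already contain most of that: the bash run produced a FORWARD rule in FWKNOP_FORWARD plus a DNAT rule in FWKNOP_PREROUTING for tcp/41453 (and one earlier packet that was refused NAT access), while the fwknop2 run produced plain access rules in FWKNOP_INPUT for tcp/41453,udp/41453, and the expire epochs show the two holes lived for different lengths of time. The script below is an added example, not code from this thread or from the fwknop project: it parses fwknopd lines in the form OpenWRT's `logread` prints them, and summarises, per SPA source IP, which chains and ports were opened, whether a NAT request was refused, and how long each rule lived (expire epoch minus the time the "Added ... rule" line was logged). The embedded sample is the thread's own two log excerpts re-joined onto one line per entry; it assumes the syslog timestamps are UTC, which the posted epochs confirm (1604266036 is Sun Nov 1 21:27:16 2020 UTC).

```python
"""Summarise fwknopd's firewall actions per SPA source IP.

Added example (not from the thread or the fwknop project). Parses the
fwknopd syslog lines as OpenWRT's `logread` prints them so two client runs
can be compared side by side. Assumption: timestamps are UTC (the posted
expire epochs agree with that).
"""
import calendar
import re
import sys
from collections import defaultdict
from datetime import datetime

# "Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\S+ fwknopd\[\d+\]: (?P<msg>.*)$"
)
# Covers the three rule kinds seen in the thread: access, FORWARD and DNAT.
ADDED_RE = re.compile(
    r"Added (?:access|FORWARD|DNAT) rule to (?P<chain>FWKNOP_\w+) for "
    r"(?P<src>[\d.]+) -> \S+ (?P<ports>\S+?), expir"
)
REMOVED_RE = re.compile(
    r"Removed rule \d+ from (?P<chain>FWKNOP_\w+) with expire time of (?P<expire>\d+)"
)
NAT_REFUSED_RE = re.compile(
    r"SPA packet from (?P<src>[\d.]+) requested NAT access, but is not enabled"
)

# Sample input: the two excerpts posted in the thread, one entry per line.
SAMPLE_LOG = [
    # bash client run (the "# CORRECT" excerpt)
    "Sun Nov  1 21:26:33 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 173.190.104.111 received with access source match",
    "Sun Nov  1 21:26:33 2020 daemon.warn fwknopd[1344]: (stanza #1) SPA packet from 173.190.104.111 requested NAT access, but is not enabled/support",
    "Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 173.190.104.111 received with access source match",
    "Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: Added FORWARD rule to FWKNOP_FORWARD for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at",
    "Sun Nov  1 21:26:46 2020 daemon.info fwknopd[1344]: Added DNAT rule to FWKNOP_PREROUTING for 173.190.104.111 -> 0.0.0.0/0 tcp/41453, expires at",
    "Sun Nov  1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_FORWARD with expire time of 1604266036",
    "Sun Nov  1 21:27:16 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_PREROUTING with expire time of 1604266036",
    # fwknop2 (Android) run
    "Sun Nov  1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_INPUT with expire time of 1604265235",
    "Sun Nov  1 21:13:55 2020 daemon.info fwknopd[1344]: Removed rule 2 from FWKNOP_INPUT with expire time of 1604265235",
    "Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: (stanza #1) SPA Packet from IP: 172.58.206.251 received with access source match",
    "Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir",
    "Sun Nov  1 21:13:58 2020 daemon.info fwknopd[1344]: Added access rule to FWKNOP_INPUT for 172.58.206.251 -> 0.0.0.0/0 tcp/41453,udp/41453, expir",
    "Sun Nov  1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 1 from FWKNOP_INPUT with expire time of 1604265249",
    "Sun Nov  1 21:14:09 2020 daemon.info fwknopd[1344]: Removed rule 2 from FWKNOP_INPUT with expire time of 1604265249",
]


def parse_ts(ts):
    """Syslog timestamp without a zone -> epoch seconds, treated as UTC."""
    dt = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
    return calendar.timegm(dt.timetuple())


def summarize(lines):
    """Per SPA source IP: chains and ports opened, whether a NAT request was
    refused, and rule lifetimes in seconds (expire epoch minus add time)."""
    adds, removes, refused = [], [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        epoch, msg = parse_ts(m.group("ts")), m.group("msg")
        a = ADDED_RE.search(msg)
        r = REMOVED_RE.search(msg)
        n = NAT_REFUSED_RE.search(msg)
        if a:
            adds.append((epoch, a.group("chain"), a.group("src"), a.group("ports")))
        elif r:
            removes.append((r.group("chain"), int(r.group("expire"))))
        elif n:
            refused.add(n.group("src"))

    summary = defaultdict(lambda: {"chains": set(), "ports": set(),
                                   "nat_refused": False, "lifetimes": defaultdict(list)})
    for epoch, chain, src, ports in adds:
        entry = summary[src]
        entry["chains"].add(chain)
        entry["ports"].update(ports.split(","))
        # Pair the add with the first removal from the same chain whose expire
        # time is not before the add; the difference is how long the hole lived.
        for r_chain, expire in removes:
            if r_chain == chain and expire >= epoch:
                entry["lifetimes"][chain].append(expire - epoch)
                break
    for src in refused:
        summary[src]["nat_refused"] = True
    return dict(summary)


def report(summary):
    """One line per source IP, suitable for eyeballing two runs side by side."""
    out = []
    for src, e in sorted(summary.items()):
        out.append(f"{src}: chains={sorted(e['chains'])} ports={sorted(e['ports'])} "
                   f"nat_refused={e['nat_refused']} lifetimes={dict(e['lifetimes'])}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe real output in (`logread | grep fwknopd | python3 this.py`),
    # otherwise the thread's sample is summarised.
    src_lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize(src_lines)))
```

Run against the thread's excerpts it prints one line for 173.190.104.111 (FWKNOP_FORWARD and FWKNOP_PREROUTING, tcp/41453, a refused NAT request, 30 s lifetimes) and one for 172.58.206.251 (FWKNOP_INPUT only, tcp/41453 and udp/41453, 11 s lifetimes). On the router itself, stopping the fwknopd service and starting it in the foreground with `fwknopd -f -v` while running each client once gives the per-packet detail Jonathan asks for; piping `logread | grep fwknopd` through this script then shows the resulting firewall side in one place.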