Port knocking from Mikrotik

Hello. I have an OpenVPN connection between two mikrotik. I would like to hide the OpenVPN port (1194) with Port Knocking. There are many descriptions on the Internet on how to configure it on the server side, but how to make the mikrotik client knock on the server before connecting?

Not tested, but I guess you can use the fetch command, something like this:

/tool fetch url="remote_host:8888" keep-result=no
/tool fetch url="remote_host:9999" keep-result=no
/tool fetch url="remote_host:5555" keep-result=no
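
A matching server-side RouterOS firewall configuration for the three-port sequence suggested above, added here as an example and not part of the original thread. The address-list names and timeouts are assumptions, as is OpenVPN listening on TCP 1194; the knock ports are the ones from the post.

```routeros
# Added example: server-side knock rules for the sequence 8888 -> 9999 -> 5555.
# Assumptions: list names (knock-1, knock-2, knock-ok), the timeouts, and
# OpenVPN on TCP 1194. Rule order matters; place these above any general
# drop rule in the input chain.
/ip firewall filter

# Keep an already established tunnel alive after the knock-ok entry expires.
add chain=input action=accept connection-state=established,related comment="accept established"

# Knock 1: any source hitting 8888 is remembered for 15 seconds.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=8888 connection-state=new address-list=knock-1 address-list-timeout=15s comment="knock 1"

# Knock 2: only counts if the source already passed knock 1.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=9999 connection-state=new src-address-list=knock-1 address-list=knock-2 address-list-timeout=15s comment="knock 2"

# Knock 3: only counts if the source already passed knock 2.
# The source then has one minute to open the OpenVPN session.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=5555 connection-state=new src-address-list=knock-2 address-list=knock-ok address-list-timeout=1m comment="knock 3"

# The knock packets themselves get no reply, so the ports look closed.
add chain=input action=drop protocol=tcp dst-port=8888,9999,5555 comment="drop knock packets"

# OpenVPN is reachable only from sources that completed the sequence.
add chain=input action=accept protocol=tcp dst-port=1194 connection-state=new src-address-list=knock-ok comment="ovpn after knock"
add chain=input action=drop protocol=tcp dst-port=1194 comment="ovpn hidden otherwise"
```

Because the knock ports never answer, each client-side fetch is expected to end in a connection failure; what matters is that its SYN packet reached the server within the timeout of the previous stage.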

WHY?
You have a VPN connection, why do you think you need port knocking?

Nevermind, you should drop ovpn and simply use wireguard.

+1000

@anav

Depends on what you need. About the performance, yes, with wireguard you can get much more bandwidth than ovpn, but on the other hand ovpn has its own advantages.

It works the same as a physical interface (TAP), so you can add a VLAN on it or put it in a bridge, and choose between udp/tcp & port.

I have yet to see a situation for the majority of users that wireguard doesn't solve.
If ovpn is so good, then why need port knocking?

So be consistent: if you are going to espouse NOT wireguard, at least have the courtesy to promote IKEv2. You also would do this knowing that OVPN is not fully implemented in ROS.

Adding an additional protective layer around a service endpoint (OVPN or any other) never hurts … and doesn’t have much to do with how the “protected” service handles possible attacks. It’s just that some services are outright dangerous if exposed to the wild without any 3rd party protection due to known vulnerabilities, some don’t have similar problems … yet.
BTW, I’m pretty sure wireguard would work behind this additional shield just fine.

I have a VPN tunnel (L2TP IPSec) for personal use only and I can see from the logs (Splunk) that there is always someone trying to open the tunnel, so I see the added security of using Port Knocking.

On my work computer I cannot use Wireguard, since I cannot install any extra protocol due to limited admin access, so that is not an option.

Sorry for that, but I can’t resist…
https://www.youtube.com/watch?v=nJaEy03MEK0

lol

Great.

It’d get even better if doors actually opened after that port knocking sequence :laughing:

:facepalm:
:laughing: