cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 4:46 pm

Hi,

How to make port knocking work on a VPN/PPTP connection?

I tried this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but it is not working on the VPN/PPTP connection.

Could anyone help?

Regards
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 5:04 pm

Port knocking is intended for and used primarily with normal/usual connections.
I really don't see a reason why one would need port knocking with and over VPN/PPTP.
Just tell us more about your specific use case.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 5:09 pm

He probably wants to reduce the attack surface even more by placing the VPN/PPTP "service" behind a port-knock and not making it fully "public".
Otherwise you might have somebody trying 1000000000x logins, brute force etc., and to tackle this a port-knock might be an option.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 5:13 pm

This is the answer:

"He probably wants to reduce the attack surface even more by placing the VPN/PPTP "service" behind a port-knock and not making it fully "public". Otherwise you might have somebody trying 1000000000x logins, brute force etc., and to tackle this a port-knock might be an option."

I'm tired of seeing 100000000000000000000000000000000000000000 brute-force logins:

10:46:31 pptp,info TCP connection established from 141.98.81.42
10:46:31 pptp,ppp,error <183>: user admin authentication failed
10:46:31 pptp,info TCP connection established from 141.98.81.207
10:46:31 pptp,ppp,error <184>: user vpn authentication failed
10:46:32 pptp,info TCP connection established from 141.98.81.208
10:46:32 pptp,ppp,error <185>: user test authentication failed
10:46:32 pptp,info TCP connection established from 141.98.81.209
10:46:32 pptp,ppp,error <186>: user user authentication failed
10:46:32 pptp,info TCP connection established from 141.98.81.210
10:46:33 pptp,ppp,error <187>: user 1 authentication failed
10:46:33 pptp,info TCP connection established from 141.98.81.6
10:46:33 pptp,ppp,error <188>: user test authentication failed
10:46:33 pptp,info TCP connection established from 141.98.81.42
10:46:34 pptp,ppp,error <189>: user 123 authentication failed
10:46:34 pptp,info TCP connection established from 141.98.81.207
10:46:34 pptp,ppp,error <190>: user vpn authentication failed
13:55:49 pptp,info TCP connection established from 92.63.194.35
13:55:49 pptp,ppp,error <195>: user Admin authentication failed
13:55:49 pptp,info TCP connection established from 92.63.194.40
13:55:49 pptp,ppp,error <196>: user test1 authentication failed
13:55:50 pptp,info TCP connection established from 92.63.194.41
13:55:50 pptp,ppp,error <197>: user test authentication failed
13:55:50 pptp,info TCP connection established from 92.63.194.42
13:55:50 pptp,ppp,error <198>: user 111 authentication failed
13:55:51 pptp,info TCP connection established from 92.63.194.58
13:55:51 pptp,ppp,error <199>: user user1 authentication failed
13:55:51 pptp,info TCP connection established from 92.63.194.26
13:55:51 pptp,ppp,error <200>: user 1234 authentication failed
13:55:52 pptp,info TCP connection established from 92.63.194.35
13:55:52 pptp,ppp,error <201>: user admin authentication failed
13:55:52 pptp,info TCP connection established from 92.63.194.40
13:55:52 pptp,ppp,error <202>: user vpn authentication failed
13:55:52 pptp,info TCP connection established from 92.63.194.41

and the list goes on......
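The "authentication failed" lines above carry no peer address of their own; RouterOS logs the peer on the preceding "TCP connection established from" line. The posted config later deals with offenders through a long run of per-IP `drop src-address=` rules. As an added example (not code from the thread or from MikroTik), the Python below pairs the two line types, counts failures per source, collapses a /24 whose consecutive hosts all failed into one prefix, and emits address-list entries plus a single `src-address-list` drop rule. The log text is constructed in the shape of the posted lines; the list name `pptp_bruteforce`, the thresholds and the timeout are assumptions.

```python
"""Turn RouterOS PPTP auth-failure logs into address-list entries.

Added example, not from the thread. SAMPLE_LOG is constructed in the
shape of the posted log lines; list name, thresholds and timeout are
assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
10:46:31 pptp,info TCP connection established from 141.98.81.42
10:46:31 pptp,ppp,error <183>: user admin authentication failed
10:46:31 pptp,info TCP connection established from 141.98.81.207
10:46:31 pptp,ppp,error <184>: user vpn authentication failed
10:46:32 pptp,info TCP connection established from 141.98.81.208
10:46:32 pptp,ppp,error <185>: user test authentication failed
10:46:32 pptp,info TCP connection established from 141.98.81.209
10:46:32 pptp,ppp,error <186>: user user authentication failed
10:46:33 pptp,info TCP connection established from 141.98.81.42
10:46:34 pptp,ppp,error <189>: user 123 authentication failed
13:55:49 pptp,info TCP connection established from 92.63.194.35
13:55:49 pptp,ppp,error <195>: user Admin authentication failed
13:55:52 pptp,info TCP connection established from 92.63.194.35
13:55:52 pptp,ppp,error <201>: user admin authentication failed
13:55:52 pptp,info TCP connection established from 92.63.194.40
13:55:52 pptp,ppp,error <202>: user vpn authentication failed
14:02:10 pptp,info TCP connection established from 203.0.113.9
14:02:11 pptp,ppp,error <203>: user alice authentication failed
"""

CONNECT_RE = re.compile(r"pptp,info TCP connection established from (\S+)")
FAIL_RE = re.compile(r"pptp,ppp,error <\d+>: user (\S+) authentication failed")


def parse_failures(log_text):
    """Return Counter {source_ip: failed_login_count}.

    The failure line has no peer address, so each failure is attributed to
    the most recent 'connection established' line. With many concurrent
    PPTP sessions this pairing can be off by one; treat counts as approximate.
    """
    failures = Counter()
    last_src = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_src = m.group(1)
            continue
        if FAIL_RE.search(line) and last_src is not None:
            failures[last_src] += 1
    return failures


def offending_networks(failures, per_ip_threshold=2, per_prefix_sources=3, prefixlen=24):
    """Collapse offenders into address-list entries.

    A single IP is listed once it reaches per_ip_threshold failures. If at
    least per_prefix_sources distinct hosts of one /prefixlen failed, the
    whole prefix is listed instead (the pattern in the post: neighbouring
    hosts of 141.98.81.0/24 and 92.63.194.0/24 rotating through usernames).
    """
    by_prefix = {}
    for ip in failures:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        by_prefix.setdefault(net, set()).add(ip_address(ip))
    entries = set()
    for net, hosts in by_prefix.items():
        if len(hosts) >= per_prefix_sources:
            entries.add(str(net))
        else:
            entries.update(str(h) for h in hosts if failures[str(h)] >= per_ip_threshold)
    return sorted(entries, key=lambda s: ip_network(s, strict=False))


def routeros_commands(entries, list_name="pptp_bruteforce", timeout="1w"):
    """Render address-list entries plus one drop rule that references the list.

    place-before=0 inserts the rule at the top of the filter list so it is
    evaluated before the 'allow pptp' accept rule (ordering is what matters).
    """
    cmds = [
        f'/ip firewall address-list add list={list_name} address={e} '
        f'timeout={timeout} comment="pptp auth failures"'
        for e in entries
    ]
    cmds.append(
        f"/ip firewall filter add chain=input protocol=tcp dst-port=1723 "
        f"src-address-list={list_name} action=drop "
        f'comment="drop pptp brute forcers" place-before=0'
    )
    return cmds


if __name__ == "__main__":
    counts = parse_failures(SAMPLE_LOG)
    for cmd in routeros_commands(offending_networks(counts)):
        print(cmd)
```

On the sample this lists 92.63.194.35 on its own (two failures, only two hosts seen from that /24) and all of 141.98.81.0/24 (four distinct hosts), and leaves the single-failure 203.0.113.9 alone. One address list plus one drop rule replaces the whole run of per-IP drop rules, and the timeout lets stale entries age out instead of accumulating in the config forever.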
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 6:10 pm

Post your port-knocking code. For an analysis we would need all your firewall rules, i.e. this output:
/ip firewall filter export hide-sensitive

An alternative method would be to change the VPN server port from the default 1194 to another port.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 6:34 pm

# may/30/2020 18:26:00 by RouterOS 6.44
# software id = xxxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxxxxx
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge)
add action=accept chain=input comment=":FTP WAN IMPUT:" dst-port=21 \
    in-interface=wlan1 protocol=tcp
add action=drop chain=forward comment="Block acces to internet DVR" \
    src-address=192.168.88.241
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=216.218.206.74
add action=drop chain=input src-address=141.98.80.115
add action=drop chain=input src-address=216.218.206.98
add action=drop chain=input src-address=46.161.27.42
add action=drop chain=input src-address=216.218.206.114
add action=drop chain=input src-address=184.154.74.66
add action=drop chain=input src-address=216.218.206.78
add action=drop chain=input src-address=185.232.67.13
add action=drop chain=input src-address=198.108.67.48
add action=drop chain=input src-address=216.218.206.102
add action=drop chain=input src-address=216.218.206.126
add action=drop chain=input src-address=107.170.197.213
add action=drop chain=input src-address=80.82.77.240
add action=drop chain=input src-address=216.218.206.70
add action=drop chain=input src-address=115.236.61.202
add action=drop chain=input src-address=122.224.158.196
add action=drop chain=input src-address=184.154.47.2
add action=drop chain=input src-address=46.161.27.122
add action=drop chain=input src-address=141.98.80.128
add action=drop chain=input src-address=107.179.9.154
add action=drop chain=input src-address=179.43.143.149
add action=drop chain=input src-address=122.224.158.197
add action=drop chain=input src-address=115.236.61.205
add action=drop chain=input src-address=92.63.194.27
add action=drop chain=input src-address=92.63.194.91
add action=drop chain=input src-address=92.63.194.92
add action=drop chain=input src-address=92.63.194.93
add action=drop chain=input src-address=92.63.194.94
add action=drop chain=input src-address=92.63.194.95
add action=drop chain=input src-address=92.63.194.47
add action=drop chain=input src-address=45.83.91.106
add action=drop chain=input src-address=45.79.144.96
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=92.63.194.0/24
add action=drop chain=input src-address=212.164.39.143
add action=drop chain=input src-address=60.190.226.187
add action=drop chain=input comment="Drop SSH 22" dst-port=22 in-interface=\
    bridge log=yes log-prefix=SSHdrop protocol=tcp
add action=drop chain=input src-address=141.98.81.0/24
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input src-address=162.243.141.140
add action=add-src-to-address-list address-list=port:9000 address-list-timeout=\
    1m chain=input dst-port=9000 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1m \
    chain=input dst-port=6000 protocol=tcp src-address-list=port:9000
add action=accept chain=input src-address-list=secure
add action=drop chain=input
add action=drop chain=input src-address=223.71.167.165
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 7:20 pm

Concerning some config lines.

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp


They need to be reworked to include an ACL "match" as well. Without this ACL match, they are just publicly "open" to the world.
You want to add the "src-address-list" parameter here, see the example below (e.g. src-address-list=Allowed_VPN_IP)

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP

Now you have to get "Allowed_VPN_IP" populated with the IPs that matched your "port-knocking" sequence. You have to decide for yourself how many "stages" you want. In its most simple form 1 "port" can do the trick, but perhaps a sequence of 2 or 3 ports must be completed before you get "added" onto the "Allowed_VPN_IP" list. See below for a multi-stage example. After the port-knock is complete, you have 4 hours of time. (you can remove this or adapt the timing)
Within 15 seconds the sequence must arrive at the MikroTik or the "intermediate" ACLs are flushed and the port-knock will not work. You can set this more aggressively. Experiment with it.
You can choose the PORT1/PORT2/PORT3/FINAL_PORT values yourself. Note that in this example I use a mix of TCP & UDP ports!!
Make sure the dst-address-list=WAN_IP is valid for your case.


add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-address-list=WAN_IP dst-port=PORT1 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-address-list=WAN_IP dst-port=PORT2 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-address-list=WAN_IP dst-port=PORT3 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=udp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-address-list=WAN_IP dst-port=FINAL_PORT in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=udp src-address-list="Port Knock Phase 3"


Make sure these lines are at the correct position in the overall input chain; basically you want them BEFORE you start the various drops! So make sure you still "capture" inbound knocks in the address lists before you start tossing away packets...
Hope this helps a bit.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat May 30, 2020 7:51 pm

Many thanks for the help

Forgot about one important thing: I have a dynamic IP (my IP changes on every restart/connect/etc.) (my ISP provides a custom domain name to connect to the dynamic IP)

and I used this port knock example: https://wiki.mikrotik.com/wiki/Port_Knocking

And I prefer this method since I use the VPN on my laptop/mobile when I travel to other countries, and I port knock with the browser, so (TCP is needed I guess)
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Tue Jul 06, 2021 10:42 pm

Could you please make an example of this by adding IPs/filenames, or a video if you can, please
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Tue Jul 06, 2021 11:10 pm

Well, what are the names of your ISP interfaces? Are you using PPPoE or something? Then your "input" interface to filter against would be that name.
Not sure about the WAN_IP ACL that I used, whether I had to create it myself or not, can't remember anymore.
It contains 1 DNS name that is updated through the /ip cloud DDNS client in RouterOS, so ###############.sn.mynetname.net (#### = serial number of your unit)

ISP_Interface would be the incoming interface; in my case I used the name of the PPPoE connection to my ISP.
If you use a cable modem + DHCP you probably use an etherX interface.

PORT1 / PORT2 / PORT3 / FINAL_PORT are just values you may choose randomly between 1 and 64K (that is the actual port to knock on)
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 12:11 pm

Sorry for the late reply, I was gone for a while. Yes, I use PPPoE (dynamic IP) but I have a hostname that redirects every time to my actual IP (the hostname is provided by my ISP), and thanks again for your time

Edit: Here is the link with an image of my interface (as you can see in the logs my PPTP is brute-forced daily and that's why I need this port knock for PPTP)

[image attachment not preserved]
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 1:55 pm

Then the example below should work:

I've even removed the "dst-address-list" WAN_IP and only use the effective interface the packet is coming in on. You have only 1 PPPoE to an ISP, so basic.
In the example below you need to knock TCP/1000 first, then within 15 seconds TCP/2000, then within 15 seconds TCP/3000, and then the IP address from which you are knocking will be added for a duration of 4 hours to the Allowed_VPN_IP access list.
THAT ACL you can then use to "filter" your VPN rules, say L2TP/SSTP/PPTP


add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=FINAL_PORT in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=udp src-address-list="Port Knock Phase 3"
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 2:02 pm

Many thanks for the reply, I will try this when I return home and I will come back with a reply if this works (in case someone else needs it)

Many thanks again for your time

One more question:

Is all of this code used for all services? Because I don't see PPTP port 1723 anywhere. I already use port knocking for SSH and other services, but for 1723 the code I use didn't work. Should I also add this code:

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 2:38 pm

Oops, a small correction, I did not add a value on the very last step, so the summary again:

In the example below you need to knock TCP/1000 first, then within 15 seconds TCP/2000, then within 15 seconds TCP/3000, and finally within 15 seconds TCP/8000; then the IP address from which you are knocking will be added for a duration of 4 hours to the Allowed_VPN_IP access list.
THAT ACL you can then use to "filter" your VPN rules, say L2TP/SSTP/PPTP

add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=8000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=tcp src-address-list="Port Knock Phase 3"
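To check a knock rule set like this one before typing it into the router, the Python below (an added example, not code from the thread or from MikroTik) models just enough of the input chain: first-match order, dynamic address lists with timeouts, and the fact that add-src-to-address-list does not end rule processing, so a knock packet is still dropped by the final rule after its side effect has happened. It builds the four knock rules from this post and the gated "allow pptp" rule from the earlier reply, then runs the scenarios the thread raises: the correct sequence, a sequence that is too slow, ports in the wrong order, and the layout of the posted config, where `drop in-interface=pppoe-out1` sits above the knock rules so no knock is ever recorded. Source addresses and timing are constructed; the assumption that a repeated knock does not refresh an existing entry's timeout is marked in the code.

```python
"""Model of the posted input chain, to test a knock sequence off the box.

Added example, not from the thread or MikroTik. Addresses and the clock are
constructed; it reproduces only first-match rule order, address lists with
timeouts, and the non-terminating add-src-to-address-list action.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    in_iface: str = "pppoe-out1"


@dataclass
class Rule:
    action: str                         # accept | drop | add-src-to-address-list
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    src_list: Optional[str] = None      # src-address-list=
    address_list: Optional[str] = None  # address-list= (for the add action)
    timeout: float = 0.0                # address-list-timeout, in seconds
    comment: str = ""


class InputChain:
    """First-match evaluation of /ip firewall filter chain=input."""

    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # list name -> {address: expiry time}

    def in_list(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # Assumption: an address already on the list keeps its original expiry
        # (the timeout is not refreshed); confirm this on your RouterOS version.
        if not self.in_list(name, addr, now):
            self.lists.setdefault(name, {})[addr] = now + timeout

    def matches(self, r, p, now):
        return ((r.proto is None or r.proto == p.proto)
                and (r.dst_port is None or r.dst_port == p.dst_port)
                and (r.in_iface is None or r.in_iface == p.in_iface)
                and (r.src_list is None or self.in_list(r.src_list, p.src, now)))

    def process(self, p, now):
        """Verdict for one packet; 'accept' if no terminating rule matched."""
        for r in self.rules:
            if not self.matches(r, p, now):
                continue
            if r.action == "add-src-to-address-list":
                self.add(r.address_list, p.src, now, r.timeout)  # keeps going
                continue
            return r.action
        return "accept"


def knock_rules(phases=(1000, 2000, 3000), final=8000, window=15, grant=4 * 3600):
    """The posted multi-stage sequence: each stage requires the previous list."""
    rules, prev = [], None
    for i, port in enumerate(phases, 1):
        name = f"Port Knock Phase {i}"
        rules.append(Rule("add-src-to-address-list", "tcp", port, "pppoe-out1", prev, name, window))
        prev = name
    rules.append(Rule("add-src-to-address-list", "tcp", final, "pppoe-out1", prev, "Allowed_VPN_IP", grant))
    return rules


ALLOW_PPTP = Rule("accept", "tcp", 1723, src_list="Allowed_VPN_IP", comment="allow pptp")
DROP_WAN = Rule("drop", in_iface="pppoe-out1", comment="drop the rest from the ISP link")


def send(chain, src, ports, t0=0.0, gap=5.0):
    """One TCP packet per port, `gap` seconds apart; returns the time afterwards."""
    for i, port in enumerate(ports):
        chain.process(Packet(src, port), t0 + i * gap)
    return t0 + len(ports) * gap


def pptp_allowed(chain, src, now):
    return chain.process(Packet(src, 1723), now) == "accept"


def scenario(knocks=(1000, 2000, 3000, 8000), gap=5.0, knocks_before_drop=True, src="198.51.100.7"):
    """Knock, then try PPTP. knocks_before_drop=False mirrors the posted config,
    where 'drop in-interface=pppoe-out1' is listed above the knock rules."""
    if knocks_before_drop:
        rules = knock_rules() + [ALLOW_PPTP, DROP_WAN]
    else:
        rules = [DROP_WAN] + knock_rules() + [ALLOW_PPTP]
    chain = InputChain(rules)
    return pptp_allowed(chain, src, send(chain, src, knocks, gap=gap))


def sequential_scan_gets_in(src="203.0.113.50"):
    """An ascending knock sequence is completed by any fast sequential port scan."""
    chain = InputChain(knock_rules() + [ALLOW_PPTP, DROP_WAN])
    return pptp_allowed(chain, src, send(chain, src, range(1, 9001), gap=0.001))


if __name__ == "__main__":
    print("correct knock, 5 s apart:       ", scenario())
    print("correct knock, 20 s apart:      ", scenario(gap=20.0))
    print("ports in the wrong order:       ", scenario(knocks=(1000, 3000, 2000, 8000)))
    print("drop rule above the knock rules:", scenario(knocks_before_drop=False))
    print("sequential SYN scan 1..9000:    ", sequential_scan_gets_in())
```

The last scenario is the caveat to keep in mind: with 1000, 2000, 3000, 8000 every port is higher than the one before, so a plain sequential SYN scan completes the sequence inside the 15-second windows and lands the scanner's address in Allowed_VPN_IP for four hours. Making the sequence non-monotonic (for example putting the final port below the first) defeats a sequential scan, though not one that happens to hit the ports in order. Note also that the posted config tags scanners in a "port scanners" list via psd, but no rule references that list, so the tagging by itself blocks nothing.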
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 3:19 pm

One more question:

Is all of this code used for all services? Because I don't see PPTP port 1723 anywhere. I already use port knocking for SSH and other services, but for 1723 the code I use didn't work. Should I also add this code:

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP

As you can see in my config, I'm already using port knocking and I think some of the code from my config needs to be removed.
# may/30/2020 18:26:00 by RouterOS 6.44
# software id = xxxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxxxxx
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge)
add action=accept chain=input comment=":FTP WAN IMPUT:" dst-port=21 \
    in-interface=wlan1 protocol=tcp
add action=drop chain=forward comment="Block acces to internet DVR" \
    src-address=192.168.88.241
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=216.218.206.74
add action=drop chain=input src-address=141.98.80.115
add action=drop chain=input src-address=216.218.206.98
add action=drop chain=input src-address=46.161.27.42
add action=drop chain=input src-address=216.218.206.114
add action=drop chain=input src-address=184.154.74.66
add action=drop chain=input src-address=216.218.206.78
add action=drop chain=input src-address=185.232.67.13
add action=drop chain=input src-address=198.108.67.48
add action=drop chain=input src-address=216.218.206.102
add action=drop chain=input src-address=216.218.206.126
add action=drop chain=input src-address=107.170.197.213
add action=drop chain=input src-address=80.82.77.240
add action=drop chain=input src-address=216.218.206.70
add action=drop chain=input src-address=115.236.61.202
add action=drop chain=input src-address=122.224.158.196
add action=drop chain=input src-address=184.154.47.2
add action=drop chain=input src-address=46.161.27.122
add action=drop chain=input src-address=141.98.80.128
add action=drop chain=input src-address=107.179.9.154
add action=drop chain=input src-address=179.43.143.149
add action=drop chain=input src-address=122.224.158.197
add action=drop chain=input src-address=115.236.61.205
add action=drop chain=input src-address=92.63.194.27
add action=drop chain=input src-address=92.63.194.91
add action=drop chain=input src-address=92.63.194.92
add action=drop chain=input src-address=92.63.194.93
add action=drop chain=input src-address=92.63.194.94
add action=drop chain=input src-address=92.63.194.95
add action=drop chain=input src-address=92.63.194.47
add action=drop chain=input src-address=45.83.91.106
add action=drop chain=input src-address=45.79.144.96
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=92.63.194.0/24
add action=drop chain=input src-address=212.164.39.143
add action=drop chain=input src-address=60.190.226.187
add action=drop chain=input comment="Drop SSH 22" dst-port=22 in-interface=\
    bridge log=yes log-prefix=SSHdrop protocol=tcp
add action=drop chain=input src-address=141.98.81.0/24
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input src-address=162.243.141.140
add action=add-src-to-address-list address-list=port:9000 address-list-timeout=\
    1m chain=input dst-port=9000 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1m \
    chain=input dst-port=6000 protocol=tcp src-address-list=port:9000
add action=accept chain=input src-address-list=secure
add action=drop chain=input
add action=drop chain=input src-address=223.71.167.165
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 4:26 pm

There are 2 things: this port-knocking thing only populates a (most of the time dynamic) access-list, and you decide what you want to do with it.
You have indeed already some statements like the ones below, but without the "src-address-list" field. Perhaps better to UPDATE these rules? Not too sure, if you paste them again, whether they are edited or ADDED again.
I don't use PPTP (nobody should, actually; it's old, obsolete and not secure anymore).
Very important is the ORDER of all these rules; make sure your "port-knocks" are pretty high up in the order, before other DROP statements.

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP



Your construction with the SSH "blacklister" is a bit strange, but I see that basically if you try a couple of times to SSH to the box you are thrown on an ssh_blacklist. Better is to simply use the port-knock in general, then block EVERYTHING else anyway. No need to use CPU cycles on this ssh_blacklist-specific routine.

I use a generic 3-stage port-knock as a "front door" and then a final knock specific for the service I want to open. So 4 stages in total. Sure, you could make 1 generic one to cover all services too. Many solutions to the same problem.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 5:12 pm

There are 2 things: this port-knocking thing only populates a (most of the time dynamic) access-list, and you decide what you want to do with it.
You have indeed already some statements like the ones below, but without the "src-address-list" field. Perhaps better to UPDATE these rules? Not too sure, if you paste them again, whether they are edited or ADDED again.
I don't use PPTP (nobody should, actually; it's old, obsolete and not secure anymore).
Very important is the ORDER of all these rules; make sure your "port-knocks" are pretty high up in the order, before other DROP statements.

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP



Your construction with the SSH "blacklister" is a bit strange, but I see that basically if you try a couple of times to SSH to the box you are thrown on an ssh_blacklist. Better is to simply use the port-knock in general, then block EVERYTHING else anyway. No need to use CPU cycles on this ssh_blacklist-specific routine.

I use a generic 3-stage port-knock as a "front door" and then a final knock specific for the service I want to open. So 4 stages in total. Sure, you could make 1 generic one to cover all services too. Many solutions to the same problem.
I want to use one for all of the services: VPN, SSH, etc.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to make Port knocking working on vpn/pptp connection ?

Sat Jul 17, 2021 5:59 pm

Add a hEX to your network as a second router, but only to use with beta firmware and WireGuard.
Done in two shakes of a lamb's tail: a secure method to access the hEX and the main router via your smartphone MT app.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Sun Jul 18, 2021 3:44 pm

add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
# final knock: only sources that completed all three phases (on the "Port Knock Phase 3" list) are added to Allowed_VPN_IP
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=8000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=tcp src-address-list="Port Knock Phase 3"
Can you make this for individual services? FTP/VPN/port/etc.?
So I can choose services (ports).
Because if I use this I need to use port knock for every service, right?
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Sun Jul 18, 2021 10:57 pm

As I said, the port-knock only puts a certain IP address on an address-list, that's it.
Do whatever you want with it then.

If you have some rules for FTP or SCP, just add the "src-address-list" field to make this rule only accessible from IPs on the portknock-ACL.
For VPN, you could make your IKE rules or L2TP stuff etc. like you made, but add the "src-address-list" so not the whole world can initiate VPN.
So you have already written them down. But you need to check the order of the input rules carefully; some trial & error and testing until it works.

add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP

Once your IP is on the "knock-list" ACL you can also protect your DNATs with it. So basically only open services to internal hosts by again adding the "src-address-list" filter while creating the rule.
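As an added illustration (not code from the thread or from RouterOS), this Python model walks packets through the 4-stage knock posted above (1000, 2000, 3000, 8000) and the src-address-list-gated "allow pptp" rule, so the two points made here can be checked offline: the knock only populates an address list with a timeout, and rule order decides whether it ever fires. The client IP 198.51.100.7 and the shortened list names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added illustration, not RouterOS code: a small evaluator for the input-chain rules
# in this thread (add-src-to-address-list / accept / drop) with expiring address lists.
@dataclass
class Rule:
    action: str                          # "accept", "drop" or "add-list"
    proto: Optional[str] = "tcp"         # None matches any protocol
    dst_port: Optional[int] = None       # None matches any port
    src_list: Optional[str] = None       # match only if src is on this list
    add_to: Optional[str] = None         # list populated by "add-list"
    timeout: int = 0                     # address-list-timeout in seconds

@dataclass
class Firewall:
    rules: list
    lists: dict = field(default_factory=dict)    # (list name, ip) -> expiry time

    def on_list(self, name, ip, now):
        exp = self.lists.get((name, ip))
        return exp is not None and exp > now

    def packet(self, ip, proto, port, now):
        """Verdict for one packet: rules are walked in order, first terminating match wins."""
        for r in self.rules:
            if r.proto not in (None, proto) or r.dst_port not in (None, port):
                continue
            if r.src_list and not self.on_list(r.src_list, ip, now):
                continue
            if r.action == "add-list":
                self.lists[(r.add_to, ip)] = now + r.timeout
                continue          # add-src-to-address-list is a passthrough action
            return r.action
        return "accept"           # RouterOS default when nothing matches

def knock_rules():
    """The thread's 4-stage knock, then the gated "allow pptp" rule and a catch-all drop."""
    return [
        Rule("add-list", dst_port=1000, add_to="Phase 1", timeout=15),
        Rule("add-list", dst_port=2000, src_list="Phase 1", add_to="Phase 2", timeout=15),
        Rule("add-list", dst_port=3000, src_list="Phase 2", add_to="Phase 3", timeout=15),
        Rule("add-list", dst_port=8000, src_list="Phase 3", add_to="Allowed_VPN_IP", timeout=4 * 3600),
        Rule("accept", dst_port=1723, src_list="Allowed_VPN_IP"),   # allow pptp
        Rule("drop", proto=None),                                   # drop everything else
    ]

def vpn_after(ports, fw, ip="198.51.100.7", gap=1):
    """Knock the given ports (gap seconds apart) from a constructed client IP, then try PPTP."""
    for i, p in enumerate(ports):
        fw.packet(ip, "tcp", p, i * gap)
    return fw.packet(ip, "tcp", 1723, len(ports) * gap)
```

Moving the catch-all drop above the knock rules (as the ORDER warning above describes) makes `vpn_after` return "drop" for the correct sequence too, and a knock that stalls longer than the 15 s list timeout fails the same way.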
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: How to make Port knocking working on vpn/pptp connection ?

Mon Jul 19, 2021 11:08 am

Many thanks to @jvanhambelgium for your time and patience. The configuration/code works perfectly; if someone else wants to use it, as @jvanhambelgium said, you can use it for whatever you want to filter.

Again, thank you for your time jvanhambelgium

PS: for port-knocking on mobile I use this app (5 sec delay): play.google.com/store/apps/details?id=com.xargsgrep.portknocker
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Mon Jul 19, 2021 11:19 am

PS: for port-knocking on mobile I use this app (5 sec delay): play.google.com/store/apps/details?id=com.xargsgrep.portknocker
I use the same app, indeed a good solid port-knocker.
 
Roberto69
just joined
Posts: 23
Joined: Fri Dec 24, 2021 9:09 am
Location: Slovenia
Contact:

Re: How to make Port knocking working on vpn/pptp connection ?

Fri Dec 24, 2021 9:15 am

Post your port-knocking code. For an analysis we would need all your firewall rules, i.e. this output:
/ip firewall filter export hide-sensitive

An alternative method would be to change the VPN server port from the default 1194 to another port.
Hello,
I have the same problem on one of my routers. Would you be so kind and check my firewall rules also?

Thank You!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to make Port knocking working on vpn/pptp connection ?

Fri Dec 24, 2021 2:22 pm

jvan, if you use portknocker instead of WireGuard, you will get a lump of coal for Xmas! ;-)
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to make Port knocking working on vpn/pptp connection ?

Fri Dec 24, 2021 2:41 pm

jvan, if you use portknocker instead of WireGuard, you will get a lump of coal for Xmas! ;-)
I still use port-knocker. :shock: 8)
Once I migrate from RB3011 -> RB5009 on a later 7.x release I will probably shift to a WireGuard setup.

However, the port-knock is more flexible if there are more devices on the same LAN (e.g. a guest house with multiple participants) that you would like to allow access to, for example, your Plex server or other resources.
You only need to connect to the guest Wi-Fi, issue the port-knock and then the public IP is registered (and other users on the same guest-house LAN are most likely using the same public IP to the Internet).

If it's just your own device that needs access, WireGuard will do fine!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to make Port knocking working on vpn/pptp connection ?

Fri Dec 24, 2021 6:59 pm

Multiple wireguard peers also works !
