User Tools

Site Tools



Fwknop provides support for Single Packet Authorization (SPA), which is a modern replacement for port knocking. More information can be found at


There are a handful of clients for Fwknop. The command line interface is the "fwknop" binary, available in Openwrt and most Linux distros. There is also an Android client, fwknop2, available on the Google play store and f-droid. Lastly, there is a cross-platform graphical client, fwknop-gui, available at and available for Linux, Mac, and Windows.



The easiest way to get the Fwknop server running is to install Luci-app-fwknop


The Luci app installation will automatically generate a set of keys. If the default settings are acceptable, then all that needs to be changed here is to check the top checkbox to enable the config file overwrite. The qr code contains the two keys, and can be used to import keys into the fwknop Android app.

Any valid option can be configured from the Luci app, but a few are included by default.

The SOURCE option defines the IP or IPs that are allowed to send valid SPA packets. If an otherwise valid packet arrives from an IP not listed, it will be ignored. The default value is ANY, which indicates that any source IP can be valid.

The KEY_BASE64 or KEY option defines the primary key used to generate and validate the SPA packet.

The Key type option defines whether the key is plain text, or is Base64 encoded. A Base64 key is translated to Binary, which allows for a larger keyspace than a plain text key.

The HMAC_KEY_BASE64 or HMAC_KEY option defines the HMAC message verification key. This field is optional and can be left blank to indicate no HMAC verification.

The HMAC Key type indicates whether the HMAC key is plaintext or Base64 encoded.

OPEN_PORTS defines the protocol and port to open when a valid SPA packet is received. If left blank, this information will be derived from the SPA packet. If populated, this must be in the format of protocol/portnumber, ex: tcp/22 or udp/22.

FW_ACCESS_TIMEOUT defines in seconds the length of time that a port will remain open by default. Note that even after the port closes, the established connection will persist until terminated.

REQUIRE_SOURCE_ADDRESS causes the server to require the source IP to be included in the SPA packet.

MAX_SPA_PACKET_AGE This is the maximum age in seconds that the server will accept. If left blank, it will default to 120 seconds.

PCAP_INTF This dictates which interface that Fwknop will listen on. The Luci app will try to select the correct interface on installation, based on which is the WAN port.

ENABLE_IPT_FORWARDING This selects whether an SPA packet can trigger port forwarding through to an internal host. Defaults to "y"

doc/howto/fwknop.txt · Last modified: 2016/08/15 00:12 by JBennett