On 25/02/21 08:12, Marc SCHAEFER wrote:
> On Wed, Feb 24, 2021 at 10:49:56PM +0000, tincanteksup wrote:
>> My idea (as daft as it is) would only serve one purpose: to hide a
>> listening TCP port. Because there would be no SYN-ACK from the server if
>> the SYN failed security checks.
> This is what port knocking does: unfirewall the OpenVPN UDP or TCP port
> if a password is given, the password being a specific sequence of
> opens.
I was typing the exact same thing when I saw your post; this is indeed
what port knocking was invented for, and port knocking even helps in UDP-based
setups. It is far easier & faster to be able to DROP traffic on any
UDP or TCP port if the right "knocking sequence" was not entered. It
would be interesting to see if that could be added/integrated into
OpenVPN, but the main problem is that "proper" port knocking requires a
user to be able to send raw packets. On Linux this is possible, not sure
about Windows, but it's definitely a no-no on Android or iOS.
JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
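The server-side logic that Marc and JJK describe (keep the OpenVPN port DROPped for everyone until a source has sent the secret sequence of "opens", and never answer the knocks themselves) can be shown as a small state machine. The block below is an added example, not code from OpenVPN, knockd or the posters; the knock sequence (7000, 9000, 8000), the 5 s completion window, the 30 s open lease and the packet events it is fed are all constructed for illustration. In a real deployment this decision would sit in the firewall (for instance a knock daemon driving the packet filter), not in the VPN process; the example only isolates the decision.

```python
"""Port-knocking decision logic as a state machine (added example, not OpenVPN code).

Each inbound packet is reduced to (source IP, destination port, arrival time).
The verdict for every packet is DROP unless the source has completed the knock
sequence and is now hitting the protected port within its open lease.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical values chosen for this example.
KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 9000, 8000)  # non-monotonic on purpose, see below
PROTECTED_PORT = 1194      # OpenVPN's default port
KNOCK_WINDOW = 5.0         # seconds allowed to finish the whole sequence
OPEN_DURATION = 30.0       # seconds the protected port stays open for that source


@dataclass
class KnockProgress:
    index: int      # how many knocks of the sequence this source has completed
    started: float  # time of the first knock of the current attempt


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    protected_port: int = PROTECTED_PORT
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    progress: Dict[str, KnockProgress] = field(default_factory=dict)
    opened_until: Dict[str, float] = field(default_factory=dict)

    def observe(self, src: str, dport: int, now: float) -> str:
        """Return the firewall verdict ('ACCEPT' or 'DROP') for one inbound packet."""
        # 1. Traffic to the protected port: only sources with an unexpired lease get through.
        if dport == self.protected_port:
            if now < self.opened_until.get(src, 0.0):
                return "ACCEPT"
            self.opened_until.pop(src, None)  # lease expired: back to stealth
            return "DROP"

        # 2. Any other port is a candidate knock. Knocks are always dropped too:
        #    the knocker must never receive a SYN-ACK or ICMP reply that reveals the host.
        state = self.progress.get(src)
        if state is not None and now - state.started > self.window:
            self.progress.pop(src)       # took too long: forget the partial sequence
            state = None
        expected = self.sequence[state.index if state else 0]

        if dport != expected:
            # A wrong port discards the partial sequence. Because the sequence is not
            # monotonic, a linear port scan (7000, 7001, 7002, ...) can never complete it.
            # A fresh first knock simply restarts the attempt.
            if dport == self.sequence[0]:
                self.progress[src] = KnockProgress(index=1, started=now)
            else:
                self.progress.pop(src, None)
            return "DROP"

        if state is None:
            state = KnockProgress(index=0, started=now)
            self.progress[src] = state
        state.index += 1
        if state.index == len(self.sequence):
            # Full sequence seen in time: grant this source (and only this source) a lease.
            self.opened_until[src] = now + self.open_for
            self.progress.pop(src)
        return "DROP"


def simulate(events: List[Tuple[str, int, float]], **kwargs) -> List[str]:
    """Feed constructed packet events (src, dport, time) to a fresh daemon; return verdicts."""
    daemon = KnockDaemon(**kwargs)
    return [daemon.observe(src, dport, t) for src, dport, t in events]


if __name__ == "__main__":
    # Constructed traffic: a legitimate client knocks, then connects; a scanner walks ports.
    client = [("10.0.0.5", 1194, 0.0), ("10.0.0.5", 7000, 1.0), ("10.0.0.5", 9000, 1.5),
              ("10.0.0.5", 8000, 2.0), ("10.0.0.5", 1194, 2.5), ("10.0.0.5", 1194, 40.0)]
    scanner = [("198.51.100.9", p, i * 0.1) for i, p in enumerate([7000, 7001, 8000, 9000, 1194])]
    for label, events in (("client", client), ("scanner", scanner)):
        print(label, simulate(events))
```

Two properties are worth checking against the thread's point: every knock itself is dropped, so an observer gets no reply that distinguishes a knocked host from a silent one, and the lease is keyed by source address, so a second host cannot ride on another's open port.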