Knocker, a knock based access control system for your homelab
69 comments
·October 22, 2025tptacek
hatradiowigwam
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
mdhb
I’m not super familiar with the intricacies of fail2ban and don’t currently understand why op made that claim but would very much like to know more because he is talking about a topic he is highly regarded for and I respect that. I just don’t have the context.
slightwinder
Every door you close, is one less someone can break.
Every complex services running, is a door someone can potentially break. Even with the most secure and battle tested service, you never know where someone fucked up and introduced an exploit or backdoor. Happened too often to be not a concern. XZ Utils backdoor for example was just last year.
> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.
If there is no harm, who cares...
mdhb
Just to be super clear.. using this in place of something like WireGuard is absolutely not an improvement. It’s actively worse in the majority of scenarios assuming you can manage to secure your keys.
slightwinder
Yes, of course, should this just be an optional gadget for a setup, which is already as safe as possible for the situation. After all, when the port has been opened, your setup is also open for attacks. The knockers purpose is to reduce the timeframe of when your system is accessible for attackers.
mdhb
I mostly agree.. there’s a couple of very specific scenarios where maybe something like knockd makes sense I think but they are all scenarios where you’re doing things covertly, not as a general authentication mechanism.
As a side note I just happen to be reading a book at the moment that contains a fairly detailed walkthrough of the procedure required to access the Russian SVRs headquarters in New York in 1995.
Think of this as an analogue version and in no way a perfect analogy but it does include a step that has more or less the same security properties as this… anyways here’s a relevant quote:
“After an SVR officer passed through various checkpoints in the mission’s lower floors, he would take an elevator or stairs to an eighth-floor lobby that had two steel doors. Neither had any identifying signs.
One was used by the SVR, the other by the GRU. The SVR’s door had a brass plate and knob, but there was no keyhole. To open the door, the head of the screw in the lower right corner of the brass plate had to be touched with a metal object, such as a wedding ring or a coin.
The metal would connect the screw to the brass plate, completing an electrical circuit that would snap open the door’s bolt lock and sometimes shock the person holding the coin.The door opened into a small cloakroom. No jackets or suit coats were allowed inside the rezidentura because they could be used to conceal documents and hide miniature cameras.
SVR officers left their coats, cell phones, portable computers, and all other electronic devices in lockers. A camera videotaped everyone who entered the cloakroom. It was added after several officers discovered someone had stolen money from wallets left in jackets. Another solid steel door with a numeric lock that required a four-digit code to open led from the cloakroom into the rezidentura.
A male secretary sat near the door and kept track of who entered, exited, and at what times. A hallway to the left led to the main corridor, which was ninety feet long and had offices along either side. ”
Excerpt from Comrade J by Pete Earley
As another funny side note… I once discovered years ago that the North Koreans had a facility like this that they used to run a bunch of financing intelligence operations using drugs in Singapore where I was at the time and thought it would be funny to go and visit. It was in a business complex rather than a dedicated diplomatic facility from memory. But as I recall it was a similar scenario of unmarked door with no keyhole.
tptacek
WireGuard is designed to be silent preceding a cryptographically authenticated INIT message. It's a superset of whatever security features you'd get from "knocking".
akerl_
In fairness, most of the fervor for these kind of knock-based flows predate Wireguard existing. They come from the era where OpenVPN and friends were the common practice in that space, and I would not have considered "add OpenVPN" to be a rational way to improve the security of anything I was doing.
mdhb
I’m not arguing with you or pretending to not know the difference. I’m saying that is the right answer 999/1000 but there are other scenarios as well.
myzek
I don't want to be a hater, but exposing access to your homelab through a "fully vibe coded" application (it's mentioned at the bottom of the README) is probably not a good idea.
The idea itself sounds fun though
jamesbelchamber
I guess at least they're being honest, but I would agree - there's a large delta between Al-assistance and Al-driven, and "vibe coding" is one step further (just accepting everything Al does without critique, so long as it "works").
Great for prototyping, really bad for exposing anything of any value to the internet.
(Not Anti-Al, just pro-sensible)
nextlevelwizard
Github should have "LLM" as language for repos that self report to be vibe coded or at least this kind of disclosure should be at the top of the readme not after thought.
Also the "If you're Anti-AI please don't use this." is pretty funny :D I guess I must be "Anti-AI" when I think this kind of code is wild to rely on.
Eisenstein
I fully support the AI self-disclosure, but what I wonder what it is about AI generated code that makes this a separate problem from any other code where you don't know the programmer's competence?
Is it because the AI can generate code that looks like it was made by a competent programmer, and is therefore deceiving you?
But whatever the reason, I think that if we use it as a way to shame the people who do tell us then we can be assured that willingness to disclose it going forward will be pretty abysmal.
xenophonf
> Great for prototyping
I must be Doing It Wrong(TM), because my experience has been pretty negative overall. Is there like a FAQ or a HOWTO or hell even a MAKE.MONEY.FAST floating around that might clue me in?
sandblast
I guess I have to implement the habit of checking such things, since I never assume such a possibility. I prefer this info to be at the top of the readme, though – much more information value than the logo that deceived me into thinking this is a mature project.
Regardless; what benefits this would have over Wireguard?
gregoriol
Github should have a tag about it on projects
V__
> If you're Anti-AI please don't use this.
I'm pro security. The gall to put something out there, pretend it being vibe coded is not a big deal and possibly exposing hundreds of people to security issues. Jesus.
sanex
It's open source. Audit it like you would any other service that exposed your homelab to the Internet. How do you know XYZ repo isn't coded for some bootcampers capstone project? I bet those are even less secure.
Edit: should have mentioned I am a bootcamp grad, not just throwing random shade.
OrderlyTiamat
If I had to audit security services for exposing homelab to the internet, I wouldn't use those services in the first place. I'm fine trying things out, but this is a very important security boundary, and it's a solved problem. Why risk it with an auditor who does it for a hobby (me)?
QuantumNomad_
> How do you know XYZ repo isn't coded for some bootcampers capstone project?
I gate access to my homelab using Wireguard.
Wireguard is widely deployed across the world, and has been worked on for years.
No random new repo that was vibe coded can measure up in the slightest to that.
abujazar
Nowadays public facing client IPs are often shared by thousands of users behind CGNAT. IP based firewall rules are useful when the peers have their own static IP address, but provide no real security when the IP address is shared.
This is vibe coded security through obscurity, i. e. quite useless. Use Tailscale or a self hosted VPN.
nextlevelwizard
It could be fun extra layer. Like of course you should always use VPN, but maybe a magic packet so your VPN server even opens a port could be fun.
mano78
I implemented something similar as a caddy module, then I realized that if I was connected to a public wifi network I was actually authorizing the whole bunch of people that were connected to it with me. How do you avoid this, or is it just not important?
OJFord
It shouldn't be your only layer of security, and then it's not important. Think of it as replacing explicit IP black/whitelisting - you still want a login wall or something, but now you restrict access to guess logins or otherwise obtain access through app vulnerabilities etc.
teddyh
It’s the third option: Port knocking is stupid.
symbogra
I implemented port knocking couple decades ago as a teenager and it was stupid then too.
null
TuxPowered
> How do you avoid this
IPv6 of course.
> or is it just not important
Port knocking not a security feature anyway.
scottydelta
When every problem seems like a nail then every solution you come up with is a hammer.
This is what it feels like people using AI for everything.
AI is not good at telling you best solution but it will tell you that you can build it yourself since that approach is what AI is good at.
Using self hosted vpn, cloudflare zero trust or Tailscale is the easiest way to go.
I self host extensively and have multiple self hosted VPN(OpenVPN and WireGuard) along with Tailscale and cloudflare protecting my infra.
OutOfHere
If you're getting people to rely on external dependency services, e.g. Cloudflare or Tailscale, then you're a part of the problem, not the solution!
foofoo12
Also FWIW, if you're using nftables you can set up port knocking: https://wiki.nftables.org/wiki-nftables/index.php/Port_knock...
lucideer
> This is ideal for homelab environments where you want to expose services to the internet without a persistent VPN connection, while minimizing your public-facing attack surface.
To an untrained eye, the wording here could be construed to imply that this is more secure than a VPN. Might be worth a reword to clarify why one might prefer it want to over a VPN.
dugite-code
I use fwknop in a similar manner, the main advantage it has is it's using an encrypted UDP packet. It's ability to call shell scripts for more advanced uses is its best feature. I have a packet set up for a rolling restart of all my services as well as ssh access
yaris
The authentication part does not look much different from password authentication (key ≈ password), and the "Configurable TTL" bit is somewhat confusing, the first part of the sentence assigns the TTL to API keys but the second part says it applies to IPs being whitelisted. I would expect that TTL for a key means that after the TTL expires the key itself becomes unusable.
Halan
IP based exclusion should not be considered a security measure, not even for a low risk environment like a home lab
password4321
> IP based exclusion should not be considered a security measure
Apologies in advance if I'm missing something obvious here, but are you saying an IP allow list is not a standard security practice? If so I'd appreciate further explanation.
abujazar
It's useful when the client always has its own static IP that _doesn't change_ between sessions. In this case, where the public facing IP may be shared by thousands of users, it provides no real security. All you'd have to do to gain access would be getting the client IP and finding some way of getting on the same network. Which in many cases could be as easy as subscribing to the same cell network or other ISP, or connecting to the guest wifi network of an office building.
password4321
Thanks for filling in the details. I agree that an IP allow list works best for users who are alone on an IP that doesn't change often, which is the case for a majority of home internet users but not when they're away from home.
eastabrooka
Its 2025, Just use Tailscale.
lucideer
If you're running a homelab, the likelihood that you're interested in removing cloud-dependencies from your stack is above average. If that's the case, Tailscale is out.
Tailscale is just an added unnecessary external dependency layer (& security attack surface) on top of vanilla Wireguard. And in 2025 it's easier to run vanilla Wireguard than it's ever been.
fragmede
It exists on a spectrum. Time for hobbies including homelabbing is limited, so while someone who's retired and has all the time in the world to tinker can go self host every last single thing, I'd bet that more people just want to be able to have something that works without a huge depency on the cloud. As long as the bits are on the hard drive in my basement, how the packets get routed around is less critical, to some people, I imagine.
Everybody's got their own set of beliefs and understandings, and they get to decide how they want their homelab to work.
For me, tailscale fits in just right. Others can come to their own conclusion based on how they feel about networking and points of failure and depency and all that.
aspenmayer
Also, Headscale exists.
lucideer
I haven't tried Headscale but isn't it more complicated than Wireguard?
The selling point of Tailscale is that they simplify Wireguard UX by adding a proprietary control server - this adds complexity to the stack (extra component) but simplifies user experience (Tailscale run the control server for you).
Headscale seems like it's complicating the stack (adding an extra component) as well as complicating the user experience (you have to maintain two components yourself now instead of just the one Wireguard instance).
Granted I presume the Headscale control server might simplify management of your Wireguard instance but... you're still maintaining the control server yourself.
TZubiri
Port knocking is a very hacky technique that was used:
1- In the 90s were security was whatever
2- In modern days as a way to keep your logs squeaky clean ( although you get 99% there with custom ports)
3- As a cute warm up exercise that you code yourself with what's available in your system. (iptables? a couple of python scripts communicating with each other?)
It's not a security mechanism, and downloading external dependencies or code (especially if vibecoded) is a net loss (by a huge margin).
It's also a waste of time to overengineer for the reasons noted above, I've seen supposedly encrypted port knocking implementations. It feels as if someone had a security checklist and then a checklist for that checklist.
imiric
There's nothing "hacky" about port knocking. It was never meant to be a complete security solution—nothing is.
But it works very well as an additional layer of security. Sec nerds often scoff at "security through obscurity", but it is a very valid strategy. Running sshd on a random high port is not inherently more secure, but it avoids the vast majority of dumb scanners that spam port 22, which is why all my systems do that. Camouflage is underrated, yet wildly effective. You can see how well it works in nature.
In any case, this is not a port knocking solution anyway, as I mentioned in another comment.
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.
Your network authentication should not be a fun game or series of Rube Goldberg contraptions.