fwknop VS tailscale

sounds fun; i see the arch aur has a few options as well. have you tried https://www.cipherdyne.org/fwknop/ ?

Yes that's the basic idea, i tried to use fwknop first but it didn't do what i wanted it to do so i made my own

Port knocking. Or better yet FWKNOP. I'm disappointed I don't hear people talk about it more. The port isn't even open until you give the secret combination of knocks on a large number of ports. There's much more to it. I recommend listening to Episode 865 ofSecurity Now.

> Is this approach used elsewhere?

Yes, or at least in a similar fashion. An alternative variant of port knocking is SPA (Single Packet Authorization). Often SPA protocols use UDP and contain within the body field an encrypted payload containing all the required data to authenticate and authorize a particular request.

There are multiple different implementations of SPA: OpenSPA [1] (full disclosure: I am the author of OpenSPA), fwknop [2] just to name a few.

SDP (Software Defined Perimeter) often builds upon SPA technologies in order to achieve a form of zero trust access.

[1] - https://github.com/greenstatic/openspa

[2] - https://github.com/mrash/fwknop

I am currently re-writting the OpenSPA protocol (version 2) and I plan on playing around with eBPF as well, so thanks eeriedusk for paving the way :)

As an alternative to port knocking, there is: https://github.com/mrash/fwknop

fwknop is nice and simple

Sure, few links for when you dig in: http://iplists.firehol.org/, https://crowdsec.net/, https://www.zeroflux.org/projects/knock/, https://www.cipherdyne.org/fwknop/

An upgrade to port knocking is Single Packet Authorization [1]. It doesn’t suffer from the observability, and other, problems of port knocking.

[1] https://www.cipherdyne.org/fwknop/

Or keep the port closed like I do with my ssh port and use fwknop to open the port only when needed.

Tailscale - Built on WireGuard. Easy to use. Control server is closed source. Client code available with a BSD3 license + separate patents file.

Tailscale

I'm using the GitHub version of tailscaled on one of my Macs as a background daemon launched at boot. To upgrade to the latest version, try the following:

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard® protocol, which means only devices on your private network can communicate with each other.

Might be possible to do using a VPN as long as you can get broadcast/multicast packets forwarded.

Tailscale unfortunately doesn't support it...yet?

https://github.com/tailscale/tailscale/issues/1013

Tailscale - Make depaware output patch compatible

Tailscale is another way of doing it. I'm using it to access my Pi's Samba shares from my phone but it works from Windows as well.