Hooks in clients?

Sune Mølgaard sune at molgaard.org
Sat Nov 14 10:55:03 CET 2020

On 13/11/2020 17.58, Nicholas Capo wrote:
> On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
>> Hiya,
>> I am looking towards deploying WireGuard as my primary VPN
>> connection,
>> and wonder a bit if the various clients (Android, wg-quick, whatever
>> there is for macOS, iOS and Windows), could be made to include the
>> possibility of calling external programs upon (re-)connections, in my
>> case specifically for port knocking, but possibly useful for other
>> purposes as well?
>> In the cases of Android and iOS, I am a bit unsure about interaction
>> with other apps, so maybe, to begin with, just built-in port knocking
>> capabilities could be considered.
>> Any thoughts?
> In my experence there isn't really a case where the client gets
> disconnected (like a crash) and then needs to reconnect.
> For me the client always stays enabled, but if there is a problem at
> the remote end then packets don't go anywhere.
> In other words the traffic might get dropped by the remote (feels like
> no traffic *at all*), but I've never seen a situation where I was
> accedentially sending unencrypted traffic.
> Nicholas

Hi Nicholas,

Well, my worry was that if I used port knocking, then, since I also use
fail2ban on the server, the client (phone specifically), would change
IP-addresses, need to knock, or else get banned.

But if I understand Jason correctly (thank you, Jason), even if we
employ port knocking for a few other things, if we keep the WG port
open, it will actually look closed, unless one actually has a legitimate
client and client config.

Is that understanding correct?

Real programmers don't comment...
What was hard to write should be hard to read.

More information about the WireGuard mailing list