by slightwinder 239 days ago
Every door you close is one less someone can break.

Every complex service running is a door someone can potentially break. Even with the most secure and battle-tested service, you never know where someone fucked up and introduced an exploit or backdoor. It has happened too often not to be a concern. The XZ Utils backdoor, for example, was just last year.

> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

If there is no harm, who cares...


Just to be super clear: using this in place of something like WireGuard is absolutely not an improvement. It's actively worse in the majority of scenarios, assuming you can manage to secure your keys.

Just to clarify: it's actively worse in every scenario. It's engineering malpractice.

I somehow doubt that it is quite truly worse in every single scenario, and that there is not one single scenario in which port knocking may be better utilized than WireGuard.

I also find it hard to believe it is engineering malpractice to use one technology over another.

What happens if there is a vulnerability in WireGuard? Or if WireGuard traffic is not allowed in or out of a network due to a policy or security restriction?

Yes, of course, this should just be an optional gadget for a setup which is already as safe as possible for the situation. After all, once the port has been opened, your setup is also open to attacks. The knocker's purpose is to reduce the time frame in which your system is accessible to attackers.
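To make the "reduce the time frame" argument concrete, here is an added example (not code from the thread) of the state machine a knock daemon runs: a per-source knock sequence with a timeout between knocks and a fixed open window afterwards, evaluated over constructed sample events so the resulting exposure window can be measured. The knock ports, timeouts and addresses are assumed values chosen for illustration.

```python
# Added example: minimal port-knock state machine and exposure measurement.
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock sequence (constructed)
KNOCK_TIMEOUT = 5.0                  # max seconds between consecutive knocks
OPEN_WINDOW = 10.0                   # seconds the protected port stays open


@dataclass
class KnockState:
    progress: int = 0       # knocks of the sequence seen in order so far
    last_knock: float = 0.0 # timestamp of the last accepted knock


def process_events(events):
    """events: iterable of (timestamp, source_ip, dst_port) packet arrivals.
    Returns {source_ip: [(open_at, close_at), ...]} for completed sequences."""
    states, opened = {}, {}
    for ts, src, port in sorted(events):
        st = states.setdefault(src, KnockState())
        # A slow knocker loses their progress; the sequence must be replayed in time.
        if st.progress and ts - st.last_knock > KNOCK_TIMEOUT:
            st.progress = 0
        if port == KNOCK_SEQUENCE[st.progress]:
            st.progress += 1
            st.last_knock = ts
            if st.progress == len(KNOCK_SEQUENCE):
                # Full sequence: expose the port for a bounded window only.
                opened.setdefault(src, []).append((ts, ts + OPEN_WINDOW))
                st.progress = 0
        else:
            # Any out-of-order port restarts the sequence for this source.
            st.progress = 0
    return opened


def is_open(opened, src, ts):
    """True if the protected port is reachable from src at time ts."""
    return any(start <= ts <= end for start, end in opened.get(src, []))


def exposure_seconds(opened):
    """Total seconds the protected port was reachable, summed over all sources."""
    return sum(end - start for windows in opened.values() for start, end in windows)


# Constructed sample arrivals: one correct sequence, one too slow, one out of order.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7000), (1.0, "192.0.2.10", 8000), (2.0, "192.0.2.10", 9000),
    (0.0, "192.0.2.20", 7000), (9.0, "192.0.2.20", 8000), (10.0, "192.0.2.20", 9000),
    (0.0, "192.0.2.30", 7000), (0.5, "192.0.2.30", 9000), (1.0, "192.0.2.30", 8000),
]
```

Only the first source completes the sequence, so the port is reachable for a single 10-second window rather than permanently.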