by sneak 237 days ago
I view port knocking as just a very, very poor form of an unencrypted PSK (replayable) authentication step.

Just skip the plaintext password (the sequence of ports transmitted) and use certificate-based auth, as you note below.

1 comment

It's part of a long line of cargo-culted security things people do because it makes them feel on-the-ball; they're all anti-tiger rocks. Even before WireGuard, port knocking never made sense, and for most of its history it was actively harmful.