I guess at least they're being honest, but I would agree - there's a large delta between Al-assistance and Al-driven, and "vibe coding" is one step further (just accepting everything Al does without critique, so long as it "works").

Great for prototyping, really bad for exposing anything of any value to the internet.

(Not Anti-Al, just pro-sensible)

I guess I have to implement the habit of checking such things, since I never assume such a possibility. I prefer this info to be at the top of the readme, though – much more information value than the logo that deceived me into thinking this is a mature project.

Regardless; what benefits this would have over Wireguard?

It’s getting scary how many security related apps are being vibe coded by people with very little security experience (not a knock heh on op, they could very well be experienced).

Suggesting people don't shoot themselves with a loaded gun is not being a hater, it's being a good person.

> If you're Anti-AI please don't use this.

I'm pro security. The gall to put something out there, pretend it being vibe coded is not a big deal and possibly exposing hundreds of people to security issues. Jesus.

It's open source. Audit it like you would any other service that exposed your homelab to the Internet. How do you know XYZ repo isn't coded for some bootcampers capstone project? I bet those are even less secure.

Edit: should have mentioned I am a bootcamp grad, not just throwing random shade.

I mean it's just using firewalld. You can't inspect the rules. For me it's simple enough that it shouldn't be a big security issue, but I understand and that's why I wrote that in the readme.

Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.

Knocking can cut down on grinding. I have in the past created setups where you had to knock prior to establishing a VPN connection, and given the semi-regular problems with VPN implementations I really don't feel bad about that. Fortigate, Sonicwall, Cisco, Ivanti, etc - sure a big part of it is "don't run VPNs based on big legacy codebases" but who's to say there won't be implementation problems found (or introduced given "Jia Tan" style attacks) in Wireguard?

Is knocking incredibly weak security through obscurity? Sure, but part of what it does is cut down on log volume.

Every door you close, is one less someone can break.

Every complex services running, is a door someone can potentially break. Even with the most secure and battle tested service, you never know where someone fucked up and introduced an exploit or backdoor. Happened too often to be not a concern. XZ Utils backdoor for example was just last year.

> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

If there is no harm, who cares...

I use tailscale for this. But I can't have two vps running at the same time on android, nor do I want to install tailscale on every device I own. I created knocker exactly for this reason.

Do you have a guide to using wireguard in this way?

I mostly agree.. there’s a couple of very specific scenarios where maybe something like knockd makes sense I think but they are all scenarios where you’re doing things covertly, not as a general authentication mechanism.

As a side note I just happen to be reading a book at the moment that contains a fairly detailed walkthrough of the procedure required to access the Russian SVRs headquarters in New York in 1995.

Think of this as an analogue version and in no way a perfect analogy but it does include a step that has more or less the same security properties as this… anyways here’s a relevant quote:

“After an SVR officer passed through various checkpoints in the mission’s lower floors, he would take an elevator or stairs to an eighth-floor lobby that had two steel doors. Neither had any identifying signs.

One was used by the SVR, the other by the GRU. The SVR’s door had a brass plate and knob, but there was no keyhole. To open the door, the head of the screw in the lower right corner of the brass plate had to be touched with a metal object, such as a wedding ring or a coin.

The metal would connect the screw to the brass plate, completing an electrical circuit that would snap open the door’s bolt lock and sometimes shock the person holding the coin.The door opened into a small cloakroom. No jackets or suit coats were allowed inside the rezidentura because they could be used to conceal documents and hide miniature cameras.

SVR officers left their coats, cell phones, portable computers, and all other electronic devices in lockers. A camera videotaped everyone who entered the cloakroom. It was added after several officers discovered someone had stolen money from wallets left in jackets. Another solid steel door with a numeric lock that required a four-digit code to open led from the cloakroom into the rezidentura.

A male secretary sat near the door and kept track of who entered, exited, and at what times. A hallway to the left led to the main corridor, which was ninety feet long and had offices along either side. ”

Excerpt from Comrade J by Pete Earley

As another funny side note… I once discovered years ago that the North Koreans had a facility like this that they used to run a bunch of financing intelligence operations using drugs in Singapore where I was at the time and thought it would be funny to go and visit. It was in a business complex rather than a dedicated diplomatic facility from memory. But as I recall it was a similar scenario of unmarked door with no keyhole.

I view port knocking as just a very, very poor form of an unencrypted PSK (replayable) authentication step.

Just skip the plaintext password (the sequence of ports transmitted) and use certificate based auth, as you note below.

It could be fun extra layer. Like of course you should always use VPN, but maybe a magic packet so your VPN server even opens a port could be fun.

It shouldn't be your only layer of security, and then it's not important. Think of it as replacing explicit IP black/whitelisting - you still want a login wall or something, but now you restrict access to guess logins or otherwise obtain access through app vulnerabilities etc.

It's a compromise.It's not as secure as using a VPN, but it's way more convenient, since only one device has to have a knocker client on it without needing any sort of VPN.

The likelihood of someone is on the same network as you noticing your servic, try to hack it, before the TTL expires again is IMO quite low.

This is without taking into account that the services themselves have their own security and login processes, getting a port open doesn't mean the service is hacked.

It’s the third option: Port knocking is stupid.

<https://news.ycombinator.com/item?id=39898061>

> How do you avoid this

IPv6 of course.

> or is it just not important

Port knocking not a security feature anyway.

Tailscale is not as easy as this. It has to be installed on every device or at the router level.

And it will not work on mobile if you already use another VPN.

If you're getting people to rely on external dependency services, e.g. Cloudflare or Tailscale, then you're a part of the problem, not the solution!

https://www.youtube.com/watch?v=zE5PGeh2K9k&list=PL6AGg52_Gz...

That's what I thought was well, like a Morse code detector tied to the lock on the door or something lol

Sorry if i wasn't clear. It isn't more secure, it's just more convenient because it works in every network, without needing to set up a VPN connection on each device.

I created this because I always have a VPN on my devices, and I can't have tailscale running with that, in addition to tailscale killing my battery life on android.

> Why not just run a reverse proxy in front of (whatever service you're trying to protect) and use the API keys there?

Because it breaks the clients of most homelab services.

That's what authelia does.

The TTL is for the whitelist. The whitelist rules aren't permanent.

> IP based exclusion should not be considered a security measure

Apologies in advance if I'm missing something obvious here, but are you saying an IP allow list is not a standard security practice? If so I'd appreciate further explanation.

I use this thing called sshd that listens on only a single port and its main advantage is that it uses actual cryptography to authenticate using a client keypair.

There's nothing "hacky" about port knocking. It was never meant to be a complete security solution—nothing is.

But it works very well as an additional layer of security. Sec nerds often scoff at "security through obscurity", but it is a very valid strategy. Running sshd on a random high port is not inherently more secure, but it avoids the vast majority of dumb scanners that spam port 22, which is why all my systems do that. Camouflage is underrated, yet wildly effective. You can see how well it works in nature.

In any case, this is not a port knocking solution anyway, as I mentioned in another comment.

>Cut-and-a-hair-shave knock

TIL that that has a name.[1] All I ever knew it as was "the knock from Roger Rabbit".

[1]https://en.wikipedia.org/wiki/Shave_and_a_Haircut

I was thinking exactly the same thing. Or maybe a knock on the door before you enter to set stuff in your room to a certain state.

Yeah the urge to post a "What Knockers!" Gene Wilder gif is strong. Good thing HN doesn't allow that.

More adoption and proliferation of vibe coded apps like yours and the OPs is going to end up being a major disaster. I find it strange for you to say you “released” this when, in the modern era, what you linked is the equivalent of a pastebin bash script.

In your case, it looks like ChatGPT has barfed more lines of readme than lines of code!

If you're running a homelab, the likelihood that you're interested in removing cloud-dependencies from your stack is above average. If that's the case, Tailscale is out.

Tailscale is just an added unnecessary external dependency layer (& security attack surface) on top of vanilla Wireguard. And in 2025 it's easier to run vanilla Wireguard than it's ever been.