Failed to send centos packets on the MAC. Procedure #341

Open
Ran-Xing opened this issue Jan 6, 2022 · 10 comments
Comments

Ran-Xing commented Jan 6, 2022

Client : Darwin xrsec.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

Server : Linux VM-4-6-centos 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

macOS error:

```bash
# macos
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```

(image attached)

Ubuntu success:

```bash
# ubuntu
IP=""
KEY1="0sZirx/3/68oIAmyT4OubNm2r="
KEY2="Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoMg=="
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# centos
tcpdump udp port 25005
```

(image attached)

Ran-Xing commented Jan 8, 2022

```
fwknop --destination $IP --access tcp/25002,udp/25002 --server-port 25005 --key-base64-rijndael $KEY1 --key-base64-hmac $KEY2 --source-ip --verbose
[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks
SPA Field Values:
=================
   Random Value: 1116472761702543
       Username: xr
      Timestamp: 1641613567
    FKO Version: 3.0.0
   Message Type: 1 (Access msg)
 Message String: 0.0.0.0,tcp/25002,udp/25002
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: xxxxxxxx
SPA Data Digest: xxxxxxxx
           HMAC: xxxxxxxx
 Final SPA Data: xxxxxxxx

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 25005
             IP/host: $IP
send_spa_packet: bytes sent: 225
```

basbebe commented Apr 26, 2022

+1

macOS 12.3.1 does not send UDP packets out for me.
If I choose `-P tcpraw` or `-P icmp` (with sudo), packets get sent out.
No error message from fwknop, tcpdump shows no packet.

fwknop client 2.6.10, FKO protocol version 3.0.0

Ran-Xing commented

@basbebe If yes, check if firewall software is installed
You can use tcpdump to check the packet sending status

I uninstalled Little Snitch and it works fine, including the newer M1

basbebe commented Apr 26, 2022

@XRSec `sudo nmap -sU -p 62201 [IP]` shows up on the server.

Even after disabling little snitch and the macOS firewall, no udp packet gets sent by fwknop

Using tcpdump on the client and the server.

Ran-Xing commented

@basbebe If you install this software, there will be this problem, but it is useless to disable it. You need to uninstall it completely. Please download the installation package and choose to uninstall the kernel module during the installation process.

basbebe commented Apr 29, 2022

@XRSec Thanks for pointing this out, I will give it a try.

Though I don't want to do without little snitch so I might have to forego fwknop for now if there is no way to have them coexist…


Ran-Xing commented Aug 3, 2022

hi, is there any new tool to replace this tool?

jp-bennett (Collaborator) commented

> hi, is there any new tool to replace this tool?

Honestly, Wireguard in UDP mode with a preshared key essentially provides the same protections.


Ran-Xing commented Aug 3, 2022

@jp-bennett tks

Ran-Xing commented

Everyone, this message is the latest:

Hello, 

I have talked again to our developers about this and we did some testing. 

We assume that you're trying to use a port range of like 25000 here. We only prevent DPI for ports above 49152; the default is above 60000. When we do DPI we change the timing and thus prevent fwknop from working. Rules don't help because we don't have a name. On Ventura, once Apple reliably comes up with a name, that shouldn't be a problem.


Kind regards from Vienna,

Benjamin Gangl
-- 
Objective Development Software GmbH
[https://obdev.at](https://www.obdev.at/)


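As an added diagnostic (not part of this issue or of fwknop), the following Python script parses the client's `--verbose` output posted earlier in the thread and flags the two conditions the discussion turns on: an allow IP of `0.0.0.0` (the MITM warning, fixed with `-a`/`-R`) and a UDP destination port below 49152, which the Little Snitch reply says is subject to its DPI. The sample output is constructed from the posted values, and the 49152 threshold is assumed to be as quoted in that reply.

```python
import re

# Constructed sample of `fwknop --verbose` client output, abbreviated from
# the values posted in this issue (not captured from a live run).
SAMPLE_VERBOSE = """\
[-] WARNING: Should use -a or -R to harden SPA against potential MITM attacks
SPA Field Values:
=================
   Random Value: 1116472761702543
      Timestamp: 1641613567
   Message Type: 1 (Access msg)
 Message String: 0.0.0.0,tcp/25002,udp/25002
Encryption Type: 1 (Rijndael)

Generating SPA packet:
            protocol: udp
    destination port: 25005
             IP/host: $IP
send_spa_packet: bytes sent: 225
"""

# Threshold quoted by Little Snitch support in this thread: ports below
# 49152 are subject to its deep packet inspection (assumed unchanged).
DPI_FLOOR = 49152


def parse_verbose(text):
    """Return {field name: value} for every 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_/ ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_spa(fields):
    """List the conditions from this thread that make the SPA fragile."""
    findings = []
    allow_ip = fields.get("Message String", "").split(",")[0]
    if allow_ip == "0.0.0.0":
        findings.append("allow IP is 0.0.0.0: fwknopd will trust the packet's "
                        "source address; pass -a <ip> or -R instead")
    port = int(fields.get("destination port", "0") or 0)
    if fields.get("protocol") == "udp" and 0 < port < DPI_FLOOR:
        findings.append(f"UDP SPA to port {port} (< {DPI_FLOOR}) falls inside "
                        "Little Snitch's DPI range, which breaks fwknop timing")
    return findings
```

Run `check_spa(parse_verbose(SAMPLE_VERBOSE))` to see both findings for the posted configuration; a server port above 49152 combined with `-a` clears both.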