A layer 4 Single Packet Authentication (SPA) server, used to conceal TCP/UDP ports on public-facing machines and add an extra layer of security.

- `netguard-server`: SPA service program responsible for authenticating knock packets and connection tracking.
- `netguard-tool`: generates signing certificates, and generates and sends knock packets.

```
.
├── Makefile        # convenient compilation
├── crypto          # encryption and decryption crate
│   ├── Cargo.toml
│   └── src
├── server          # netguard-server implementation
│   ├── Cargo.toml
│   ├── config      # config file used for running netguard-server
│   └── src
└── tool            # netguard-tool implementation
    ├── Cargo.toml
    └── src
```
Run `netguard-server` on the server side to hide TCP port 10022:

```
$ netguard-server -c ./netguard.toml
```

On the client side, use `netguard-tool` to send TCP port knock packets. The following command sends a knock packet to unlock TCP port 10022:

```
$ sudo ./netguard-tool auth --server 45.76.195.141 --protocol=tcp --unlock 10022 --key=./rsa_key
```

To unlock a UDP port, use `--protocol=udp` instead.

*(Figure: two devices, one listening on port 10022 and then taken over by netguard-server.)*
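What `netguard-server` has to do with a knock (verify the signature, then track which source may connect to which port) can be illustrated with a small model. The Go program below is an added example and not netguard's own code or wire format: the packet layout, the 30-second freshness window and grant lifetime, the 2048-bit key size and the source address `203.0.113.7` are assumptions constructed for the example. The client signs a knock with its RSA private key; the server verifies it with the matching public key, rejects stale and replayed knocks, and only then records a time-limited grant for that source address, protocol and port:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Body layout, constructed for this example (not netguard's wire format): proto(1) | port(2, BE) | unix seconds(8, BE) | nonce(16); the RSA signature follows.
const knockBodyLen = 1 + 2 + 8 + 16
const window, grantTTL = 30 * time.Second, 30 * time.Second // assumed clock skew / open time
var ErrMalformed = errors.New("knock: malformed packet")
var ErrStale = errors.New("knock: timestamp outside freshness window")
var ErrBadSignature = errors.New("knock: signature verification failed")
var ErrReplay = errors.New("knock: nonce already seen")

// SignKnock is the client side: body || RSA PKCS#1 v1.5 signature over SHA-256(body).
func SignKnock(priv *rsa.PrivateKey, proto uint8, port uint16, unix int64, nonce [16]byte) ([]byte, error) {
	body := make([]byte, knockBodyLen)
	body[0] = proto
	binary.BigEndian.PutUint16(body[1:3], port)
	binary.BigEndian.PutUint64(body[3:11], uint64(unix))
	copy(body[11:], nonce[:])
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

type grant struct{ src string; proto uint8; port uint16 }

// Server holds the client's public key, a nonce replay cache and the open-port grants.
type Server struct {
	pub    *rsa.PublicKey
	seen   map[[16]byte]time.Time // nonce -> time after which it may be forgotten
	grants map[grant]time.Time    // (src, proto, port) -> expiry
}

func NewServer(pub *rsa.PublicKey) *Server {
	return &Server{pub: pub, seen: map[[16]byte]time.Time{}, grants: map[grant]time.Time{}}
}

// HandleKnock validates one packet from src; now is a parameter so tests are deterministic.
// The cheap timestamp check runs first, but nothing is recorded until the signature verifies.
func (s *Server) HandleKnock(src string, pkt []byte, now time.Time) error {
	if len(pkt) <= knockBodyLen {
		return ErrMalformed
	}
	body, sig := pkt[:knockBodyLen], pkt[knockBodyLen:]
	proto, port := body[0], binary.BigEndian.Uint16(body[1:3])
	sent := time.Unix(int64(binary.BigEndian.Uint64(body[3:11])), 0)
	var nonce [16]byte
	copy(nonce[:], body[11:])
	if skew := now.Sub(sent); skew > window || skew < -window {
		return ErrStale
	}
	digest := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, digest[:], sig) != nil {
		return ErrBadSignature
	}
	for n, forget := range s.seen { // evict nonces whose timestamp could no longer pass
		if now.After(forget) {
			delete(s.seen, n)
		}
	}
	if _, dup := s.seen[nonce]; dup {
		return ErrReplay
	}
	s.seen[nonce] = now.Add(2 * window)
	s.grants[grant{src, proto, port}] = now.Add(grantTTL)
	return nil
}

// Allowed is what the packet filter consults: does src hold an unexpired grant for proto/port?
func (s *Server) Allowed(src string, proto uint8, port uint16, now time.Time) bool {
	exp, ok := s.grants[grant{src, proto, port}]
	if ok && now.After(exp) {
		delete(s.grants, grant{src, proto, port})
		return false
	}
	return ok
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits keeps the demo fast
	srv, now := NewServer(&priv.PublicKey), time.Now()
	var nonce [16]byte
	rand.Read(nonce[:])
	pkt, _ := SignKnock(priv, 6, 10022, now.Unix(), nonce)
	fmt.Println("first knock:", srv.HandleKnock("203.0.113.7", pkt, now), "replay:", srv.HandleKnock("203.0.113.7", pkt, now))
	fmt.Println("10022/tcp open for sender:", srv.Allowed("203.0.113.7", 6, 10022, now))
}
```

The order of checks is the point worth copying: a knock that fails the cheap timestamp test never reaches the RSA verification, and the replay cache and grant table are written only after the signature has verified, so a sender without the private key can neither fill them nor open a port. Because the server holds only the public key, a compromise of the server's configuration does not yield the ability to forge knocks.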
Generate an RSA key pair with the default options:

```
$ netguard-tool keygen
```

The default options are equivalent to `netguard-tool keygen -a rsa -b 4096 -o .netguard/rsa`. For more parameter help:

```
$ netguard-tool keygen --help
```
Reload the `netguard-server` config file:

```
$ pkill -HUP netguard-server
```
Build the release version:

```
$ make release
```

or

```
$ cargo build --release
```
`netguard-server` relies on the nfqueue function provided by iptables, so make sure that iptables is started before starting `netguard-server`.
TODO:

- Add interfaces to query and reject connections
- More certificate signing algorithms
- Hot update of the binary executable
- Audit log
- Knock SDK APIs