Knocker, a knock based access control system for your homelab

AI-generated “vibe coded” security software

  • Many are uneasy about using an LLM‑generated project as an internet-facing security boundary, especially for homelabs.
  • Several argue the “vibe coded” disclaimer should be at the top of the README and that GitHub should have an “LLM”/AI language tag.
  • Others question why AI authorship is singled out when the competence of an unknown human author is just as unverified, warning that shaming such disclosures will discourage honesty.
  • Critics say LLM code tends to be tangled, overgrown, and often beyond the author’s ability to fully review, making it riskier for security use.

Port knocking and security-through-obscurity

  • A large contingent calls port knocking “stupid” or “hacky,” seeing it as security theater better replaced by WireGuard or equivalent.
  • Others defend it as an extra filter: it reduces log noise, blocks scanners, and adds camouflage, but is not a primary security control.
  • Some stress that in modern CGNAT/public Wi‑Fi scenarios, IP-based knocking/whitelisting provides little real security.

VPNs, WireGuard, and Tailscale vs Knocker

  • Many recommend WireGuard (or Tailscale/Headscale) as the proper way to gate homelabs, with WireGuard’s “silent until authenticated” behavior seen as strictly superior to knocking.
  • Tailscale draws mixed views: praised for easy NAT traversal and UX, criticized as an unnecessary cloud dependency for self‑hosters.
  • Knocker’s author positions it as more convenient when installing a VPN client everywhere (or on mobile alongside another VPN) is impractical.

Project design and threat model concerns

  • README wording about “minimizing attack surface” is seen as potentially misleading; commenters urge an explicit clarification that it is less secure than a VPN, just more convenient.
  • Several note this is essentially token-based auth driving temporary firewall rules, not classic multi-port “knocking.”
  • TTL confusion: it was clarified that the TTL governs how long an IP stays whitelisted after a successful knock, not the lifetime of the key.
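To make the two lifetimes in the last two bullets concrete, here is an added Python model of token-gated, time-limited source-IP allowlisting; it is not Knocker's code, and the class names, token value, and the manual clock are assumptions for the illustration.

```python
import hmac


class Clock:
    """Manual clock so the example runs deterministically offline."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class KnockGate:
    """Model of a single-token 'knock' that allowlists the knocker's source IP.

    Two separate lifetimes, as the thread clarified:
      * key_lifetime_s: how long the shared token stays valid for new knocks
      * whitelist_ttl_s: how long an IP stays allowlisted after a good knock
    """
    def __init__(self, token, key_lifetime_s, whitelist_ttl_s, clock):
        self.token = token
        self.clock = clock
        self.key_expires_at = clock() + key_lifetime_s
        self.ttl = whitelist_ttl_s
        self.allowed = {}  # source IP -> allowlist expiry timestamp

    def knock(self, src_ip, presented):
        """Return True and (re)allowlist src_ip if the token is valid now."""
        now = self.clock()
        if now >= self.key_expires_at:
            return False  # expired key: no new grants; old grants still age out
        if not hmac.compare_digest(presented.encode(), self.token.encode()):
            return False  # constant-time compare of the presented token
        self.allowed[src_ip] = now + self.ttl  # a real system adds a firewall rule
        return True

    def is_allowed(self, src_ip):
        """Firewall-side check; the grant covers every host behind that source IP."""
        expiry = self.allowed.get(src_ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.allowed[src_ip]  # TTL elapsed: the rule would be removed here
            return False
        return True
```

The is_allowed check keys on the source address alone, which is the CGNAT/shared Wi-Fi weakness raised earlier in the thread: every host that egresses from the same IP inherits the grant until the TTL expires.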

Broader tooling and layering debates

  • Long subthreads argue over fail2ban and port knocking as “cargo-cult” vs useful layers that reduce noise and slow commodity attacks.
  • Some insist all external-facing services should be reachable only via a secure VPN; others accept multiple layers (VPN, SSH, fail2ban, knocking) depending on risk and convenience.

Name expectations / playful ideas

  • Several expected a physical knock-based system (desk/door knock patterns, audio sensors) and muse about building that instead.