Since I try to make any network I set up as invisible as possible from the outside world, I thought about how to stop people from even trying to log in to my VPN.
For instance, when you set up an L2TP/IPsec VPN, the default ports are UDP 500 and 4500. Anyone can try to log in, and even if they fail they now know there is an active internet connection and probably a VPN server behind it. I don't want that!
So why not close these ports for everybody except the people on an allowed list? That becomes a problem when using the VPN from a phone with a changing address, so I had to come up with a way to add an unknown but allowed IP address to my list on the fly.
So I made a "knock on the door" rule. It works like this: when you connect to the public IP on a specific port, e.g. 12345, your IP is added to an address list for 10 seconds. If you connect again on port 54321 within those 10 seconds, and your IP is still on the first list, you are added to the allowed list for 24 hours. Only addresses on the second list may reach ports 500 and 4500; everyone else is dropped.
/ip firewall filter
# Rules are evaluated top to bottom: keep these above any general input drop/accept rule.
# Stage 1: a TCP connection to port 12345 puts the source on a short-lived list.
add action=add-src-to-address-list address-list="knocking_stage_1" \
    address-list-timeout=10s chain=input dst-port=12345 protocol=tcp \
    comment="knock stage 1"
# Stage 2: port 54321 within 10s, from an address still on stage 1, grants 24h access.
add action=add-src-to-address-list address-list="ALLOWED_4_VPN" address-list-timeout=1d \
    chain=input dst-port=54321 protocol=tcp src-address-list="knocking_stage_1" \
    comment="knock stage 2"
# Drop IKE/NAT-T from everyone who is not on the allowed list.
add action=drop chain=input dst-port=500,4500 protocol=udp src-address-list=!ALLOWED_4_VPN \
    comment="drop VPN ports unless knocked"
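The three rules above as a small Python model, added here as an example (it is not RouterOS code): it reproduces the two knock stages with their 10 s and 24 h timeouts so you can check which packets reach the VPN ports. The source addresses and timestamps in the scenarios are constructed.

```python
"""Model of the two-stage port-knock filter: address lists with expiry,
evaluated one packet at a time in rule order (constructed example)."""
from dataclasses import dataclass, field

KNOCK_1, KNOCK_2 = 12345, 54321          # knock ports from the rules
VPN_PORTS = {500, 4500}                  # IKE and NAT-T, the protected ports
STAGE1_TTL, ALLOW_TTL = 10, 24 * 3600    # address-list timeouts, in seconds


@dataclass
class KnockFirewall:
    stage1: dict = field(default_factory=dict)   # src -> expiry time
    allowed: dict = field(default_factory=dict)  # src -> expiry time

    def _live(self, lst, src, now):
        """True if src is on the list and its entry has not expired."""
        exp = lst.get(src)
        return exp is not None and now < exp

    def packet(self, src, proto, dport, now):
        """Outcome of one input-chain packet: which rule matched, if any."""
        if proto == "tcp" and dport == KNOCK_1:            # rule 1
            self.stage1[src] = now + STAGE1_TTL
            return "stage1"
        if (proto == "tcp" and dport == KNOCK_2
                and self._live(self.stage1, src, now)):    # rule 2
            self.allowed[src] = now + ALLOW_TTL
            return "allowed"
        if proto == "udp" and dport in VPN_PORTS:          # rule 3
            return "pass" if self._live(self.allowed, src, now) else "drop"
        return "other"   # no knock rule matched; later rules decide


def run(events):
    """Feed (src, proto, dport, time) tuples to a fresh firewall, return outcomes."""
    fw = KnockFirewall()
    return [fw.packet(*e) for e in events]


if __name__ == "__main__":
    good = [("203.0.113.5", "tcp", 12345, 0), ("203.0.113.5", "tcp", 54321, 5),
            ("203.0.113.5", "udp", 500, 6), ("203.0.113.5", "udp", 4500, 6 + ALLOW_TTL)]
    print(run(good))   # second knock in time, VPN passes, access expires after 24h
```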
You can knock on your virtual door in several ways. You can use nmap, but since the rules match TCP, any browser will do: open “https://router_ip_address:port_number/”. The connection attempt alone triggers the rule; the error page the browser shows afterwards does not matter.
If you want, you can add a Layer 7 matcher to the knock rule so the packet must also contain some text, a sort of password. On a Mac or Linux system you can send such a knock from bash with the following command (note that this one sends UDP, so the matching knock rule must use protocol=udp instead of tcp):
$ echo -n "SOME_TEXT_FOR_LAYER_7" > /dev/udp/YOUR_VPN_IP/YOUR_PORT_NUMBER