I recently got around to trying out fwknop and I must say it's really sweet!
One question popped up though:
I can't figure out what one would gain in security against a MITM attack by using the resolving of one's public IP, if one is located behind a NAT'ing router. Somewhere in the documentation, there was a note about an attacker being on the same private net, but what kind of configuration would protect against that (except the obvious one of using encrypted communication as usual)?
As I am testing now, with two servers behind the same NAT firewall, one of them sends the SPA packet and both of them can connect with OpenVPN to the receiving OpenVPN server. Now this is OK because I want them to be able to connect, but as I see it, it defeats the whole purpose of fwknop, as I can't trust the NAT'ed net.
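A small model of the behaviour observed in the post, added here as an illustration and not part of the original message or of fwknop's code: a temporary accept rule keyed on the source address the server sees cannot tell apart hosts that share one NAT address. The addresses, the 30-second timeout and the class names are assumptions made for the example.

```python
"""Model of an SPA-opened firewall rule seen through source NAT (illustrative only)."""
from dataclasses import dataclass, field

NAT_PUBLIC_IP = "203.0.113.10"   # constructed: public address of the NAT router
OPENVPN_PORT = 1194
RULE_TIMEOUT = 30                # assumed seconds an SPA-opened rule stays active


@dataclass
class Nat:
    public_ip: str

    def translate(self, private_ip: str) -> str:
        # Source NAT: every inside host leaves with the router's public address.
        return self.public_ip


@dataclass
class SpaFirewall:
    # (source IP, destination port) -> expiry time of the temporary accept rule
    rules: dict = field(default_factory=dict)

    def on_valid_spa(self, src_ip, port, now):
        # The rule is keyed on the address the server sees, i.e. after NAT.
        self.rules[(src_ip, port)] = now + RULE_TIMEOUT

    def allows(self, src_ip, port, now):
        expiry = self.rules.get((src_ip, port))
        return expiry is not None and now < expiry


def simulate():
    nat, fw = Nat(NAT_PUBLIC_IP), SpaFirewall()
    host_a, host_b = "192.168.1.20", "192.168.1.21"   # constructed private hosts
    outside = "198.51.100.7"                           # constructed unrelated host
    results = {"before_spa": fw.allows(nat.translate(host_a), OPENVPN_PORT, 0)}
    fw.on_valid_spa(nat.translate(host_a), OPENVPN_PORT, now=0)  # only host A knocks
    results["host_a"] = fw.allows(nat.translate(host_a), OPENVPN_PORT, 5)
    results["host_b"] = fw.allows(nat.translate(host_b), OPENVPN_PORT, 5)
    results["outside"] = fw.allows(outside, OPENVPN_PORT, 5)
    results["host_b_after_timeout"] = fw.allows(
        nat.translate(host_b), OPENVPN_PORT, RULE_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name:22} {'ACCEPT' if allowed else 'DROP'}")
```

In this model the packet filter still drops everything from outside the NAT and closes again after the timeout; inside that window, telling the two NAT'ed hosts apart is left to the service's own authentication.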