diff --git a/pkgs/tools/security/fwknop/default.nix b/pkgs/tools/security/fwknop/default.nix
new file mode 100644
index 000000000000..325d220a5235
--- /dev/null
+++ b/pkgs/tools/security/fwknop/default.nix
@@ -0,0 +1,66 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, lib
+, libpcap, texinfo
+, iptables
+, gnupgSupport ? true, gnupg, gpgme # Increases dependencies!
+, wgetSupport ? true, wget
+, buildServer ? true
+, buildClient ? true }:
+
+stdenv.mkDerivation rec {
+  name = "${pname}-${version}";
+  pname = "fwknop";
+  version = "2.6.9";
+
+  src = fetchFromGitHub {
+    owner = "mrash";
+    repo = pname;
+    rev = version;
+    sha256 = "1509d1lzfmhavdwi65dwb0jaglpy8ciccgpcnhx9ks6s7irn923c";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ libpcap texinfo ]
+    ++ stdenv.lib.optional gnupgSupport [ gnupg gpgme ]
+    ++ stdenv.lib.optional wgetSupport [ wget ];
+
+  configureFlags = ''
+    --sysconfdir=/etc
+    --localstatedir=/run
+    --with-iptables=${iptables}/sbin/iptables
+    ${lib.optionalString (!buildServer) "--disable-server"}
+    ${lib.optionalString (!buildClient) "--disable-client"}
+    ${lib.optionalString gnupgSupport ''
+      --with-gpgme
+      --with-gpgme-prefix=${gpgme}
+      --with-gpg=${gnupg}
+    ''}
+    ${lib.optionalString wgetSupport ''
+      --with-wget=${wget}/bin/wget
+    ''}
+  '';
+
+  # Temporary hack to copy the example configuration files into the nix-store,
+  # this'll probably be helpful until there's a NixOS module for that (feel free
+  # to ping me (@primeos) if you want to help).
+  preInstall = ''
+    substituteInPlace Makefile --replace\
+      "sysconfdir = /etc"\
+      "sysconfdir = $out/etc"
+    substituteInPlace server/Makefile --replace\
+      "wknopddir = /etc/fwknop"\
+      "wknopddir = $out/etc/fwknop"
+  '';
+
+  meta = with stdenv.lib; {
+    description =
+      "Single Packet Authorization (and Port Knocking) server/client";
+    longDescription = ''
+      fwknop stands for the "FireWall KNock OPerator", and implements an
+      authorization scheme called Single Packet Authorization (SPA).
+    '';
+    homepage = "https://www.cipherdyne.org/fwknop/";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ee3ede2c8efb..640d4bfcf45c 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1867,6 +1867,8 @@ with pkgs;
 
   fuse-7z-ng = callPackage ../tools/filesystems/fuse-7z-ng { };
 
+  fwknop = callPackage ../tools/security/fwknop { };
+
   exfat = callPackage ../tools/filesystems/exfat { };
 
   dos2unix = callPackage ../tools/text/dos2unix { };