64b2b6d12b / otpknock

RFC 6238 TOTP + knockd = awesome!


Dependencies:

Time:

Both the server (the machine running the knockd daemon) and the client need to be synced with a reliable NTP server in order for TOTP to generate the correct tokens.

Usage:

The script assumes you have already generated a hex secret and stored it in a file called secret in your home directory. If you do not yet have this file, generate it with openssl rand -hex 8 > secret. The file should be read-only (or read/write), e.g. chmod 0400 secret. Have the script run every minute by adding the line * * * * * /root/otpknock.sh to your crontab file.

On the client side, simply run chmod +x otpknock-client.sh and ./otpknock-client.sh after modifying the IP/FQDN in the script.
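The sketch below is an added example, not code from otpknock: it computes an RFC 6238 token from a hex secret and shows why the clock sync described under Time matters, since two clocks only seconds apart can land in different time steps and derive different knocks. The 30-second step, 6-digit token, the knock_ports mapping and its port base are assumptions made for illustration; the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 test key ("12345678901234567890" as hex); never use it for real knocking.
RFC_TEST_SECRET = "3132333435363738393031323334353637383930"


def totp(secret_hex, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for a hex-encoded shared secret."""
    key = bytes.fromhex(secret_hex.strip())  # strip the newline left by `openssl rand -hex`
    counter = struct.pack(">Q", int(unix_time) // step)  # 8-byte big-endian time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def knock_ports(token, base=20000):
    """Hypothetical token-to-ports mapping (an assumption, not otpknock's own):
    each 2-digit chunk of a 6-digit token selects one port in its own 1000-port band."""
    chunks = [token[i:i + 2] for i in range(0, 6, 2)]
    return [base + 1000 * n + int(chunk) for n, chunk in enumerate(chunks)]


def sequences_agree(secret_hex, server_time, client_time):
    """True when both clocks fall in the same time step, so both sides derive the same knock."""
    return knock_ports(totp(secret_hex, server_time)) == knock_ports(totp(secret_hex, client_time))


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59, digits=8))       # RFC 6238 Appendix B vector
    print(knock_ports(totp(RFC_TEST_SECRET, 59)))    # ports derived from the 6-digit token
    print(sequences_agree(RFC_TEST_SECRET, 31, 59))  # 28 s apart, same 30 s step
    print(sequences_agree(RFC_TEST_SECRET, 59, 61))  # 2 s apart, across a step boundary
```

Note that RFC 4226, on which TOTP builds, requires a shared secret of at least 128 bits, which corresponds to openssl rand -hex 16 or longer.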


Credit:

Thanks to the /r/bash community for helping bring this script to life :)


License: GNU General Public License v3.0


Languages

Language: Shell 100.0%