OpenVPN attempts from unknown source

Hi, not sure if this is the correct place to put the question.
But the thing is, today I can see from the log on my router that there is two attempts to connect to my openvpnserver on the router.
Something I should care about?
I've followed a guide for setting up the openvpn server, so I believe it's safe enough.
If needed I could paste the openvpn server config..

Thanks

attemps:
Thu Oct 17 06:07:09 2019 daemon.err openvpn(vpnserver)[5024]: TLS Error: tls-crypt unwrapping failed from [AF_INET]146.88.240.4:53365

Thu Oct 17 09:54:09 2019 daemon.err openvpn(vpnserver)[5024]: TLS Error: tls-crypt unwrapping failed from [AF_INET]122.228.19.80:8832

There is not a whole lot you can do here, as soon as you open ports to the open internet, there will be nefarious parties from around the world, around the clock trying to exploit them. The most important part is to make sure sure that your setup is secure, other than that there is not much you can do…

  • Yes, you can restrict access (firewalling) to IP ranges you're commonly using yourself, but this has a high potential to lock yourself out.
  • Yes, you can auto-ban failed attempts, again with some potential of locking yourself out and not really that effective against botnets trying to brute force you from hundreds/ thousands/ tens of thousands different botnet zombies.
  • Yes, you can switch to non-standard ports, which will reduce the number of attempts somewhat, but the really dangerous attackers won't be deterred or fooled by that.
  • Yes, you can turn a blind eye and just reduce OpenVPN's verbosity levels.

Some of these might help to a certain extent, neither really is a solution by itself.

4 Likes

Make sure that your ciphers, key-exchange, and certificates are as secure as you can. Many guides are either outdated (suggesting now-inappropriate cipher/key-exchange) or aimed at ease of configuration, at the expense of security.

Past that, a more-sophisticated logger than default (syslog-ng or rsyslogd, for example), can manage your logs. With only one every four hours, that's "nothing". (I sometimes get hundreds in a ten-minute period.)

1 Like

Bit extra can be bought with fwknop, if you want to take it that far.

Port knocking doesn't add any security by itself, it merely adds another level of obscurity - yes, this can slow down a potential attacker, but it's not an effective means of security (and adds another service that could be exploited). Security should come from the cryptography, from using strong certificates and ciphers - port-knocking is just a smoke screen (which might blow up in your face, if handled wrongly) on top, in an age of radar, GPS and 24/7 satellite observation with a resolution of <10cm per pixel.

I did not say it added any level of security, it simple obscures ones open ports, probably leading to less of the above log entries, Personally I would not be worried about such logging if I had confidence in my configuration of all open services.

2 Likes

Same here! I open OpenVPN and after day i have many logging attempts.

IF i can compare it with WireGuard this is what i like:
https://www.wireguard.com/protocol/#dos-mitigation

We require authentication in the first handshake message sent because it does not require allocating any state on the server for potentially unauthentic messages. In fact, the server does not even respond at all to an unauthorized client; it is silent and invisible. The handshake avoids a denial of service vulnerability created by allowing any state to be created in response to packets that have not yet been authenticated.

So in short - OpenVPN respond and complaint in log that there is connection from that IPs.
On same issue "port knocking" WireGuard will remain silent to other side.

Thanks for your replies. I will monitor and see how bad it is before I do any of your suggestions :slight_smile:

I followed the openwrt openvpn basic installation guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

Thanks again

1 Like

This is normal and you have no need to do anything with trivial port scans or failed authentication attempts unless it affects performance or results in DoS.

The OpenVPN basic how-to assumes that you have an up-to-date OpenWrt release/snapshot which is considered secure enough to use with default settings.

1 Like

Ok, I'm making sure to update with davidc502 newest software every month so guess I'm ok :slight_smile: