[ASUS RT-AC66U] Suspicious OpenVPN activity in System Log

deckard

New Around Here
I have an ASUS RT-AC66U running stock firmware v3.0.0.4.382_50470.
I recently set up the integrated OpenVPN server on the router and it's been working well.
I mainly use it to connect to a PC on my LAN via Remote Desktop while at work.
I have configured it using the strictest security possible that the version of OpenVPN server in this router allows.

Today, I went to check the System Log while troubleshooting some WAN connectivity issues and noticed the following:

Nov 17 14:54:43 vpnserver1[15415]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Apr 27 2018
Nov 17 14:54:43 vpnserver1[15415]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 17 14:54:43 vpnserver1[15415]: Diffie-Hellman initialized with 2048 bit key
Nov 17 14:54:43 vpnserver1[15415]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Nov 17 14:54:43 vpnserver1[15415]: TUN/TAP device tun21 opened
Nov 17 14:54:43 vpnserver1[15415]: TUN/TAP TX queue length set to 100
Nov 17 14:54:43 vpnserver1[15415]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 17 14:54:43 vpnserver1[15415]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Nov 17 14:54:43 vpnserver1[15415]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Nov 17 14:54:43 miniupnpd[15416]: version 1.9 started
Nov 17 14:54:43 miniupnpd[15416]: HTTP listening on port 57547
Nov 17 14:54:43 miniupnpd[15416]: Listening for NAT-PMP/PCP traffic on port 5351
Nov 17 14:54:43 vpnserver1[15421]: UDPv4 link local (bound): [undef]
Nov 17 14:54:43 vpnserver1[15421]: UDPv4 link remote: [undef]
Nov 17 14:54:43 vpnserver1[15421]: MULTI: multi_init called, r=256 v=256
Nov 17 14:54:43 vpnserver1[15421]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Nov 17 14:54:43 vpnserver1[15421]: Initialization Sequence Completed

I have not used the VPN connection at all today and because of my inexperience with VPN and slightly paranoid eyes, this looks like a VPN connection attempt.

Can someone explain what I am looking at?

Thanks in advance!
 
I have not used the VPN connection at all today and because of my inexperience with VPN and slightly paranoid eyes, this looks like a VPN connection attempt.

This is simply the OpenVPN server starting. There's nothing in there about any connection attempt.
 
Hi RMerlin - Thanks so much for your reply! When I pored over the rest of the log, I did notice that sequence of events happening at regular intervals and there was no external IP shown vs. when I know I was connected remotely. Again, wasn't sure what I was looking at. Appreciate the clarification!
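
An added example, not part of the original thread and not ASUS or OpenVPN code: a small classifier that separates the server-startup banner explained in the reply from log lines that actually name a remote peer. The first four sample lines are taken from the post above; the two peer lines are constructed (documentation address 203.0.113.7), and the function name `classify` is hypothetical.

```python
import re

# Sample input: startup lines from the post above, followed by two
# CONSTRUCTED client lines (203.0.113.7 is a documentation address).
SAMPLE = """\
Nov 17 14:54:43 vpnserver1[15415]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Apr 27 2018
Nov 17 14:54:43 vpnserver1[15415]: TUN/TAP device tun21 opened
Nov 17 14:54:43 vpnserver1[15421]: UDPv4 link remote: [undef]
Nov 17 14:54:43 vpnserver1[15421]: Initialization Sequence Completed
Nov 17 18:02:10 vpnserver1[15421]: 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234, sid=0a1b2c3d 4e5f6071
Nov 17 18:02:12 vpnserver1[15421]: 203.0.113.7:51234 [client] Peer Connection Initiated with [AF_INET]203.0.113.7:51234
"""

# "<Mon DD HH:MM:SS> vpnserverN[pid]: <message>" as written by the router's syslog
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (vpnserver\d+)\[(\d+)\]: (.*)$")
# OpenVPN prints remote endpoints as [AF_INET]addr:port (or [AF_INET6])
PEER = re.compile(r"\[AF_INET6?\]([0-9A-Fa-f:.]+):(\d+)")

def classify(log_text):
    """Split OpenVPN server syslog lines into daemon startups and peer events."""
    report = {"startups": [], "handshakes": [], "connected": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemons (e.g. miniupnpd) or malformed lines
        stamp, _unit, _pid, msg = m.groups()
        peer = PEER.search(msg)
        if msg.startswith("OpenVPN ") and " built on " in msg:
            report["startups"].append(stamp)  # version banner: daemon (re)start
        elif peer and "TLS: Initial packet from" in msg:
            report["handshakes"].append((stamp, peer.group(1)))  # inbound attempt
        elif peer and "Peer Connection Initiated" in msg:
            report["connected"].append((stamp, peer.group(1)))   # session established
    return report

if __name__ == "__main__":
    for kind, events in classify(SAMPLE).items():
        print(kind, events)
```

A log containing only `startups` entries, like the excerpt in the first post, shows the daemon restarting and no remote peer; `handshakes` without a matching `connected` entry are the attempts worth reviewing.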
 