What's new

Foreign IP's on VPN logs-Prevention using "allow only specified clients" through jjfs?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

T.S.Fellow

Occasional Visitor
I have been monitoring my vpn server through Asus RTAC88U and noticed some activity that appears foreign. I wanted to confirm. I originally tried to do "allow only specified clients" and would get a ccd error. So I attempted to allow JJFS and add a config to the ccd for each unique user, but hit a snag understanding how to make that happen.
Instead I reverted to tls- crypt, thinking I would be safe. I run VPN at all times through my phone and wondering if this is activity from my phone while out and about, or if this is in fact foreign, and someone has been able to succeed at user name and password authorization. The IP changes, but does always remain 166.177.XXX.XXX, only the x's change. Did reverse lookup as well, and the IP has been from Kansas, and Georgia. The locations were a lawyers office from Kansas, and the state capitol in Georgia. Leads me to believe the IP is foreign and other servers have been compromised in those places.

How can I prevent foreign users on my asus vpn server the best way moving forward? Thanks.

Mar 11 18:36:12 ovpn-server1[809]: TCP connection established with [AF_INET6]::ffff:166.177.187.103:29275
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 TLS: Initial packet from [AF_INET6]::ffff:166.177.187.103:29275, sid=d2f7a63a eea174ff
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC88U, emailAddress=me@myhost.mydomain
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_GUI_VER=OC30Android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_VER=3.2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_PLAT=android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_NCP=2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_TCPNL=1
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_PROTO=2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_LZO=1
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 TLS: Username/Password authentication succeeded for username 'XXXXX'
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 [client] Peer Connection Initiated with [AF_INET6]::ffff:166.177.187.103:29275
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI_sva: pool returned IPv4=XXX.XXX.XXX.XXX, IPv6=(Not enabled)
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI: Learn: XXX.XXX.XXX.XXX -> client/166.177.187.103
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI: primary virtual IP for client/166.177.187.103: XXX.XXX.XXX.XXX
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 SENT CONTROL [client]: 'PUSH_REPLY,route XXX.XXX.XXX.X 255.255.255.0 vpn_gateway 500,dhcp-option DNS XXX.XXX.XXX.X,redirect-gateway def1,route-gateway XXX.XXX.XXX.X,topology subnet,ping 15,ping-restart 60,ifconfig XXX.XXX.XXX.X 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Data Channel: using negotiated cipher 'AES-128-GCM'
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 write TCPv6_SERVER: Connection reset by peer (code=104)
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 Connection reset, restarting [0]
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
The IP changes, but does always remain 166.177.XXX.XXX, only the x's change. Did reverse lookup as well, and the IP has been from Kansas, and Georgia. The locations were a lawyers office from Kansas, and the state capitol in Georgia. Leads me to believe the IP is foreign and other servers have been compromised in those places.
Those IP addresses (166.128.0.0-166.255.255.255) belong to "Service Provider Corporation" which provides IP addresses to mobile phone companies. So it looks like it's you using your phone.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top