Large number of UNDEF connections to OpenVPN server

[ragnaroknroll]

I'm running an OpenVPN server on my Asus RT-AC86U router running Merlin v386.4. Just a short while ago, I observed a large number of connections with UNDEF common name in the VPN Status page of my GUI. Screenshot is attached. I think I just happened to open this status page in the middle of some kind of attack. The log files I pulled up from /jffs/syslog and /jffs/syslog-1 appear to be full of (hopefully) failed attempts. These log files only cover the last hour though, and I can't seem to be able to find the log files from earlier. I'm freaking out a bit at the moment. Could anyone please help me understand if I've been hacked? Anything I can do to protect myself?

 

[ragnaroknroll]

Just saw this thread: https://www.snbforums.com/threads/how-to-try-and-stop-openvpn-connection-attempts.76602/

Will go ahead and change my port number from the default value ASAP.

 

[Tech Junky]

Relax and take a deep breath.

OVPN causes some odd logs at times. I have seen similar oddities on my Linux box when I had to revert to OVPN from WG while I pestered my VPN provider to fix their routing issue with US servers.

https://www.snbforums.com/threads/how-to-try-and-stop-openvpn-connection-attempts.76602/

RE this... seems like they were getting scanned by bots and then bots trying to access their router.


So, is your WAN 74.133.171.53 ?

 

[ragnaroknroll]

Nope, that's not my IP address. My router is connected to a VPN provider as well, but that's not even an IP address related to this VPN provider. I can provide a portion of the syslog file I saved, but unsure if it has any personal information I should first remove before posting publicly. As you can tell, I'm pretty paranoid at the moment.

 

[eibgrad]

Most of the time this is due to using the well-known ports, something you should always avoid.

Franky, I'm even more paranoid. I don't keep my OpenVPN server running 24/7 anymore, only on-demand, by running it off a separate router that's plugged into a smart wifi AC adapter, controllable via my smartphone. 99% of the time that router is OFF and the OpenVPN server isn't even available except on the few occasions I actually need it. And that smart wifi AC adapter itself is on my IOT network, kept isolated from the private network.

 

[Tech Junky]

Well it comes back to a residential account.

Had to ask.

I wouldn't be too freaked out as the purpose of the VPN is to keep your data private. If that IP is hitting your WAN OVPN public IP then it's just a scanner hitting the OVPN Port trying to break in. Just change the port # to something a bit random or shut off the remote WAN access completely.

I get hundreds of hits per day from scanners and VPN everything. If I saw 2-way traffic from those though I would be investigating things a bit more.

I locked down my connection to only originate traffic and respond to traffic that was originated internally and drop everything else.

 

[ragnaroknroll]

Most of the time this is due to using the well-known ports, something you should always avoid.

Franky, I'm even more paranoid. I don't keep my OpenVPN server running 24/7 anymore, only on-demand, by running it off a separate router that's plugged into a smart wifi AC adapter, controllable via my smartphone. 99% of the time that router is OFF and the OpenVPN server isn't even available except on the few occasions I actually need it. And that smart wifi AC adapter itself is on my IOT network, kept isolated from the private network.

Gulp... I keep my work PC permanently connected to my home OpenVPN server, so that it can keep my files synchronised with my home PC all the time using Resilio Sync. Guess I'll have to live with this risk. But yes, have changed my port number away from the default. Hopefully that should help.

 

[ragnaroknroll]

Well it comes back to a residential account.

Had to ask.

I wouldn't be too freaked out as the purpose of the VPN is to keep your data private. If that IP is hitting your WAN OVPN public IP then it's just a scanner hitting the OVPN Port trying to break in. Just change the port # to something a bit random or shut off the remote WAN access completely.

View attachment 39290
View attachment 39291
I get hundreds of hits per day from scanners and VPN everything. If I saw 2-way traffic from those though I would be investigating things a bit more.

I locked down my connection to only originate traffic and respond to traffic that was originated internally and drop everything else.

Thanks for that. Helps me breathe easy a bit. Going from the syslog though, it's not just that IP. It seems to be some kind of synchronised scan/attack from a number of IPs. Pretty freaky...

Just out of curiosity, how would you be able to tell from the logs if the traffic was 1-way or 2-way?

 

[Tech Junky]

Just out of curiosity, how would you be able to tell from the logs if the traffic was 1-way or 2-way?

I don't know how Asus logs compare to syslog or the other tools I use but, if you PM them I can take a look and see if there's a way to parse them.

 

[ragnaroknroll]

Thank you so much for your offer of assistance @Tech Junky. Sending it right over.

 

[Tech Junky]

@ragnaroknroll

No problem.

 

[ragnaroknroll]

Just wanted to ask if there's any best practices out there on securing my OpenVPN server, which really needs to be open 24/7 for my own convenience. Is there anything more I can do apart from just changing my port number? I've currently followed the instructions from https://github.com/RMerl/asuswrt-merlin.ng/wiki/Static-ip-for-OpenVPN-clients to set up static IP addresses for 4 of my devices when they connect to my OpenVPN server. Each device has its own associated common name, username, password, and certificate. I will not really be connecting any other devices to my OpenVPN server; just these four, although these connections can come from different IP addresses when I travel. I can see a number of authentication related options under OpenVPN server that I don't quite understand. Anything I can change there to improve my security?

 

[Tech Junky]

I would say knockd might be an option to open the port on demand and close it when you're done via a script that can be applied / used.

 

[ragnaroknroll]

Thanks! Will take a look. I will have my work PC connected via OpenVPN 24/7 though. So the OpenVPN server port will be open all the time.