OpenVPN Connection Error Logs

[atkinsom]

I've just started getting the errors in my system logs below. It says that I might be getting attacked by an outside source in the log. Is this correct? If so is there some other way of stopping this type of attack like having packets dropped? Bit of a newbie on this stuff. Using Tun/TCP/443 in order to get through some outside firewalls that block port 1194

Mar 12 00:13:41 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:41056
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 TCP connection established with [AF_INET6]::ffff:208.93.152.79:41486
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (32814), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:41 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:44128
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:41 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:42 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:44422
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:42 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:44706
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:42 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:43 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:45006
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:43 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:208.93.152.79:45190
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 Connection reset, restarting [0]
Mar 12 00:13:43 openvpn[1006]: 208.93.152.79 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 00:13:54 sd-idle-2.6[476]: spinning up /dev/sda after 3 hours 55 mins
Mar 12 00:18:54 sd-idle-2.6[476]: spinning down /dev/sda after 5 mins
Mar 12 01:15:13 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:46234
Mar 12 01:15:14 openvpn[1006]: 139.162.124.167 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 01:15:14 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:14 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:15 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:48296
Mar 12 01:15:15 openvpn[1006]: 139.162.124.167 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 01:15:15 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:15 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:15 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:49674
Mar 12 01:15:20 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:20 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:20 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:33074
Mar 12 01:15:26 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:26 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:26 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:44394
Mar 12 01:15:41 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:41 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:41 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:49106
Mar 12 01:15:46 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:46 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 01:15:46 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:139.162.124.167:60694
Mar 12 01:15:57 openvpn[1006]: 139.162.124.167 Connection reset, restarting [0]
Mar 12 01:15:57 openvpn[1006]: 139.162.124.167 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mar 12 03:58:28 dnsmasq-dhcp[596]: DHCPREQUEST(br0) 192.168.0.17 30:cd:a7:a4:98:e2
Mar 12 03:58:28 dnsmasq-dhcp[596]: DHCPACK(br0) 192.168.0.17 30:cd:a7:a4:98:e2 SLM2885FW
Mar 12 04:34:12 dnsmasq-dhcp[596]: DHCPREQUEST(br0) 192.168.0.15 00:09:34:29:e8:d0
Mar 12 04:34:12 dnsmasq-dhcp[596]: DHCPACK(br0) 192.168.0.15 00:09:34:29:e8:d0 dm600
Mar 12 07:20:09 openvpn[1006]: TCP connection established with [AF_INET6]::ffff:184.105.139.68:38892
Mar 12 07:20:10 openvpn[1006]: 184.105.139.68 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mar 12 07:20:10 openvpn[1006]: 184.105.139.68 Connection reset, restarting [0]
Mar 12 07:20:10 openvpn[1006]: 184.105.139.68 SIGUSR1[soft,connection-reset] received, client-instance restarting

 

[RMerlin]

You're running OpenVPN on a very popular scan target (port 443). Not much you can do about it, every web scanner out there will regularly hit it.

 

[atkinsom]

Ok thanks Merlin...had that feeling but just wanted confirmation. Cheers.

 

[netware5]

You're running OpenVPN on a very popular scan target (port 443). Not much you can do about it, every web scanner out there will regularly hit it.

This always happens if you are running OpenVPN on TCP 443. I am running the same configuration, because as a road warrior I need access to my home from anywhere around the globe. In many countries the government tries to limit using of VPNs, so the only viable option is to use TCP 443 or 80. As a result we should pay the price

 

[elorimer]

Not to hijack the thread (found it searching), but when I try to start OpenVPN on 443/tcp with 66b2 it fails to start with an error. 443/udp starts ok, but I don't think that gets through the blocking problem.

 

[RMerlin]

Not to hijack the thread (found it searching), but when I try to start OpenVPN on 443/tcp with 66b2 it fails to start with an error. 443/udp starts ok, but I don't think that gets through the blocking problem.

Post the error.

 

[elorimer]

Apr 29 10:34:11 rc_service: httpd 492:notify_rc restart_chpass;restart_vpnserver1
Apr 29 10:34:11 openvpn[1354]: event_wait : Interrupted system call (code=4)
Apr 29 10:34:11 openvpn[1354]: Closing TUN/TAP interface
Apr 29 10:34:11 openvpn[1354]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
Apr 29 10:34:11 openvpn[1354]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Apr 29 10:34:11 openvpn[1354]: SIGTERM[hard,] received, process exiting
Apr 29 10:34:13 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Apr 29 10:34:13 kernel: device tun21 entered promiscuous mode
Apr 29 10:34:13 openvpn[29552]: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Apr 29 10:34:13 openvpn[29552]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 27 2017
Apr 29 10:34:13 openvpn[29552]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
Apr 29 10:34:13 openvpn[29553]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Apr 29 10:34:13 openvpn[29553]: Diffie-Hellman initialized with 2048 bit key
Apr 29 10:34:13 openvpn[29553]: TUN/TAP device tun21 opened
Apr 29 10:34:13 openvpn[29553]: TUN/TAP TX queue length set to 100
Apr 29 10:34:13 openvpn[29553]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 29 10:34:13 openvpn[29553]: /usr/sbin/ip link set dev tun21 up mtu 1500
Apr 29 10:34:13 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Apr 29 10:34:13 openvpn[29553]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Apr 29 10:34:13 openvpn[29553]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 29 10:34:13 openvpn[29553]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Apr 29 10:34:13 openvpn[29553]: setsockopt(IPV6_V6ONLY=0)
Apr 29 10:34:13 openvpn[29553]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:443: Address already in use
Apr 29 10:34:13 openvpn[29553]: Exiting due to fatal error
Apr 29 10:34:13 openvpn[29553]: Closing TUN/TAP interface
Apr 29 10:34:13 openvpn[29553]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24

I do have pixlserv-tls running:

Jul 31 20:00:41 pixelserv[1188]: Listening on :192.168.0.3:80
Jul 31 20:00:41 pixelserv[1188]: Listening on :192.168.0.3:443

EDIT: Nevermind. I thought because pixelserv was on a different IP, it wouldn't be a problem. But I moved pixelserv to another port, and then OpenVPN would start on TCP 443.