VPN System Log

Hello World

Hi, I have my OpenVPN set to use TCP 443 so I can get past port filtering in many hotspots. However, my log is flooded with entries related to my VPN (see below). It appears I'm being scanned, but I'm not sure. Should I be concerned? Is there a setting I may have missed? Thanks.

Dec 24 22:31:14 openvpn[1318]: TCP connection established with [AF_INET6]::ffff:141.212.122.112:15135

Dec 24 22:31:14 openvpn[1318]: 141.212.122.112 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Dec 24 22:31:14 openvpn[1318]: 141.212.122.112 Connection reset, restarting [0]

Dec 24 22:31:14 openvpn[1318]: 141.212.122.112 SIGUSR1[soft,connection-reset] received, client-instance restarting

Dec 24 23:38:22 openvpn[1318]: TCP connection established with [AF_INET6]::ffff:71.6.202.198:57548

Dec 24 23:38:26 openvpn[1318]: 71.6.202.198 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Dec 24 23:38:26 openvpn[1318]: 71.6.202.198 Connection reset, restarting [0]

Dec 24 23:38:26 openvpn[1318]: 71.6.202.198 SIGUSR1[soft,connection-reset] received, client-instance restarting

Dec 25 00:00:32 openvpn[1318]: TCP connection established with [AF_INET6]::ffff:139.162.106.181:50792

Dec 25 00:00:32 openvpn[1318]: 139.162.106.181 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Dec 25 00:00:32 openvpn[1318]: 139.162.106.181 Connection reset, restarting [0]

Dec 25 00:00:32 openvpn[1318]: 139.162.106.181 SIGUSR1[soft,connection-reset] received, client-instance restarting

Dec 25 04:46:47 openvpn[1318]: TCP connection established with [AF_INET6]::ffff:71.6.202.198:59906

Dec 25 04:46:47 openvpn[1318]: 71.6.202.198 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Dec 25 07:46:41 openvpn[1318]: 184.105.247.194 Connection reset, restarting [0]
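What those numbers mean, as an added example that is not part of the post above and not an OpenVPN tool: OpenVPN's TCP transport prefixes every packet with a two-byte length in network byte order, so a peer that opens with anything other than OpenVPN framing has its first two bytes reported as the "bad" length. 5635 is 0x1603, the start of a TLS handshake record, i.e. the scanner assumed an HTTPS server on 443; 18245 is 0x4745, the ASCII "GE" of a plaintext HTTP GET. The Python script below applies that decoding to the log lines above plus one constructed line (the 203.0.113.9 entry and the SSH case are invented for illustration; message tails are elided).

```python
"""Triage OpenVPN TCP log noise by decoding the 'Bad encapsulated packet length' value.

OpenVPN over TCP prefixes every packet with a 16-bit big-endian length. A client
that speaks something else on the port (an HTTPS probe, a plain HTTP GET, ...)
has its first two bytes read as that length, and the server logs the bogus value.
Converting the logged number back to those two bytes shows what the peer sent.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the thread plus one invented line
# (203.0.113.9 is RFC 5737 documentation space). Message tails are elided with "...".
SAMPLE_LOG = """\
Dec 24 22:31:14 openvpn[1318]: TCP connection established with [AF_INET6]::ffff:141.212.122.112:15135
Dec 24 22:31:14 openvpn[1318]: 141.212.122.112 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- ...
Dec 24 23:38:26 openvpn[1318]: 71.6.202.198 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- ...
Dec 25 04:46:47 openvpn[1318]: 71.6.202.198 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- ...
Dec 25 09:12:03 openvpn[1318]: 203.0.113.9 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- ...
"""

BADLEN_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) WARNING: Bad encapsulated packet length "
    r"from peer \((?P<len>\d+)\)"
)

# First two bytes of an HTTP request line (GET, POST, HEAD, PUT, DELETE, OPTIONS, CONNECT, TRACE, PATCH).
HTTP_PREFIXES = {b"GE", b"PO", b"HE", b"PU", b"DE", b"OP", b"CO", b"TR", b"PA"}


def decode_prefix(length):
    """Return (first_two_bytes, label) for a logged 'Bad encapsulated packet length'."""
    if not 0 <= length <= 0xFFFF:
        raise ValueError("the OpenVPN TCP length prefix is a 16-bit field")
    first2 = length.to_bytes(2, "big")  # network byte order, as OpenVPN reads it
    if first2[0] == 0x16 and first2[1] == 0x03:
        label = "TLS handshake record (HTTPS probe)"  # 0x16 = handshake, 0x03 = SSL3/TLS major version
    elif first2 in HTTP_PREFIXES:
        label = "plaintext HTTP request"
    elif first2 == b"SS":
        label = "SSH banner"
    else:
        label = "unrecognised"
    return first2, label


def triage(log_text):
    """Map each source IP to a Counter of what it sent, one entry per warning line."""
    by_ip = {}
    for line in log_text.splitlines():
        m = BADLEN_RE.match(line)
        if m:
            _, label = decode_prefix(int(m["len"]))
            by_ip.setdefault(m["ip"], Counter())[label] += 1
    return by_ip


def report(log_text):
    """Human-readable summary, one line per source IP, noisiest first."""
    rows = sorted(triage(log_text).items(), key=lambda kv: -sum(kv[1].values()))
    return "\n".join(
        f"{ip}: " + ", ".join(f"{n}x {label}" for label, n in counts.most_common())
        for ip, counts in rows
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it over a saved copy of the router syslog. Internet-wide scanners that talk HTTPS or HTTP to port 443 land in exactly the two buckets shown here; a real OpenVPN client with a genuinely mismatched MTU would instead show a plausible length just above the limit, from an address you recognise.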
 
That happened to me too. I decided to close the 443 port. Lol.

You will realise that no matter what public IP you are assigned by your ISP, your IP is always being scanned, especially TCP ports.

I think if you use 443 UDP, you will not see that problem; however, a lot of hotspots block UDP access too. So it's your choice...

I used http://www.ipfingerprints.com/portscan.php
Under Advanced, select NULL stealth for 443 TCP, and you will be able to simulate the problem you are facing.

The reason I decided to close it is because I hate to see the log flooded with all that stuff, and it makes my router CPU work a bit harder.

I have not tested the 443 TCP port yet after installing Skynet to drop those scanning IPs.

Maybe you want to try installing Skynet to block those scanning IPs and see if it helps... I think it will drop the IP before it communicates with the OpenVPN server. Can anyone advise whether this will work?
 
21,22,25,80,110,443 - all very common ports, all very active targets for malware. If you open any of these ports, expect it to get scanned on a regular basis.
 
Hi RMerlin,
Just checking, if the port scanner IP is blocked and dropped via ipset, it should stop it from connecting to the OpenVPN server, right?
 
Just checking, if the port scanner IP is blocked and dropped via ipset, it should stop it from connecting to the OpenVPN server, right?

If you are blocking an IP it shouldn't be able to make any type of connection, but with that being said, security through obscurity is always a good option, in this case using a unique port.
 
Hi Adamm,
Thanks for the answer.

As OP mentioned, the reason is to bypass some hotspots' blocking of uncommon or OpenVPN ports. They only allow common ports. I have encountered these hotspots in shopping malls in my country.

Definitely, minimising the exposure of your network is important, and I am obsessed with security.

I love the current work Skynet and firehol are doing. Thank you.
 
Hi RMerlin,
Just checking, if the port scanner IP is blocked and dropped via ipset, it should stop it from connecting to the OpenVPN server, right?

It will stop that IP, but not the thousands of others who will also scan you in the future.

If you are always connecting from the same IP, you might however do the opposite: drop all connection attempts to that port except for that one IP.
 
Hi RMerlin,

I am aware of the iptables rules to allow only a certain IP to connect to that particular port. I am talking about the dynamic IP of a mobile network or public Wi-Fi.

I am still researching how to make use of DDNS to achieve it. I saw some scripts that look up the IP for changes and update iptables accordingly, but I am green in all this scripting. Can you advise on how I could achieve it using DDNS?

To OP,

By the way, I started testing opening port 443 TCP with Skynet on. It has been about 30 min and I see no unauthorised access to OpenVPN, and I see in the drop log that the IPs accessing 443 are being blocked. Temporarily you could use this method, but the best is still what RMerlin and others suggested: use unique ports, or only allow certain IPs to connect to that port and drop the rest trying to connect to it.

Thanks.
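A worked version of the "allow one address" approach, extended to a DDNS name whose address can change, as an added example that is not a script from this thread, from Skynet or from Asuswrt-Merlin. It assumes an ipset named vpn_allow consulted by one iptables DROP rule on the OpenVPN TCP port (both installed once via `bootstrap_commands`), that the DDNS name tracks the public address the client actually connects from, and that Python is available where it runs (for example via Entware on the router); the set name, state file and hostname are hypothetical. It is written in Python to keep the examples on this page in one language; the logic ports to a few lines of sh with nslookup. Two failure modes a practitioner cares about are handled: a DNS failure keeps the last known address allowed rather than emptying the set, and the new address is added before the old one is removed so there is never a moment when nobody is allowed.

```python
"""Keep an ipset allow-list for the OpenVPN TCP port in step with a DDNS name.

Run periodically (for example from cron). The port stays closed to everyone
except the address the DDNS name currently resolves to.
"""
import ipaddress
import os
import socket
import subprocess
import tempfile


def bootstrap_commands(set_name="vpn_allow", port=443):
    """One-time setup: create the set and drop port traffic whose source is not a member."""
    return [
        ["ipset", "create", set_name, "hash:ip", "-exist"],
        ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port),
         "-m", "set", "!", "--match-set", set_name, "src", "-j", "DROP"],
    ]


def firewall_commands(set_name, old_ip, new_ip):
    """Swap the allowed address: add the new one first so there is no gap."""
    cmds = [["ipset", "add", set_name, new_ip, "-exist"]]
    if old_ip and old_ip != new_ip:
        cmds.append(["ipset", "del", set_name, old_ip, "-exist"])
    return cmds


def default_resolve(hostname):
    """Resolve to an IPv4 string, or None on failure (DNS down, name gone)."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def default_run(argv):
    subprocess.run(argv, check=True)


def sync_allowlist(hostname, state_file, set_name="vpn_allow",
                   resolve=default_resolve, run=default_run):
    """Return 'updated', 'unchanged' or 'resolve-failed'.

    The last applied address is kept in state_file and only replaced after the
    firewall commands succeed, so a failed run is retried next time. A resolution
    failure leaves the existing entry in place instead of opening or closing anything.
    """
    old_ip = None
    if os.path.exists(state_file):
        with open(state_file) as f:
            old_ip = f.read().strip() or None
    new_ip = resolve(hostname)
    try:
        new_ip = str(ipaddress.IPv4Address(new_ip))  # rejects None, "" and any junk answer
    except (ValueError, TypeError):
        return "resolve-failed"
    if new_ip == old_ip:
        return "unchanged"
    for argv in firewall_commands(set_name, old_ip, new_ip):
        run(argv)
    with open(state_file, "w") as f:
        f.write(new_ip + "\n")
    return "updated"


def demo():
    """Exercise the logic with constructed DNS answers and a recording runner (no root, no network)."""
    answers = iter(["203.0.113.7", "203.0.113.7", None, "198.51.100.20"])  # constructed, RFC 5737 space
    recorded = []
    with tempfile.TemporaryDirectory() as tmp:
        state = os.path.join(tmp, "vpn_allow.last")
        statuses = [sync_allowlist("laptop.example.org", state,  # hypothetical DDNS name
                                   resolve=lambda _h: next(answers), run=recorded.append)
                    for _ in range(4)]
    return statuses, recorded


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: sync_allowlist.py <ddns-name> <state-file>
        print(sync_allowlist(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

On Asuswrt-Merlin the bootstrap commands belong in a firewall-start script so they survive a firewall restart, and the sync in a cron entry every few minutes. The DROP rule is inserted at the top of INPUT, so it takes precedence over the ACCEPT the OpenVPN server adds for its port.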
 
Thanks, Team.
Is there a risk in leaving 443 open? If they don't have the correct key (cert), they can't connect to my VPN server. Am I missing something? Also, I'm curious as to why, when using the default OpenVPN port 1194, no one ever scans that port (everyone knowing OpenVPN uses that port).
Lastly, I appreciate the technique of only allowing a certain IP address to access my VPN. However, I use my VPN from hotspots and I can never know what their IP address is. That kind of defeats the purpose of why I use one.
I'll give SkyNet a try.

Thanks
 
OpenVPN is fairly secure, especially if using certificate-based authentication. You will have to deal with the syslog spam however.
 
Thanks Merlin.
On the VPN server config page, what's the difference between
Username/Password Authentication
Username / Password Auth. Only

If I select "only", will it stop the syslog spam?
 
Thanks Merlin.
On the VPN server config page, what's the difference between
Username/Password Authentication
Username / Password Auth. Only

If I select "only", will it stop the syslog spam?

No. If you get a connection to the port, it will generate a log entry.

If I remember correctly, enabling the second option will indicate that clients don't need to provide a properly signed client certificate - just the server certificate along with a valid username/password will be required.
 
Thanks Merlin.
On the VPN server config page, what's the difference between
Username/Password Authentication
Username / Password Auth. Only

If I select "only", will it stop the syslog spam?
If you turn on Username/Password Authentication, you will need a user name and password to connect. When using Username / Password Auth. Only, you bypass the need for a certificate.
This will not stop the log spam. What will stop a lot of the spam is changing the verbosity to "0", but only once you are up and running and things are working. Logs are good to use for troubleshooting.
 
The cert itself is very secure unless your cert is compromised or stolen. You don't really need a password. If you select the second option, you may be exposed to brute-force logins as it doesn't require cert verification.

I have tested it overnight, leaving 443 open with Skynet blocking those malicious IPs from connecting to it. So far so good.

Good luck
 
Hi RMerlin,
.....
I am still researching how to make use of DDNS to achieve it. I saw some scripts that look up the IP for changes and update iptables accordingly, but I am green in all this scripting. Can you advise on how I could achieve it using DDNS.......

As to DDNS, the in-built Asus DDNS System (in your router GUI) is excellent. Unbelievably easy to set up and faultless in use.
 
As to DDNS, the in-built Asus DDNS System (in your router GUI) is excellent. Unbelievably easy to set up and faultless in use.

Not talking about the router IP but the client IP. As the client IP keeps changing, I read somewhere that you need to give it a DDNS name so that it can be added to iptables. However, the DDNS name will be resolved only once, when it is first added to iptables. If the IP changes, the IP in iptables will become invalid. I saw a script that will auto-update iptables once the client IP changes and is updated in DDNS.

Example
https://unix.stackexchange.com/ques...ic-only-from-a-domain-with-dynamic-ip-address
https://www.geeklab.info/tag/dynamic-dns/
 
Not talking about the router IP but the client IP. As the client IP keeps changing, I read somewhere that you need to give it a DDNS name so that it can be added to iptables. However, the DDNS name will be resolved only once, when it is first added to iptables. If the IP changes, the IP in iptables will become invalid. I saw a script that will auto-update iptables once the client IP changes and is updated in DDNS.

Example
https://unix.stackexchange.com/ques...ic-only-from-a-domain-with-dynamic-ip-address
https://www.geeklab.info/tag/dynamic-dns/
I don't think this will work like you think. If you are setting up a point-to-point connection, as from one router with a routable WAN IP to another, then maybe. But if you are sitting down at a hotspot, most likely you will pull a non-routable IP address for your laptop, so you won't have anything for DDNS to work with. The routable IP will be the coffee shop's. You want the tunnel to be from your laptop to your router.

Give yourself a strong user name and password combination, save it on the laptop, and a strong password on the laptop, and let openvpn act like wonder woman's magic bracelets.
 
Got what you mean. I didn't notice whether the IP is routable or not. What is the connecting IP we saw in the OpenVPN server log? Is that the coffee shop's routable IP or the non-routable IP assigned to my laptop?
 