Multiple connection attempts from multiple IPs

HMP
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 07, 2018 1:47 pm

Multiple connection attempts from multiple IPs

Post by HMP » Fri Sep 07, 2018 1:58 pm

Hi,

I've set up an OpenVPN server that has 5-7 connected clients, each with its own certificate.

Today I've noticed that in the last couple of days, there have been multiple connection attempts from very different IPs... I don't know any of these IPs...

Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS handshake failed
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS handshake failed
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS handshake failed
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS handshake failed
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS handshake failed

I have hundreds and hundreds of these messages in the server log...
Should I be worried?


Thanks!

rdk@krupczak.org
OpenVPN User
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: Multiple connection attempts from multiple IPs

Post by rdk@krupczak.org » Mon Sep 10, 2018 12:23 pm

I'm seeing hundreds, thousands of these every morning in my firewall log report. These messages were virtually non-existent a month ago. Now, it's nightly. The addresses are all over the map. I think somebody has written some kind of exploit script and all the bad guys are using it now.

Any idea what exploit they are looking for?

Bobby

rdk@krupczak.org
OpenVPN User
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: Multiple connection attempts from multiple IPs

Post by rdk@krupczak.org » Tue Sep 11, 2018 1:02 pm

Hi!

I googled around and created a fail2ban rule to deal with these bad guys. I'd still love to know what happened to warrant these attempts.

Bobby

HMP
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 07, 2018 1:47 pm

Re: Multiple connection attempts from multiple IPs

Post by HMP » Wed Sep 19, 2018 3:18 pm

Hey Bobby,

I don't really know how to use fail2ban on Windows, but I've added '--tls-auth' and the connection attempts reduced a lot.

See https://community.openvpn.net/openvpn/w ... --tls-auth

HMP

rdk@krupczak.org
OpenVPN User
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: Multiple connection attempts from multiple IPs

Post by rdk@krupczak.org » Sun Sep 23, 2018 1:40 am

Hi!

Thanks for the suggestion.

I'll look into tls-auth.

This is on top of the normal SSL certificates?

Bobby

rdk@krupczak.org
OpenVPN User
Posts: 16
Joined: Mon Jan 28, 2013 1:57 pm

Re: Multiple connection attempts from multiple IPs

Post by rdk@krupczak.org » Tue Sep 25, 2018 12:27 am

Hi!

Another bit of info. I reported the OpenVPN probes to several ISPs and one responded.

He said the OpenVPN traffic was not originating in their network. What is happening is an OpenVPN DDoS amplification attack. A bad guy sends an OpenVPN packet to me, using a false source address, and my OpenVPN server sends an error message back to the forged source address. Thus, I was unwittingly participating in a DDoS amplification attack.

I enabled tls-auth and that seems to have greatly reduced the amount of erroneous TLS handshake failure messages I'm sending.

Thanks,

Bobby
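
Added example (not code from any poster in this thread): a small log summary that counts failed handshakes per source address, to show whether failures come from one retrying host or are spread across many addresses as in the log in the first post. The thresholds, helper names and sample addresses are assumptions made for the illustration.

```python
import re
from collections import Counter

# Line format as posted in the thread; the optional ":port" suffix is an
# assumption for servers that also log the source port.
FAILED = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? "
    r"TLS Error: TLS handshake failed$"
)
KEYNEG = ("TLS Error: TLS key negotiation failed to occur within 60 seconds "
          "(check your network connectivity)")

def summarize(lines, min_hits=3, top_share=0.5):
    """Count failed handshakes per source address and label the spread.
    min_hits and top_share are illustrative thresholds (assumptions)."""
    per_ip = Counter()
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            per_ip[m.group("ip")] += 1
    total = sum(per_ip.values())
    top_ip, top_hits = per_ip.most_common(1)[0] if per_ip else (None, 0)
    if total == 0:
        pattern = "none"
    elif top_hits >= min_hits and top_hits / total >= top_share:
        pattern = "concentrated"  # one address keeps retrying
    else:
        pattern = "scattered"     # many addresses, few failures each
    return {"failures": total, "sources": len(per_ip),
            "top": (top_ip, top_hits), "pattern": pattern}

def sample(ips, start_minute=0):
    """Build constructed log lines in the thread's format (not real data)."""
    out = []
    for i, ip in enumerate(ips):
        stamp = f"Fri Sep 07 14:{start_minute + i:02d}:00 2018 {ip}"
        out += [f"{stamp} {KEYNEG}", f"{stamp} TLS Error: TLS handshake failed"]
    return out

# Constructed inputs using documentation address ranges.
SCATTERED = sample(["192.0.2.10", "198.51.100.7", "203.0.113.5",
                    "192.0.2.77", "198.51.100.200"])
CONCENTRATED = sample(["203.0.113.9"] * 4 + ["192.0.2.10"])

if __name__ == "__main__":
    for name, log in (("scattered", SCATTERED), ("concentrated", CONCENTRATED)):
        print(name, summarize(log))
```

A "scattered" result matches the situation described above, where the logged addresses are forged and per-address blocking does not reach the real sender.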

wlad50
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 25, 2018 7:58 am

Re: Multiple connection attempts from multiple IPs

Post by wlad50 » Wed Sep 26, 2018 10:04 am

I'm using iptables rules to block countries ....
