Multiple connection attempts from multiple IPs

Posted: Fri Sep 07, 2018 1:58 pm
by HMP
Hi,

I've set up an OpenVPN server that has 5-7 connected clients, each with its own certificate.

Today I've noticed that in the last couple of days there have been multiple connection attempts from very different IPs... I don't know any of these IPs...

Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 13:59:34 2018 120.149.170.194 TLS Error: TLS handshake failed
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:00:57 2018 114.77.238.245 TLS Error: TLS handshake failed
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:09:41 2018 31.167.81.193 TLS Error: TLS handshake failed
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:19:23 2018 91.109.251.1 TLS Error: TLS handshake failed
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 14:20:11 2018 212.24.52.254 TLS Error: TLS handshake failed

I have hundreds and hundreds of these messages in the server log...
Should I be worried?


Thanks!

Re: Multiple connection attempts from multiple IPs

Posted: Mon Sep 10, 2018 12:23 pm
by rdk@krupczak.org
I'm seeing hundreds, thousands of these every morning in my firewall log report. These messages were virtually non-existent a month ago. Now, it's nightly. The addresses are all over the map. I think somebody has written some kind of exploit script and all the bad guys are using it now.

Any idea what exploit they are looking for?

Bobby

Re: Multiple connection attempts from multiple IPs

Posted: Tue Sep 11, 2018 1:02 pm
by rdk@krupczak.org
Hi!

I googled around and created a fail2ban rule to deal with these bad guys. I'd still love to know what happened to warrant these attempts.

Bobby

Re: Multiple connection attempts from multiple IPs

Posted: Wed Sep 19, 2018 3:18 pm
by HMP
Hey Bobby,

I don't really know how to use fail2ban on Windows but I've added '--tls-auth' and the connection attempts reduced a lot.

See https://community.openvpn.net/openvpn/w ... --tls-auth

HMP

Re: Multiple connection attempts from multiple IPs

Posted: Sun Sep 23, 2018 1:40 am
by rdk@krupczak.org
Hi!

Thanks for the suggestion.

I'll look into tls-auth.

This is on top of the normal ssl certificates?

Bobby

Re: Multiple connection attempts from multiple IPs

Posted: Tue Sep 25, 2018 12:27 am
by rdk@krupczak.org
Hi!

Another bit of info. I reported the openvpn probes to several ISPs and one responded.

He said the OpenVPN traffic was not originating in their network. What is happening is an OpenVPN DDoS amplification attack. A bad guy sends an OpenVPN packet to me, using a false source address, and my OpenVPN server sends an error message back to the forged source address. Thus, I was unwittingly participating in a DDoS amplification attack.

I enabled tls-auth and that seems to have greatly reduced the amount of erroneous tls handshake failure messages I'm sending.

Thanks,

Bobby
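
A way to check whether the handshake failures in a log like the one in the first post come from a few repeating sources or from many one-off addresses, which is the pattern forged source addresses would produce. This is an added example, not code from any poster in this thread; the sample lines are constructed with documentation IP addresses, and `summarize` and `repeat_threshold` are hypothetical names.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the line format shown in the first post; a ":port" suffix is tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? "
    r"TLS Error: TLS handshake failed$"
)

# Constructed sample input (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
Fri Sep 07 13:59:34 2018 192.0.2.10 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 07 13:59:34 2018 192.0.2.10 TLS Error: TLS handshake failed
Fri Sep 07 14:00:57 2018 198.51.100.7 TLS Error: TLS handshake failed
Fri Sep 07 14:09:41 2018 203.0.113.99:1194 TLS Error: TLS handshake failed
Fri Sep 07 14:19:23 2018 192.0.2.10 TLS Error: TLS handshake failed
""".splitlines()


def summarize(lines, repeat_threshold=3):
    """Count failed handshakes per source address and per hour."""
    per_ip, per_hour = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the paired "key negotiation" line and unrelated lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_ip[m["ip"]] += 1
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    total = sum(per_ip.values())
    repeaters = {ip: n for ip, n in per_ip.items() if n >= repeat_threshold}
    return {
        "failures": total,
        "unique_sources": len(per_ip),
        "repeat_sources": repeaters,
        "per_hour": dict(per_hour),
        # True when no source reaches the threshold: a per-address ban
        # has little to act on in that case.
        "mostly_one_off": total > 0 and not repeaters,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Only the "TLS handshake failed" line is counted, so each failed attempt is counted once even though the server logs two lines for it.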

Re: Multiple connection attempts from multiple IPs

Posted: Wed Sep 26, 2018 10:04 am
by wlad50
I'm using iptables rules to block countries ....