OpenVPN Honeypot?

Post by diwenx » Tue Jan 12, 2021 6:22 am

I'm sorry, this might be a stupid question and may be off-topic.
Recently, using cyberspace search engines such as Shodan, ZoomEye, or fofa.so with filter port="1194", I came across a set of endpoints that apparently are running an OpenVPN service but behaved quite differently from 'mainstream' OpenVPN servers. Simply speaking, these servers always respond with a server_hard_reset packet for any data received, even for a one-byte probe. This seems strange to me because it is my understanding that current OpenVPN servers usually terminate the connection (with FIN or RST) after receiving an unrecognizable, unsolicited packet, rather than responding with a server_hard_reset packet.

Can someone help me understand what's running behind those endpoints? Is this behavior expected from some older version of the OpenVPN server, or is something more fishy going on, such as an OpenVPN Honeypot?

Thank you

Re: OpenVPN Honeypot?

Post by diwenx » Tue Jan 12, 2021 11:25 am

It's just old OpenVPN servers. Tested with 1.6.0 and it behaved exactly the same. This thread can be closed. Thanks.
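
For anyone auditing a capture from their own server for the reply discussed in this thread, here is an added example (not part of the posts above) that splits a TCP byte stream into OpenVPN packets and reports whether the first one is a server hard reset. It assumes TCP transport with the 2-byte length prefix and no tls-auth/tls-crypt wrapping; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Opcodes from the OpenVPN wire protocol: high 5 bits of a packet's first byte.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
}
SERVER_HARD_RESET = {2, 8}
DATA_OPCODES = {6, 9}

# Constructed sample reply: length 14, opcode 2 / key_id 0, 8-byte session id,
# empty ACK array, packet id 0.
SAMPLE_REPLY = bytes.fromhex("000e" "10" "1122334455667788" "00" "00000000")


def split_frames(stream: bytes):
    """Yield OpenVPN packets from a TCP stream (2-byte big-endian length prefix)."""
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, offset)
        if length == 0 or offset + 2 + length > len(stream):
            break  # truncated, or not OpenVPN framing: stop rather than guess
        yield stream[offset + 2 : offset + 2 + length]
        offset += 2 + length


def describe(packet: bytes) -> dict:
    """Decode the opcode/key_id byte and, for control packets, the session id."""
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    info = {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "key_id": key_id,
        "server_hard_reset": opcode in SERVER_HARD_RESET,
    }
    if opcode not in DATA_OPCODES and len(packet) >= 9:
        info["session_id"] = packet[1:9].hex()
    return info


def classify_reply(stream: bytes) -> str:
    """Label the first packet of a captured server reply."""
    frames = list(split_frames(stream))
    if not frames:
        return "no-openvpn-frame"
    return "server-hard-reset" if describe(frames[0])["server_hard_reset"] else "other"


if __name__ == "__main__":
    print(classify_reply(SAMPLE_REPLY), describe(next(split_frames(SAMPLE_REPLY))))
```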
