ASUS RT-AC68U system log shows potential hazards

xlarge

Regular Contributor
I experience several mysterious events when looking into my system.log:
Several failures regarding ovpn-server and suspicious website errors with TLS. Checking with whois, most of them seem bad, like this: ovpn-server1[xxxxx]: 167.248.133.140:19808 TLS Error: TLS key negotiation failed to occur within 60 seconds
More ovpn-server - error code 111.
Ovpn-server: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
syslog: PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded. What is this?
kernel: HTB: quantum of class 10001 is big. Consider r2q change. What is this - action?
kernel: SKIPPED false Type 2 Radar Detection. 2, 3, 5 and others. What is this?

All this happens in the night when nobody has been active on my net. Nobody else has been using the OpenVPN either.
Need help!
 

ColinTaylor

Part of the Furniture
167.248.133.140 belongs to Censys Inc., a port scanning company. See here. You're probably seeing this (and other IP addresses) because you're running your OpenVPN server on a common port. Don't, use a random uncommon port instead.

The kernel messages are normal so just ignore them.
 

xlarge

Regular Contributor
Thanks, Colin.
Do you mean the VPN server port, default 1194? What is the possible range?
Could my setup here be wrong? See pic.
 

Attachments

  • tls.jpg (12.8 KB)

ColinTaylor

Part of the Furniture
I found this: https://unix.stackexchange.com/questions/422652/what-is-the-openvpn-port-range
and would like to try something other than 1194, in the mentioned range. Any problems with that? I wonder why there is no warning with the default use of 1194 or 1197.
There is no restriction (that I'm aware of) in OpenVPN as to what ports you can use. Obviously it can't be a port that's currently used by something else (this is the main thing).

The stackexchange reply is misleading when talking about Asus routers. It's a boilerplate reply that's more relevant to full-blown multi-user Unix servers. In that situation there are good reasons not to use any of the system ports (1-1023).

Ports above 1023 can be either ephemeral or user ports. Avoiding using the ephemeral ports is usually regarded as good practice. So is avoiding using any of the registered ports in the user range. To add more complication different operating systems have historically used different ranges for the ephemeral range. So that's why I suggested using something in the range 5001 to 32767 as it's pretty "safe" whether you're talking about an Asus router or some other O/S.

EDIT: Check this list to make sure you're not choosing a user port that's currently registered for a service, otherwise you might end up with the same port-scanning issue.
 
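As an added illustration of the two points made in this thread (triaging the repeated TLS failures in system.log and checking a chosen listening port against the ranges Colin describes), here is a small Python script that is not from the thread, from ASUS or from OpenVPN. The sample log lines, the process id and the 192.168.1.0/24 LAN subnet are constructed assumptions; only the 167.248.133.140 address is taken from the first post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines modelled on the ones quoted in the thread.
# 167.248.133.140 is the address from the original post; the others are made up.
SAMPLE_SYSLOG = """\
Mar  3 02:14:07 RT-AC68U ovpn-server1[1234]: 167.248.133.140:19808 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar  3 02:14:09 RT-AC68U ovpn-server1[1234]: 167.248.133.140:19808 TLS Error: TLS handshake failed
Mar  3 02:51:30 RT-AC68U ovpn-server1[1234]: 198.51.100.7:40122 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar  3 03:10:44 RT-AC68U ovpn-server1[1234]: 192.168.1.50:51000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar  3 03:12:01 RT-AC68U kernel: HTB: quantum of class 10001 is big. Consider r2q change.
Mar  3 03:30:12 RT-AC68U ovpn-server1[1234]: 198.51.100.7:40123 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Assumed router LAN subnet; failures from inside the LAN are a local client problem,
# not an Internet scanner, so they are excluded from the per-source count.
LAN = ip_network("192.168.1.0/24")

# Matches "ovpn-serverN[pid]: <ip>:<port> TLS Error:" and captures the remote IP.
TLS_FAIL = re.compile(r"ovpn-server\d*\[\d+\]: (\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error:")

def failed_handshakes_by_source(log_text):
    """Count OpenVPN TLS failures per remote address, ignoring LAN sources."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TLS_FAIL.search(line)
        if m and ip_address(m.group(1)) not in LAN:
            counts[m.group(1)] += 1
    return counts

def repeat_sources(counts, minimum=2):
    """Addresses with at least `minimum` failures, most frequent first (the whois candidates)."""
    return [ip for ip, n in counts.most_common() if n >= minimum]

def port_category(port):
    """Classify a listening port using the ranges described in the thread."""
    if 1 <= port <= 1023:
        return "system"
    if 5001 <= port <= 32767:
        return "suggested"   # Colin's "safe" band; still check the registered-port list
    if 1024 <= port <= 49151:
        return "user"        # registered/user ports outside that band, e.g. 1194
    if 49152 <= port <= 65535:
        return "ephemeral"
    raise ValueError(f"not a TCP/UDP port: {port}")

if __name__ == "__main__":
    counts = failed_handshakes_by_source(SAMPLE_SYSLOG)
    print(repeat_sources(counts), port_category(1194), port_category(12345))
```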

xlarge

Regular Contributor
Thanks, Colin, for the lesson. I follow your advice.
While we're talking, what about
Ovpn-server: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
 

ColinTaylor

Part of the Furniture
While we're talking, what about
Ovpn-server: WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
I'm not sure. I'd hazard a guess it's because you're using "Username / Password Auth. Only" on the server.
 
