Foreign IPs on VPN logs - prevention using "allow only specified clients" through JFFS?

T.S.Fellow

Occasional Visitor
I have been monitoring my VPN server on my ASUS RT-AC88U and noticed some activity that appears foreign. I wanted to confirm. I originally tried to use "allow only specified clients" and would get a ccd error. So I attempted to enable JFFS and add a config to the ccd for each unique user, but hit a snag understanding how to make that happen.
Instead I reverted to tls-crypt, thinking I would be safe. I run the VPN at all times through my phone and am wondering whether this is activity from my phone while out and about, or whether this is in fact foreign and someone has succeeded at username and password authorization. The IP changes, but it always remains 166.177.XXX.XXX; only the Xs change. I did a reverse lookup as well, and the IP has been from Kansas and Georgia. The locations were a lawyer's office in Kansas and the state capitol in Georgia. This leads me to believe the IP is foreign and that other servers have been compromised in those places.

How can I best prevent foreign users on my ASUS VPN server moving forward? Thanks.

Mar 11 18:36:12 ovpn-server1[809]: TCP connection established with [AF_INET6]::ffff:166.177.187.103:29275
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 TLS: Initial packet from [AF_INET6]::ffff:166.177.187.103:29275, sid=d2f7a63a eea174ff
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC88U, emailAddress=me@myhost.mydomain
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_GUI_VER=OC30Android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_VER=3.2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_PLAT=android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_NCP=2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_TCPNL=1
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_PROTO=2
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_LZO=1
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 TLS: Username/Password authentication succeeded for username 'XXXXX'
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 [client] Peer Connection Initiated with [AF_INET6]::ffff:166.177.187.103:29275
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI_sva: pool returned IPv4=XXX.XXX.XXX.XXX, IPv6=(Not enabled)
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI: Learn: XXX.XXX.XXX.XXX -> client/166.177.187.103
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 MULTI: primary virtual IP for client/166.177.187.103: XXX.XXX.XXX.XXX
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 SENT CONTROL [client]: 'PUSH_REPLY,route XXX.XXX.XXX.X 255.255.255.0 vpn_gateway 500,dhcp-option DNS XXX.XXX.XXX.X,redirect-gateway def1,route-gateway XXX.XXX.XXX.X,topology subnet,ping 15,ping-restart 60,ifconfig XXX.XXX.XXX.X 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Data Channel: using negotiated cipher 'AES-128-GCM'
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 11 18:36:12 ovpn-server1[809]: client/166.177.187.103 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 write TCPv6_SERVER: Connection reset by peer (code=104)
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 Connection reset, restarting [0]
Mar 11 18:39:06 ovpn-server1[809]: client/166.177.187.103 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
The IP changes, but it always remains 166.177.XXX.XXX; only the Xs change. I did a reverse lookup as well, and the IP has been from Kansas and Georgia. The locations were a lawyer's office in Kansas and the state capitol in Georgia. This leads me to believe the IP is foreign and that other servers have been compromised in those places.
Those IP addresses (166.128.0.0-166.255.255.255) belong to "Service Provider Corporation" which provides IP addresses to mobile phone companies. So it looks like it's you using your phone.
 
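The reply above makes the practical point: what matters is which organisation the source block is allocated to (here 166.128.0.0-166.255.255.255, a mobile carrier range), not the city a reverse lookup or geolocation service attaches to a single address. The following script is an added example, not code from the thread or from ASUS firmware. It parses OpenVPN server log lines of the same shape as the ones posted, collects each successful username/password login together with the client's advertised peer info (IV_PLAT, IV_GUI_VER), and flags any session whose source address falls outside an allowlist of CIDR ranges or whose platform differs from the one you expect. The allowlist, the expected platform "android", the username "alice", and the 203.0.113.7 and 198.51.100.9 addresses are assumptions for the demo (the latter two are documentation-reserved addresses standing in for unknown peers).

```python
import ipaddress
import re

# Constructed sample log, in the format of the OpenVPN server log posted above.
# 166.177.187.103 is the address from the post; 203.0.113.7 and 198.51.100.9
# are documentation-reserved addresses used here as stand-ins for unknown peers.
SAMPLE_LOG = """\
Mar 11 18:36:12 ovpn-server1[809]: TCP connection established with [AF_INET6]::ffff:166.177.187.103:29275
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_GUI_VER=OC30Android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 peer info: IV_PLAT=android
Mar 11 18:36:12 ovpn-server1[809]: 166.177.187.103 TLS: Username/Password authentication succeeded for username 'alice'
Mar 11 19:02:40 ovpn-server1[809]: TCP connection established with [AF_INET6]::ffff:203.0.113.7:41022
Mar 11 19:02:40 ovpn-server1[809]: 203.0.113.7 peer info: IV_GUI_VER=OC30Android
Mar 11 19:02:40 ovpn-server1[809]: 203.0.113.7 peer info: IV_PLAT=linux
Mar 11 19:02:40 ovpn-server1[809]: 203.0.113.7 TLS: Username/Password authentication succeeded for username 'alice'
Mar 11 19:05:01 ovpn-server1[809]: 198.51.100.9 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:198.51.100.9:55001
"""

# Assumed allowlist: the carrier block named in the reply
# (166.128.0.0-166.255.255.255 is 166.128.0.0/9). Replace with the ranges
# your own clients really connect from; look them up with whois, not geolocation.
EXPECTED_SOURCES = [ipaddress.ip_network("166.128.0.0/9")]

# Assumed: the only client you own is an Android phone.
EXPECTED_PLATFORM = "android"

# Only the "authentication succeeded" line is treated as a login; TLS errors and
# connections that never authenticate are noise for this purpose.
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+: (?P<ip>[\d.]+) "
    r"TLS: Username/Password authentication succeeded for username '(?P<user>[^']*)'"
)
# Peer info lines arrive before the auth line and carry the client's own description of itself.
PEER_INFO = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+: (?P<ip>[\d.]+) peer info: (?P<key>IV_\w+)=(?P<val>\S+)"
)


def parse_sessions(log_text):
    """One record per successful username/password login: ts, ip, user, peer_info dict."""
    pending = {}  # ip -> {IV_key: value} seen before that ip's auth line
    sessions = []
    for line in log_text.splitlines():
        m = PEER_INFO.match(line)
        if m:
            pending.setdefault(m["ip"], {})[m["key"]] = m["val"]
            continue
        m = AUTH_OK.match(line)
        if m:
            sessions.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "user": m["user"],
                "peer_info": pending.pop(m["ip"], {}),
            })
    return sessions


def classify(session, expected=EXPECTED_SOURCES, platform=EXPECTED_PLATFORM):
    """Reasons this login looks unexpected; an empty list means it matches your own client."""
    reasons = []
    addr = ipaddress.ip_address(session["ip"])
    if not any(addr in net for net in expected):
        reasons.append(f"source {addr} outside expected ranges")
    plat = session["peer_info"].get("IV_PLAT")
    if plat is not None and plat != platform:
        reasons.append(f"client platform {plat!r}, expected {platform!r}")
    return reasons


def flag_sessions(log_text):
    """(ts, ip, user, reasons) for every successful login that fails a check."""
    flagged = []
    for s in parse_sessions(log_text):
        reasons = classify(s)
        if reasons:
            flagged.append((s["ts"], s["ip"], s["user"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, ip, user, reasons in flag_sessions(SAMPLE_LOG):
        print(f"{ts} {ip} user={user}: " + "; ".join(reasons))
```

On the sample log the carrier-range Android login is accepted and the login from 203.0.113.7 is reported twice over (unexpected range and unexpected platform). A successful login from outside your ranges is the case to act on: it means a valid username and password were presented, so rotate that credential before anything else. Note that an attacker can set IV_PLAT to whatever they like, so the platform check is a convenience signal, not a control; the source-range check is the one worth keeping.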
