Large number of UNDEF connections to OpenVPN server

ragnaroknroll

Regular Contributor
I'm running an OpenVPN server on my Asus RT-AC86U router running Merlin v386.4. Just a short while ago, I observed a large number of connections with UNDEF common name in the VPN Status page of my GUI. Screenshot is attached. I think I just happened to open this status page in the middle of some kind of attack. The log files I pulled up from /jffs/syslog and /jffs/syslog-1 appear to be full of (hopefully) failed attempts. These log files only cover the last hour though, and I can't seem to be able to find the log files from earlier. I'm freaking out a bit at the moment. Could anyone please help me understand if I've been hacked? Anything I can do to protect myself?
 

Attachment: screenshot_mod.jpg (102.6 KB)
Nope, that's not my IP address. My router is connected to a VPN provider as well, but that's not even an IP address related to this VPN provider. I can provide a portion of the syslog file I saved, but unsure if it has any personal information I should first remove before posting publicly. As you can tell, I'm pretty paranoid at the moment.
 
Most of the time this is due to using the well-known ports, something you should always avoid.

Frankly, I'm even more paranoid. I don't keep my OpenVPN server running 24/7 anymore, only on-demand, by running it off a separate router that's plugged into a smart wifi AC adapter, controllable via my smartphone. 99% of the time that router is OFF and the OpenVPN server isn't even available except on the few occasions I actually need it. And that smart wifi AC adapter itself is on my IoT network, kept isolated from the private network.
 
Well it comes back to a residential account.

Had to ask.

I wouldn't be too freaked out as the purpose of the VPN is to keep your data private. If that IP is hitting your WAN OVPN public IP then it's just a scanner hitting the OVPN Port trying to break in. Just change the port # to something a bit random or shut off the remote WAN access completely.

I get hundreds of hits per day from scanners and VPN everything. If I saw 2-way traffic from those though I would be investigating things a bit more.

I locked down my connection to only originate traffic and respond to traffic that was originated internally and drop everything else.
 
Gulp... I keep my work PC permanently connected to my home OpenVPN server, so that it can keep my files synchronised with my home PC all the time using Resilio Sync. Guess I'll have to live with this risk. But yes, have changed my port number away from the default. Hopefully that should help.
 
Thanks for that. Helps me breathe easy a bit. Going from the syslog though, it's not just that IP. It seems to be some kind of synchronised scan/attack from a number of IPs. Pretty freaky...

Just out of curiosity, how would you be able to tell from the logs if the traffic was 1-way or 2-way?
 
I don't know how Asus logs compare to syslog or the other tools I use, but if you PM them I can take a look and see if there's a way to parse them.
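The "1-way or 2-way" question can be answered for the handshake stage from the OpenVPN lines in syslog alone. A session that has sent a TLS initial packet but never presented a valid client certificate has no common name yet, which is what the status page shows as UNDEF; a real client is the one that reaches "Peer Connection Initiated" and is afterwards logged under its common name. The script below is an added example, not code from this thread or from Asuswrt-Merlin. It assumes the server's messages reach /jffs/syslog with a tag of the form ovpn-server1[pid]: followed by standard OpenVPN 2.x message text; the sample lines are constructed for illustration and use documentation-range IPs.

```python
"""Triage OpenVPN server syslog lines by source IP.

Added example for this thread, not code from the original posts or from
Asuswrt-Merlin. Assumes lines tagged `ovpn-server<N>[pid]:` followed by the
usual OpenVPN 2.x server messages. The LOG sample is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: two handshakes from one host that never authenticate,
# one real client (work-pc), and one packet rejected by tls-auth/tls-crypt.
LOG = """\
Feb  5 10:12:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41234 TLS: Initial packet from [AF_INET]203.0.113.7:41234, sid=1a2b3c4d 5e6f7a8b
Feb  5 10:12:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41235 TLS: Initial packet from [AF_INET]203.0.113.7:41235, sid=9c8d7e6f 5a4b3c2d
Feb  5 10:12:03 RT-AC86U ovpn-server1[2345]: 198.51.100.23:1194 TLS: Initial packet from [AF_INET]198.51.100.23:1194, sid=0f1e2d3c 4b5a6978
Feb  5 10:12:03 RT-AC86U ovpn-server1[2345]: 198.51.100.23:1194 VERIFY OK: depth=1, CN=home-ca
Feb  5 10:12:03 RT-AC86U ovpn-server1[2345]: 198.51.100.23:1194 VERIFY OK: depth=0, CN=work-pc
Feb  5 10:12:04 RT-AC86U ovpn-server1[2345]: 198.51.100.23:1194 [work-pc] Peer Connection Initiated with [AF_INET]198.51.100.23:1194
Feb  5 10:12:04 RT-AC86U ovpn-server1[2345]: work-pc/198.51.100.23:1194 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Feb  5 10:13:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb  5 10:13:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41234 TLS Error: TLS handshake failed
Feb  5 10:13:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41235 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb  5 10:13:01 RT-AC86U ovpn-server1[2345]: 203.0.113.7:41235 TLS Error: TLS handshake failed
Feb  5 10:14:10 RT-AC86U ovpn-server1[2345]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.99:5050
"""

# "tag: [cn/]ip:port message" -- the ip:port prefix is absent for packets
# rejected before a session exists, so it is optional here.
LINE_RE = re.compile(
    r"ovpn-server\d+\[\d+\]: (?:(?P<cn>[\w.-]+)/)?"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) )?(?P<msg>.*)$"
)
AF_RE = re.compile(r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
PEER_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")


def _new_entry():
    return {"initial": 0, "tls_errors": 0, "hmac_drops": 0,
            "ports": set(), "cns": set(), "verdict": ""}


def triage(lines):
    """Return {source_ip: stats}; stats['verdict'] classifies each source."""
    per_ip = defaultdict(_new_entry)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                          # not an OpenVPN server line
        msg = m["msg"]
        ip, port = m["ip"], m["port"]
        if ip is None:                        # fall back to the [AF_INET] address
            a = AF_RE.search(msg)
            if not a:
                continue
            ip, port = a["ip"], a["port"]
        e = per_ip[ip]
        e["ports"].add(int(port))
        if m["cn"]:                           # "cn/ip:port" only after authentication
            e["cns"].add(m["cn"])
        if msg.startswith("TLS: Initial packet"):
            e["initial"] += 1
        elif "cannot locate HMAC" in msg:     # dropped by tls-auth/tls-crypt
            e["hmac_drops"] += 1
        elif msg.startswith("TLS Error"):
            e["tls_errors"] += 1
        else:
            p = PEER_RE.match(msg)
            if p:
                e["cns"].add(p["cn"])
    for e in per_ip.values():
        if e["cns"]:
            e["verdict"] = "authenticated client"
        elif e["hmac_drops"]:
            e["verdict"] = "dropped before TLS (tls-auth/tls-crypt)"
        else:
            e["verdict"] = "unauthenticated probe"   # shows as UNDEF while pending
    return dict(per_ip)


def suspicious(report):
    """IPs that never completed authentication, sorted for stable output."""
    return sorted(ip for ip, e in report.items() if not e["cns"])


if __name__ == "__main__":
    for ip, e in sorted(triage(LOG.splitlines()).items()):
        print(f"{ip:16} initial={e['initial']} tls_errors={e['tls_errors']} "
              f"hmac_drops={e['hmac_drops']} cns={sorted(e['cns'])} -> {e['verdict']}")
```

Run it against a saved copy of /jffs/syslog (`triage(open(path).read().splitlines())`). Many source ports from one IP with only TLS Error lines is the scanner pattern; an IP that appears under a common name you did not expect is the case worth investigating further.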
 
Just wanted to ask if there's any best practices out there on securing my OpenVPN server, which really needs to be open 24/7 for my own convenience. Is there anything more I can do apart from just changing my port number? I've currently followed the instructions from https://github.com/RMerl/asuswrt-merlin.ng/wiki/Static-ip-for-OpenVPN-clients to set up static IP addresses for 4 of my devices when they connect to my OpenVPN server. Each device has its own associated common name, username, password, and certificate. I will not really be connecting any other devices to my OpenVPN server; just these four, although these connections can come from different IP addresses when I travel. I can see a number of authentication related options under OpenVPN server that I don't quite understand. Anything I can change there to improve my security?
 
Thanks! Will take a look. I will have my work PC connected via OpenVPN 24/7 though. So the OpenVPN server port will be open all the time.
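On the best-practices question above, the settings that matter are all plain OpenVPN server directives, whatever the router GUI labels them. The audit below is an added example, not code from this thread or from Asuswrt-Merlin: it parses a server configuration and flags the weak or missing settings, with a constructed weak config next to a hardened one. File names (ta.key, crl.pem) and the port number in the hardened sample are placeholders chosen for illustration. The first check is the one most relevant to the UNDEF sessions: with tls-auth or tls-crypt, a packet that does not carry a valid HMAC from the pre-shared key is discarded, so a port scanner never gets a TLS handshake at all.

```python
"""Audit an OpenVPN server .conf for exposure and authentication weaknesses.

Added example for this thread, not code from the original posts or from
Asuswrt-Merlin. Sample configs are constructed; ta.key, crl.pem and the
port number are placeholders.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "RC2-40-CBC", "NONE"}

# Constructed weak config: defaults that leave the port open to anyone.
WEAK_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
verify-client-cert none
cipher BF-CBC
comp-lzo
duplicate-cn
keepalive 10 120
"""

# Constructed hardened config (port chosen arbitrarily).
HARDENED_CONF = """\
port 41951                  # non-default port, as suggested in the thread
proto udp
dev tun
server 10.8.0.0 255.255.255.0
tls-crypt ta.key            # packets without a valid HMAC get no reply
verify-client-cert require
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
crl-verify crl.pem          # revoke a lost device's certificate
max-clients 4               # one per real device
keepalive 10 120
"""


def parse_directives(text):
    """Map directive name -> list of argument lists, in file order."""
    directives = {}
    in_block = False                      # skip inline <ca>...</ca> style blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if in_block:
            continue
        if line.startswith("<"):
            in_block = True
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return a list of finding codes; an empty list means nothing flagged."""
    d = parse_directives(text)
    last = lambda name, default: d.get(name, [default])[-1]   # last occurrence wins
    findings = []
    # 1. Without tls-auth/tls-crypt the server answers any initial packet with a
    #    TLS handshake, so every scanner becomes a pending (UNDEF) session.
    if not d.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no-control-channel-hmac")
    # 2. Client certificates must be mandatory, not optional or disabled.
    if "client-cert-not-required" in d or last("verify-client-cert", ["require"])[0] != "require":
        findings.append("client-cert-not-required")
    # 3. Require the client EKU so a leaked server certificate cannot pose as a client.
    if ["client"] not in d.get("remote-cert-tls", []):
        findings.append("no-remote-cert-tls")
    # 4. Refuse TLS 1.0/1.1 on the control channel (OpenVPN's default floor is 1.0).
    if float(last("tls-version-min", ["1.0"])[0]) < 1.2:
        findings.append("tls-version-min-below-1.2")
    # 5. The default port draws the bulk of automated scanning.
    if last("port", ["1194"])[0] == "1194":
        findings.append("default-port-1194")
    # 6. Compression enables VORACLE-style attacks; stub framing is harmless.
    if "comp-lzo" in d or any(a and a[0] not in ("stub", "stub-v2") for a in d.get("compress", [])):
        findings.append("compression-enabled")
    # 7. Legacy 64-bit-block or null ciphers anywhere in the offered set.
    offered = set()
    for name in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(name, []):
            if args:
                offered.update(args[0].upper().split(":"))
    if offered & WEAK_CIPHERS:
        findings.append("weak-cipher")
    # 8. duplicate-cn lets several clients share one certificate, so a copied key goes unnoticed.
    if "duplicate-cn" in d:
        findings.append("duplicate-cn")
    # 9. Cap concurrent sessions at the number of real devices.
    if "max-clients" not in d:
        findings.append("no-max-clients")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Point `audit(open(path).read())` at the server configuration the router actually runs. Findings 1 and 5 together are what turn a 24/7 server from "answers every scanner" into "silent unless the client holds the pre-shared key"; the rest restrict who can authenticate once a handshake does start.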
 
