messages in syslog wrt OpenVPN Server

[GSpock]

Hi Folks,
I am running 2 OpenVPN Server and getting those messages in syslog with regards to Server 2 although I have not been using it (I mean I did not connect to it) : any ideas ?
(RT-AC87U with 384.13_1)

Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 Connection reset, restarting [0]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 19 14:02:38 ovpn-server2[6368]: TCP connection established with [AF_INET6]::ffff:37.49.230.9:49223
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 Connection reset, restarting [0]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 19 19:08:18 ovpn-server2[6368]: TCP connection established with [AF_INET6]::ffff:92.118.160.57:64983
Nov 19 19:08:20 ovpn-server2[6368]: 92.118.160.57:64983 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Thanks,
GS

 

[ColinTaylor]

Looks like normal port scanning. Both those source addresses are in the abuse database.

 

[GSpock]

Looks like normal port scanning. Both those source addresses are in the abuse database.

Thanks a lot !

 

[martinr]

Hi Folks,
I am running 2 OpenVPN Server and getting those messages in syslog with regards to Server 2 although I have not been using it (I mean I did not connect to it) : any ideas ?
(RT-AC87U with 384.13_1)

Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 Connection reset, restarting [0]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49188 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 19 14:02:38 ovpn-server2[6368]: TCP connection established with [AF_INET6]::ffff:37.49.230.9:49223
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 Connection reset, restarting [0]
Nov 19 14:02:38 ovpn-server2[6368]: 37.49.230.9:49223 SIGUSR1[soft,connection-reset] received, client-instance restarting
Nov 19 19:08:18 ovpn-server2[6368]: TCP connection established with [AF_INET6]::ffff:92.118.160.57:64983
Nov 19 19:08:20 ovpn-server2[6368]: 92.118.160.57:64983 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Thanks,
GS

Are you using the default port numbers for the servers? If so, you might wish to consider using an obscure port number, even if only temporarily to see the drop in such log entries. But have a read here first:

https://www.snbforums.com/threads/changing-openvpn-server-port-number-backfires.57116/#post-498181

 

[Volfi]

I usually run OpenVPN server on 443 port, due to less blocking, but scanning is immense.

 

[netware5]

I usually run OpenVPN server on 443 port, due to less blocking, but scanning is immense.

Me too. There are countries where internet access is heavily filtered, so using of TCP port 443 on your server is the only solution allowing the client to connect. But the price paid is these portscanning entries flooding the log.

 

[GSpock]

Are you using the default port numbers for the servers? If so, you might wish to consider using an obscure port number, even if only temporarily to see the drop in such log entries. But have a read here first:

https://www.snbforums.com/threads/changing-openvpn-server-port-number-backfires.57116/#post-498181

for server1 I use a custom port, but for server2 I have to use 443 (some remote place only allows me to go thru 443). So, I understand there is nothing to do then .... thanks all for your answers.

GS