OVPN-Server issue. Can someone look at my log and tell me what is going on? I don't want to post it in public though.

DAVID LONG

Regular Contributor
OVPN-Server issue. Can someone look at my log and tell me what is going on? I don't want to post it in public though. Any way to share it not publicly?

Thanks.
 

DAVID LONG

Regular Contributor
How do I share it with you without posting it?
 

eibgrad

Very Senior Member
PM (private message). Click on my profile and Start Conversation.
 

DAVID LONG

Regular Contributor
Email sent
 

eibgrad

Very Senior Member
Got it.

What specifically is the issue? From what I see, it's all normal. The OpenVPN server seems to be configured properly and is waiting for the OpenVPN client to connect.
 

DAVID LONG

Regular Contributor
I didn't try to connect to it. I haven't used ovpn in months.
 

DAVID LONG

Regular Contributor
Someone outside tried to connect?

Were they successful?

Do I need to look for any changes they made? If so, what could they change?
 

eibgrad

Very Senior Member
Oh, I see. Yeah, I just noticed the following.

Code:
Feb 10 10:46:35 ovpn-server1[31076]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Feb 10 10:46:35 ovpn-server1[31076]: PLUGIN AUTH-PAM: Error signaling background process to exit: Connection refused (errno=111)

It's an invalid username and/or password attempt and was blocked.

It's best to NOT use the well-known port of 1194, but it seems you already did that. Maybe they just guessed and got lucky, but there's no indication they got in. Try changing the port, just to see if it happens again.
 

DAVID LONG

Regular Contributor
Since I am stuck at home, I disabled ovpn. If I ever get back out of the house I'll look into changing the port.

Thanks.
 

eibgrad

Very Senior Member
FYI. Although a bit of a hassle to set up, consider placing the OpenVPN server on its own device, like an old router, and port forwarding to it. Then use a smart AC plug for managing it. That way you can leave the server OFF until you actually need it. Once on the road, whip out your smartphone, turn the smartplug ON, do what you need to do, then turn it OFF.

IOW, minimize your exposure as much as possible by only having it running on-demand.

That's what I've done w/ my own network. I just don't trust having *anything* accessible these days over the WAN unless absolutely necessary.
 

DAVID LONG

Regular Contributor
Sounds like a good plan, thanks.
 

elorimer

Very Senior Member
eibgrad said:
"Then use a smart AC plug for managing it. That way you can leave the server OFF until you actually need it."

That's clever.

One of my servers, port forwarded to a non-standard port, gets between 2 and 3 thousand invalid attempts a day.
 

eibgrad

Very Senior Member
Here's something else to consider as well for better security.

Wouldn't be a bad idea to use the tls-auth option when configuring your OpenVPN server. The OpenVPN server GUI has this disabled by default, but it can help mitigate this problem of hackers randomly banging away at your server.

tls-auth adds an additional layer of authentication (using a static key) to the TLS control channel packets. When an OpenVPN client attempts to make initial contact w/ the server and does NOT have the correct static key, it can't decrypt those packets, and the server IMMEDIATELY drops the packet. IOW, the connection can't even get started. The primary purpose is to mitigate (D)DOS attacks. However, a secondary benefit is you should never see a failed username/password attempt unless YOU made the error (assuming your static key has not been stolen or otherwise compromised). The fact your syslog shows the failed login attempt strongly suggests you're not using this option.
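
Added example, not part of the thread or of any poster's own tooling: a small Python check over OpenVPN server syslog that separates probes dropped at the tls-auth HMAC stage from peers that got as far as the username/password check, which is the distinction the post above draws. The log lines are constructed samples using documentation IP addresses, and the message wording is assumed from OpenVPN 2.x and may differ between versions; only IPv4 sources are parsed.

```python
import re
from collections import Counter

# Constructed sample: server WITHOUT tls-auth, a stranger reaches the password check.
LOG_WITHOUT_TLS_AUTH = """\
Feb 10 10:46:31 ovpn-server1[31076]: 203.0.113.7:51820 TLS: Initial packet from [AF_INET]203.0.113.7:51820, sid=1a2b3c4d 5e6f7a8b
Feb 10 10:46:34 ovpn-server1[31076]: 203.0.113.7:51820 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# Constructed sample: server WITH tls-auth, the same kind of probe is dropped on the first packet.
LOG_WITH_TLS_AUTH = """\
Feb 11 11:02:10 ovpn-server1[31076]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:40211
Feb 11 11:05:44 ovpn-server1[31076]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 11 11:05:44 ovpn-server1[31076]: TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.23:40215
"""

# Message patterns (assumed OpenVPN 2.x wording).
RULES = {
    "dropped_by_tls_auth": re.compile(
        r"TLS Error: (cannot locate HMAC in incoming packet"
        r"|incoming packet authentication failed) from"),
    "password_auth_failed": re.compile(
        r"TLS Auth Error: Auth Username/Password verification failed"),
}
# Source address: either the "[AF_INET]ip:port" form or the "ip:port" peer prefix.
SRC = re.compile(r"(?:\[AF_INET\]|\]: )(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def classify(log_text):
    """Return {rule_name: Counter(source_ip -> hits)} for the given syslog text."""
    hits = {name: Counter() for name in RULES}
    for line in log_text.splitlines():
        for name, rx in RULES.items():
            if rx.search(line):
                m = SRC.search(line)
                hits[name][m.group(1) if m else "unknown"] += 1
    return hits


def reached_password_check(hits):
    """True if any peer got past the control-channel stage to user/pass auth."""
    return sum(hits["password_auth_failed"].values()) > 0


if __name__ == "__main__":
    for label, log in (("without tls-auth", LOG_WITHOUT_TLS_AUTH),
                       ("with tls-auth", LOG_WITH_TLS_AUTH)):
        h = classify(log)
        print(label, {k: dict(v) for k, v in h.items()},
              "password check reached:", reached_password_check(h))
```

If failed username/password lines keep appearing from addresses that are not yours after tls-auth is enabled, treat the static key as possibly exposed and regenerate it.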
