OVPN-Server issue. Can someone look at my log and tell me what is going on? I don't want to post it in public though.

[DAVID LONG]

OVPN-Server issue. Can someone look at my log and tell me what is going on? I don't want to post it in public though. Anyway to share it not publicly?

Thanks.

 

[eibgrad]

Have at it.

 

[DAVID LONG]

How do i share it with you without posting it?

 

[eibgrad]

PM (private message). Click on my profile and Start Conversation.

 

[octopus]

How do i share it with you without posting it?

you know how it sounds ?

 

[DAVID LONG]

Email sent

 

[eibgrad]

Got it.

What specifically is the issue? From what I see, it's all normal. The OpenVPN server seems to be configured properly and is waiting for the OpenVPN client to connect.

 

[DAVID LONG]

I didn't try to connect to it. I haven't used ovpn in months.

 

[DAVID LONG]

Someone outside tried to connect?

Were they successful?

Do i need to look for any changes they made? If so, what could they change?

 

[eibgrad]

Oh, I see. Yeah, I just noticed the following.

Feb 10 10:46:35 ovpn-server1[31076]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Feb 10 10:46:35 ovpn-server1[31076]: PLUGIN AUTH-PAM: Error signaling background process to exit: Connection refused (errno=111)

It's an invalid username and/or password attempt and was blocked.

It's best to NOT use the well-known port of 1194, but it seems you already did that. Maybe they just guessed and got lucky, but there's no indication they got in. Try changing the port, just to see if it happens again.

 

[DAVID LONG]

Since I am stuck at home, I disabled ovpn. If I ever get back out of the house I'll look into changing the port.

Thanks.

 

[eibgrad]

FYI. Although a bit of a hassle to setup, consider placing the OpenVPN server on its own device, like an old router, and port forwarding to it. Then use a smart AC plug for managing it. That way you can leave the server OFF until you actually need it. Once on the road, whip out your smartphone, turn the smartplug ON, do what you need to do, then turn it OFF.

IOW, minimize your exposure as much as possible by only having it running on-demand.

That's what I've done w/ my own network. I just don't trust having *anything* accessible these days over the WAN unless absolutely necessary.

 

[DAVID LONG]

Sounds like a good plan, thanks.

 

[elorimer]

Then use a smart AC plug for managing it. That way you can leave the server OFF until you actually need it.

That's clever.

one of my servers, port forwarded to a non-standard port, gets between 2 and 3 thousand invalid attempts a day.

 

[eibgrad]

Here's something else to consider as well for better security.

Wouldn't be a bad idea to use the tls-auth option when configuring your OpenVPN server. The OpenVPN server GUI has this disabled by default, but it can help mitigate this problem of hackers randomly banging away at your server.

tls-auth adds an additional layer of authentication (using a static key) to the TLS control channel packets. When an OpenVPN client attempts to make initial contact w/ the server and does NOT have the correct static key, it can't decrypt those packets, and the server IMMEDIATELY drops the packet. IOW, the connection can't even get started. The primary purpose is to mitigate (D)DOS attacks. However, a secondary benefit is you should never see a failed username/password attempt unless YOU made the error (assuming your static key has not been stolen or otherwise compromised). The fact your syslog shows the failed login attempt strongly suggests you're not using this option.

Hardening OpenVPN Security | OpenVPN

OpenVPN provides several mechanisms to add additional security layers to hedge against security breaches. Discover them here.

openvpn.net