Protect OpenVPN server

Mikiya

Occasional Visitor
Hi
I've searched here but I can't find a way to do what I want to protect my OpenVPN server, so...
I know fail2ban (I use it on other computers), I know Merlin does not want to use it because of Python, and I've read posts about ipset scripts to protect from some IPs (by country or malicious lists).
BUT I can't find out how I can protect my OpenVPN from brute force. With fail2ban, it's quite simple to set a regex from the log file, but without it, I don't know.
Have you found a solution for that?
Thank you!
 
If you use 1024- or 2048-bit certificates, brute-forcing through OpenVPN would take years. I wouldn't worry about it.

You could also move OpenVPN to a different port than 1194, so malicious users won't be able to find it.
 
I use the default generated certificates (generated directly by the router when the server is activated) for the server, and a username/password pair, with HMAC protection via tls-auth. I don't know if it's robust enough (with a strong password, obviously), which is why I wanted to protect against brute force. But as you said, maybe using user certificates could solve this if they are stronger.
 
I prevent other countries from even trying to connect by setting the INPUT chain policy to DROP,
and after that adding the addresses that are allowed to connect to my router.
There is an ipset rule allowing any IP from my country, localhost, internal networks, etc.

Code:
ramon@ac66u:/tmp/home/root# iptables -nvL

Chain INPUT (policy DROP 3162 packets, 201K bytes)
 pkts bytes target     prot opt in     out     source               destination       
 2021  110K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set CountryWhitelist_br src
 107K   22M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0         
 121K   24M ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0         
40845   58M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
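An added example, not code from this thread or from Asus-Merlin: a small POSIX sh script that does the fail2ban job the original question asks for (count failed OpenVPN handshakes/logins per source IP from syslog and ban repeat offenders with ipset, no Python needed) and that also emits the commands for the country allow-list layout shown in the listing above. Everything is printed rather than executed so it can be dry-run without root. The set names, port, threshold, the assumed syslog line format ("openvpn[pid]: A.B.C.D:port TLS Error ..." / "... TLS Auth Error ...") and the sample log lines are constructed assumptions, not taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread or Asus-Merlin): log-driven OpenVPN ban
# plus the country allow-list layout, as printed ipset/iptables commands.
# Pipe the output to sh on the router (cru job or firewall-start) to apply it.
# ASSUMPTIONS: OpenVPN logs to syslog as "openvpn[pid]: A.B.C.D:port TLS Error ..."
# or "... TLS Auth Error ..."; the server runs on UDP (change -p for TCP);
# set names, port and threshold below are illustrative.

SETNAME="${SETNAME:-ovpn_ban}"     # hypothetical ipset holding banned peers
OVPN_PORT="${OVPN_PORT:-1194}"     # server port (the thread suggests moving it)
THRESHOLD="${THRESHOLD:-3}"        # failures from one IP before it is banned

# Constructed sample log, modelled on OpenVPN server-side syslog lines.
sample_log() {
  cat <<'EOF'
Jan  5 10:00:01 router openvpn[1234]: 203.0.113.5:51234 TLS Error: TLS handshake failed
Jan  5 10:00:03 router openvpn[1234]: 203.0.113.5:51235 TLS Error: TLS handshake failed
Jan  5 10:00:05 router openvpn[1234]: 203.0.113.5:51236 TLS Auth Error: Auth Username/Password verification failed for peer
Jan  5 10:00:07 router openvpn[1234]: 198.51.100.7:40000 TLS Error: TLS handshake failed
Jan  5 10:00:09 router openvpn[1234]: 192.0.2.44:6000 TLS Error: TLS handshake failed
Jan  5 10:00:11 router openvpn[1234]: 192.0.2.44:6001 TLS Error: TLS handshake failed
Jan  5 10:00:13 router openvpn[1234]: 192.0.2.44:6002 TLS Error: TLS handshake failed
Jan  5 10:00:15 router openvpn[1234]: 192.0.2.44:6003 TLS Auth Error: Auth Username/Password verification failed for peer
Jan  5 10:00:20 router openvpn[1234]: 10.8.0.6:1194 [client1] Peer Connection Initiated with [AF_INET]198.51.100.9:55000
EOF
}

# offenders <threshold>: read syslog on stdin, print peer IPs with at least
# <threshold> failed handshakes or username/password failures, one per line.
# Only the peer "A.B.C.D:port" token is counted, so addresses appearing in
# other fields (the router's own, or a tunnel address) never match.
offenders() {
  awk -v thr="$1" '
    /openvpn.*(TLS Error|TLS Auth Error)/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
          split($i, a, ":"); n[a[1]]++; break
        }
    }
    END { for (ip in n) if (n[ip] >= thr) print ip }
  ' | sort
}

# ban_commands <setname> <port>: read offender IPs on stdin and print the
# ipset/iptables commands that drop them for one hour. RFC1918 sources are
# skipped so a mistyped password on the LAN cannot lock the LAN out. The
# DROP rule is scoped to the OpenVPN port and inserted only if not present.
ban_commands() {
  echo "ipset create $1 hash:ip timeout 3600 -exist"
  echo "iptables -C INPUT -p udp --dport $2 -m set --match-set $1 src -j DROP 2>/dev/null || iptables -I INPUT -p udp --dport $2 -m set --match-set $1 src -j DROP"
  while read -r ip; do
    case "$ip" in
      ""|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
      *) echo "ipset add $1 $ip -exist" ;;
    esac
  done
}

# whitelist_commands <countryset>: the allow-list layout from the listing
# above (country set, loopback, LAN, established, ICMP, then policy DROP).
# Filling <countryset> with the country's prefixes is left to the ipset
# scripts the thread mentions. The RELATED,ESTABLISHED rule goes in before
# the policy flips, otherwise a remote admin session is cut off.
whitelist_commands() {
  echo "ipset create $1 hash:net -exist"
  echo "iptables -I INPUT 1 -m set --match-set $1 src -j ACCEPT"
  echo "iptables -I INPUT 2 -i lo -j ACCEPT"
  echo "iptables -I INPUT 3 -s 192.168.0.0/16 -j ACCEPT"
  echo "iptables -I INPUT 4 -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -I INPUT 5 -p icmp -j ACCEPT"
  echo "iptables -P INPUT DROP"
}

# Stand-alone dry run against the constructed sample. On the router, replace
# sample_log with `cat /tmp/syslog.log` and pipe the result into sh.
sample_log | offenders "$THRESHOLD" | ban_commands "$SETNAME" "$OVPN_PORT"
```

Run as-is it prints the commands for the two sample IPs that cross the threshold; on the router, pipe that output into sh from a periodic cru job and confirm with `ipset list ovpn_ban` and `iptables -nvL INPUT` that the ban rule sits above the ACCEPT rules. Because the set is created with a timeout, entries expire on their own and a legitimate user who fat-fingered a password is not banned forever. Note that tls-auth already discards packets without a valid HMAC before any TLS handshake, so the ban mainly matters for password guessing by someone who holds the static key, and for keeping the log readable.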
 
