Router rebooted when someone tried VPN

Pergola Fabio

Senior Member
Running 384.9, this night my router rebooted.
Seems someone tried to make ovpn, yes, that's possible, it failed, thank god, but why did a reboot start?

These are the latest logs:
Apr 12 22:55:24 ovpn-server1[1721]: 185.200.118.69:55935 TLS: Initial packet from [AF_INET]185.200.118.69:55935, sid=12121212 12121212
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 TLS Error: TLS handshake failed
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 SIGUSR1[soft,tls-error] received, client-instance restarting
May 5 07:05:05 syslogd started: BusyBox v1.25.1
 
Is that maybe the method that was used to try to 'break' your router into letting them in? ;)
 
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 SIGUSR1[soft,tls-error] received, client-instance restarting
Not sure, but the SIGUSR1 is a signal to restart the service. This may have been invoked by ovpn-server1 itself, not through a maligned attack signal by the IP.
I hope it's not possible to do the latter.
 
My routers were continually getting connection attempts via openvpn until I changed the default port.
 
Could be the early stages of an exploit by fuzzing. It probably crashed the router, not rebooted it.
 
but then still, how can he reboot my router by initiating a connection?
It may just be a coincidence, those are standard messages when a client can't connect. So expect to see them all the time unless you change the port number.

He can't reboot your router, although it's quite possible there's a bug in the OpenVPN code that is crashing your router. You need to check the time after the router came back up to determine exactly when it happened. If there's more than a couple of minutes difference then it's probably caused by something else.
 
@octopus how do you know that? And even worse, how was he able to reboot my router by initiating a VPN session?
Code:
https://otx.alienvault.com/indicator/ip/185.200.118.69
@Pergola Fabio Any chance you have Skynet installed? If not I'd recommend adding that script. It would help show you possible attacks to your router and block them if you choose.
 
Yeah, I agree, don't use the well-known port for OpenVPN (1194), or the well-known port for *any* services if you can help it. Heck, I've gotten so paranoid over the past couple years, I keep *every* public facing service disabled until I know for sure I will need it remotely. And even then, I only start the SSH server (w/ PKI only), then start other services (e.g., OpenVPN server) from there. And when I'm done, I shut it down. I just don't trust keeping services exposed anymore unless absolutely necessary.
 
No, no Skynet... Indeed I didn't check the time it came up, could be indeed time between...

Anyway, gonna change the port also.
What was the time in syslog after NTP synced? I would just run this to find it:
Code:
grep disparity /tmp/syslog.log
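
An added example, not from any poster in this thread: the timing check described above, run in Python over a saved copy of the syslog. It assumes the line `grep disparity` finds is BusyBox crond's clock-jump message, that the log year is 2019, and that "a couple of minutes" means 120 seconds; the last line of the sample log is constructed.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
LINE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+(.*)$")

# Sample input: the thread's last pre-reboot lines and boot marker, followed by
# a CONSTRUCTED post-boot crond line (timestamp, PID and minutes are made up).
SAMPLE_LOG = """\
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 TLS Error: TLS handshake failed
Apr 12 22:56:24 ovpn-server1[1721]: 185.200.118.69:55935 SIGUSR1[soft,tls-error] received, client-instance restarting
May 5 07:05:05 syslogd started: BusyBox v1.25.1
Apr 13 03:41:07 crond[987]: time disparity of 493716 minutes detected
"""

def parse(line, year):
    """Return (timestamp, message) for one syslog line, or None if malformed."""
    m = LINE.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss, msg = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)), msg

def reboot_gap(log_text, year=2019, threshold_s=120):
    """Compare the last entry before the reboot with the first NTP-corrected one.

    Syslog lines carry no year, so `year` is an assumption; a log that spans
    New Year produces a negative gap, which is reported as not close in time.
    """
    entries = [e for e in (parse(l, year) for l in log_text.splitlines()) if e]
    # "syslogd started" marks the boot; its own timestamp is the unsynced default clock.
    boots = [i for i, (_, msg) in enumerate(entries) if msg.startswith("syslogd started")]
    if not boots or boots[-1] == 0:
        return None  # no reboot marker, or nothing logged before it
    boot = boots[-1]
    last_before = entries[boot - 1][0]
    synced = next((ts for ts, msg in entries[boot + 1:] if "disparity" in msg), None)
    if synced is None:
        return None  # clock was never corrected in this log; nothing to compare
    gap = (synced - last_before).total_seconds()
    # The gap includes boot and NTP sync time, so it is an upper bound on the delay.
    return {"last_before": last_before, "synced": synced,
            "gap_s": gap, "close_in_time": 0 <= gap <= threshold_s}

if __name__ == "__main__":
    print(reboot_gap(SAMPLE_LOG))
```

With the constructed sample the gap is several hours, the case where the failed handshake and the reboot are probably unrelated.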
 
