Seems like my OpenVPN server has been hacked

You can choose a random port, preferably not used by any popular service. Using a non-default port reduces the chance of being targeted.
So pick a number, any number......5000, 4200? Not being sarcastic but if you don't know you don't know!

This setting affects your VPN Server. Besides the need to authenticate with a username and password a client now additionally needs to provide a certificate. This certificate is included in the .ovpn config which you can export on the VPN Server page and is needed for a client to be able to connect. Adding a certificate to the authentication requirements is what increases security compared to user/pass only.
That explains why I lost internet. I will look into how to do the certificate. Thank you.
 
You have a free choice, my dear @Brenneke (not being sarcastic either). You can pick a random number between, let's say 1025 and 65535. Ports 1-1024 are most commonly used, so best to avoid them. You could check https://www.speedguide.net/ports.php (for example) to see whether the 4 or 5-digit port number you come up with is commonly used for other services.
 
I have had problems connecting to my router (OpenVPN) for 3 days. Just looked into it and I saw a whole list of "connected" clients from the same IP with username UNDEF. The router's webgui is not open for WAN. I will at least change the port now. Darn hackers :mad:
 
Same issue as above. Everything is closed except the OVPN server, and I can't get it to work the last couple of days. I never changed anything, but it keeps giving a TLS handshake error.
Tried creating OVPN server 2 with default settings and same result. Restarted router multiple times, tried from 2 different clients that were previously working.
Let me know if you get your server working again.
 
I got a UDP error. For me it was fixed by just rebooting the router. The list of "connected" clients is now cleaned of those malicious entries.
 
OK back up now. I had to remove the VPN user account and add it again. Somehow it must have been corrupted/deleted even though it still showed up on the webui.

The list of "UNDEF" clients were showing for me too but I determined the IP address was mine and was simply the unsuccessful connection attempts.
 
Good to hear you got it up again. For me the listed ip was from Poland and I am from the Netherlands.
 
If you use your VPN from a network that tries to restrict your activity, you might experience trouble with some ports. My office uses QoS to make all ports other than a few well-known service ports (80, 443, 53, etc.) crawl at super-slow speed. They also block outgoing UDP. To get my VPN so that my phone could stay connected while connected to the WiFi at work I had to put my VPN server on one of the un-throttled ports and make it use TCP/IP instead of UDP.
 
You can choose a random port, preferably not used by any popular service. Using a non-default port reduces the chance of being targeted.

This setting affects your VPN Server. Besides the need to authenticate with a username and password a client now additionally needs to provide a certificate. This certificate is included in the .ovpn config which you can export on the VPN Server page and is needed for a client to be able to connect. Adding a certificate to the authentication requirements is what increases security compared to user/pass only.

I contacted my VPN provider Nord, they told me they allow password authorization only - does this sound like straight goods or maybe just an agent that doesn't really know what he is talking about?
They also said I must use 1194 for UDP and 443 for TCP only. Did I misunderstand where this port setting is?
 
What we've been talking about here is having your own OpenVPN server running on your Merlin router. Connecting to a commercial OpenVPN provider's server as a client has a different (much smaller) set of issues.

As an OpenVPN client you want to be sure that the server you're connecting to is in fact Nord. How they authenticate your connection (user/password, CA/cert/key or both) doesn't have a bearing on the security of your tunnel, that's done using encryption. There is an issue with compression that's surfaced recently, and since most everything is well compressed these days anyway, it's best to not use compression unless Nord mandates it.

Some providers have different ports you can use that have different levels of encryption, so choose the one that makes the most sense to you based on a balance of speed vs. security. Which port you connect to is determined by which protocols you want, and whether or not your ISP is blocking traffic on some of them. I personally connect using port 443 (standard HTTPS port), and SSL (stunnel) as the protocol -- there's more overhead but it gives an extra degree of obfuscation.

To sum it up: there's authentication (not really your concern other than it being a valid server -- it's on them to be sure you're their paying customer), encryption (very important to you, so your tunnel is secure) and compression (not as relevant as it used to be, as most traffic is pretty well compressed already).
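
Added example, not part of the post above or of any provider's tooling: a small Python audit of a client .ovpn profile for the three things the post separates (authentication, encryption, compression). The profile text, host name and the function name `audit_client_config` are constructed for illustration; the directives it looks for are standard OpenVPN options.

```python
# Constructed sample client profile; host name and contents are placeholders.
SAMPLE_OVPN = """\
client
proto udp
remote vpn.example.net 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
comp-lzo adaptive
<ca>
(constructed placeholder body)
</ca>
"""

# Directive arguments that turn compression on (None = no argument given).
COMPRESSING = {"comp-lzo": {None, "yes", "adaptive"},
               "compress": {"lzo", "lz4", "lz4-v2"}}

def audit_client_config(text):
    """Summarise authentication, encryption and compression settings."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                               # skip inline <ca>/<cert>/<key> bodies
            if line == f"</{inside}>":
                inside = None
        elif line.startswith("<") and line.endswith(">"):
            inside = line[1:-1]
            blocks.add(inside)
        elif line and line[0] not in "#;":       # ignore blanks and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    has = lambda n: n in directives or n in blocks
    compression = [" ".join([name] + args)
                   for name, on in COMPRESSING.items()
                   for args in directives.get(name, [])
                   if (args[0] if args else None) in on]
    return {
        "verifies_server": has("ca") and (
            ["server"] in directives.get("remote-cert-tls", [])
            or "verify-x509-name" in directives),
        "client_cert": has("cert") and has("key"),
        "user_pass": "auth-user-pass" in directives,
        "cipher": [a[0] for n in ("cipher", "data-ciphers")
                   for a in directives.get(n, []) if a],
        "compression": compression,
    }
```

For the sample, the result shows a profile that checks the server certificate, logs in with user/password only, and has compression switched on.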
 
OK, appreciate you setting me straight, thanks.
 
Thankful I found this thread. Thanks for your help here as I now have this issue of Undef connections from random international IP addresses on my OpenVPN Server (no data transferred).
Q: Can I just ignore them then or is this a 'must do' in terms of a port number change? Asking as it will take some time for me to update a port number change at the server end into all the clients I use (on multiple fire sticks).
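
Added example, not part of any post in this thread: a Python triage of the server's client list that groups UNDEF entries by source IP and marks whether the same IP also has an authenticated session (the "it was my own IP" case mentioned earlier in the thread). It assumes the CSV layout of OpenVPN's status-version 1 file; the sample data, addresses and the function name `triage_undef` are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample in the status-version 1 layout (documentation IP ranges).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat Mar  2 10:15:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
phone,198.51.100.7:40112,482113,9120044,Sat Mar  2 08:01:12 2019
UNDEF,203.0.113.50:51820,0,0,Sat Mar  2 10:14:31 2019
UNDEF,203.0.113.50:51977,0,0,Sat Mar  2 10:14:40 2019
UNDEF,203.0.113.50:52003,0,0,Sat Mar  2 10:14:52 2019
UNDEF,198.51.100.7:40250,0,0,Sat Mar  2 10:14:58 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,phone,198.51.100.7:40112,Sat Mar  2 10:14:59 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def triage_undef(status_text):
    """Group unauthenticated (UNDEF) client-list entries by source IP."""
    known_ips = set()                       # IPs that hold an authenticated session
    undef = defaultdict(lambda: {"attempts": 0, "bytes": 0})
    in_clients = False
    for row in csv.reader(status_text.splitlines()):
        if row[:1] == ["ROUTING TABLE"]:    # the client list ends here
            break
        elif row[:1] == ["Common Name"]:    # header row of the client list
            in_clients = True
        elif in_clients and len(row) >= 5:
            name, real, rx, tx = row[0], row[1], int(row[2]), int(row[3])
            ip = real.rsplit(":", 1)[0]     # drop the source port
            if name == "UNDEF":
                undef[ip]["attempts"] += 1
                undef[ip]["bytes"] += rx + tx
            else:
                known_ips.add(ip)
    return {ip: dict(s, from_known_client=ip in known_ips)
            for ip, s in undef.items()}

if __name__ == "__main__":
    for ip, info in triage_undef(SAMPLE_STATUS).items():
        print(ip, info)
```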
 
