Netgate Discussion Forum

    OpenVPN Security question - Is this likely an attack? Can it be firewalled?

    • G
      guardian Rebel Alliance
      last edited by

      I was looking through my openvpn.log file and found a lot of messages like the one below. Is this an attack? If so, how serious, can I firewall it? Suggestions/comments/hints most appreciated. Thanks.

      Mar  5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 02:06:44 guardian openvpn[53698]: 83.97.20.33:62304 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 02:06:53 guardian openvpn[53698]: 83.97.20.33:39047 WARNING: Bad encapsulated packet length from peer (27648), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:20 guardian openvpn[53698]: 164.52.24.162:58353 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:20 guardian openvpn[53698]: 164.52.24.162:34334 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:21 guardian openvpn[53698]: 164.52.24.162:44893 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:21 guardian openvpn[53698]: 164.52.24.162:33844 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:48203 WARNING: Bad encapsulated packet length from peer (49153), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:56052 WARNING: Bad encapsulated packet length from peer (6949), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad encapsulated packet length from peer (20304), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:40267 WARNING: Bad encapsulated packet length from peer (41984), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:54843 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:34565 WARNING: Bad encapsulated packet length from peer (4108), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      
      

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE
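
Added example (not part of the original post): OpenVPN in TCP mode frames every packet with a 16-bit big-endian length, so the rejected "length" in these warnings is simply the first two bytes the peer sent. The sketch below groups the warnings by source IP and decodes those bytes for triage; the sample lines are shortened from the log above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three warnings shortened from the log in the post above.
SAMPLE_LOG = """\
Mar  5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627
Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627
Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad encapsulated packet length from peer (20304), which must be > 0 and <= 1627
"""

LINE_RE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ WARNING: "
    r"Bad encapsulated packet length from peer \((?P<length>\d+)\)"
)


def describe_prefix(length):
    """Interpret the rejected length as the first two bytes the peer sent."""
    first, second = length >> 8, length & 0xFF
    if first == 0x16 and second == 0x03:
        # Content type 22 (handshake) followed by TLS major version 3.
        return "TLS handshake record (0x16 0x03)"
    pair = bytes([first, second])
    if pair.isalpha():  # two ASCII letters, e.g. the start of an HTTP verb
        return "ASCII text starting %r" % pair.decode("ascii")
    return "binary 0x%02x 0x%02x" % (first, second)


def summarize(log_text):
    """Return {source_ip: {description: count}} for bad-length warnings."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("length")) <= 0xFFFF:
            kind = describe_prefix(int(m.group("length")))
            summary[m.group("ip")][kind] += 1
    return {ip: dict(kinds) for ip, kinds in summary.items()}


if __name__ == "__main__":
    for ip, kinds in summarize(SAMPLE_LOG).items():
        print(ip, kinds)
```

A source whose warnings decode to a mix of TLS, HTTP-like and arbitrary binary prefixes is speaking other protocols at the port rather than OpenVPN.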

      • P
        Paulk201270
        last edited by

        @guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

        164.52.24.162

        Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....

        • G
          guardian Rebel Alliance @Paulk201270
          last edited by

          @Paulk201270 said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

          @guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

          164.52.24.162

          Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....

          Thanks for the heads up.... Where did you find it?


          • P
            Paulk201270 @guardian
            last edited by Paulk201270

            @guardian Just did a Google search on the IP and abuse and got 100% certainty, with lots of people reporting it. Sorry for the lengthy delay, extremely busy month.

            Best regards
            Paul.

            • P
              Paulk201270 @Paulk201270
              last edited by

              @Paulk201270 Abuse_IP_1.PNG Abuse_IP_2.PNG

              • NogBadTheBadN
                NogBadTheBad
                last edited by NogBadTheBad

                You could use pfBlocker GeoIP to block regions that you don't want people to hit your ovpn server from.

                Screenshot 2020-03-20 at 07.27.32.png

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • P
                  Paulk201270 @NogBadTheBad
                  last edited by

                  @NogBadTheBad Yep, or just add a blacklist to an IP range individually.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.