UNDEF connections - should I be concerned?



  • In Pfsense (2.4.4) OpenVPN status I see
    UNDEF 199.33.123.19:80 Wed Sep 26 14:34:31 2018 48 B / 28 B
    UNDEF 199.33.123.18:80 Wed Sep 26 14:34:29 2018 84 B / 42 B
    UNDEF 196.196.9.89:80 Wed Sep 26 14:34:28 2018 106 B / 56 B
    UNDEF 62.104.20.175:10075 Wed Sep 26 14:34:32 2018 48 B / 28 B

    What are these? I checked geo ip on 196.196.9.89 and they say NYC; Atlanta, GA; and Sweden. Whois shows the IP is in Sweden. Regardless, I definitely have no users/clients in either location (or even close).



  • @dennis100 I am seeing this as well on one of my boxes that still has BF-CBC as the encryption cipher. This cipher is susceptible to the SWEET32 attack and my guess is these UNDEF IPs are bots scanning and trying to run the attack. I am in the process of migrating all remote devices to AES128-CBC but in the meantime I have a "block all traffic from alias" firewall rule set up to block any traffic from the alias. Whenever I see a new UNDEF IP, I check GeoIP and just add it to the alias. Not perfect but better than nothing and it keeps our customers online until I can have a tech visit every remote location we have.

    If you are using a 64-bit block cipher or not using TLS auth, I would recommend switching to at minimum AES128-CBC and re-configuring the server and clients to use TLS auth, preferably with the tls-crypt option.
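    The alias workflow described above can be taken off the clipboard. As an added example (not from this thread, pfSense, or OpenVPN), the Python script below parses status rows in the shape quoted in the first post, separates UNDEF sessions (peers that never completed TLS authentication and so have no certificate common name) from authenticated clients, and emits the source IPs not yet in the blocking alias. The sample rows are constructed from the ones in the thread plus one invented authenticated client, the byte-counter order (sent/received) and the existing alias contents are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the pfSense OpenVPN status rows quoted in
# the thread: common name, real address, connected-since, two byte counters
# (assumed to be sent / received). The last row is an invented real client.
SAMPLE_STATUS = """\
UNDEF 199.33.123.19:80 Wed Sep 26 14:34:31 2018 48 B / 28 B
UNDEF 199.33.123.18:80 Wed Sep 26 14:34:29 2018 84 B / 42 B
UNDEF 196.196.9.89:80 Wed Sep 26 14:34:28 2018 106 B / 56 B
UNDEF 62.104.20.175:10075 Wed Sep 26 14:34:32 2018 48 B / 28 B
laptop-alice 203.0.113.7:51820 Wed Sep 26 13:02:10 2018 1.2 MB / 8.7 MB
"""

ROW = re.compile(
    r"^(?P<cn>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<since>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<sent>[\d.]+ [KMG]?B) / (?P<recv>[\d.]+ [KMG]?B)$"
)

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_bytes(text):
    """Turn a widget counter such as '1.2 MB' into an integer byte count."""
    number, unit = text.split()
    return int(float(number) * UNITS[unit])


def parse_status(text):
    """Parse status rows; lines that do not match the row shape are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "cn": m["cn"], "ip": m["ip"], "port": int(m["port"]),
                "since": m["since"],
                "sent": parse_bytes(m["sent"]), "recv": parse_bytes(m["recv"]),
            })
    return rows


def undef_sources(rows):
    """Source IPs of UNDEF sessions. OpenVPN shows UNDEF when the peer has not
    completed TLS authentication, so no client certificate common name exists."""
    return sorted({r["ip"] for r in rows if r["cn"] == "UNDEF"}, key=ip_address)


def new_alias_entries(rows, existing_alias):
    """IPs to append to the blocking alias: UNDEF sources not already listed."""
    return [ip for ip in undef_sources(rows) if ip not in existing_alias]


if __name__ == "__main__":
    rows = parse_status(SAMPLE_STATUS)
    already_blocked = {"199.33.123.18"}  # assumed current alias contents
    for ip in new_alias_entries(rows, already_blocked):
        print(ip)
```

    The tiny byte counts on the UNDEF rows are consistent with a handshake that was started and never finished, which is the pattern the alias rule is meant to catch; the authenticated client is left alone because it has a real common name.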



  • I've gone through the 2.4.4 upgrade and I'm not seeing them any more. I'm using Crypto: AES-256-CBC/SHA1
    D-H Params: 2048 bits. Use a TLS key under Cryptographic settings/TLS Configuration is unchecked.



  • @dennis100 I would suggest moving to SHA256 for the digest algorithm (SHA1 is susceptible to a collision attack) and setting up a static TLS key as well when you are able. Since you currently aren't using a key for TLS auth, it is likely that rogue clients are performing a TLS handshake with your server then stalling when it comes to exchanging the actual encryption keys. Having a static TLS key and enabling TLS auth/encryption should solve that and stop pfSense from showing those UNDEFs, which are rogue clients trying to connect. I also run my OpenVPN servers on non-standard ports other than 1194 to help ward off the casual attacker. Enabling these settings will help harden your setup from attack.
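    The settings the two replies above discuss (64-bit block cipher, missing tls-auth/tls-crypt, SHA1 digest, default port) can be checked mechanically in an exported server config. As an added example, not from the thread, pfSense, or OpenVPN, the Python script below parses OpenVPN directives (including inline `<tls-auth>`/`<tls-crypt>` key blocks) and reports which of those settings are present. Both configs are constructed and the key path is a placeholder; going one step beyond the thread, it treats the other 64-bit block ciphers OpenVPN offers (DES, 3DES, CAST5) the same way it treats BF-CBC.

```python
import re

# Ciphers with a 64-bit block. The thread names BF-CBC; DES, 3DES and CAST5
# share the block size and therefore the same SWEET32 exposure.
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed configs. The key path is a placeholder, not a pfSense path.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
port 21194
proto udp
dev tun
cipher AES-256-GCM
auth SHA256
tls-crypt /path/to/static.key
"""


def parse_directives(text):
    """Map directive name -> list of argument strings. Inline key blocks such as
    <tls-crypt>...</tls-crypt> are recorded as present with the value 'inline'."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_block:                       # skip key material until the close tag
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
            directives.setdefault(in_block, []).append("inline")
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit(text):
    """Return (level, code) findings; an empty list means none of the settings
    discussed in the thread are present."""
    d = parse_directives(text)
    findings = []
    # OpenVPN 2.4 still defaults to BF-CBC when 'cipher' is absent.
    cipher = d.get("cipher", ["BF-CBC"])[0].upper()
    if cipher in BLOCK64_CIPHERS:
        findings.append(("high", "64bit-cipher"))
    # Without tls-auth or tls-crypt any peer can start a TLS handshake with the
    # server; such stalled handshakes are what the status page shows as UNDEF.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("high", "no-tls-auth"))
    # SHA1 is the default digest. With an AEAD (GCM) cipher it only covers the
    # control channel, so this stays informational, as later replies point out.
    auth = d.get("auth", ["SHA1"])[0].upper()
    if auth == "SHA1":
        findings.append(("info", "sha1-digest"))
    port = d.get("port", ["1194"])[0]
    if port == "1194":
        findings.append(("info", "default-port"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

    The two "high" findings are the ones that explain the UNDEF rows: an unauthenticated control channel lets anyone begin a handshake, and a 64-bit block cipher is what makes those probes worth the attacker's time. The digest and port checks are reported at "info" level only, matching the disagreement in the thread about how much SHA1 matters.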



  • Good advice..., but SHA1 is perfectly fine in the context of OpenVPN.


  • Rebel Alliance Global Moderator

    And even more moot when using a GCM cipher, since it would only be used for the control channel vs. data.

    "Use a TLS key under Cryptographic settings/TLS Configuration is unchecked."

    Why exactly would you uncheck that?



  • The reason the settings are as they are is we use Viscosity as a client and the server was set up per their instructions.


  • Rebel Alliance Global Moderator

    So no reason then other than following some bouncing ball ;)

    Are these instructions titled - how to make your openvpn less secure? ;)

    So these instructions?
    https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity

    Where does it say that? Here:
    "In the Cryptographic Settings section deselect the TLS Authentication."

    With ZERO details on why... Based on the 2.3 version of pfsense.. This is why these other sites' instructions are always just nonsense... If you have a question about how to set up openvpn on pfsense - you should come here.. Read the BOOK!



  • That wasn't very helpful.