Netgate Discussion Forum
    UNDEF connections - should I be concerned?

OpenVPN | 9 Posts, 4 Posters, 2.7k Views
Dennis100 (last edited by Dennis100)

In pfSense (2.4.4) OpenVPN status I see
      UNDEF 199.33.123.19:80 Wed Sep 26 14:34:31 2018 48 B / 28 B
      UNDEF 199.33.123.18:80 Wed Sep 26 14:34:29 2018 84 B / 42 B
      UNDEF 196.196.9.89:80 Wed Sep 26 14:34:28 2018 106 B / 56 B
      UNDEF 62.104.20.175:10075 Wed Sep 26 14:34:32 2018 48 B / 28 B

What are these? I checked GeoIP on 196.196.9.89 and they say NYC; Atlanta, GA; and Sweden. Whois shows the IP is in Sweden. Regardless, I definitely have no users/clients in either location (or even close).

blabs @Dennis100 (last edited by blabs)

@dennis100 I am seeing this as well on one of my boxes that still has BF-CBC as the encryption cipher. This cipher is susceptible to the SWEET32 attack and my guess is these UNDEF IPs are bots scanning and trying to run the attack. I am in the process of migrating all remote devices to AES128-CBC, but in the meantime I have a "block all traffic from alias" firewall rule set up to block any traffic from the alias. Whenever I see a new UNDEF IP, I check GeoIP and just add it to the alias. Not perfect, but better than nothing, and it keeps our customers online until I can have a tech visit every remote location we have.

If you are using a 64-bit block cipher or not using TLS auth, I would recommend switching to at minimum AES128-CBC and re-configuring the server and clients to use TLS auth, preferably with the tls-crypt option.

Dennis100

          I've gone through the 2.4.4 upgrade and I'm not seeing them any more. I'm using Crypto: AES-256-CBC/SHA1
          D-H Params: 2048 bits. Use a TLS key under Cryptographic settings/TLS Configuration is unchecked.

blabs @Dennis100 (last edited by blabs)

@dennis100 I would suggest moving to SHA256 for the digest algorithm (SHA1 is susceptible to a collision attack) and setting up a static TLS key as well when you are able. Since you currently aren't using a key for TLS auth, it is likely that rogue clients are performing a TLS handshake with your server, then stalling when it comes to exchanging the actual encryption keys. Having a static TLS key and enabling TLS auth/encryption should solve that and stop pfSense from showing those UNDEFs, which are rogue clients trying to connect. I also run my OpenVPN servers on non-standard ports other than 1194 to help ward off the casual attacker. Enabling these settings will help harden your setup against attack.

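The two configurations blabs is contrasting in the posts above (a 64-bit block cipher with no TLS key, versus an AES cipher with a static TLS key, SHA256 digest and a non-default port), written out as raw OpenVPN 2.4 server directives. This is an added example for illustration; it is not the config pfSense generates and not something posted in the thread. pfSense writes these directives from its GUI fields (the "Use a TLS Key" checkbox and its usage mode correspond to the tls-auth/tls-crypt line), and the port number, key and certificate paths are placeholders.

```conf
# --- Before: the kind of server the thread is discussing ---
# Any host that can reach UDP/1194 may start a TLS handshake, so scanners
# sit in the status page as UNDEF until the handshake times out.
port 1194
proto udp
dev tun
cipher BF-CBC            # 64-bit block cipher: subject to SWEET32
auth SHA1
ca   /path/to/ca.crt     # placeholder paths throughout
cert /path/to/server.crt
key  /path/to/server.key
dh   /path/to/dh2048.pem
# (no tls-auth / tls-crypt line: unauthenticated peers reach the TLS layer)

# --- After: the hardened equivalent of the advice above ---
# Generate the static key once and install it on the server and every client:
#   openvpn --genkey --secret /path/to/ta.key     (OpenVPN 2.4 syntax)
port 11940               # placeholder non-default port
proto udp
dev tun
cipher AES-256-GCM       # AEAD cipher; "auth" below then only covers the control channel
ncp-ciphers AES-256-GCM:AES-128-GCM   # ciphers 2.4 clients may negotiate
auth SHA256
tls-crypt /path/to/ta.key  # packets without a valid HMAC are dropped before any TLS
                           # handshake, so rogue clients never show up as UNDEF
                           # (use "tls-auth /path/to/ta.key 0" for clients without tls-crypt)
tls-version-min 1.2
remote-cert-tls client   # reject certificates not issued for client use
ca   /path/to/ca.crt
cert /path/to/server.crt
key  /path/to/server.key
dh   /path/to/dh2048.pem
```

The tls-crypt line is the one that changes what the status page shows: with it, a peer that does not hold the shared key is discarded at the packet level and never gets far enough to be listed. The cipher and digest changes address SWEET32 and the SHA1 concern separately; as noted further down the thread, with a GCM cipher the digest only protects the control channel.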
Pippin

Good advice..., but SHA1 is perfectly fine in the context of OpenVPN.

              I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
              Halton Arp

johnpoz (LAYER 8 Global Moderator)

And even more moot when using a GCM cipher, since it would only be used for the control channel vs data.

                Use a TLS key under Cryptographic settings/TLS Configuration is unchecked.

                Why exactly would you uncheck that?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

Dennis100

                  The reason the settings are as they are is we use Viscosity as a client and the server was set up per their instructions.

johnpoz (LAYER 8 Global Moderator, last edited by johnpoz)

                    So no reason then other than following some bouncing ball ;)

                    Are these instructions titled - how to make your openvpn less secure? ;)

                    So these instructions?
                    https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity

                    Where does it say that? Here
                    In the Cryptographic Settings section deselect the TLS Authentication.

With ZERO details on why... Based on the 2.3 version of pfSense.. This is why these other sites' instructions are always just nonsense... If you have a question about how to set up OpenVPN on pfSense - you should come here.. Read the BOOK!


Dennis100

                      That wasn't very helpful.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.