OpenVPN Security question - Is this likely an attack? Can it be firewalled?



  • I was looking through my openvpn.log file and found a log of messages like the one below. Is this an attack? If so, how serious, can I firewall it? Suggestions/comments/hints most appreciated. Thanks.

    Mar  5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 02:06:44 guardian openvpn[53698]: 83.97.20.33:62304 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 02:06:53 guardian openvpn[53698]: 83.97.20.33:39047 WARNING: Bad encapsulated packet length from peer (27648), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:20 guardian openvpn[53698]: 164.52.24.162:58353 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:20 guardian openvpn[53698]: 164.52.24.162:34334 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:21 guardian openvpn[53698]: 164.52.24.162:44893 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:21 guardian openvpn[53698]: 164.52.24.162:33844 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:48203 WARNING: Bad encapsulated packet length from peer (49153), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:56052 WARNING: Bad encapsulated packet length from peer (6949), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad encapsulated packet length from peer (20304), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:40267 WARNING: Bad encapsulated packet length from peer (41984), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:54843 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:34565 WARNING: Bad encapsulated packet length from peer (4108), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
    
    


  • @guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

    164.52.24.162

    Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....



  • @Paulk201270 said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

    @guardian said in OpenVPN Security question - Is this likely an attack? Can it be firewalled?:

    164.52.24.162

    Looking up 164.52.24.162, it's appearing constantly in an abuse database, so likely to be an automated attack. Might want to contact the registrar and request a disconnect.....

    Thanks for the heads up.... Where did you find it?



  • @guardian Just did a Google search on the IP and abuse and got 100% certainty, with lots of people reporting it. Sorry for the lengthy delay, extremely busy month.

    Best regards
    Paul.





  • You could use pfBlocker GeoIP to block regions that you don't want people to hit your ovpn server.



  • @NogBadTheBad Yep, or just add a blacklist to an IP range individually.
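
Added example, not part of the thread: OpenVPN's TCP transport prefixes every packet with a 16-bit big-endian length, so the number in each "Bad encapsulated packet length" warning is just the first two bytes the peer sent. The sketch below decodes that value and groups the warnings by source IP to show what kind of traffic is hitting the port; the protocol labels and function names are this example's own heuristics, not OpenVPN output.

```python
import re
from collections import Counter

# Lines abbreviated from the log quoted in the first post (trailing text trimmed).
SAMPLE_LOG = """\
Mar  5 02:06:36 guardian openvpn[53698]: 83.97.20.33:8553 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627
Mar  5 02:06:53 guardian openvpn[53698]: 83.97.20.33:39047 WARNING: Bad encapsulated packet length from peer (27648), which must be > 0 and <= 1627
Mar  5 03:48:20 guardian openvpn[53698]: 164.52.24.162:58353 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627
Mar  5 03:48:25 guardian openvpn[53698]: 164.52.24.162:60803 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627
Mar  5 03:48:26 guardian openvpn[53698]: 164.52.24.162:34693 WARNING: Bad encapsulated packet length from peer (20304), which must be > 0 and <= 1627
Mar  5 03:48:27 guardian openvpn[53698]: 164.52.24.162:54843 WARNING: Bad encapsulated packet length from peer (0), which must be > 0 and <= 1627
"""

LINE_RE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) WARNING: "
    r"Bad encapsulated packet length from peer \((?P<length>\d+)\)"
)
# First two characters of common HTTP methods (GET, POST, HEAD, OPTIONS, PUT, CONNECT).
HTTP_PREFIXES = (b"GE", b"PO", b"HE", b"OP", b"PU", b"CO")

def first_two_bytes(length):
    """Recover the two bytes OpenVPN read as the TCP length prefix."""
    return length.to_bytes(2, "big")

def guess_protocol(prefix):
    """Heuristic label for what the peer was really speaking (assumption)."""
    if prefix[0] == 0x16 and prefix[1] == 0x03:
        return "TLS handshake record"
    if prefix in HTTP_PREFIXES:
        return "HTTP request line"
    return "unknown"

def summarize(log_text):
    """Map each source IP to counts of probe types in its rejected connections."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("length")) <= 0xFFFF:
            label = guess_protocol(first_two_bytes(int(m.group("length"))))
            per_ip.setdefault(m.group("ip"), Counter())[label] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

if __name__ == "__main__":
    for ip, probes in summarize(SAMPLE_LOG).items():
        print(ip, sum(probes.values()), "rejected connections:", probes)
```

A mix of TLS and HTTP openers from one address within seconds is the signature of a generic service scanner rather than a misconfigured VPN client, which is the case the MTU hint in the warning is aimed at.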

