Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    OpenVPN Logs

    OpenVPN
    1
    1
    63
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • provels
      provels last edited by

      Hello! I have a couple of instances of remote access servers, one on 1194 and the other on 443. I use a script that was posted here notifying me of user connects and disconnects. Early today, I got a text as below:

      1:34:37  user_name:  vpn_client_ip:  on February 20, 2021, 1:34 am, during : 0 seconds, received : 0 bytes, send : 0 bytes. DISCONNECTED.
      

      Normally the username, IP, etc. are included as well as the other stats. I did not see a previous CONNECTED message. So I looked at the logs and found the below. The 162.142.125.56 (at 1:34:36) address belongs to Censys, a service that apparently scans the Internet for, well, not sure really. Anyway, is this type of chatter (TLS errors, bad packets) in the OpenVPN logs to be expected from scanners or hackers? Thanks for reading and any replies.

      Feb 20 00:05:47 fw openvpn[45934]: TCP connection established with [AF_INET]205.185.122.102:36894
      Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 Connection reset, restarting [0]
      Feb 20 00:08:17 fw openvpn[45934]: TCP connection established with [AF_INET]185.56.81.52:52648
      Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 Connection reset, restarting [0]
      Feb 20 01:16:57 fw openvpn[45934]: TCP connection established with [AF_INET]18.203.162.84:41520
      Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 Connection reset, restarting [0]
      Feb 20 01:34:35 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:47010
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:47010 Connection reset, restarting [-1]
      Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:48688
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 Connection reset, restarting [0]
      Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:49324
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 Connection reset, restarting [0]
      Feb 20 01:34:37 fw openvpn[45934]: TCP: accept(6) failed: Software caused connection abort (errno=53)
      Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:51056
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Peer tried unsupported key-method 1
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 TLS Error: unknown opcode received from [AF_INET]162.142.125.56:51056 op=1
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Fatal TLS error (check_tls_errors_co), restarting
      Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:60618
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]162.142.125.56:60618
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 Fatal TLS error (check_tls_errors_co), restarting
      
      
      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense Plus
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy