Netgate Discussion Forum

    OpenVPN Logs

      provels

      Hello! I have a couple of instances of remote access servers, one on 1194 and the other on 443. I use a script that was posted here notifying me of user connects and disconnects. Early today, I got a text as below:

      1:34:37  user_name:  vpn_client_ip:  on February 20, 2021, 1:34 am, during : 0 seconds, received : 0 bytes, send : 0 bytes. DISCONNECTED.
      

      Normally the username, IP, etc. are included as well as the other stats. I did not see a previous CONNECTED message. So I looked at the logs and found the below. The 162.142.125.56 (at 1:34:36) address belongs to Censys, a service that apparently scans the Internet for, well, not sure really. Anyway, is this type of chatter (TLS errors, bad packets) in the OpenVPN logs to be expected from scanners or hackers? Thanks for reading and any replies.

      Feb 20 00:05:47 fw openvpn[45934]: TCP connection established with [AF_INET]205.185.122.102:36894
      Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 Connection reset, restarting [0]
      Feb 20 00:08:17 fw openvpn[45934]: TCP connection established with [AF_INET]185.56.81.52:52648
      Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 Connection reset, restarting [0]
      Feb 20 01:16:57 fw openvpn[45934]: TCP connection established with [AF_INET]18.203.162.84:41520
      Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 Connection reset, restarting [0]
      Feb 20 01:34:35 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:47010
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:47010 Connection reset, restarting [-1]
      Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:48688
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 Connection reset, restarting [0]
      Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:49324
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 Connection reset, restarting [0]
      Feb 20 01:34:37 fw openvpn[45934]: TCP: accept(6) failed: Software caused connection abort (errno=53)
      Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:51056
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Peer tried unsupported key-method 1
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 TLS Error: unknown opcode received from [AF_INET]162.142.125.56:51056 op=1
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Fatal TLS error (check_tls_errors_co), restarting
      Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:60618
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]162.142.125.56:60618
      Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 Fatal TLS error (check_tls_errors_co), restarting
      
      

      Peder

      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)
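
Added example, not part of the original post: a small triage script that groups the rejected connections by source address and decodes each "Bad encapsulated packet length" value. It assumes OpenVPN's TCP framing, in which every packet is prefixed with a 2-byte big-endian length, so the rejected "length" is simply the first two bytes the peer sent. The function names and the shortened log excerpt are choices made for this example.

```python
import re
from collections import defaultdict

# Excerpt of the log lines from the post; the long WARNING text is cut after the length.
SAMPLE_LOG = """\
Feb 20 00:05:47 fw openvpn[45934]: TCP connection established with [AF_INET]205.185.122.102:36894
Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626
Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626
Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626
Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 Connection reset, restarting [0]
Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626
Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Peer tried unsupported key-method 1
Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]162.142.125.56:60618
"""

PEER_RE = re.compile(r"openvpn\[\d+\]: (\d{1,3}(?:\.\d{1,3}){3}):\d+ (.*)")
BAD_LEN_RE = re.compile(r"Bad encapsulated packet length from peer \((\d+)\)")

def guess_probe(length):
    """Map a rejected 'length' back to the two bytes the peer actually sent."""
    first = (length & 0xFFFF).to_bytes(2, "big")
    if first[0] == 0x16 and first[1] == 0x03:      # TLS record: handshake, version 3.x
        return "TLS handshake record"
    if first in (b"GE", b"PO", b"HE", b"OP", b"CO"):  # GET, POST, HEAD, OPTIONS, CONNECT
        return "HTTP request (starts with %r)" % first.decode()
    return "unrecognised bytes 0x" + first.hex()

def classify(msg):
    m = BAD_LEN_RE.search(msg)
    if m:
        return "bad-length: " + guess_probe(int(m.group(1)))
    if "unsupported key-method" in msg:
        return "unsupported key-method"
    if "TLS Error" in msg:
        return "tls-error"
    return None  # connection resets etc. carry no extra signal

def summarise(log_text):
    """Return {source_ip: [labels]} for every rejected-peer line in the log."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        label = classify(m.group(2)) if m else None
        if label:
            findings[m.group(1)].append(label)
    return dict(findings)

if __name__ == "__main__":
    for ip, labels in summarise(SAMPLE_LOG).items():
        print(ip, labels)
```

On these lines, 18245 decodes to the bytes `GE` (the start of an HTTP `GET`) and 5635 to `0x16 0x03` (the start of a TLS handshake record), meaning the peers were speaking HTTP and TLS to the OpenVPN TCP port rather than OpenVPN.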
