OpenVPN Logs
-
Hello! I have a couple of instances of remote access servers, one on 1194 and the other on 443. I use a script that was posted here notifying me of user connects and disconnects. Early today, I got a text as below:
1:34:37 user_name: vpn_client_ip: on February 20, 2021, 1:34 am, during : 0 seconds, received : 0 bytes, send : 0 bytes. DISCONNECTED.
Normally the username, IP, etc. are included as well as the other stats. I did not see a previous CONNECTED message. So I looked at the logs and found the below. The 162.142.125.56 (at 1:34:36) address belongs to Censys, a service that apparently scans the Internet for, well, not sure really. Anyway, is this type of chatter (TLS errors, bad packets) in the OpenVPN logs to be expected from scanners or hackers? Thanks for reading and any replies.
Feb 20 00:05:47 fw openvpn[45934]: TCP connection established with [AF_INET]205.185.122.102:36894 Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Feb 20 00:05:47 fw openvpn[45934]: 205.185.122.102:36894 Connection reset, restarting [0] Feb 20 00:08:17 fw openvpn[45934]: TCP connection established with [AF_INET]185.56.81.52:52648 Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Feb 20 00:08:17 fw openvpn[45934]: 185.56.81.52:52648 Connection reset, restarting [0] Feb 20 01:16:57 fw openvpn[45934]: TCP connection established with [AF_INET]18.203.162.84:41520 Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Feb 20 01:16:57 fw openvpn[45934]: 18.203.162.84:41520 Connection reset, restarting [0] Feb 20 01:34:35 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:47010 Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:47010 Connection reset, restarting [-1] Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:48688 Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Feb 20 01:34:36 fw openvpn[45934]: 162.142.125.56:48688 Connection reset, restarting [0] Feb 20 01:34:36 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:49324 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:49324 Connection reset, restarting [0] Feb 20 01:34:37 fw openvpn[45934]: TCP: accept(6) failed: Software caused connection abort (errno=53) Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:51056 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Peer tried unsupported key-method 1 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 TLS Error: unknown opcode received from [AF_INET]162.142.125.56:51056 op=1 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:51056 Fatal TLS error (check_tls_errors_co), restarting Feb 20 01:34:37 fw openvpn[45934]: TCP connection established with [AF_INET]162.142.125.56:60618 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]162.142.125.56:60618 Feb 20 01:34:37 fw openvpn[45934]: 162.142.125.56:60618 Fatal TLS error (check_tls_errors_co), restarting