Strange login from another country
-
(I accidentally posted this originally in General pfsense questions.)
Hi,
I set up the WireGuard package on my pfSense Plus guarding my home LAN last summer, following Tom Lawrence's tutorial. I have used it every once in a while and it works fine. I am the only configured user, accessing from an Android phone and, more seldom, from a laptop. Apart from the WireGuard port, the pfSense is entirely closed to the internet.
Since I am paranoid I also set up logging of the rule that lets WG traffic in and collect the logs in a Graylog log server, so that I could track if anything but me accessed, not that I would expect it. I also had Graylog perform a reverse IP lookup so that I could easily see and identify my own traffic.
Now I have detected a mysterious login from another country from last year that I do not understand how it happened. I live in Sweden, but the login happened from Switzerland and apparently from a fishy crypto server, privatealps.net.
I will regenerate the keys, but I still wonder what this login was?
Does anyone have an idea what might have happened?
tre.se is my mobile carrier, so that is me logging in. bredband2.com is a Swedish ISP; I think they share some networks with tre.se, so that would be me as well. But I don't see how privatealps.net could be me.
This is the message; igb1 is the WAN interface:
filterlog[36271]: 93,,,1659200197,igb1,match,pass,in,4,0x0,,247,54321,0,none,17,udp,442,179.43.163.58,[MY-IP-REDACTED],39924,51820,422
-
@pastic said in Strange login from another country:
Now I have detected a mysterious login
What makes you think there was a 'login'?
Why isn't it 'some IP' that wants to connect to your (WAN) IP?
I'm not using wireguard, but the good old OpenVPN server. Same thing, right ?
My WAN 1194 UDP port is open to the entire world and it sometimes really looks like they all want to have a try on it. Well... let them have it.
Btw: activate a VPN on your phone.
Then activate WireGuard. (yep, VPN over VPN, as why not)
Now you will see a new strange IP in your logs. But this guy - you - has the 'keys to the door' ;)
-
Hi!
@gertjan said in Strange login from another country:
@pastic said in Strange login from another country:
Now I have detected a mysterious login
What makes you think there was a 'login'?
Why isn't it 'some IP' that wants to connect to your (WAN) IP?
I'm not using wireguard, but the good old OpenVPN server. Same thing, right ?
My WAN 1194 UDP port is open to the entire world and it sometimes really looks like they all want to have a try on it. Well... let them have it.
I think it's a login because the pfSense message says 'pass'. The traffic matches my WireGuard rule and it passes the traffic through the firewall.
I realise something as I write this: are there 'two levels' involved here? The WireGuard rule will let everyone through the firewall on the specified port, but having passed the firewall block, the WireGuard service will still refuse everyone that does not have the configured keys?
Is this what you mean above?
Btw: activate a VPN on your phone.
Then activate WireGuard. (yep, VPN over VPN, as why not)
Now you will see a new strange IP in your logs. But this guy - you - has the 'keys to the door' ;)
I actually thought of that and tried doing precisely as you said, but my phone did not want to do double VPN and disconnected from the first when I wanted to connect with the other...
-
@pastic said in Strange login from another country:
I realise something as I write this: are there 'two levels' involved here? The WireGuard rule will let everyone through the firewall on the specified port, but having passed the firewall block, the WireGuard service will still refuse everyone that does not have the configured keys?
Yes. Hard to believe that this is news to you; you are setting up a Graylog server, which is advanced stuff in my book.
-
@bob-dig said in Strange login from another country:
@pastic said in Strange login from another country:
I realise something as I write this: are there 'two levels' involved here? The WireGuard rule will let everyone through the firewall on the specified port, but having passed the firewall block, the WireGuard service will still refuse everyone that does not have the configured keys?
Yes. Hard to believe that this is news to you; you are setting up a Graylog server, which is advanced stuff in my book.
Let's call it a blind spot. :-) I don't work with networks, it's just a hobby. And until this WireGuard 'project' I always had pfSense blocking everything from the outside.
And yes, I did struggle a bit setting up Graylog, but it was fun.
Thanks!