Netgate Discussion Forum

    Strange login from another country

    • pastic

      (I accidentally posted this originally in General pfsense questions.)

      Hi,
      I set up the WireGuard package on my pfSense Plus, guarding my home LAN, last summer following Tom Lawrence's tutorial. I have used it every once in a while and it works fine. I am the only configured user, accessing from an Android phone and also, more seldom, from a laptop.

      Apart from the Wireguard port, the pfsense is entirely closed to the internet.

      Since I am paranoid I also set up logging of the rule that lets WG traffic in and collect the logs in a Graylog log server. This was so that I could track if anything but me accessed it, not that I would expect it. I also had Graylog perform a reverse IP lookup so that I could easily see and identify my own traffic.

      Now I have detected a mysterious login from another country from last year, and I do not understand how it happened. I live in Sweden but the login happened from Switzerland and apparently from a fishy crypto server privatealps.net.

      I will regenerate the keys, but I still wonder what this login was?

      Does anyone have an idea what might have happened?

      tre.se is my mobile carrier so that is me logging in. bredband2.com is a Swedish ISP, I think they share some networks with tre.se so that would be me as well. But I don't see how privatealps.net could be me.

      This is the message, igb1 is WAN interface:
      filterlog[36271]: 93,,,1659200197,igb1,match,pass,in,4,0x0,,247,54321,0,none,17,udp,442,179.43.163.58,[MY-IP-REDACTED],39924,51820,422

      • Gertjan @pastic

        @pastic said in Strange login from another country:

        Now I have detected a mysterious login

        What makes you think there was a 'login'?

        Why isn't it 'some IP' that wants to connect to your (WAN) IP?
        I'm not using WireGuard, but the good old OpenVPN server. Same thing, right?
        My WAN 1194 UDP port is open to the entire world and it sometimes really looks like they all want to have a try on it. Well... let them have it.

        Btw: activate a VPN on your phone.
        Then activate WireGuard. (yep, VPN over VPN, as why not)
        Now you will see a new strange IP in your logs. But this guy - you - has the 'keys to the door' ;)

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • pastic @Gertjan

          Hi!

          @gertjan said in Strange login from another country:

          @pastic said in Strange login from another country:

          Now I have detected a mysterious login

          What makes you think there was a 'login'?

          Why isn't it 'some IP' that wants to connect to your (WAN) IP?
          I'm not using WireGuard, but the good old OpenVPN server. Same thing, right?
          My WAN 1194 UDP port is open to the entire world and it sometimes really looks like they all want to have a try on it. Well... let them have it.

          I think it's a login because the pfsense message says 'pass'. The traffic matches my wireguard rule and it passes the traffic through the firewall.

          I realise something as I write this: are there 'two levels' involved here? The wireguard rule will let everyone through the firewall on the specified port, but having passed the firewall block then the wireguard service will still refuse everyone that does not have the configured keys?

          Is this what you mean above?

          Btw: activate a VPN on your phone.
          Then activate WireGuard. (yep, VPN over VPN, as why not)
          Now you will see a new strange IP in your logs. But this guy - you - has the 'keys to the door' ;)

          I actually thought of that and tried doing precisely as you said, but my phone did not want to do double vpn and disconnected from the first when I wanted to connect with the other...

          • Bob.Dig @pastic

            @pastic said in Strange login from another country:

            I realise something as I write this: are there 'two levels' involved here? The wireguard rule will let everyone through the firewall on the specified port, but having passed the firewall block then the wireguard service will still refuse everyone that does not have the configured keys?

            Yes. Hard to believe that this is news to you, you are setting up a graylog server, which is advanced stuff in my book.

            • pastic @Bob.Dig

              @bob-dig said in Strange login from another country:

              @pastic said in Strange login from another country:

              I realise something as I write this: are there 'two levels' involved here? The wireguard rule will let everyone through the firewall on the specified port, but having passed the firewall block then the wireguard service will still refuse everyone that does not have the configured keys?

              Yes. Hard to believe that this is news to you, you are setting up a graylog server, which is advanced stuff in my book.

              Let's call it a blind spot. :-) I don't work with networks, it's just a hobby. And until this Wireguard 'project' I always had pfsense blocking everything from the outside.
              And yes, I did struggle a bit setting up graylog, but it was fun.
              Thanks!

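
The 'two levels' distinction discussed in this thread, as an added example that is not part of any poster's message: a parser for the filterlog line quoted in the first post, reporting what the entry proves and what it does not. The field order is the pfSense raw filter log layout for IPv4/UDP, the redacted destination is replaced by a documentation address, and the 148-byte handshake initiation size comes from the WireGuard protocol, not from the thread.

```python
import csv

# Constructed sample: the log line from the first post, with the redacted
# destination replaced by a documentation address (203.0.113.10).
SAMPLE = ("filterlog[36271]: 93,,,1659200197,igb1,match,pass,in,4,0x0,,247,"
          "54321,0,none,17,udp,442,179.43.163.58,203.0.113.10,39924,51820,422")

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "ip_len", "src", "dst"]
UDP = ["sport", "dport", "datalen"]

WG_INITIATION_LEN = 148  # fixed size of a WireGuard handshake initiation


def parse_filterlog(line):
    """Parse an IPv4/UDP pfSense filterlog line into a dict."""
    payload = line.split(": ", 1)[1] if ": " in line else line
    fields = next(csv.reader([payload]))
    names = COMMON + IPV4 + UDP
    rec = dict(zip(names, fields))
    if len(fields) != len(names) or rec["ipver"] != "4" or rec["proto"] != "udp":
        raise ValueError("not an IPv4/UDP filterlog entry")
    for key in ("ttl", "ip_len", "sport", "dport", "datalen"):
        rec[key] = int(rec[key])
    return rec


def assess(rec, wg_port=51820):
    """Say what the entry proves: a firewall decision, never a VPN login."""
    udp_payload = rec["ip_len"] - 20 - 8  # assumes no IPv4 options
    return {
        "firewall_passed": rec["action"] == "pass",
        "to_wireguard_port": rec["dport"] == wg_port,
        "udp_payload": udp_payload,
        "initiation_sized": udp_payload == WG_INITIATION_LEN,
        "proves_tunnel": False,  # keys are checked by WireGuard, not pf
    }


if __name__ == "__main__":
    rec = parse_filterlog(SAMPLE)
    print(rec["src"], "->", rec["dst"], assess(rec))
```

Whether a peer actually authenticated is visible only in WireGuard's own state, for example the per-peer timestamps from `wg show <interface> latest-handshakes`, not in the firewall log.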
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.