How to block random VPN attempts

SteveITS

@MarioG if the remote PCs have dynamic DNS clients on them you can allow only those dyndns hostnames. Otherwise maybe by country as suggested, or maybe ASN (IP blocks).

johnpoz

@SteveITS yeah ddns is also an option.. To limit to specific known clients - that is a good option as well. If your users are smart enough to do that. But it doesn't really work with say phones - that love to change their IP as they move towers etc.

JKnott

@NollipfSense said in How to block random VPN attempts:

OP reminds me of myself back in 2013 when I first setup a l2tp over IPsec then, discovered lots of folks banging on my firewall door...

After reading that, I left Packet Capture running overnight, watching for attempts to connect to my OpenVPN. I saw only 5 attempts, all from different addresses and none had more than a single packet.

23:44:36.016993 IP 64.20.37.190.36695 > 99.246.121.125.1194: UDP, length 14
03:30:16.965371 IP6 2607:ff10:594:c8::e.56666 > 2607:fea8:4c82:5900:202:55ff:fe47:e07b.1194: UDP, length 18
04:25:20.254762 IP 205.210.31.53.52898 > 99.246.121.125.1194: UDP, length 18
04:44:40.743888 IP 38.132.109.107.48280 > 99.246.121.125.1194: UDP, length 14
06:11:27.663894 IP 144.126.201.49.51303 > 99.246.121.125.1194: UDP, length 19

My addresses have been changed to protect the guilty.

OpenVPN Protocol
Type: 0x38 [opcode/key_id]
0011 1... = Opcode: P_CONTROL_HARD_RESET_CLIENT_V2 (0x07)
.... .000 = Key ID: 0
Session ID: 7647933796043154430
Message Packet-ID Array Length: 0
Message Packet-ID: 0

As you can see, there's no response from pfSense.

JKnott

@johnpoz said in How to block random VPN attempts:

that love to change their IP as they move towers etc.

Do they?

I have done a bit of work on cell networks, for two different carriers. A few months ago, I was also doing some work in the local office of my ISP/cable company/cell carrier. All the servers were located in the office and not at the cell sites. Also, there's a fair bit of cell network underneath the IP layers, to connect the phones to the office. At the cell sites, there are Ethernet switches but not routers, so no local means of providing IP addresses.

johnpoz

@JKnott said in How to block random VPN attempts:

Do they?

Tmobile does for damn sure - I can not walk down the block with out bunch of different IPs being used. I have tautulli setup to email when new Ips are used by a client.. Normally its just now and then.. But from phones I can get a flood of them..

It could have to do with cells that only get IPv6 and have to go through the carriers translation to IPv4..

Not saying it happens ever single time - but it can for sure happen. I turned of email notifications on my phone for them - because when I was talking a walk and listening to music off my plex, I would keep getting popups on my phone when another email came in about a new IP, etc

serbus

@NollipfSense said in How to block random VPN attempts:

To me, schedule is the best solution as only I know the schedule...I cannot see any situation where schedule wouldn't work for a road warrior setup...the best thing about pfSense firewall to me.

Hello!

Not sure I understand the complete use case, but maybe some form of port-knocking would be an option...

fwknop
https://redmine.pfsense.org/issues/8547

John

JKnott

@johnpoz

I've never used T-Mobile. I've only roamed on AT&T when in the U.S.. The carriers I've worked on are Rogers and Wind/Freedom. I first worked on the Wind network when they were getting ready to start up and later, as Freedom, to upgrade the power supplies and batteries. I was working on Rogers for their LTE rollout and more recently when they were setting up a 2nd office in my city. I have never seen a router at a cell site, but several in their office.

One of the reasons the cell networks are IPv6 now is they need a contiguous network for all the devices & VoIP, etc.. RFC1918 is not adequate. My phone is IPv6 only and uses 464XLAT to access IPv4 addresses. It has a single IPv4 address, 192.0.0.4, which is reserved for 464XLAT. I don't ever recall seeing anything different. I haven't checked the IPv6 address at different locations. I guess that's something I should do sometime.

BTW, I'm on Rogers.

NollipfSense

@JKnott said in How to block random VPN attempts:

All the servers were located in the office and not at the cell sites. Also, there's a fair bit of cell network underneath the IP layers, to connect the phones to the office. At the cell sites, there are Ethernet switches but not routers, so no local means of providing IP addresses.

Good to know...my T-Mobile (fast 8856w) sure do go through some IP's.

JKnott

@NollipfSense said in How to block random VPN attempts:

Good to know...my T-Mobile (fast 8856w) sure do go through some IP's.

IPv4 or IPv6? As I mentioned, with 464XLAT, you shouldn't see any address change.

NollipfSense

@serbus The use case is a road warrior, user traveling and connects to home via VPN that has a firewall schedule (pfSense does), to open the VPN ports at a certain time...since I, the network admin, known the time, I can safely connect. That way the VPN ports doesn't stay open 24/7 to invite door knockers and unnecessary logs.

NollipfSense

@JKnott said in How to block random VPN attempts:

IPv4 or IPv6? As I mentioned, with 464XLAT, you shouldn't see any address change.

Well, one doesn't know the change occurred since the change is upstream unless one has an app checking what's my IP....so far just IP4...too closed minded (chicken) to know whether IP6 had changed...but, that will change soon.

JKnott

@NollipfSense said in How to block random VPN attempts:

Well, one doesn't know the change occurred since the change is upstream unless one has an app checking what's my IP....so far just IP4...too closed minded (chicken) to know whether IP6 had changed...but, that will change soon.

My phone is IPv6 only, so IPv4 shouldn't even enter into it. However, as I mentioned, should I have to access an IPv4 only site, 464XLAT is used. I can connect OpenVPN over either IPv4 or IPv6.

I was doing some testing recently, with my notebook computer tethered to my cell phone. I was running Wireshark on my computer and Packet Capture on pfSense. I was initially a bit confused when I saw IPv6 on my computer, but IPv4 on pfSense. I then realized 464XLAT caused the difference. I had changed the DNS name for IPv6, to force IPv4.

MarioG

I want to thank everyone who responded. I did not give up on this, just don't know when I can get back to it. Unexpected things happen that take priority. Stay healthy!

johnpoz

@MarioG said in How to block random VPN attempts:

I did not give up on this, just don't know when I can get back to it.

why should there be anything to get back too - the answer you are looking for has been given. It should take you all of 2 minutes to set it up to limit who can log hit your IP on your vpn port.

If you open up a port to the internet - it will get hit. This is just a given. If you want to lower the amount of traffic you see in your logs, you need to limit who can talk to it. Or just not log anything I guess would be the other solution ;)

Another option to lower the amount of log spam is to run on some odd ball port.. This doesn't really make it any more secure, but would for sure lower the amount of traffic you see to common ports.. Vs using 1194, use maybe 11940 or 41194 or something like that.

MarioG

Sorry for not being clear, not only do I not have 2 minutes these days but don't want to change anything on the router while dealing with urgent medical phone calls that go through the pfsense router. When it blows over I plan to test turning the auto rules off, and possible test an inverse rule I mentioned above. Just now is not a good time to do anything. Thanks again to all who posted options, just wanted let you know I read and appreciate the posts.