OpenVPN issue when unauthorized login attempt
-
Hi all.
I'm running pfsense 2.8.1 on APU2 device.
My WAN is fiber via Free operator (french operator).
I did a setting for VPN access from an external remote Synology NAS to my LAN, so pfsense is acting as an OpenVPN server. It is a TCP tunnel.
The purpose of this VPN is that my local Synology NAS can back up to the remote one via this VPN. The VPN is okay and runs perfectly - both Synology units can connect, until I get an unauthorized login attempt.
Each time I get an attempt, the VPN link becomes unavailable while the tunnel remains open. I need to restart the VPN server or the VPN client to get the VPN tunnel working again, until the next unauthorized login attempt occurs.

Any idea?
-
@Autourdupc said in OpenVPN issue when unauthorized login attempt:
I did a setting for VPN access from an external remote Synology NAS to my LAN, so pfsense is acting as an OpenVPN server. It is a TCP tunnel.
Create a 'dyndns' URL alias that contains the IP of the remote NAS. Your remote Syno can handle that one - as I'm doing just that:

The 'Home' alias always contains the IP of my home IP, where I have a syno NAS.
When this NAS connects, it will use this firewall rule.
From now on, your OpenVPN server won't be bothered by other connection attempts.
Next step:
Consider this:

I would see that warning as a real issue, so make it go away? Your VPN logs don't show an OpenVPN server start or restart ...
-
Actually it works, and the server does not restart...
When a foreign IP tries to connect, it disturbs the server and the data flow stops, while the server is still running.
Concerning your rule, I do not understand...
You allow your public home IP to access your pfsense on 1194?
BUT, I forgot a rule to filter unwanted IPs coming to my OpenVPN server (due to multiple changes in settings). -> Thank you for that!
-
@Autourdupc said in OpenVPN issue when unauthorized login attempt:
Concerning your rule, I do not understand...
You allow your public home IP to access your pfsense on 1194?
Exact.
This first WAN firewall rule is a 'pass' that allows OpenVPN (for me the classic "port 1194 UDP") coming from a known IP: my home IP.
My 'home' NAS connects to my work NAS, which is behind a pfSense firewall.
My home network doesn't have a pfSense (no real need for it).
-
@Gertjan said in OpenVPN issue when unauthorized login attempt:
This first WAN firewall rule is a 'pass' that allows OpenVPN (for me the classic "port 1194 UDP") coming from a known IP: my home IP.
Sure it comes from your home IP... But the originating IP is "every", so it does not protect you.
From my side, I did this setting:

Enable only the IP defined in alias "Fbx_maman" coming to my pfsense on port 444 (redirected port to the OpenVPN server; tunnel is 10.10.10.0).

-
@Autourdupc said in OpenVPN issue when unauthorized login attempt:
But the originating IP is "every", so it does not protect you
Every?

The source IP is (the blue) 'Home', which is the alias for a dyndns URL that is my home WAN IPv4.
So identical to your Fbx_mamam ^^
-
@Gertjan said in OpenVPN issue when unauthorized login attempt:
The source IP is (the blue) 'Home', which is the alias for a dyndns URL that is my home WAN IPv4.
Sure.... You allow your IP to come into the VPN server.
When a remote client tries to connect, it comes with its IP...
So if you need to allow only one client to connect, you must put the IP of the client, not the IP of your home where your VPN is hosted.
-
@Gertjan said in OpenVPN issue when unauthorized login attempt:
So identical to your Fbx_mamam ^^
No... My fbx_maman is the remote IP that connects
-
@Autourdupc said in OpenVPN issue when unauthorized login attempt:
So if you need to allow only one client to connect, you must put the IP of the client
The client connecting, a Synology NAS, uses 192.168.10.33, which is RFC1918. My home network uses 192.168.10.0/24.
My NAS is connected behind my ISP home router (the Livebox ^^).
When this NAS connects to my pfSense, pfSense sees my home ISP WAN IP, not the RFC1918 NAS IP.
Also: RFC1918 addresses can't be routed on the Internet.
-
Do you have a specific need for configuring this OpenVPN instance to use TCP?
You might consult what the official docs have to say on the matter here: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-endpoint.html. Or the official OpenVPN docs here: https://openvpn.net/as-docs/v3/vpn-server.html#--network-settings.
-
@tinfoilmatt said in OpenVPN issue when unauthorized login attempt:
Do you have a specific need for configuring this OpenVPN instance to use TCP?
Yes... UDP is not stable.
I also have issues with my computer depending on where I connect from.
Some sites are perfect, others are unstable and UDP disconnects too often.
Using TCP, all my connections are perfect when I'm mobile.
In fact, my situation is like this:
One side, external: LAN2 with NAS2 -> Freebox (router) -> WAN
Other side, office: LAN1 with NAS1 -> pfsense (router) -> Freebox (router) -> WAN
Purpose: NAS1 sends backup to NAS2
NAS1 connects to pfsense using OpenVPN, so it gets an IP from the tunnel.
NAS2 can reach NAS1 using the tunnel (NAS1 is assigned a static IP using client override options).
All this works... But the VPN sometimes hangs the connection and the backup fails.
-
@Autourdupc said in OpenVPN issue when unauthorized login attempt:
One side, external: LAN2 with NAS2 -> Freebox (router) -> WAN
Other side, office: LAN1 with NAS1 -> pfsense (router) -> Freebox (router) -> WAN
Purpose: NAS1 sends backup to NAS2
Replace 'Freebox' with 'Livebox' and you have exactly my setup.
I back up my work Synology DiskStation to my home Syno DiskStation, using Hyper Backup on one side (work) and the counterpart 'The Vault' at the home side.
Since I have fiber at home and at work, this has become a usable option. Renting 10 Tera somewhere was way more expensive. Previous upload speeds (VDSL) made this nearly impossible anyway.
I used OpenVPN in the beginning ... but then I started to think: the communication channel is 'ssh' and the distance isn't that far. SSH means: traffic is TLS encrypted.
The data copied are already encrypted Macrium Reflect backup files.
Do I really need an encrypted VPN channel over an encrypted channel with data already encrypted?
Btw: the data is company related (a hotel) and we don't store private client info, maybe just their name, and their bills and so on.
Since I stopped using VPN, my backups always terminate every night, and it takes some 60 minutes or so to transfer something like 250 Gbytes.
I do use OpenVPN for remote admin access. Just UDP. Never had any issues with that.
The only 'VPN' "errors" I see are these:

and these are, imho, just packets from scanners trying. The OpenVPN isn't restarted.