Unknown OpenVPN connection and log-messages



  • Hello guys,

    I am not sure what's going on. Is someone trying to connect to my OpenVPN, someone without auth?

    I'm running pfSense 2.1-RELEASE (i386) and use 1x DSL-WAN (default + OpenVPN), 1x LTE-WAN (specific usergroup only), 1x LAN, and set up my OpenVPN several months ago.
    Firewall rules are these:
    WAN (DSL)

    Proto     Source   Port   Destination        Port             Gateway   Queue
    IPv4 UDP  *        *      WAN_ADSL address   1194 (OpenVPN)   *         none

    OpenVPN

    Proto     Source   Port   Destination        Port             Gateway   Queue
    IPv4 *    *        *      LAN net            *                *         none

    Today I had to check the logs and noticed some (never-ending) entries, and I have no idea what's going on.

    Mar 5 11:47:17 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:47:01 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:46:53 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:46:49 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:46:47 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:46:14 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:45:58 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:45:51 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:45:46 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:45:44 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:45:08 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:44:48 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:44:40 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:44:36 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:44:34 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:44:01 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 11:43:45 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    .
    .
    .
    Mar 5 10:01:44 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 10:01:36 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 10:01:31 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    Mar 5 10:01:29 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
    

    (I don't care about the IP shown here; it comes from a location in Germany, and I don't even know where the hell that place is)

    I tried setting up rules for WAN and OpenVPN like these:

    Proto     Source         Port   Destination   Port             Gateway   Queue
    IPv4 TCP  109.45.151.3   *      *             1194 (OpenVPN)   *         none

    or even

    Proto     Source         Port   Destination   Port   Gateway   Queue
    IPv4 TCP  109.45.151.3   *      *             *      *         none

    But the OpenVPN log still shows incoming packets from that IP.

    So, what is actually going on? Anyone got a clue about this?

    regards, André



  • The special rule for 109.45.151.3 needs to be a block rule, and has to come before the pass rule for letting other traffic in to WAN address port 1194.



  • @phil.davis:

    The special rule for 109.45.151.3 needs to be a block rule, and has to come before the pass rule for letting other traffic in to WAN address port 1194.

    This firewall has no logic to me.
    The rules were blocking rules and set before all passing rules but after some trying around it only worked when I set 1194 for source AND destination port … using pfBlocker instead of custom rules does work with everything set to any (*) ... which did not work for custom rules.

    Feckin' bollocks if you ask me.



  • I just noticed that some of the rules you were trying had protocol TCP selected. So they were not effective, because your OpenVPN (as is normal and best practice) is using UDP.
    That is a bit of a trick when making new rules - the protocol field defaults to TCP, rather than "any".
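An added illustration (not code from the thread, pfSense or OpenVPN) of the two points made above: pfSense evaluates its GUI rules first-match, so a block rule only works if it comes before the pass rule, and a rule whose protocol is left at the TCP default never matches the UDP packets OpenVPN receives. The rule fields, the `evaluate` function and the sample packet are a simplified model I constructed; the source IP and port 1194 are the ones from the posted log.

```python
"""Minimal first-match packet-filter model (added example, not pfSense code)."""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "*" (any)
    src: str                    # source address or "*"
    dst_port: Union[int, str]   # destination port or "*"
    description: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field must match; '*' matches anything. Protocol is checked like any other field."""
    return (rule.proto in (ANY, pkt.proto)
            and rule.src in (ANY, pkt.src)
            and rule.dst_port in (ANY, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides (pfSense GUI rules are 'quick'); no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny"


# Values taken from the thread: the logged source IP and the OpenVPN port.
NOISY_SOURCE = "109.45.151.3"
# Constructed sample packet: what the WAN interface actually receives (OpenVPN over UDP).
OPENVPN_PROBE = Packet(proto="udp", src=NOISY_SOURCE, dst_port=1194)

PASS_OPENVPN = Rule("pass", "udp", ANY, 1194, "allow OpenVPN on WAN")


def scenario_tcp_block_first() -> Tuple[str, str]:
    """Block rule in the right place, but with the GUI's default protocol (TCP): never matches a UDP packet."""
    block = Rule("block", "tcp", NOISY_SOURCE, 1194, "block 109.45.151.3 (TCP)")
    return evaluate([block, PASS_OPENVPN], OPENVPN_PROBE)


def scenario_udp_block_last() -> Tuple[str, str]:
    """Right protocol, wrong position: the pass rule above it has already accepted the packet."""
    block = Rule("block", "udp", NOISY_SOURCE, 1194, "block 109.45.151.3 (UDP)")
    return evaluate([PASS_OPENVPN, block], OPENVPN_PROBE)


def scenario_udp_block_first() -> Tuple[str, str]:
    """Right protocol and position: the block rule fires before the pass rule is reached."""
    block = Rule("block", "udp", NOISY_SOURCE, ANY, "block 109.45.151.3 (UDP, any port)")
    return evaluate([block, PASS_OPENVPN], OPENVPN_PROBE)


if __name__ == "__main__":
    for name, scenario in [("TCP block before pass", scenario_tcp_block_first),
                           ("UDP block after pass", scenario_udp_block_last),
                           ("UDP block before pass", scenario_udp_block_first)]:
        action, why = scenario()
        print(f"{name:24s} -> {action:5s} ({why})")
```

Only the third scenario blocks the packet; the first two pass it to OpenVPN, which is exactly what the log kept showing. When checking a rule that "does not work", compare its protocol, source, destination, port and position against what the log line says actually arrived.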



  • @phil.davis:

    I just noticed that some of the rules you were trying had protocol TCP selected. So they were not effective, because your OpenVPN (as is normal and best practice) is using UDP.
    That is a bit of a trick when making new rules - the protocol field defaults to TCP, rather than "any".

    Jesus. How could I not notice. You're right and it's so obvious, but somehow I managed to ignore that field when checking the rules. Should've taken a closer look at pfBlocker's rule as well: **IPv4 \***

    Nevertheless, I posted this issue on the OpenVPN forum as well, because I'd like to know what exactly this IP was doing. Does the log entry mean the IP connected to my OpenVPN but without correct auth. data? Or is it just about the ta.key, as I've read somewhere when searching for this message.
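On the question of what the message means: with tls-auth enabled, OpenVPN checks the HMAC on every incoming control packet before it starts a TLS handshake, so "cannot locate HMAC" means the packet was discarded at that first check. No TLS session was established and no username/password or certificate was ever presented; the log records a rejected packet, not an authentication attempt. What is worth watching is the rate and persistence per source. The script below is an added example (not code from the thread, pfSense or OpenVPN) that parses lines in the format shown in the first post and summarizes them per source IP; the sample log mixes six lines copied from the post with two constructed lines (a second source in the documentation range 192.0.2.0/24 and an unrelated OpenVPN message) to show that other lines are ignored.

```python
"""Summarize OpenVPN 'cannot locate HMAC' rejections per source (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Matches the syslog-style lines shown in the thread; whitespace between fields may include tabs.
HMAC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"openvpn\[(?P<pid>\d+)\]: TLS Error: cannot locate HMAC in incoming packet "
    r"from \[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


class HmacEvent(NamedTuple):
    ts: datetime      # year-less syslog timestamp; strptime fills in 1900, fine for same-day deltas
    pid: int
    ip: str
    port: int


class SourceSummary(NamedTuple):
    count: int
    first_seen: datetime
    last_seen: datetime
    ports: Tuple[int, ...]


def parse_line(line: str) -> Optional[HmacEvent]:
    """Return an HmacEvent for a 'cannot locate HMAC' line, None for anything else."""
    m = HMAC_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return HmacEvent(ts, int(m["pid"]), m["ip"], int(m["port"]))


def summarize(lines: Iterable[str]) -> Dict[str, SourceSummary]:
    """Group rejected packets by source IP with count, time span and source ports seen."""
    by_ip: Dict[str, List[HmacEvent]] = defaultdict(list)
    for event in map(parse_line, lines):
        if event is not None:
            by_ip[event.ip].append(event)
    summary = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        ports = tuple(sorted({e.port for e in events}))
        summary[ip] = SourceSummary(len(events), events[0].ts, events[-1].ts, ports)
    return summary


def noisy_sources(summary: Dict[str, SourceSummary],
                  min_count: int = 5, window_seconds: int = 300) -> List[str]:
    """Sources that sent at least min_count rejected packets within window_seconds: persistent, not a stray packet."""
    return sorted(
        ip for ip, s in summary.items()
        if s.count >= min_count
        and (s.last_seen - s.first_seen).total_seconds() <= window_seconds
    )


# Constructed sample log: six lines from the thread plus two lines I made up for contrast.
SAMPLE_LOG = [
    "Mar 5 11:47:17 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    "Mar 5 11:47:01 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    "Mar 5 11:46:53 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    "Mar 5 11:46:14 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    "Mar 5 11:44:01 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    "Mar 5 11:43:45 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194",
    # constructed: a single rejection from a different (documentation-range) address
    "Mar 5 11:45:30 \topenvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.10:40123",
    # constructed: unrelated OpenVPN message that the parser must skip
    "Mar 5 11:48:00 \topenvpn[24410]: Initialization Sequence Completed",
]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1].count):
        span = (s.last_seen - s.first_seen).total_seconds()
        print(f"{ip:15s} {s.count:3d} rejected packets over {span:5.0f}s, source ports {s.ports}")
    print("persistent sources:", noisy_sources(summary))
```

Run against the real log, the per-source count and span tell you whether a source is a persistent talker (as 109.45.151.3 is here: six rejections in about three and a half minutes on the sample) or a one-off. The OpenVPN log only shows packets that reached the daemon; whether a block rule is actually effective is confirmed in the firewall's own filter log, where the blocked packets should start appearing instead.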

