4. Unknown OpenVPN connection and log-messages

Unknown OpenVPN connection and log-messages

  • M

    Hello guys,

    I am not sure what's going on. Is someone trying to connect to my OpenVPN, someone without auth?

    I'm running pfSense 2.1-RELEASE (i386) and use 1x DSL-WAN (default + OpenVPN), 1x LTE-WAN (specific usergroup only), 1x LAN and have set up my OpenVPN several months ago.
    Firewall rules are these:
    WAN (DSL)

     	IPv4 UDP 	* 	* 	WAN_ADSL address 	1194 (OpenVPN) 	* 	none

    OpenVPN

     	IPv4 * 	* 	* 	LAN net 	* 	* 	none

    Today I had to check the logs and noticed some (not ending) entries, which I have no idea what's going on.

    Mar 5 11:47:17 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:47:01 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:46:53 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:46:49 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:46:47 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:46:14 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:45:58 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:45:51 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:45:46 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:45:44 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:45:08 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:44:48 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:44:40 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:44:36 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:44:34 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:44:01 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 11:43:45 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
.
.
.
Mar 5 10:01:44 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 10:01:36 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 10:01:31 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194
Mar 5 10:01:29 	openvpn[24410]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.45.151.3:1194

    (I don't care 'bout the IP shown here, comes from a location in germany I don't even know where the hell that place is)

    I tried setting up rules for WAN and OpenVPN like these:

    IPv4 TCP 	109.45.151.3 	* 	* 	1194 (OpenVPN) 	* 	none

    or even

    IPv4 TCP 	109.45.151.3 	* 	* 	* 	* 	none

    But the OpenVPN log still shows incoming packets from that IP.

    So, what is actually going on? Anyone got a clue about this?

    regards, André

    0
  • P

    The special rule for 109.45.151.3 needs to be a block rule, and has to come before the pass rule for letting other traffic in to WAN address port 1194.

    0
  • M

    @phil.davis:

    The special rule for 109.45.151.3 needs to be a block rule, and has to come before the pass rule for letting other traffic in to WAN address port 1194.

    This firewall has no logic to me.
    The rules were blocking rules and set before all passing rules but after some trying around it only worked when I set 1194 for source AND destination port … using pfBlocker instead of custom rules does work with everything set to any (*) ... which did not work for custom rules.

    Feckin' bollocks if you ask me.

    0
  • P

    I just noticed that some of the rules you were trying had protocol TCP selected. So they were not effective, because your OpenVPN (as is normal and best practice) is using UDP.
    That is a bit of a trick when making new rules - the protocol field defaults to TCP, rather than "any".

    0
  • M

    @phil.davis:

    I just noticed that some of the rules you were trying had protocol TCP selected. So they were not effective, because your OpenVPN (as is normal and best practice) is using UDP.
    That is a bit of a trick when making new rules - the protocol field defaults to TCP, rather than "any".

    Jesus. How couldn't I notice. You're right and it's so obvious but somehow I managed to ignore that field when checking the rules. Should've taken a closer look at pfBlocker's rule aswell:  **IPv4 ***

    Nevertheless I posted this issue at OpenVPN forum also because I'd like to know what exactly this IP was doing? Does the log entry mean, the IP connected to my OpenVPN but without correct auth. data? Or is it just about the ta.key as I've read somewhere when searching for this message.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy