Possible security breach



  • Firewall log shows VPN traffic. Only two people have access to the VPN: myself and my stepson, who's in school. This is what I found for matching traffic at the same time. How can the firewall show passing traffic when the VPN log shows a failure?

    
    Time	Process	PID	Message
    Mar 21 12:10:47	openvpn	60118	TLS Error: incoming packet authentication failed from [AF_INET]104.130.19.164:35988
    Mar 21 12:10:47	openvpn	60118	Authenticate/Decrypt packet error: packet HMAC authentication failed
    


  • 'cause it's connecting to the VPN server? That means it's passed the firewall…



  • @heper:

    'cause it's connecting to the VPN server? That means it's passed the firewall…

    Yeah, the outer part of the VPN is allowed from any source there, which means anyone can try to connect. It failed. No apparent security breach.



  • I'm confused. Why isn't the firewall showing denied instead of pass? Do I have something set wrong?


  • 

    Because you have to pass traffic to the OpenVPN server to be able to connect to the OpenVPN server.



  • @brianc69:

    I'm confused. Why isn't the firewall showing denied instead of pass?

    Because you have not made a firewall rule to deny the traffic that the firewall is passing.

    @brianc69:

    Do I have something set wrong?

    Not necessarily.

    Firewall has to pass traffic in order for you to connect to the VPN.
    You could create a firewall rule that restricts the sources that will be passed if you know in advance where the VPN will legitimately be used from.

    Highly recommend using user-specific certificate auth. No shared user stuff.



  • @brianc69:

    I'm confused. Why isn't the firewall showing denied instead of pass? Do I have something set wrong?

    As others said… But to put another way:

    1. The firewall has to pass VPN Client traffic through it to the VPN Server in order for ANYONE to connect via VPN (including you and your stepson), that is normal.
    2. Whoever tried to connect to the VPN failed to authenticate, which means they never entered your network. That is good.

    You could make a firewall rule limiting WHICH external IP addresses can try to connect to your VPN if you know which external IPs/IP ranges you and your stepson will be using remotely. If you don't, or if it could be a wide range of IPs you would be connecting from, then there isn't much else you can do with manual firewall rules.

    You could, however, use pfBlocker to automatically block entire countries, etc., from connecting (if for instance you never needed to connect from outside your country). That is up to you though, and it still doesn't prevent other people in the same country from trying to connect to your VPN.

    Jason



  • There are two different layers of security going on

    1. Firewall
    2. VPN

    In order to connect to the VPN, you had to disable the firewall for the VPN port. This means the firewall will not block connections to the VPN. But the VPN has its own authentication and security and will reject invalid authentication attempts.



  • Thank you all for the clarification. Got worried when I saw VPN traffic without authentication.

