    Netgate Discussion Forum
    Possible security breach

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    • brianc69

      Firewall log shows VPN traffic. Only two people have access to the VPN: myself and my stepson, who's in school. This is what I found for matching traffic at the same time. How can the firewall show passing traffic when the VPN log shows a failure?

      
      Time	Process	PID	Message
      Mar 21 12:10:47	openvpn	60118	TLS Error: incoming packet authentication failed from [AF_INET]104.130.19.164:35988
      Mar 21 12:10:47	openvpn	60118	Authenticate/Decrypt packet error: packet HMAC authentication failed
      
      • heper

        Cause it's connecting to the VPN server? That means it's passed the firewall…

        • cmb

          @heper:

          Cause it's connecting to the VPN server? That means it's passed the firewall…

          Yeah, the outer part of the VPN is allowed from any source there, which means anyone can try to connect. It failed. No apparent security breach.

          • brianc69

            I'm confused. Why isn't the firewall showing denied instead of pass? Do I have something set wrong?

            • Derelict (Netgate)

              Because you have to pass traffic to the OpenVPN server to be able to connect to the OpenVPN server.

              • NOYB

                @brianc69:

                I'm confused. Why isn't the firewall showing denied instead of pass?

                Because you have not made a firewall rule to deny the traffic that the firewall is passing.

                @brianc69:

                Do I have something set wrong?

                Not necessarily.

                Firewall has to pass traffic in order for you to connect to the VPN.
                You could create a firewall rule that restricts the sources that will be passed if you know in advance where the VPN will legitimately be used from.

                Highly recommend using user-specific certificate auth. No shared user stuff.

                • JasonJoel

                  @brianc69:

                  I'm confused. Why isn't the firewall showing denied instead of pass? Do I have something set wrong?

                  As others said… But to put another way:

                  1. The firewall has to pass VPN Client traffic through it to the VPN Server in order for ANYONE to connect via VPN (including you and your stepson), that is normal.
                  2. Whoever tried to connect to the VPN failed to authenticate, which means they never entered your network. That is good.

                  You could make a firewall rule limiting WHICH external IP addresses can try to connect to your VPN if you know which external IPs/IP ranges you and your stepson will be using remotely. If you don't, or if it could be a wide range of IPs you would be connecting from, then there isn't much else you can do with manual firewall rules.

                  You could, however, use pfBlocker to automatically block entire countries, etc, from connecting (if for instance you never needed to connect from outside your country) - that is up to you though, and it still doesn't prevent other people from the same country from trying to connect to your VPN.

                  Jason

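The triage a practitioner would do on this kind of log, as an added example that is not part of the thread and not pfSense's or OpenVPN's own code. The two messages brianc69 quoted ("TLS Error: incoming packet authentication failed from ..." followed by "Authenticate/Decrypt packet error: packet HMAC authentication failed") are what OpenVPN logs when a control-channel packet fails the tls-auth/tls-crypt HMAC check: the sender did not hold the shared TLS key, so no TLS handshake and no user authentication ever took place. The script below parses OpenVPN syslog lines, counts such failures per source address, records which sources actually completed a connection ("Peer Connection Initiated with ..."), and flags any source outside the address ranges the two legitimate users connect from. The sample log is constructed for the example (the first two lines reproduce the thread's messages; the PID, the later timestamps, the common name and the 198.51.100.0/24 and 203.0.113.0/24 allowlist are hypothetical).

```python
"""Triage OpenVPN tls-auth failures against an allowlist of expected client sources."""
import ipaddress
import re
from collections import Counter

# Constructed sample log in OpenVPN's syslog form. The first two lines reproduce the
# messages quoted in the thread; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Mar 21 12:10:47 openvpn[60118]: TLS Error: incoming packet authentication failed from [AF_INET]104.130.19.164:35988
Mar 21 12:10:47 openvpn[60118]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 21 12:11:02 openvpn[60118]: TLS Error: incoming packet authentication failed from [AF_INET]104.130.19.164:35988
Mar 21 12:11:02 openvpn[60118]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 21 18:40:11 openvpn[60118]: 198.51.100.23:51433 [stepson] Peer Connection Initiated with [AF_INET]198.51.100.23:51433
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Logged when a control-channel packet fails the tls-auth/tls-crypt HMAC check. The
# sender lacked the shared TLS key, so the TLS handshake never started. The companion
# "Authenticate/Decrypt packet error" line carries no address and is skipped below.
TLS_AUTH_FAIL = re.compile(
    r"TLS Error: incoming packet authentication failed from \[AF_INET\](?P<ip>" + IPV4 + r"):(?P<port>\d+)"
)
# Logged once a peer has authenticated and the tunnel is established.
PEER_UP = re.compile(
    r"Peer Connection Initiated with \[AF_INET\](?P<ip>" + IPV4 + r"):(?P<port>\d+)"
)


def triage(log_text, allowed_cidrs):
    """Return (failures_by_ip, authenticated_ips, unexpected_ips).

    allowed_cidrs: networks the legitimate users are expected to connect from
    (hypothetical values in the usage below). Every source that appears at all
    and lies outside them is listed in unexpected_ips. A source that only ever
    fails the HMAC check is an unauthenticated probe that the WAN pass rule for
    the OpenVPN port necessarily let reach the daemon; it never got further.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    failures = Counter()
    authenticated = set()
    for line in log_text.splitlines():
        if m := TLS_AUTH_FAIL.search(line):
            failures[m["ip"]] += 1
        elif m := PEER_UP.search(line):
            authenticated.add(m["ip"])
    seen = set(failures) | authenticated
    unexpected = sorted(
        ip for ip in seen
        if not any(ipaddress.ip_address(ip) in net for net in allowed)
    )
    return dict(failures), authenticated, unexpected


if __name__ == "__main__":
    # Hypothetical allowlist: the home ISP block and the school's address range.
    fails, ok, odd = triage(SAMPLE_LOG, ["198.51.100.0/24", "203.0.113.0/24"])
    for ip, n in sorted(fails.items()):
        status = "also authenticated" if ip in ok else "never authenticated"
        print(f"{ip}: {n} tls-auth HMAC failure(s), {status}")
    print("authenticated sources:", sorted(ok))
    print("sources outside allowlist:", odd)
```

Run against the sample, the one failing source is outside the allowlist and never authenticated, which is exactly the "tried and failed" case cmb described. The same allowlist, applied as the source of the WAN pass rule for the OpenVPN port as NOYB and JasonJoel suggest, is what stops such probes from reaching the daemon at all; the script only helps decide whether that restriction is practical for the addresses actually in use.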
                  • Harvy66

                    There are two different layers of security going on:

                    1. Firewall
                    2. VPN

                    In order to connect to the VPN, you had to disable the firewall for the VPN port. This means the firewall will not block connections to the VPN. But the VPN has its own authentication and security and will reject invalid authentication attempts.

                    • brianc69

                      Thank you all for the clarification. Got worried when I saw VPN traffic without authentication.
