Posted: Thu Jan 20, 2022 10:25 Post subject: [SOLVED]OVPN server attempted logins beef up security
Following attempted logins from an outside source that keeps trying different IPs from different countries, I am looking to tighten security up a bit on a friend's R7000.
Trying to generate tls-auth / tls-crypt from the Windows command line as per egc's tutorial, but getting an error; any help appreciated.
Output:-
C:\Program Files\OpenVPN\bin>openvpn --genkey --secret ta.key
2022-01-20 10:11:33 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
I tried openvpn --genkey secret ta.key; this failed. Any ideas?
I updated to latest version of openvpn for windows with all the extras installed.
Also, may I ask: is there any easy script/firewall rule to ban X attempts over X amount of time? It would be a great addition if it is not too resource-hungry on the router.
Setup: main (Sky) router with 1194 forwarded to DD-WRT r44715 running the OVPN server.
No other ports are open on either router to the outside world.
Thanks for any input
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Hmm, seems to me the value of rate limiting OpenVPN when you're already using tls-auth/tls-crypt is highly questionable. Other protocols (ssh, ftp, etc.) don't have the luxury of this feature, so it makes sense to offer it on the firewall page. In the case of OpenVPN, if the packet can't be decrypted due to not having the correct static key, it's going to be dropped anyway. Perhaps rate limiting might have a slight advantage in not requiring OpenVPN itself to respond AT ALL, but only the firewall (before OpenVPN is reached). But even that seems like a minor benefit.
Personally, I keep my OpenVPN server established on an old FT (FreshTomato) router, which itself is powered by a smart wifi-enabled AC adapter, which itself is running on a separate IOT network. Now I can use my smartphone to power-up the OpenVPN server on-demand rather than running it 24/7! Nothing's more secure than having the service unavailable until and unless YOU need it.
Anyway, there are plenty of websites that show you how to "rate limit" anything you want w/ firewall rules. Just search for those terms.
Generated the key from the router with the command provided, thanks egc.
I will move the port as eibgrad has suggested and have a look at rate limiting / firewalls.
I am not so good with firewall rules, still trying to get my head around them.
I found this posted back in 2009 on here.
If I change the port & protocol, would this work?
Wow, thank you eibgrad,
To confirm, I save the top 3 lines in startup and the 2 x firewall rules as firewall?
Much appreciated eibgrad
Foz
Thanks, I wasn't sure, glad I asked.
Thanks again for your time and effort in helping.
Posted: Sun Jan 23, 2022 12:50 Post subject:
I used this for ssh in the past:
# Dedicated chain for new ssh connections
iptables -N IN_SSH
# Only the first packet of a new tcp connection to the ssh port goes into that chain
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
# Drop if this source already made 3 new connections within the last 10 seconds...
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
# ...or 4 within the last 30 minutes
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
# Otherwise record the source in the "sshbf" list and accept
iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT
As well, eibgrad's option seems more legit... as it chooses the default WAN interface and it's more specific on correct values...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
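The ssh rules above, adapted to the OpenVPN server port as an added example (not code from the thread or from DD-WRT). It assumes the port, protocol and WAN interface are passed in (on DD-WRT the WAN interface is typically `nvram get wan_iface`), and that IPT=echo can be set to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: the ssh "recent" rules adapted to the
# OpenVPN server port, for use in the DD-WRT firewall script.
# Assumptions: port, protocol and WAN interface are passed in; set IPT=echo
# to preview the generated rules without applying them.
IPT="${IPT:-iptables}"

# Usage: ovpn_rate_limit PORT PROTO WAN_IFACE [HITS] [SECONDS]
# Allows HITS new handshakes per source IP within SECONDS; the next one is
# dropped by the firewall before the OpenVPN daemon ever sees it.
ovpn_rate_limit() {
    port="$1"; proto="$2"; wan="$3"; hits="${4:-3}"; secs="${5:-60}"
    case "$proto" in udp|tcp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac

    # Dedicated chain, flushed on every run so the script is re-runnable.
    $IPT -N IN_OVPN 2>/dev/null || true
    $IPT -F IN_OVPN
    # Only the first packet of a flow (NEW) is inspected, so an established
    # tunnel is never throttled; inserted at the top of INPUT so it runs
    # ahead of the router's own ACCEPT for the server port.
    $IPT -D INPUT -i "$wan" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j IN_OVPN 2>/dev/null || true
    $IPT -I INPUT -i "$wan" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j IN_OVPN
    # --update refreshes the source's timestamp on every hit, so a host that
    # keeps retrying stays blocked until it has been quiet for SECONDS.
    $IPT -A IN_OVPN -m recent --name ovpnbf --update --seconds "$secs" --hitcount "$hits" -j DROP
    # Under the limit: record this attempt and let it through.
    $IPT -A IN_OVPN -m recent --name ovpnbf --set -j ACCEPT
}
# Call for the thread's setup (OpenVPN on UDP 1194), WAN interface from nvram:
# ovpn_rate_limit 1194 udp "$(nvram get wan_iface)"
```

Run once with IPT=echo to check the rules before pasting the call into the firewall script.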
Just in case anyone finds this thread when using ta.key with crapple iOS: I was unable to get iOS to read the ta.key file, so I added it into the OVPN client config using <tls-crypt> xxxx </tls-crypt> tags (also worked with Android) and hashed out/removed #tls-crypt ta.key in the config.
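The inlining described in the post above, as an added example (not code from the thread): it moves the ta.key contents into an inline <tls-crypt> or <tls-auth> block, drops the file-based directive, and keeps the key direction for tls-auth. The file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: embed ta.key into a client .ovpn as an
# inline <tls-crypt> (or <tls-auth>) block for clients that cannot import a
# separate key file.
# Usage: inline_ta_key client.ovpn ta.key > client-inline.ovpn
inline_ta_key() {
    ovpn="$1"; key="$2"
    # Locate the file-based directive. tls-auth carries a key direction (0/1)
    # as its third word, which must survive as a separate key-direction line.
    line=$(grep -E '^[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$ovpn" | head -n 1)
    [ -n "$line" ] || { echo "no tls-auth/tls-crypt directive in $ovpn" >&2; return 1; }
    set -- $line
    mode="$1"; dir="$3"
    # Emit the config without the directive (including any "#tls-crypt" copy
    # left behind after commenting it out).
    grep -vE '^[[:space:]]*#?[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$ovpn"
    if [ "$mode" = "tls-auth" ] && [ -n "$dir" ] && ! grep -q '^[[:space:]]*key-direction' "$ovpn"; then
        echo "key-direction $dir"
    fi
    echo "<$mode>"
    cat "$key"
    echo "</$mode>"
}
```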