fail2ban for OpenVPN server, or anything similar?

atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Mon Jan 16, 2023 7:06    Post subject: fail2ban for OpenVPN server, or anything similar?
I'm running an OpenVPN server on my DD-WRT router, and I am a bit frazzled about having port 1194 constantly wide open to the public. I was wondering if there is any OpenVPN server-side solution such as fail2ban to ban/block (by IP address) any VPN clients who attempt to access my OpenVPN server (or port 1194 in general) more than "X" number of times. Any help or advice is appreciated!
_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Mon Jan 16, 2023 8:30    Post subject:
You didn't mention your router model and the current build you're running...
and this is important... if we are to believe you are using the router and firmware from your signature..then your first step is to update to a more recent build, as build 41xxx is
very old and has lots of security updates missing..so regarding security this should be your primary concern...

Then you can harden this port with a few iptables lines, but in general an OpenVPN server should be secure enough even without, if it's configured as it should be; it has all that is needed, https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398...

You can also run/use fail2ban via an Entware installation (no idea how via DD-WRT itself); it also seems the Entware package for it is updated to 0.11xx:

fail2ban 0.11.2-3 net - Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts.

https://github.com/fail2ban/fail2ban

For other IPS solutions you can use Snort or Suricata via Entware at router level, but this is too (CPU) overwhelming for a consumer router..so you'd need an x86/x64 DD-WRT PC installation...and some decent guides on how to use it...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Mon Jan 16, 2023 10:46    Post subject:
In addition to what @Alozaros mentions, use a non-default port, e.g. 33349.

Furthermore you can use tls-crypt to stop login earlier in the process.

But if you are using keys to log in you should be secure enough.

OpenVPN documentation is a sticky in this forum.

You can use ipset to collect IP addresses of failed attempts and ban them "permanently":

Reference: https://upcloud.com/resources/tutorials/iptables-firewall-recent-triggering-ipset

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
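The ipset-based ban egc refers to (and the "few iptables lines" Alozaros mentions) can be built from the iptables `recent` match plus an ipset with an expiring timeout. The script below is an added example, not code from any post in this thread or from the linked tutorial. It assumes the firmware's iptables has the `recent` match and the `SET` target and that the `ipset` binary supports `hash:ip` sets with `timeout` (check with `ipset -v` and `iptables -m recent -h`); the chain name `OVPN_GUARD`, the set name `ovpn_ban`, the thresholds and the `nvram get wan_ifname` lookup for the WAN interface are my choices, not anything from the thread. The rules are printed first so they can be reviewed; `ovpn_ban_apply` runs them.

```shell
#!/bin/sh
# Added example: ban sources that open too many new flows to the OpenVPN
# port, using iptables 'recent' plus an ipset whose entries expire.
# Assumed tunables (not from the thread); override via the environment.
OVPN_PORT="${OVPN_PORT:-1194}"        # listening port (egc suggests a non-default one)
OVPN_PROTO="${OVPN_PROTO:-udp}"
HITS="${HITS:-10}"                    # new flows allowed per source ...
WINDOW="${WINDOW:-60}"                # ... within this many seconds
BAN_SECONDS="${BAN_SECONDS:-86400}"   # how long a banned source stays dropped
SET_NAME="ovpn_ban"
# DD-WRT keeps the WAN interface name in nvram; fall back to eth0 elsewhere.
WAN_IF="${WAN_IF:-$(nvram get wan_ifname 2>/dev/null || echo eth0)}"

# Emit the rules, one complete command per line, without executing them.
ovpn_ban_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip timeout $BAN_SECONDS -exist
iptables -N OVPN_GUARD 2>/dev/null
iptables -F OVPN_GUARD
iptables -A OVPN_GUARD -m set --match-set $SET_NAME src -j DROP
iptables -A OVPN_GUARD -m recent --name ovpn --set
iptables -A OVPN_GUARD -m recent --name ovpn --update --seconds $WINDOW --hitcount $HITS -j SET --add-set $SET_NAME src
iptables -A OVPN_GUARD -m recent --name ovpn --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A OVPN_GUARD -j RETURN
iptables -D INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -m conntrack --ctstate NEW -j OVPN_GUARD 2>/dev/null
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -m conntrack --ctstate NEW -j OVPN_GUARD
EOF
}

# Apply the rules; stop at the first failing command.
ovpn_ban_apply() {
    ovpn_ban_rules | sh -e
}

# Show who is currently banned (set name and timeouts come from above).
ovpn_ban_list() {
    ipset list "$SET_NAME"
}
```

On DD-WRT this would go under Administration > Commands and be saved as the firewall script, with `ovpn_ban_apply` as its last line so it re-runs after every firewall restart; the `-D` before the `-I` keeps repeated runs from stacking duplicate INPUT rules. Two things to keep in mind: with UDP there is no "failed login" to read from a log (with tls-crypt the server silently discards packets that fail the HMAC), so a "hit" here is simply a new flow from a source, and a source that trips the threshold is dropped for the whole ban window. Set `HITS` and `WINDOW` with your own clients in mind, because several legitimate users behind one NAT address count as one source.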
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Wed Jan 18, 2023 23:54    Post subject:
Alozaros wrote:
You didn't mention your router model and the current build you're running...
and this is important...


Thanks for the help and input. My router is a Linksys WRT3200ACM, and my build number is v3.0-r51140 (12/31/22). Let me know if this helps and if you have any more advice from this. Thanks.

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)