Posted: Fri Sep 27, 2024 18:15 Post subject: DDWRT OPENVPN Server being crashed by Internet Hacker
I have 3 internet sites with the identical WRT3200-ACM DD-WRT v3.0-r50963 std (11/28/22) setup.
All 3 internet sites have been up and running the DD-WRT OPENVPN Server for years with only a couple of problems having to do with Internet hackers attacking the OPENVPN Port or Denial Of Service, and never at more than one site at a time. I have always been able to resolve the issue by rotating the OPENVPN port, powering off for a weekend, or obtaining a new WAN IP from the internet provider, but for this new issue of the OPENVPN Server being crashed by an internet hacker I have not found a solution, although I do have a workaround. I believe it to be a serious security threat if a hacker can crash the DD-WRT OPENVPN Server and it should be looked into by the DD-WRT developers.
A few months ago at one of the 3 Internet sites, the DD-WRT OPENVPN Server would crash for no reason. The firewall would allow the OPENVPN client access to the OPENVPN port but the server would no longer be running. The OPENVPN client would get the message "Connection reset by peer (WSAECONNRESET) (code=10054)". To get the OPENVPN service back up I would just go to the Services->VPN page and Apply Changes and the server would come back up. This attack is continual and the OPENVPN Service would go down again after some time the same way.
I have rotated the OPENVPN Port (stays up much longer) and replaced the router, but the same issue persists at this one location, and it worked for years. When the router is moved with the same configuration to another location (different WAN IP) it works fine. I cannot get the Internet Provider to issue a new WAN IP for this site, which would likely resolve the problem, since I am locked into a contract and so cannot switch Internet Providers easily. The workaround is to have the Administration->Keep Alive->WDS/Connection Watchdog KEEP ALIVE ping the OPENVPN Server 10.8.0.1 and reboot the router when it goes down, which is not ideal since it affects the local network.
The question is how is the hacker crashing the OPENVPN server?
I can reproduce the OPENVPN server crash by issuing a "killall openvpn" in the telnet session and it duplicates the behavior exactly. Again, it is restarted by Services->VPN page and Apply Changes and the server comes back up. It seems like the Internet hacker can run a script to kill the OPENVPN server. The OPENVPN startup log does have a warning: "W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts". I have changed the script-security setting in the openvpn.conf file from 2 to 1, but it keeps being set back to 2 when the OPENVPN Server is restarted. I am not sure this would resolve the issue if I could keep the setting at 1, but it makes sense that it would prevent a client from running a script during a client connection attempt.
I am 100% sure they are not successfully connecting as a VPN client since my client keys are protected by password authentication and I never see any client connected I do not recognize.
Any insight to help resolve this issue would be appreciated.
Below I have included my complete DD-WRT v3.0-r50963 std (11/28/22) OPENVPN Server configuration on the WRT3200-ACM. There are several warnings (in RED) in the OPENVPN startup log that I have researched but can find no resolution.
Server Log:
20240927 13:27:03 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20240927 13:27:03 I OpenVPN 2.5.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 28 2022
20240927 13:27:03 I library versions: OpenSSL 1.1.1s 1 Nov 2022 LZO 2.10
20240927 13:27:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20240927 13:27:03 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
20240927 13:27:03 net_route_v4_best_gw query: dst 0.0.0.0
20240927 13:27:03 net_route_v4_best_gw result: via XXX.XXX.XXX.1 dev eth0
20240927 13:27:03 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20240927 13:27:03 Diffie-Hellman initialized with 2048 bit key
20240927 13:27:03 I TUN/TAP device tun2 opened
20240927 13:27:03 I net_iface_mtu_set: mtu 1500 for tun2
20240927 13:27:03 I net_iface_up: set tun2 up
20240927 13:27:03 I net_addr_v4_add: 10.8.0.1/24 dev tun2
20240927 13:27:04 W WARNING: Failed running command (--route-up): external program exited with error status: 4
20240927 13:27:04 Socket Buffers: R=[180224->180224] S=[180224->180224]
20240927 13:27:04 I UDPv4 link local (bound): [AF_INET][undef]:1196
20240927 13:27:04 I UDPv4 link remote: [AF_UNSPEC]
20240927 13:27:04 MULTI: multi_init called r=256 v=256
20240927 13:27:04 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
20240927 13:27:04 I Initialization Sequence Completed
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633
NO CHANGE, the hacker crashes VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.
I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.
Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.
Wireguard VPN is under Tunnels, and not Services/VPN. It should be already included by default.
_________________
- Linksys EA8500: I-Gateway, AP/VAP 5ghz only r57753: Features: WDS-AP, VLANs, Samba, WG, Entware
- Linksys EA8500: WDS Station x2 - r57753
- Netgear R6400v2: WAP/VAP 2.4ghz only w/VLANs over single trunk port. r57753
- Linksys MX4300 (WAP/VAP (7)) - r58244: Features in use: multiple VLANs over single trunk port
- Linksys MR7350: Testing r58244
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
Joined: 18 Mar 2014 Posts: 13328 Location: Netherlands
Posted: Sun Sep 29, 2024 16:04 Post subject:
FATBADCAT wrote:
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633
NO CHANGE, the hacker crashes VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.
I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.
Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.
Moved to the appropriate forum.
I already gave you the answer to mitigate DDOS attacks and yes DDOS attack can overwhelm OpenVPN.
An attacker cannot execute scripts on the router if the attacker is not connected and if the attacker does not have the right keys they cannot connect.
For script execution script security 2 is necessary.
DDWRT uses regular OpenVPN and OpenSSL both are patched.
K4.9 is EOL but at present there are no security problems known.
Of course your router can be compromised by one thing or another; if that happens it is usually from the inside, by insufficient vigilance of users who have their PCs compromised and passwords stolen, but not from OpenVPN.
As noted by other users your router also has WireGuard.
Both OpenVPN and WireGuard guides are stickies in this Advanced Networking forum.
I had this issue; egc has already given you the answer "use tls-crypt keys", it's in the OVPN manual. Also you can add a firewall rule:
Code:
# extra security for openvpn server: rate-limit NEW connections to the
# OpenVPN port arriving on the WAN interface (a source that opens a 4th
# connection within 60 seconds gets dropped)
# (assumes a "default via <gw> dev <if>" route, so $NF is the WAN interface)
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# nvram holds e.g. "udp4"/"tcp4"; keep the first three characters for iptables -p
OVPN_PROTO="$(nvram get openvpn_proto | awk '{print substr ($1,1,3)}')"
OVPN_PORT="$(nvram get openvpn_port)"
# both rules are inserted at the top (-I), so the second one ends up first:
# every new packet is recorded (--set), then checked (--update) and dropped
# once a source has reached 4 hits within 60 seconds
iptables -I INPUT -p "$OVPN_PROTO" --dport "$OVPN_PORT" -i "$WAN_IF" -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p "$OVPN_PROTO" --dport "$OVPN_PORT" -i "$WAN_IF" -m state --state NEW -m recent --set
FATBADCAT wrote:
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633
NO CHANGE, the hacker crashes VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.
I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.
Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
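The tls-crypt and rate-limit advice above both aim at the same thing: packets without a valid key should be rejected cheaply and the sources sending them should be visible. The script below is an added example, not code from this thread or from DD-WRT; it counts OpenVPN rejection lines (tls-auth/tls-crypt HMAC failures and TLS errors) per source address and prints a review-only DROP rule for any source over a threshold. The log lines are constructed for illustration using documentation addresses (RFC 5737); the message texts follow what OpenVPN 2.5/2.6 prints. The log path, the protocol/port (udp/1196, as in the server log earlier in the thread) and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): find the sources that
# are flooding the OpenVPN port with packets the server rejects, so an
# outage shows up as "N rejected packets from X" instead of a dead server.

flood_sources() {
    # $1: log file, $2: minimum number of rejection lines per source (default 10)
    # Output: "<count> <ipv4>" per offending source, highest count first.
    # IPv4 only: the address is taken from the last "a.b.c.d:port" on the line.
    threshold="${2:-10}"
    grep -E 'cannot locate HMAC|TLS Error|Authenticate/Decrypt packet error' "$1" \
      | sed -nE 's/.*[^0-9.](([0-9]{1,3}\.){3}[0-9]{1,3}):[0-9]+.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

block_rule() {
    # $1: source IPv4, $2: protocol, $3: port, $4: WAN interface
    # Prints (does not run) the rule an operator would add after reviewing
    # the report; -I places it ahead of the rate-limit rules from the thread.
    printf 'iptables -I INPUT -i %s -p %s --dport %s -s %s -j DROP\n' "$4" "$2" "$3" "$1"
}

make_sample_log() {
    # Constructed sample log: one source hammering the port, one sending a
    # couple of stray packets, one legitimate client completing its handshake.
    f="$(mktemp)"
    cat > "$f" <<'EOF'
20240927 13:40:01 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41000
20240927 13:40:01 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41001
20240927 13:40:02 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41002
20240927 13:40:02 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:5000
20240927 13:40:03 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41003
20240927 13:40:03 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41004
20240927 13:40:04 I 192.0.2.55:51820 TLS: Initial packet from [AF_INET]192.0.2.55:51820, sid=1a2b3c4d 5e6f7a8b
20240927 13:40:04 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:5001
20240927 13:40:05 W TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41005
20240927 13:40:06 I 192.0.2.55:51820 [client1] Peer Connection Initiated with [AF_INET]192.0.2.55:51820
EOF
    echo "$f"
}

SAMPLE_LOG="$(make_sample_log)"
# Report sources with at least 5 rejected packets, then the rule to review for each.
flood_sources "$SAMPLE_LOG" 5
flood_sources "$SAMPLE_LOG" 5 | while read -r count ip; do
    block_rule "$ip" udp 1196 eth0
done
```

On a real router the log file argument would be the OpenVPN server log (on DD-WRT it is normally read from the Status page or syslog) and the threshold should be set well above what a legitimate client with a stale or missing ta.key would produce in a minute; the legitimate client in the sample never appears in the report because it generates no rejection lines.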
OK working hard on this, didn't like the implication I am just sitting around.
Things are getting worse. r53633 10/14/23 seems unstable and reboots regularly, has a bunch of messages about IRQs 17, 18, 19, 37 and then later 36 can't change affinity and now unmanaged.
Added OpenVpn TLS-Crypt to server and clients, not sure if the openvpn server is still shutting down due to hacker or the router is restarting due to r53633. Now, in addition to the warning message during boot about management on TCP port without password being unsecured, I also get the new message that the ta.key is accessible by group or others.
Looking for a new stable wrt3200acm load? My old load stayed up for months with no issues, but as indicated above does not use Openvpn 2.6. I think I may go back to that with TLS-Crypt and change one thing at a time this time, unless someone can suggest a newer stable load; russian roulette with beta loads is not my thing.
I will exhaust OpenVPN before starting from scratch with another vpn. Again any insight to my situation is appreciated.
Just a note: I always used easyrsa 3.1.1 for my openvpn key generation, but 3.1.2 has TLS key support without easytls. 3.1.2 won't generate the tls key unless it can see the openVPN.bin on the dd-wrt server to see what version it is. What a waste of time. Used 3.1.1 with easytls and it worked fine to generate the tls key.
Joined: 18 Mar 2014 Posts: 13328 Location: Netherlands
Posted: Tue Oct 01, 2024 20:22 Post subject:
FATBADCAT wrote:
Now, in addition to the warning message during boot about management on TCP port without password being unsecured, I also get the new message that the ta.key is accessible by group or others.
Only one user can gain access and that is you (root).
So unless you use a simple password nobody can gain access.
The pros use ssh with a key to access the router.
Bottom line use ssh with a strong password or even better a key and ignore those warnings.
A tls-crypt v1 key is a simple static key which can be generated very easily even on the router itself, all described in the OpenVPN server setup guide.