DDWRT OPENVPN Server being crashed by Internet Hacker

FATBADCAT
DD-WRT Novice


Joined: 26 Apr 2023
Posts: 3

Posted: Fri Sep 27, 2024 18:15    Post subject: DDWRT OPENVPN Server being crashed by Internet Hacker
I have 3 internet sites with the identical WRT3200-ACM DD-WRT v3.0-r50963 std (11/28/22) setup.

All 3 internet sites have been up and running the DD-WRT OPENVPN Server for years with only a couple of problems having to do with Internet hackers attacking the OPENVPN Port or Denial Of Service, and never at more than one site at a time. I have always been able to resolve the issue by rotating the OPENVPN port, powering off for a weekend, or obtaining a new WAN IP from the internet provider, but for this new issue of the OPENVPN Server being crashed by an internet hacker I have not found a solution, although I do have a workaround. I believe it to be a serious security threat if a hacker can crash the DD-WRT OPENVPN Server and it should be looked into by the DD-WRT developers.

A few months ago at one of the 3 Internet sites, the DD-WRT OPENVPN Server would crash for no reason. The firewall would allow the OPENVPN client access to the OPENVPN port, but the server would no longer be running. The OPENVPN client would get the message "Connection reset by peer (WSAECONNRESET) (code=10054)". To get the OPENVPN service back up I would just go to the Services->VPN page and Apply Changes, and the server would come back up. This attack is continual and the OPENVPN Service would go down again after some time in the same way.

I have rotated the OPENVPN Port (stays up much longer) and replaced the router, but the same issue persists at this one location, and it worked for years. When the router is moved with the same configuration to another location (different WAN IP) it works fine. I cannot get the Internet Provider to issue a new WAN IP for this site, which would likely resolve the problem, since I am locked into a contract and so cannot switch Internet Providers easily. The workaround is to have the Administration->Keep Alive->WDS/Connection Watchdog KEEP ALIVE ping the OPENVPN Server 10.8.0.1 and reboot the router when it goes down, which is not ideal since it affects the local network.

The question is how is the hacker crashing the OPENVPN server?
I can reproduce the OPENVPN server crash by issuing a "killall openvpn" in the telnet session, and it duplicates the behavior exactly. Again, it is restarted by the Services->VPN page and Apply Changes and the server comes back up. It seems like the Internet hacker can run a script to kill the OPENVPN server. The OPENVPN startup log does have a warning: "W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts". I have changed the script-security setting in the openvpn.conf file from 2 to 1, but it keeps being set back to 2 when the OPENVPN Server is restarted. I am not sure this would resolve the issue if I could keep the setting at 1, but it makes sense that it would prevent a client from running a script during a client connection attempt.

I am 100% sure they are not successfully connecting as a VPN client since my client keys are protected by password authentication and I never see any client connected I do not recognize.

Any insight to help resolve this issue would be appreciated.

Below I have included my complete DD-WRT v3.0-r50963 std (11/28/22) OPENVPN Server configuration on the WRT3200-ACM. There are several warnings (in RED) in the OPENVPN startup log that I have researched but can find no resolution.

Server Log:
20240927 13:27:03 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20240927 13:27:03 I OpenVPN 2.5.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 28 2022
20240927 13:27:03 I library versions: OpenSSL 1.1.1s 1 Nov 2022 LZO 2.10
20240927 13:27:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20240927 13:27:03 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
20240927 13:27:03 net_route_v4_best_gw query: dst 0.0.0.0
20240927 13:27:03 net_route_v4_best_gw result: via XXX.XXX.XXX.1 dev eth0
20240927 13:27:03 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20240927 13:27:03 Diffie-Hellman initialized with 2048 bit key
20240927 13:27:03 I TUN/TAP device tun2 opened
20240927 13:27:03 I net_iface_mtu_set: mtu 1500 for tun2
20240927 13:27:03 I net_iface_up: set tun2 up
20240927 13:27:03 I net_addr_v4_add: 10.8.0.1/24 dev tun2
20240927 13:27:04 W WARNING: Failed running command (--route-up): external program exited with error status: 4
20240927 13:27:04 Socket Buffers: R=[180224->180224] S=[180224->180224]
20240927 13:27:04 I UDPv4 link local (bound): [AF_INET][undef]:1196
20240927 13:27:04 I UDPv4 link remote: [AF_UNSPEC]
20240927 13:27:04 MULTI: multi_init called r=256 v=256
20240927 13:27:04 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
20240927 13:27:04 I Initialization Sequence Completed

root@XXXXXXX:~# ifconfig
br0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122657 errors:0 dropped:2400 overruns:0 frame:0
TX packets:152083 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29568706 (28.1 MiB) TX bytes:346933629 (330.8 MiB)

eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:XXX.XXX.XXX.XXX Bcast:XXX.XXX.XXX.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1264492 errors:0 dropped:0 overruns:0 frame:0
TX packets:102646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:409895764 (390.9 MiB) TX bytes:28541621 (27.2 MiB)
Interrupt:36

eth1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112364 errors:0 dropped:4 overruns:0 frame:0
TX packets:130885 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:26660672 (25.4 MiB) TX bytes:323204582 (308.2 MiB)
Interrupt:37

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:727 errors:0 dropped:0 overruns:0 frame:0
TX packets:727 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:92151 (89.9 KiB) TX bytes:92151 (89.9 KiB)

tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:47 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:5271 (5.1 KiB) TX bytes:18174 (17.7 KiB)

wlan0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3895 errors:0 dropped:0 overruns:0 frame:0
TX packets:12992 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2301374 (2.1 MiB) TX bytes:2758718 (2.6 MiB)

wlan1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13623 errors:0 dropped:0 overruns:0 frame:0
TX packets:34352 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3143474 (2.9 MiB) TX bytes:26380795 (25.1 MiB)

root@XXXXXXX:~# nvram show | grep size
size: 41363 bytes (89709 left)
dnsmasq_cachesize=1500
olsrd_pollsize=0.1

root@XXXXXXX:~# ps | grep openvpn
9935 root 3608 S /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --daemon
11766 root 1400 S grep openvpn

root@XXXXXXX:~# cat /tmp/openvpn/openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port XXXX
proto udp4
auth sha256
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh

root@XXXXXXX:~# cat /tmp/openvpn/cldiscon.sh
#!/bin/sh

root@XXXXXXX:~# cat /tmp/openvpn/clcon.sh
#!/bin/sh

root@XXXXXXX:~# cat /tmp/openvpn/route-up.sh
#!/bin/sh
cat << EOF > /tmp/openvpnsrv_fw.sh
#!/bin/sh
iptables -t nat -D POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o $(get_wanface) -j MASQUERADE
iptables -t nat -A POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o $(get_wanface) -j MASQUERADE
EOF
chmod +x /tmp/openvpnsrv_fw.sh
/tmp/openvpnsrv_fw.sh

root@XXXXXXX:~# cat /tmp/openvpn/route-down.sh
#!/bin/sh
iptables -t nat -D POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o $(get_wanface) -j MASQUERADE
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14968
Location: Texas, USA

Posted: Fri Sep 27, 2024 18:55    Post subject:
It's advisable to upgrade to one of the following releases and adjust configuration accordingly:
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13328
Location: Netherlands

Posted: Fri Sep 27, 2024 19:52    Post subject:
To prevent DDoS attacks, use tls-crypt keys.

Furthermore, consider using WireGuard instead of OpenVPN.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
FATBADCAT
DD-WRT Novice


Joined: 26 Apr 2023
Posts: 3

Posted: Sun Sep 29, 2024 5:31    Post subject:
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633

NO CHANGE, the hacker crashes the VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.

I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of, and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.

Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must the DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1554
Location: WV, USA

Posted: Sun Sep 29, 2024 5:35    Post subject:
WireGuard VPN is under Tunnels, not Services/VPN. It should already be included by default.
_________________
- Linksys EA8500: I-Gateway, AP/VAP 5ghz only r57753: Features: WDS-AP, VLANs, Samba, WG, Entware
- Linksys EA8500: WDS Station x2 - r57753
- Netgear R6400v2: WAP/VAP 2.4ghz only w/VLANs over single trunk port. r57753
- Linksys MX4300 (WAP/VAP (7)) - r58244: Features in use: multiple VLANs over single trunk port
- Linksys MR7350: Testing r58244
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 489

Posted: Sun Sep 29, 2024 15:45    Post subject:
FATBADCAT wrote:
Hopefully someone takes a serious look at this and can head me in a direction to a solution.


Place to start? - https://www.youtube.com/watch?v=1k6jS9A6MVo

Setup guide - https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13328
Location: Netherlands

Posted: Sun Sep 29, 2024 16:04    Post subject:
FATBADCAT wrote:
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633

NO CHANGE, the hacker crashes the VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.

I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of, and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.

Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must the DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.


Moved to the appropriate forum.

I already gave you the answer to mitigate DDoS attacks, and yes, a DDoS attack can overwhelm OpenVPN.

An attacker cannot execute scripts on the router if the attacker is not connected, and if the attacker does not have the right keys they cannot connect.
For script execution, script-security 2 is necessary.

DD-WRT uses regular OpenVPN and OpenSSL; both are patched.
K4.9 is EOL, but at present there are no security problems known.

Of course your router can be compromised by one thing or another; if that happens it is usually from the inside, by insufficient vigilance of users who have their PCs compromised and passwords stolen, but not from OpenVPN.

As noted by other users your router also has WireGuard.

Both OpenVPN and WireGuard guides are stickies in this Advanced Networking forum.

So I suggest you take things seriously and start reading ;)

foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 718
Location: Earth

Posted: Tue Oct 01, 2024 8:26    Post subject:
I had this issue. egc has already given you the answer, "use tls-crypt keys"; it's in the OVPN manual. Also, you can add a firewall rule:
Code:
# extra security for openvpn server
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
OVPN_PROTO="$(nvram get openvpn_proto | awk '{print substr ($1,1,3)}')"
OVPN_PORT="$(nvram get openvpn_port)"
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p $OVPN_PROTO --dport $OVPN_PORT -i $WAN_IF -m state --state NEW -m recent --set


FATBADCAT wrote:
Updated Firmware to Last Linux 4.9 kernel release (OpenVPN 2.6.6): New Build - 10/14/2023 - r53633

NO CHANGE, the hacker crashes the VPN Server! The OPENVPN Server in DD-WRT appears to be seriously compromised.

I really don't have the time to explore the world of new DD-WRT betas without evidence there is a significant change to the OPENVPN version. OPENVPN is the only VPN server integrated into DD-WRT I am aware of, and the WRT3200ACM probably does not have the extra resources to install a different VPN server. I will never use VPN passthrough to a local VPN Server.

Hopefully someone takes a serious look at this and can head me in a direction to a solution. Why must the DD-WRT OPENVPN Server script-security be set to 2? This is likely how they are killing the OPENVPN Server, by running a script during a failed client login attempt.

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
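As an added example (not code from the thread or from DD-WRT), a POSIX sh audit of the posted server config for the three points the startup log WARNINGs and egc's and foz111's tls-crypt advice cover; the sample configs, the key file path and the management password file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: audit an OpenVPN
# server config for the issues the posts and the startup log point at.
# Assumes the directive names used in the posted /tmp/openvpn/openvpn.conf.

# audit_ovpn_conf FILE -> one finding per line on stdout (nothing if clean)
audit_ovpn_conf() {
    conf="$1"
    # 1. Without tls-crypt/tls-auth every UDP packet reaches the TLS layer, so
    #    an unauthenticated sender can keep the server busy (egc's advice).
    if ! grep -Eq '^(tls-crypt|tls-crypt-v2|tls-auth)[[:space:]]' "$conf"; then
        echo "control channel not wrapped: add tls-crypt <keyfile>"
    fi
    # 2. 'management IP port' with no third argument is the unauthenticated
    #    TCP management socket the first log WARNING refers to.
    if grep -Eq '^management[[:space:]]' "$conf" &&
       ! grep -Eq '^management([[:space:]]+[^[:space:]]+){3}' "$conf"; then
        echo "management socket has no password file"
    fi
    # 3. duplicate-cn defeats per-client settings in client-config-dir
    #    (the second log WARNING).
    if grep -q '^duplicate-cn' "$conf" && grep -q '^client-config-dir' "$conf"; then
        echo "duplicate-cn together with client-config-dir"
    fi
}

# count_findings FILE -> number of findings, always exits 0
count_findings() {
    audit_ovpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the relevant lines of the posted server config.
write_posted_conf() {
    cat > "$1" <<'EOF'
management 127.0.0.1 14
script-security 2
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
server 10.8.0.0 255.255.255.0
EOF
}

# Constructed sample: the same config after the thread's advice is applied
# (placeholder paths for the tls-crypt key and the management password file).
write_hardened_conf() {
    cat > "$1" <<'EOF'
management 127.0.0.1 14 /tmp/openvpn/mgmt.pw
tls-crypt /tmp/openvpn/ta.key
script-security 2
client-config-dir /tmp/openvpn/ccd
tls-server
server 10.8.0.0 255.255.255.0
EOF
}

posted=$(mktemp); hardened=$(mktemp)
write_posted_conf "$posted"; write_hardened_conf "$hardened"
echo "posted: $(count_findings "$posted") finding(s)"      # 3
echo "hardened: $(count_findings "$hardened") finding(s)"  # 0
rm -f "$posted" "$hardened"
```

On the router the config is regenerated from NVRAM by the GUI, so the fix is applied through Services->VPN (tls-crypt key field) rather than by editing /tmp/openvpn/openvpn.conf directly.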
FATBADCAT
DD-WRT Novice


Joined: 26 Apr 2023
Posts: 3

Posted: Tue Oct 01, 2024 20:02    Post subject:
OK, working hard on this; I didn't like the implication that I am just sitting around.

Things are getting worse. r53633 10/14/23 seems unstable and reboots regularly; it has a bunch of messages about IRQs 17, 18, 19, 37 and then later 36 that can't change affinity and are now unmanaged.

Added OpenVPN TLS-Crypt to server and clients; not sure if the openvpn server is still shutting down due to the hacker or the router is restarting due to r53633. Now, in addition to the warning message during boot about management on a TCP port without password being unsecured, I also get the new message that the ta.key is accessible by group or others.

Looking for a new stable wrt3200acm load? My old load stayed up for months with no issues, but as indicated above it does not use OpenVPN 2.6. I think I may go back to that with TLS-Crypt and change one thing at a time this time, unless someone can suggest a newer stable load; Russian roulette with beta loads is not my thing.

I will exhaust OpenVPN before starting from scratch with another vpn. Again any insight to my situation is appreciated.

Just a note: I always used easyrsa 3.1.1 for my openvpn key generation, but 3.1.2 has TLS key support without easytls. 3.1.2 won't generate the tls key unless it can see the openVPN.bin on the dd-wrt server to see what version it is. What a waste of time. Used 3.1.1 with easytls and it worked fine to generate the tls key.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13328
Location: Netherlands

Posted: Tue Oct 01, 2024 20:22    Post subject:
FATBADCAT wrote:
Now, in addition to the warning message during boot about management on a TCP port without password being unsecured, I also get the new message that the ta.key is accessible by group or others


Only one user can gain access, and that is you (root).
So unless you use a simple password, nobody can gain access.

The pros use ssh with a key to access the router.

Bottom line: use ssh with a strong password, or even better a key, and ignore those warnings.

A tls-crypt v1 key is a simple static key which can be generated very easily, even on the router itself; all described in the OpenVPN server setup guide.

Latest K4.9 is the one which is a known stable build.
