atomicamp DD-WRT User
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Mon Jan 16, 2023 7:06 Post subject: fail2ban for OpenVPN server, or anything similar?
I'm running an OpenVPN server on my DD-WRT router, and I am a bit frazzled about having port 1194 constantly wide open to the public. I was wondering if there is any OpenVPN server-side solution such as fail2ban to ban/block (by IP address) any VPN clients who attempt to access my OpenVPN server (or port 1194 in general) more than "X" number of times. Any help or advice is appreciated!
_________________ DanRanRocks - Tech Tutorials by Dan Ran
https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase
Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)"
Alozaros DD-WRT Guru
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Mon Jan 16, 2023 8:30 Post subject:
You didn't mention your router model and the current build running...
and this is important... if we have to believe you are using the router and firmware from your signature..then this is your first step to do....update to a more recent build, as build 41xxx is very old and has lots of security updates missing..so as far as security goes, this should be your primary concern...
Then you can harden this port with a few iptables lines, but in general an OpenVPN server should be secure enough even without..if it's configured as it should be, it has all that is needed, https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398...
You can also run/use fail2ban via an Entware installation (no idea how to via DD-WRT), as well it seems the Entware package for it is updated to the 0.11xx:
fail2ban 0.11.2-3 net - Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts.
https://github.com/fail2ban/fail2ban
For other IPS solutions you can use snort or suricata via Entware at router level, but this is too (CPU) overwhelming for a consumer router..so you'd need an x86/x64 DD-WRT PC installation...and some decent guides on how to use it...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc DD-WRT Guru
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Mon Jan 16, 2023 10:46 Post subject:
In addition to what @Alozaros mentions, use a non-default port, e.g. 33349.
Furthermore you can use tls-crypt to stop logins earlier in the process.
But if you are using keys to log in you should be secure enough.
OpenVPN documentation is a sticky in this forum.
You can use ipset to collect IP addresses of failed attempts and ban them "permanently":
Reference: https://upcloud.com/resources/tutorials/iptables-firewall-recent-triggering-ipset
_________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
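The thread asks for a fail2ban-style ban on repeated failed OpenVPN connections, Alozaros points at a few iptables lines, and egc at collecting failed sources in an ipset. The script below is an added example for this thread, not code from DD-WRT, OpenVPN, fail2ban or any of the posters. It scans an OpenVPN server log for failed handshakes (TLS errors, HMAC failures from tls-crypt/tls-auth, rejected certificates), counts them per source address and, past a threshold, drops the source into an ipset that iptables checks before the packet ever reaches OpenVPN; a `recent`-module pair also rate-limits new UDP flows per source. Everything beyond the OpenVPN log format is an assumption made for the example: the ipset name `ovpn_ban`, the thresholds (5 failures, 10 new flows per 60 s, 1 hour ban), that the router's build has ipset and the `xt_recent` match, that the log is available as a file (on DD-WRT, e.g. `logread > /tmp/ovpn.log` when OpenVPN logs to syslog), and the sample log lines, which are constructed, not real traffic. By default (`DRY_RUN=1`) it only prints the ipset/iptables commands it would run.

```shell
#!/bin/sh
# Minimal "fail2ban" for an OpenVPN server on a BusyBox router.
# Added example for this thread; not code from DD-WRT, OpenVPN or fail2ban.
# Assumptions (not from the thread): ipset and the iptables "recent" match are
# available, the ipset name, port and thresholds below are made up for the
# example, and the log is read from a file.

OVPN_PORT="${OVPN_PORT:-1194}"  # the thread's port; egc suggests a non-default one
THRESHOLD="${THRESHOLD:-5}"     # failed handshakes from one IP before it is banned
BANTIME="${BANTIME:-3600}"      # seconds an entry stays in the ipset
BANSET="${BANSET:-ovpn_ban}"    # ipset name (assumed)
DRY_RUN="${DRY_RUN:-1}"         # 1 = print ipset/iptables commands, 0 = execute them

# Constructed sample lines in OpenVPN's server log format (not real traffic):
# 203.0.113.7 fails five times in different ways, 198.51.100.4 once,
# 192.0.2.10 is a legitimate client that completes the handshake.
SAMPLE_LOG='Mon Jan 16 07:06:01 2023 203.0.113.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan 16 07:06:01 2023 203.0.113.7:51234 TLS Error: TLS handshake failed
Mon Jan 16 07:06:03 2023 TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.7:51235
Mon Jan 16 07:06:05 2023 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51236
Mon Jan 16 07:06:07 2023 203.0.113.7:51237 VERIFY ERROR: depth=0, error=certificate signature failure: C=US, CN=attacker
Mon Jan 16 07:06:09 2023 198.51.100.4:40000 TLS Error: TLS handshake failed
Mon Jan 16 07:06:11 2023 192.0.2.10:33000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:33000'

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# failed_sources LOGFILE THRESHOLD
# Prints "IP count" for every source with at least THRESHOLD failed handshakes.
# "TLS Error" covers failed/timed-out handshakes and packets that failed the
# tls-crypt/tls-auth HMAC check; "VERIFY ERROR" covers rejected certificates.
failed_sources() {
  awk -v t="$2" '
    /TLS Error|VERIFY ERROR/ {
      # the first dotted quad on the line is the peer address, whether it is
      # the "ip:port" prefix or the "[AF_INET]ip:port" suffix
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        ip = substr($0, RSTART, RLENGTH)
        n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' "$1" | sort
}

# setup_rules: these must sit in front of the router's own ACCEPT for the
# OpenVPN port, so each is inserted (-I) at the top of INPUT, in reverse.
# Final order: ipset ban -> recent --set -> recent --update/DROP.
setup_rules() {
  run ipset create "$BANSET" hash:ip timeout "$BANTIME" -exist
  # rate limit: more than 10 new UDP flows from one source within 60 s are dropped
  run iptables -I INPUT -p udp --dport "$OVPN_PORT" -m state --state NEW \
      -m recent --update --seconds 60 --hitcount 10 --name OVPN -j DROP
  run iptables -I INPUT -p udp --dport "$OVPN_PORT" -m state --state NEW \
      -m recent --set --name OVPN
  # hard ban: anything in the ipset is dropped before OpenVPN ever sees it
  run iptables -I INPUT -p udp --dport "$OVPN_PORT" \
      -m set --match-set "$BANSET" src -j DROP
}

# ban_from_log LOGFILE: add every source at/over THRESHOLD to the ipset.
ban_from_log() {
  failed_sources "$1" "$THRESHOLD" | while read -r ip _count; do
    run ipset add "$BANSET" "$ip" timeout "$BANTIME" -exist
  done
}

# Demonstration on the constructed log; on a router this would run from cron
# against the live log with DRY_RUN=0.
main() {
  tmp="${TMPDIR:-/tmp}/ovpn_guard.$$"
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  echo "# offenders at threshold $THRESHOLD:"
  failed_sources "$tmp" "$THRESHOLD"
  echo "# commands (DRY_RUN=$DRY_RUN):"
  setup_rules
  ban_from_log "$tmp"
  rm -f "$tmp"
}

main
```

Two practical points. First, the "TLS key negotiation failed to occur within 60 seconds" line is also what a legitimate client on a broken path produces, so keep the threshold above one or two and let the ipset timeout expire the ban rather than making it permanent. Second, this is where egc's tls-crypt advice pays off: with `tls-crypt` in the server config every packet that lacks the shared key fails at the HMAC step and is logged as "tls-crypt unwrapping failed", before any TLS or certificate processing, which is both cheaper for the router and exactly the line the scan above catches. On DD-WRT the `setup_rules` commands would go in the firewall script so they survive a reboot and the scan in a cron entry (where the log lives and how it is persisted is an assumption of this example); the rules only cover UDP, so change `-p udp` if the server listens on TCP.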