@drmalex07
Created March 3, 2019 13:34
Block unauthorized requests to OpenVPN using fail2ban. #openvpn #fail2ban

The following is based on https://stefan.angrick.me/block-unauthorized-openvpn-logins-using-fail2ban.

1. Create filter configuration

Add a filter configuration under /etc/fail2ban/filter.d/openvpn.conf. The contents would be something like the following. The regular expressions depend on your syslog line format and on the program name OpenVPN logs under: ovpn-server is the tag Debian's openvpn@server unit passes to --daemon, while other distributions may log simply as openvpn, so adjust as needed:

[INCLUDES]
before = common.conf

[Definition]
failregex = %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
            %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
            %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
            %(__hostname)s ovpn-server.*: TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}

Test the regular expressions against your actual logfile using fail2ban-regex before enabling the jail; with -v it prints which lines matched which pattern and the <HOST> extracted from each, so a pattern that matches nothing (or matches the wrong field) shows up immediately:

fail2ban-regex -v /var/log/syslog /etc/fail2ban/filter.d/openvpn.conf

2. Create jail configuration

Add a jail configuration under /etc/fail2ban/jail.d/openvpn.conf. port and protocol must match what your server actually listens on (11194/udp here; OpenVPN's default is 1194/udp), otherwise the ban rule is installed for the wrong traffic and the attacker keeps getting through. Only maxretry is set explicitly; fail2ban's defaults of findtime = 10m and bantime = 10m apply unless you override them:

[openvpn] 
enabled = true
port = 11194
protocol = udp
filter = openvpn
logpath = /var/log/syslog
maxretry = 5 

3. Restart fail2ban

Restart service:

systemctl restart fail2ban.service

Banned hosts appear as rules in the f2b-openvpn iptables chain, which fail2ban hooks into the input path for the configured port/protocol (-v also lists the number of packets matched by each rule, a quick way to confirm that a banned host is still hammering the port and being dropped). fail2ban-client status openvpn prints the same information from fail2ban's side, including the currently banned IP list:

iptables -L -n -v
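The filter and jail above are easier to reason about when the matching and the maxretry/findtime bookkeeping are visible in one place. The following is an added example, not part of the gist and not fail2ban's own code: it re-implements the four failregex patterns in Python (with a simplified, hand-written syslog prefix standing in for fail2ban's __hostname/__prefix_line macros), runs them over a handful of constructed syslog lines, and applies the jail's ban rule (maxretry failures within findtime seconds). The log lines, the host name vpnhost, the PID and the addresses are invented for the demonstration; timestamps are assumed to fall on one day, since the syslog format carries no year.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's syslog prefix (assumption: classic
# "Mon DD HH:MM:SS host ovpn-server[pid]: " lines, as written by rsyslog).
SYSLOG_PREFIX = r"^\w{3}\s+\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ ovpn-server(?:\[\d+\])?: "
# Stand-in for fail2ban's <HOST> tag, restricted to IPv4 for brevity.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the filter, one compiled pattern each.
FAILREGEX = [
    re.compile(SYSLOG_PREFIX + HOST + r":[0-9]{4,5} TLS Auth Error:.*"),
    re.compile(SYSLOG_PREFIX + HOST + r":[0-9]{4,5} VERIFY ERROR:.*"),
    re.compile(SYSLOG_PREFIX + HOST + r":[0-9]{4,5} TLS Error: TLS handshake failed.*"),
    re.compile(SYSLOG_PREFIX + r"TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]"
               + HOST + r":[0-9]{4,5}"),
]

# Constructed sample log (not captured from a real server): one host fails five
# times in 15 seconds, a second host fails once and then connects, and an
# unrelated sshd line must be ignored by this filter.
SAMPLE_LOG = """\
Mar  3 13:30:01 vpnhost ovpn-server[1234]: 203.0.113.7:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 13:30:05 vpnhost ovpn-server[1234]: 203.0.113.7:51234 VERIFY ERROR: depth=0, error=certificate has expired
Mar  3 13:30:09 vpnhost ovpn-server[1234]: 203.0.113.7:51234 TLS Error: TLS handshake failed
Mar  3 13:30:12 vpnhost ovpn-server[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51234
Mar  3 13:30:15 vpnhost ovpn-server[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51234
Mar  3 13:30:20 vpnhost ovpn-server[1234]: 198.51.100.9:44000 TLS Error: TLS handshake failed
Mar  3 13:30:25 vpnhost ovpn-server[1234]: 198.51.100.9:44000 [client1] Peer Connection Initiated with [AF_INET]198.51.100.9:44000
Mar  3 13:30:30 vpnhost sshd[999]: Failed password for root from 203.0.113.7 port 2222 ssh2
"""


def match_failure(line):
    """Return (seconds since midnight, offending IP) if the line matches any
    failregex, else None. Mirrors what fail2ban-regex reports per line."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            h, mi, s = (int(x) for x in m.group("time").split(":"))
            return h * 3600 + mi * 60 + s, m.group("host")
    return None


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Apply the jail rule: a host is banned once it has accumulated maxretry
    matching failures within a sliding window of findtime seconds.
    maxretry=5 is the jail's setting; findtime=600 is fail2ban's default of 10m."""
    recent = defaultdict(list)   # host -> timestamps of failures still inside the window
    banned = set()
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue
        t, host = hit
        recent[host] = [e for e in recent[host] if t - e <= findtime] + [t]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH" if match_failure(line) else "-----", line)
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Run as-is it flags the first six lines and bans 203.0.113.7 only; 198.51.100.9 has a single failure and stays below maxretry. Shrinking findtime to 10 seconds makes the same five failures fall into separate windows and nothing is banned, which is the trade-off to keep in mind when tuning the jail against slow, spread-out probing.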

tisdall commented Feb 23, 2024

based on recommendations in https://fail2ban.readthedocs.io/en/latest/filters.html#syslog and what's found here...

[INCLUDES]
before = common.conf

[Definition] 
_daemon = ovpn-server
failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
maxlines = 1

It didn't seem to actually ban anyone until we added maxlines = 1


SpareSimian commented Nov 14, 2024

For CentOS, change _daemon to openvpn and logpath to /var/log/messages. Port should be 1194. enabled is false and overridden to true in jail.local. (For most services, RHEL/CentOS disables the service by default and the admin is expected to enable them only once they're properly configured.)
