The following is based on https://stefan.angrick.me/block-unauthorized-openvpn-logins-using-fail2ban.
Add a filter configuration under /etc/fail2ban/filter.d/openvpn.conf. The contents would be something like this (the regular expressions may need adjustments for your log format):

[INCLUDES]
before = common.conf

[Definition]
# Continuation lines of a multi-line value must be indented, or fail2ban
# will fail to parse the filter.
failregex = %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
            %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
            %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
            %(__hostname)s ovpn-server.*: TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}

Test the regular expressions against your log file using fail2ban-regex:

fail2ban-regex -v /var/log/syslog /etc/fail2ban/filter.d/openvpn.conf

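When fail2ban-regex is not at hand (or to keep a regression check next to the filter), the same four failregex lines can be exercised offline. The following is an added example, not part of the original post; it assumes common.conf expands %(__hostname)s to \S+ and approximates fail2ban's <HOST> expansion with a named group, and it runs the patterns over constructed syslog lines using documentation addresses.

```python
import re
from collections import Counter

# Assumed expansions: fail2ban's common.conf sets __hostname to \S+, and the
# <HOST> tag becomes a named group (approximation of fail2ban's own pattern).
HOSTNAME = r"\S+"
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the filter above, verbatim.
FAILREGEX = [
    r"%(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*",
    r"%(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*",
    r"%(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*",
    r"%(__hostname)s ovpn-server.*: TLS Error: cannot locate HMAC in incoming packet"
    r" from \[AF_INET\]<HOST>:[0-9]{4,5}",
]

def compile_filter(patterns):
    """Substitute the fail2ban variables, then compile each failregex."""
    return [re.compile(p.replace("%(__hostname)s", HOSTNAME).replace("<HOST>", HOST_TAG))
            for p in patterns]

def failed_hosts(lines, regexes):
    """Map each offending host to its number of matching failure lines."""
    hits = Counter()
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, as fail2ban counts it
    return dict(hits)

def would_ban(hits, maxretry=5):
    """Hosts that reached the jail's maxretry (5 in the jail below)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed syslog lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    "Jan 10 12:00:01 vpnhost ovpn-server[1234]: 203.0.113.5:51234 TLS Auth Error: TLS object -> incoming plaintext read error",
    "Jan 10 12:00:02 vpnhost ovpn-server[1234]: 203.0.113.5:51235 VERIFY ERROR: depth=0, error=certificate has expired",
    "Jan 10 12:00:03 vpnhost ovpn-server[1234]: 203.0.113.5:51236 TLS Error: TLS handshake failed",
    "Jan 10 12:00:04 vpnhost ovpn-server[1234]: 203.0.113.5:51237 TLS Auth Error: TLS object -> incoming plaintext read error",
    "Jan 10 12:00:05 vpnhost ovpn-server[1234]: 203.0.113.5:51238 VERIFY ERROR: depth=0, error=certificate has expired",
    "Jan 10 12:00:06 vpnhost ovpn-server[1234]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40000",
    "Jan 10 12:00:07 vpnhost ovpn-server[1234]: 192.0.2.9:50000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.9:50000",
]
```

Calling would_ban(failed_hosts(SAMPLE_LOG, compile_filter(FAILREGEX))) reports only the host with five failures; the successful "Peer Connection Initiated" line is correctly ignored.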
Add a jail configuration under /etc/fail2ban/jail.d/openvpn.conf:

[openvpn]
enabled = true
port = 11194
protocol = udp
filter = openvpn
logpath = /var/log/syslog
maxretry = 5

Restart the service:

systemctl restart fail2ban.service

Watch your iptables for jailed hosts under the f2b-openvpn chain (-v also lists the number of packets that hit each rule):

iptables -L -n -v

For CentOS, change _daemon (the daemon name the regexes match; it is the literal ovpn-server above) to openvpn and logpath to /var/log/messages. The port should be 1194. enabled stays false and is overridden to true in jail.local. (For most services, RHEL/CentOS disables the jail by default and the admin is expected to enable it only once it is properly configured.)