360
edits
Changes
Template:Networking rutos manual vpn (view source)
Revision as of 11:09, 13 March 2023
, 11:09, 13 March 2023Added OpenVPN brute-force prevention information section.
</tr>
</tr>
</table>
</table>
====OpenVPN Server Brute-force Prevention====
----
OpenVPN Servers with <b>Authentication</b> set to <b>TLS/Password</b> or <b>Password</b>, <b>Protocol</b> set to <b>UDP</b> and running on <b>Port 1194</b> have a feature where after a client attempts to connect to the server 10 times with incorrect credentials (password and/or username) they are then blocked from the server.
To check which addresses are blocked one first needs to connect to their device's [[Command_Line_Interfaces_RutOS|CLI]].
After connecting to your device's CLI use the command <b>ipset list</b> and find the section named <b>ipb_port</b>. There under <b>Members</b> you should see all IP addresses that are blocked.
<pre>
Name: ipb_port
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 164
References: 2
Number of entries: 1
Members:
188.XXX.XXX.XXX,udp:1194
</pre>
Another way to check blocked IP addresses is to use the command <b>ubus call ip_block show</b>. This will show all ip addresses that failed to connect to your device. If the <b>counter</b> atribute of the IP address entry is larger or equal then <b>max_attempt_count</b> then that IP address is blocked.
<pre>
{
"globals": {
"max_attempt_count": 10
},
"ip_blockd 188.XXX.XXX.XXX": {
"ip": "188.XXX.XXX.XXX",
"port": "udp:1194",
"counter": "1"
},
"ip_blockd 188.XXX.XXX.XXX": {
"ip": "188.XXX.XXX.XXX",
"port": "udp:1194",
"counter": "10"
}
}
</pre>
To unblock a blocked client's IP address use the command <b>ubus call ip_block unblock '{"ip":"<blocked_ip_address>","port":"udp:1194"}</b> (replace <blocked_ip_address> inside the quotes with your blocked IP address). If the IP address was unblocked succesfully you should see a similar response:
<pre>
{
"unblocked": {
"ip": "188.XXX.XXX.XXX",
"port": "udp:1194"
}
}
</pre>
==GRE==
==GRE==
