darklord
just joined
Topic Author
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

OpenVPN log spam

Mon Feb 20, 2023 2:53 pm

Hello,
is there any way to block "port scanners" or the like that cause floods in my logs? I have an OpenVPN server on 1194/udp, and a few times a day I am facing logs like this:
Feb 20 13:19:22 mktk-hostname ovpn,info <50.116.31.18>: disconnected <TLS failed>
And by flood I mean ~10k identical lines in one second:
root@syslog:/var/log/mktk# grep 13:19:22 mktk-hostname.log | grep disconnected | wc -l
10100
Is there any way to block those in the firewall by some "failed" rule after a few packets, to prevent legal connection attempts being blocked?
 
pe1chl
Forum Guru
Posts: 10513
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN log spam

Mon Feb 20, 2023 3:27 pm

It is possible to limit such logs by limiting the number of new connections to the server.
Are all those requests from the same external address or subnet?
 
darklord
just joined
Topic Author
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

Re: OpenVPN log spam

Mon Feb 20, 2023 3:28 pm

It is ~10k lines from the same IP in the same second. This will not get caught by "connection ratio", as from the firewall's point of view it's one connection (or UDP stream, to be precise).
 
darklord
just joined
Topic Author
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

Re: OpenVPN log spam

Tue Feb 21, 2023 11:37 am

I have captured this situation now, but it is really suspicious. It looks like a RouterOS OpenVPN implementation BUG, because ONLY ONE packet has been received on udp/1194, 31 packets have been sent back to the "attacker", AND 80k LINES were written into the log:
 # cat mktk-hostname.log | uniq -c
      1 Feb 21 10:09:14 mktk-hostname ovpn,info connection established from 38.132.109.163, port: 35370 to 1.2.3.4
    688 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
      1 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <internal error>
  41628 Feb 21 10:09:44 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
  39137 Feb 21 10:09:45 mktk-hostname ovpn,info <38.132.109.163>: disconnected <TLS failed>
I cannot attach the pcapng capture (the forum refuses it), so it is here: https://easyupload.io/4ziiqs

How can I report a bug? Or is somebody responsible reading these forums?
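
The per-second tally that the posts above produce by hand with grep, wc and uniq -c, written as a reusable check. This is an added example, not part of any post in this thread. It assumes the syslog line layout quoted above; the function names, the peer 203.0.113.7, the host name router and the sample lines are constructed.

```shell
#!/bin/sh
# ovpn_bursts THRESHOLD [FILE...]   (reads stdin when no FILE is given)
# Prints "<count> <timestamp> <peer> <reason>" for every second/peer/reason
# group with at least THRESHOLD "disconnected" lines, largest burst first.
ovpn_bursts() {
    threshold=$1
    shift
    awk -v min="$threshold" '
        # Layout assumed from the lines quoted in the thread:
        #   Mon DD HH:MM:SS host ovpn,info <peer>: disconnected <reason>
        $5 ~ /^ovpn,/ && $7 == "disconnected" {
            peer = $6
            sub(/^</, "", peer); sub(/>:$/, "", peer)
            reason = $0
            sub(/^.*disconnected </, "", reason); sub(/>[ \t]*$/, "", reason)
            n[$1 " " $2 " " $3, peer, reason]++
        }
        END {
            for (k in n)
                if (n[k] >= min) {
                    split(k, f, SUBSEP)
                    printf "%d %s %s %s\n", n[k], f[1], f[2], f[3]
                }
        }
    ' "$@" | sort -k1,1nr -k2
}

# Print LINE N times (helper for the constructed sample below).
repeat() {
    count=$1
    while [ "$count" -gt 0 ]; do
        printf '%s\n' "$2"
        count=$((count - 1))
    done
}

# Constructed sample: one burst split by an interleaved <internal error> line.
sample_log() {
    d='router ovpn,info <203.0.113.7>: disconnected'
    echo 'Feb 21 10:09:14 router ovpn,info connection established from 203.0.113.7, port: 35370 to 192.0.2.1'
    repeat 5 "Feb 21 10:09:44 $d <TLS failed>"
    repeat 1 "Feb 21 10:09:44 $d <internal error>"
    repeat 7 "Feb 21 10:09:44 $d <TLS failed>"
    repeat 3 "Feb 21 10:09:45 $d <TLS failed>"
}

sample_log | ovpn_bursts 10   # -> 12 Feb 21 10:09:44 203.0.113.7 TLS failed
```

uniq -c on the same input reports the 10:09:44 burst as two runs (5 and 7) because of the interleaved line; the tally above reports it once as 12.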
 
pe1chl
Forum Guru
Posts: 10513
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN log spam

Tue Feb 21, 2023 11:44 am

You can report a bug here: https://help.mikrotik.com/servicedesk/
 
darklord
just joined
Topic Author
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

Re: OpenVPN log spam

Tue Feb 21, 2023 11:46 am

I will try to make a capture directly on the line, without TZSP streaming, to be completely sure I have not missed anything, and if this is confirmed, I will contact support.
 
pe1chl
Forum Guru
Posts: 10513
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN log spam

Tue Feb 21, 2023 12:01 pm

Support will normally ask for a supout.rif file (which you can generate from the menu)...
 
darklord
just joined
Topic Author
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

Re: OpenVPN log spam

Wed Feb 22, 2023 12:21 pm

I have opened a support ticket for this; we will see if this is a bug or a configuration issue.
