Issue:

On an install of FreePBX 14 with the Responsive Firewall and the OpenVPN server enabled, there is no mitigation against brute-force attacks on the OpenVPN server. /var/log/messages is spammed with failed handshakes:

Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:49060 TLS: Initial packet from [AF_INET]103.37.x.x:49060, sid=6a22eb44 5adb63fe
Feb 3 16:17:19 voipserver234 openvpn: Sun Feb 3 16:17:19 2019 103.37.x.x:25678 TLS: Initial packet from [AF_INET]103.37.x.x:25678, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 TLS Error: TLS handshake failed
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40132 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:23377 TLS: Initial packet from [AF_INET]103.37.x.x:23377, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:28711 TLS: Initial packet from [AF_INET]103.37.x.x:28711, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:40014 TLS: Initial packet from [AF_INET]103.37.x.x:40014, sid=6a22eb44 5adb63fe
Feb 3 16:17:20 voipserver234 openvpn: Sun Feb 3 16:17:20 2019 103.37.x.x:11702 TLS: Initial packet from [AF_INET]103.37.x.x:11702, sid=6a22eb44 5adb63fe
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 TLS Error: TLS handshake failed
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:35570 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 3 16:17:21 voipserver234 openvpn: Sun Feb 3 16:17:21 2019 103.37.x.x:15027 TLS Error: TLS handshake failed

Solution:

1) Edit the OpenVPN server config to redirect logging away from /var/log/messages to keep things tidy.

Look for a log line in /etc/openvpn/sysadmin_server1.conf.

There is none by default, so add one:

vi /etc/openvpn/sysadmin_server1.conf

append:

log /var/log/openvpn.log

(OpenVPN's log directive truncates the file on every restart; use log-append /var/log/openvpn.log instead if you want history kept across restarts. fail2ban copes with either.)

2) Create a filter

vi /etc/fail2ban/filter.d/openvpn.conf

3) Paste the following:

[Definition]

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)

ignoreregex =

4) Create /etc/fail2ban/jail.d/openvpn.local

vi /etc/fail2ban/jail.d/openvpn.local

Paste the following:

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
action = iptables-multiport[name=openvpn, protocol=udp, port=1194]
logpath = /var/log/openvpn.log
maxretry = 2

5) We do not add this to the existing /etc/fail2ban/jail.local because the FreePBX SysAdmin module overwrites /etc/fail2ban/jail.local.

fail2ban parses jail configs in this order:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf, alphabetically
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local, alphabetically

Hence using /etc/fail2ban/jail.d/openvpn.local should work without being overwritten by GUI actions in the SysAdmin module.

6) Restart openvpn server to make the new log destination take effect and restart fail2ban

systemctl restart openvpn@sysadmin_server1; systemctl restart fail2ban

7) Wait for some failed handshakes to occur and you will see the fail2ban log and the FreePBX SysAdmin GUI (Intrusion Detection) correctly detect and block the attacker's IP address.
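To check what the filter and jail above will actually do before restarting anything, here is an added example (not code from the original page, FreePBX or fail2ban) that re-implements the matching plus the maxretry/findtime ban rule in Python and runs it over a constructed log excerpt. Assumptions: the sample addresses are RFC 5737 documentation ranges, the <HOST> expansion is the one fail2ban 0.8 substitutes, lines are processed in time order, and the last sample line is there to show that the unanchored failregex also matches the syslog-prefixed format from the issue, not only the dedicated openvpn.log format.

```python
"""Offline check of the openvpn fail2ban filter and jail (example code, not part of the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from step 3, verbatim.
FAILREGEX = (
    r"<HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|"
    r"Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)"
)
# What fail2ban 0.8 substitutes for <HOST>: an optional IPv4-mapped-IPv6 prefix,
# then the named "host" group that the ban action receives.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# OpenVPN stamps lines ctime-style ("Sun Feb  3 16:17:20 2019"). Searching for that
# stamp anywhere in the line handles both /var/log/openvpn.log and syslog-prefixed lines.
DATE_RE = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
)

# Constructed sample, modelled on the lines in the issue (documentation-range IPs).
SAMPLE_LOG = """\
Sun Feb  3 16:17:19 2019 203.0.113.5:49060 TLS: Initial packet from [AF_INET]203.0.113.5:49060, sid=6a22eb44 5adb63fe
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 TLS Error: TLS handshake failed
Sun Feb  3 16:17:20 2019 203.0.113.5:40132 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Feb  3 16:17:21 2019 203.0.113.5:35570 TLS Error: TLS handshake failed
Sun Feb  3 16:17:30 2019 198.51.100.7:51234 VERIFY ERROR: depth=0, error=certificate has expired: CN=oldphone
Feb  3 16:40:02 voipserver234 openvpn: Sun Feb  3 16:40:02 2019 192.0.2.9:6001 TLS Error: TLS handshake failed
"""


def parse_line(line):
    """Return (timestamp, host) for a line the filter counts as a failure, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    if not d:
        return None
    ts = datetime.strptime(d.group(0), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("host")


def banned_hosts(lines, maxretry=2, findtime=600):
    """Hosts that reach `maxretry` failures within `findtime` seconds, in ban order.

    maxretry=2 is the jail above; findtime=600 is fail2ban's default when unset.
    Lines are assumed to arrive in time order, as they do when tailing a log.
    """
    recent = defaultdict(list)  # host -> timestamps still inside the findtime window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue  # already banned; fail2ban stops counting it
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in banned_hosts(SAMPLE_LOG.splitlines()):
        print("would ban", host)
```

Of the seven sample lines only three match: the "Initial packet" and "key negotiation failed" lines from the same flood are ignored, which is why maxretry is set low. On the server itself, fail2ban-regex /var/log/openvpn.log /etc/fail2ban/filter.d/openvpn.conf performs the same matching test against the live log and is worth running before the restart in step 6.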

Notes:

The fail2ban wiki has an example for /etc/fail2ban/filter.d/openvpn.conf that suggests:

[Definition]

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =

This regex does not work with fail2ban v0.8.x and OpenVPN v2.4.x.

A feature request for FreePBX to do all of this natively exists.

The failregex line in step 3 must be a single line, even if it wraps on screen:

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)