@drmalex07
Created March 3, 2019 13:34
Block unauthorized requests to OpenVPN using fail2ban. #openvpn #fail2ban

The following is based on https://stefan.angrick.me/block-unauthorized-openvpn-logins-using-fail2ban.

1. Create filter configuration

Add a filter configuration under /etc/fail2ban/filter.d/openvpn.conf. The contents would be something like the following (the regular expressions may need adjustment for your log format):

[INCLUDES]
before = common.conf

[Definition] 
failregex =%(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__hostname)s ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__hostname)s ovpn-server.*: TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}

Test regular expressions against your logfiles using fail2ban-regex:

fail2ban-regex -v /var/log/syslog /etc/fail2ban/filter.d/openvpn.conf

2. Create jail configuration

Add a jail configuration under /etc/fail2ban/jail.d/openvpn.conf:

[openvpn] 
enabled = true
port = 11194
protocol = udp
filter = openvpn
logpath = /var/log/syslog
maxretry = 5 

3. Restart fail2ban

Restart service:

systemctl restart fail2ban.service

Watch iptables for banned hosts in the f2b-openvpn chain (-v also lists the number of packets matched by each rule):

iptables -L -n -v
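As an added example (not part of the gist or of fail2ban itself), the script below applies the four failregex patterns above to a constructed syslog sample and emulates the jail's maxretry counting over fail2ban's findtime window (600 s by default), so you can see which peer would end up in the f2b-openvpn chain before touching a live server. The PREFIX pattern is an assumed, simplified stand-in for fail2ban's __prefix_line macro with _daemon = ovpn-server; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed stand-in for fail2ban's %(__prefix_line)s with _daemon = ovpn-server
# (syslog timestamp, hostname, daemon name, optional PID); the real macro is broader.
PREFIX = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ovpn-server(?:\[\d+\])?: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # what fail2ban substitutes for <HOST>

# The four failregex lines from the filter, expanded into plain Python regexes.
FAILREGEX = [re.compile(p) for p in (
    PREFIX + HOST + r":[0-9]{4,5} TLS Auth Error:.*",
    PREFIX + HOST + r":[0-9]{4,5} VERIFY ERROR:.*",
    PREFIX + HOST + r":[0-9]{4,5} TLS Error: TLS handshake failed.*",
    PREFIX + r"TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]" + HOST + r":[0-9]{4,5}",
)]

# Constructed syslog sample: five failures from one peer, then one failure and one
# successful connection from another (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Feb 23 10:00:01 vpn ovpn-server[812]: 203.0.113.7:51234 TLS Error: TLS handshake failed",
    "Feb 23 10:00:02 vpn ovpn-server[812]: 203.0.113.7:51235 VERIFY ERROR: depth=0, error=certificate has expired",
    "Feb 23 10:00:03 vpn ovpn-server[812]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:51236",
    "Feb 23 10:00:04 vpn ovpn-server[812]: 203.0.113.7:51237 TLS Auth Error: Auth Username/Password verification failed for peer",
    "Feb 23 10:00:05 vpn ovpn-server[812]: 203.0.113.7:51238 TLS Error: TLS handshake failed",
    "Feb 23 10:00:06 vpn ovpn-server[812]: 198.51.100.9:44000 TLS Error: TLS handshake failed",
    "Feb 23 10:00:09 vpn ovpn-server[812]: 198.51.100.9:44001 Peer Connection Initiated with [AF_INET]198.51.100.9:44001",
]
def match_failure(line):
    """Return the peer address if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Emulate the jail: a host is banned once it reaches maxretry matches within findtime seconds."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        host = match_failure(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog lines carry no year
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

A peer whose failures are spread further apart than findtime never accumulates maxretry hits and is left alone, which is exactly the behaviour to check with fail2ban-regex before enabling the jail.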
tisdall commented Feb 23, 2024

Based on recommendations in https://fail2ban.readthedocs.io/en/latest/filters.html#syslog and what's found here...

[INCLUDES]
before = common.conf

[Definition] 
_daemon = ovpn-server
failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
maxlines = 1

It didn't seem to actually ban anyone until we added maxlines = 1.
