Are these attempts to access my router-based VPN?

OldBobcat

Getting the hang of it
Joined
Apr 16, 2015
Messages
34
Reaction score
65
Location
Iowa
Yesterday I saw a bunch of activity from Australia-based IP addresses in my router system log. Today I’m seeing addresses from the Russian Federation. They seem to be failed attempts to access OpenVPN.

Is my assumption correct, and, if so, is this something to be concerned about? Are there any steps I should take to further secure my router?

 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,007
Location
USA
Yes, they are attempts. That sort of thing happens all the time and is not really anything to be concerned about. You can usually reduce the frequency of these unsolicited connections by changing the service to listen on some non-standard, high-numbered port (10000 - 65535). That makes it a lot harder for potential attackers to even guess what service they are talking to, to know how to attack it.
 

OldBobcat

Thank you! Appreciate you taking the time to answer & the additional advice.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
I see the same attempts in my router log.
Changing my VPN port to 443 dropped the #'s down to almost none.
I had found that several local WiFi spots were blocking 1194, and thus I couldn't connect back home.
 

mark_whocares

Getting comfortable
Joined
Apr 20, 2017
Messages
124
Reaction score
45
Bots will be bots.
Scanners will scan.


fail2ban could also monitor logs and then update firewalls to block IPs for a given duration, but this is only really effective at combating bad actors that use a single IP for a while. Reading that log snippet, it seems like that is a single attempt over a range (snowshoeing), so it might have limited value.

Geoblocking some countries you know you won't be dealing with can help in some cases.

I've done setups that required port knocking, but it's probably not worth the effort.

You could buy a VPN service that runs over, say, 443, then whitelist only that VPN to your VPN, but... how far do you want to take things?
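
The per-IP banning limitation described in the post above, as an added example that is not part of the original thread: a Python sketch that compares a per-IP failure threshold (modelled on fail2ban's `maxretry`, ignoring its time window) with a per-/24 count. The log lines are constructed, and their syslog layout and the `analyse` helper are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines using documentation address ranges.
# The syslog layout is an assumption; adjust the regex to your router's format.
SAMPLE_LOG = """\
Jan  5 03:11:02 openvpn[812]: 198.51.100.14:40112 TLS Error: TLS handshake failed
Jan  5 03:11:09 openvpn[812]: 198.51.100.27:51877 TLS Error: TLS handshake failed
Jan  5 03:11:15 openvpn[812]: 198.51.100.63:33010 TLS Error: TLS handshake failed
Jan  5 03:11:21 openvpn[812]: 198.51.100.98:47245 TLS Error: TLS handshake failed
Jan  5 03:11:30 openvpn[812]: 198.51.100.201:60233 TLS Error: TLS handshake failed
Jan  5 04:02:11 openvpn[812]: 203.0.113.77:41001 TLS Error: TLS handshake failed
Jan  5 04:02:41 openvpn[812]: 203.0.113.77:41002 TLS Error: TLS handshake failed
Jan  5 04:03:11 openvpn[812]: 203.0.113.77:41003 TLS Error: TLS handshake failed
Jan  5 05:40:00 openvpn[812]: 192.0.2.9:50000 TLS Error: TLS handshake failed
Jan  5 06:00:00 openvpn[812]: Initialization Sequence Completed
"""

FAILED = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error: TLS handshake failed")


def analyse(log_text, max_retry=3, prefix=24):
    """Return (ips_over_threshold, networks_missed_by_per_ip_banning)."""
    per_ip = Counter(FAILED.findall(log_text))  # failures per source address
    per_net = Counter()                         # failures per /prefix network
    for ip, n in per_ip.items():
        per_net[ip_network(f"{ip}/{prefix}", strict=False)] += n

    # What a per-IP rule would ban: one address failing max_retry times.
    banned = {ip for ip, n in per_ip.items() if n >= max_retry}

    # Networks that are collectively noisy but contain no banned address:
    # each host stays under the threshold, so per-IP banning never fires.
    missed = [str(net) for net, n in per_net.items()
              if n >= max_retry
              and not any(ip_address(ip) in net for ip in banned)]
    return sorted(banned), sorted(missed)


if __name__ == "__main__":
    banned, missed = analyse(SAMPLE_LOG)
    print("per-IP bans:", banned)
    print("noisy networks with no per-IP ban:", missed)
```
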
 