----------------------------------------
> Date: Tue, 24 Sep 2013 23:45:13 +0200
> From: openvpn.l...@topphemmelig.net
> To: bird_...@hotmail.com
> CC: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Possible to drop port scan packets?
>
>
> ----- Original Message -----
>> From: "jack seth" <bird_...@hotmail.com>
>> To: openvpn-users@lists.sourceforge.net
>> Sent: Tuesday, 24 September, 2013 5:16:27 PM
>> Subject: [Openvpn-users] Possible to drop port scan packets?
>>
>> Is it possible to have an OpenVPN server drop port scanning packets instead of
>> sending a reply? For example, when running 'shields up' on grc.com the port
>> that I have openvpn running on is reported as 'closed' instead of 'stealth'.
>> Is there a way to get openvpn to just not respond?
>
> No and yes. It's really the firewall in co-operation with an IDS which can
> truly do that job best, generally.
>
> Having that said, if you run OpenVPN in UDP mode and use --tls-auth, OpenVPN
> will not respond to packets which have a mismatching HMAC "signature" on the
> UDP packets. The result is that the OpenVPN port seems to be blocked, unless
> your OpenVPN clients use the proper pre-exchanged static tls-auth key.
>
> This works only with UDP as it is stateless and doesn't have the connection
> handshake TCP needs. So if you use TCP, the port will be listed as open, but
> OpenVPN would disconnect instantly if the tls-auth HMAC "signature" is wrong.
>
> To implement --tls-auth, you need to use --genkey and --secret to generate
> a static key. This key file comes in addition to the other key/certificate
> files you already use. Then distribute this key to all your clients
> together with an updated client config. The config changes are needed both
> on all the clients and your server. Use f.ex. --tls-auth static.key 1 on
> the server and --tls-auth static.key 0 on the clients, or vice versa.
>
> It is also possible to inline this static key file inside the configuration
> file. To do that, you need to add these lines to the configs:
>
> tls-auth [inline] 0
> <tls-auth>
> -----BEGIN OpenVPN Static key V1-----
> ...
> ... complete contents of your static key
> ...
> -----END OpenVPN Static key V1-----
> </tls-auth>
>
> Remember to replace the '0' with a '1', so that server and clients have
> different values. Only 0 and 1 are valid values and the server needs one
> of the values, all of your clients need the other value. Which one you
> use where is up to you.
>
>
> --
> kind regards,
>
> David Sommerseth
Thanks for the response. Yes, I have that implemented. I am running both a TCP and UDP server. Of course it is the TCP that is replying. Actually the port is listed as 'closed' but I want it to appear as 'stealth' (i.e. no response). In a TCP setup, does the very first packet have the HMAC signature? If so, I guess I am wondering if there was some setting where if Openvpn received the first packet and it didn't have an HMAC signature (or the correct one) it just wouldn't respond and drop the packet?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
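A simplified model of the --tls-auth behaviour David describes in the quoted reply, added here as an illustration and not taken from OpenVPN or from this thread. It parses a "Static key V1" file (a constructed sample is embedded), selects HMAC keys by key-direction, and shows a server that answers only packets carrying a valid HMAC while silently dropping everything else. The packet framing (a 20-byte HMAC-SHA1 tag prepended to the payload), the 256-byte key layout (cipher-A, hmac-A, cipher-B, hmac-B in 64-byte slots) and the direction-to-key mapping are assumptions of this example, not a description of OpenVPN's wire format.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1

# Constructed sample key file: the "Static key V1" text format carries 2048
# bits as 16 lines of 32 hex characters. This content is deterministic filler
# for the example, not a key anyone should use.
SAMPLE_KEY_FILE = "\n".join(
    ["#", "# 2048 bit OpenVPN static key (constructed sample)", "#", BEGIN]
    + [f"{i:02x}" * 16 for i in range(16)]
    + [END, ""]
)


def parse_static_key(text: str) -> bytes:
    """Extract the 256 raw key bytes from a static key file or <tls-auth> block."""
    hex_lines: List[str] = []
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside and line and not line.startswith("#"):
            hex_lines.append(line)
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 256:
        raise ValueError(f"expected 256 key bytes, got {len(raw)}")
    return raw


def hmac_keys(raw: bytes, direction: int) -> Tuple[bytes, bytes]:
    """Return (send_key, recv_key) for an endpoint's key-direction.

    Assumed layout (example only): the 256 bytes hold cipher-A, hmac-A,
    cipher-B, hmac-B in four 64-byte slots. Direction 0 signs with hmac-A and
    verifies with hmac-B; direction 1 is the mirror image, which is why the
    server and its clients must use opposite values.
    """
    if direction not in (0, 1):
        raise ValueError("key-direction must be 0 or 1")
    hmac_a, hmac_b = raw[64:128], raw[192:256]
    return (hmac_a, hmac_b) if direction == 0 else (hmac_b, hmac_a)


class Endpoint:
    """One side of the link, holding its direction-selected HMAC keys."""

    def __init__(self, raw_key: bytes, direction: int) -> None:
        self.send_key, self.recv_key = hmac_keys(raw_key, direction)

    def seal(self, payload: bytes) -> bytes:
        # Simplified framing: HMAC-SHA1 tag followed by the payload.
        tag = hmac.new(self.send_key, payload, hashlib.sha1).digest()
        return tag + payload

    def open(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the tag verifies, else None (packet dropped)."""
        if len(packet) < DIGEST_LEN:
            return None
        tag, payload = packet[:DIGEST_LEN], packet[DIGEST_LEN:]
        expected = hmac.new(self.recv_key, payload, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # no reply at all, so a scanner sees nothing
        return payload


def answer_probe(server: Endpoint, packet: bytes) -> Optional[bytes]:
    """Model the UDP server: reply only to a packet whose HMAC verifies."""
    payload = server.open(packet)
    if payload is None:
        return None
    return server.seal(b"hello-from-server:" + payload)


if __name__ == "__main__":
    raw = parse_static_key(SAMPLE_KEY_FILE)
    server = Endpoint(raw, 0)      # --tls-auth static.key 0
    client = Endpoint(raw, 1)      # --tls-auth static.key 1
    scanner_packet = b"\x00" * 40  # constructed probe carrying no valid tag
    print("client gets reply :", answer_probe(server, client.seal(b"hello")) is not None)
    print("scanner gets reply:", answer_probe(server, scanner_packet) is not None)
```

The same model also shows why a client configured with the server's direction value is dropped: both sides then sign with the same key half, so the server's receive key never matches. It does not help the TCP case in the question, because the kernel completes the TCP handshake before OpenVPN reads a single byte, so by the time the HMAC check fails the scanner has already seen the port respond; hiding a TCP listener is a job for the packet filter, as the quoted reply says.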