On 24/10/14 08:54, Michael Deynet wrote:
> Hello,
> last week I had a trip to China and I used OpenVPN. OpenVPN worked
> well but looking into the server logs I'm a little bit confused.
> After the VPN connection was established from the hotel IP
> (116.6.x.yy) another IP tried to connect to the VPN, too (every time I
> used VPN, not only once). Can anyone tell me what exactly happened? Is
> there a security problem with the VPN server?

Looks to me like something is trying to check out the servers that hotel's customers connect to. I can't tell if this is UDP or TCP or even the port, but if you were running openvpn on tcp port 443, this could be an SSL intercept proxy trying to get your HTTPS public key so it can do man-in-the-middle against your "HTTPS" connections.

Obviously that wouldn't work. As long as you've got tls-auth in use, I think you're good to go :-)

SSL intercept I could understand as almost "normal" behaviour these days (i.e. ignorable). However, if your clients use UDP, this would smell like a pretty serious effort to gather information about what that hotel's customers connect to (or you in particular...). The complete non-relationship between the two IPs also means it could be the Great Firewall of China is doing this - it doesn't necessarily have anything to do with the hotel.

Certainly interesting :-)

PS: of course it could also be a coincidence. Our openvpn routers get hit by bots all the time - precisely because we have it running on HTTPS port. So a bit of luck in the timing could end with logs implying a correlation between a client connect and a bot that really doesn't exist.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
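
Added example, not part of the original message: one way to test the coincidence question raised in the PS, by counting how many client connects are followed by a packet from a never-authenticated address and comparing that with the number expected from evenly spread background noise. It assumes OpenVPN's default timestamped log style; the log lines, IP addresses and the names `parse` and `correlate` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log (documentation IP ranges), in the style of OpenVPN's
# default timestamped server log. 198.51.100.7 is the legitimate client.
SAMPLE_LOG = """\
Fri Oct 24 08:54:01 2014 198.51.100.7:40001 TLS: Initial packet from [AF_INET]198.51.100.7:40001, sid=00000000 00000000
Fri Oct 24 08:54:03 2014 198.51.100.7:40001 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
Fri Oct 24 08:54:25 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:51000
Fri Oct 24 12:30:10 2014 198.51.100.7:40002 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:40002
Fri Oct 24 12:30:31 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:51001
Fri Oct 24 15:02:44 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.55:33000
Fri Oct 24 20:10:05 2014 198.51.100.7:40003 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:40003
Fri Oct 24 20:10:29 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:51002
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) .*\[AF_INET\]([\d.]+):\d+")

def parse(log):
    """Return (timestamp, peer_ip, authenticated) for every line naming a peer."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), "Peer Connection Initiated" in line))
    return sorted(events)

def correlate(events, window=60):
    """Compare probes seen shortly after client connects with the chance rate."""
    if not events: return None
    authed_ips = {ip for _, ip, ok in events if ok}
    connects = [ts for ts, _, ok in events if ok]
    # A probe is any packet from an address that never completed authentication.
    probes = [(ts, ip) for ts, ip, _ in events if ip not in authed_ips]
    followed = sum(
        any(0 <= (p - c).total_seconds() <= window for p, _ in probes)
        for c in connects)
    # If probes were unrelated background noise spread evenly over the log,
    # roughly this many connects would have one inside their window.
    span = max((events[-1][0] - events[0][0]).total_seconds(), 1)
    expected = len(connects) * min(1.0, len(probes) * window / span)
    return {"connects": len(connects), "followed": followed,
            "expected_by_chance": round(expected, 3),
            "probe_ips": sorted({ip for _, ip in probes})}

if __name__ == "__main__":
    print(correlate(parse(SAMPLE_LOG)))
```

A `followed` count far above `expected_by_chance` points to probing triggered by the client's own connection; values close to each other fit the background-bot explanation.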