OpenVPN Brute Force Protection

[guest40211]

Hi,

I got an OpenVPN Server with authentication to the local database running. Everything works fine, except there seems to be no protection against brute force attacks to the local user database.

I found some brute force protection for the WebGUI + SSH Login, but nothing for OpenVPN. Did I miss a config option? Did anyone solve this by additional config/software (IDS config maybe)?

[bartjsmit]

You can add a static key to the OpenVPN config which prevents dictionary attacks.

VPN: OpenVPN: Servers, add a static key under TLS Shared Key

Bart...

[guest40211]

Thx, yeah sure this will help. But if an attacker somehow gets this key (e.g. a complete client config got leaked), I have the same problem again.

I'm looking for a config option to temporarily/permanently lock a local account, after X failed login attempts within Y minutes. E.g. sth like pam_tally, but pam_tally doesn't seem to be available at OPNsense.

[meschmesch]

Use 2FA?

[guest40211]

Yeah ofc adding 2FA will make it even harder, but still doesn't prevent brute force attacks.

2FA is usually 6 digits (+ potentially additional grace period codes when using TOTP). If an attacker has enough time, brute force attacks are still possible.