OpenVPN Brute Force Protection

Started by guest40211, September 20, 2023, 02:39:14 PM

Hi,

I have an OpenVPN server with authentication against the local database running. Everything works fine, except there seems to be no protection against brute force attacks on the local user database.

I found some brute force protection for the WebGUI + SSH Login, but nothing for OpenVPN. Did I miss a config option? Did anyone solve this by additional config/software (IDS config maybe)?

You can add a static key to the OpenVPN config which prevents dictionary attacks.

VPN: OpenVPN: Servers, add a static key under TLS Shared Key

Bart...

Thx, yeah sure this will help. But if an attacker somehow gets this key (e.g. a complete client config got leaked), I have the same problem again.

I'm looking for a config option to temporarily/permanently lock a local account after X failed login attempts within Y minutes, e.g. something like pam_tally, but pam_tally doesn't seem to be available on OPNsense.
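Added example (not from the thread or from OPNsense): the "X failures within Y minutes" lockout described in the post, implemented as a sliding-window tracker fed from OpenVPN auth-failure log lines. The log line format, the regex, and the threshold values are assumptions; the sample log is constructed. OpenVPN's real failure messages differ between versions, so the regex has to be adapted to the lines your server actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lockout policy (assumed values, adjust to your environment).
MAX_FAILURES = 5                    # X failed attempts ...
WINDOW = timedelta(minutes=10)      # ... within Y minutes ...
LOCK_DURATION = timedelta(minutes=30)  # ... locks the account for this long

# Assumed log line format (constructed, NOT OpenVPN's exact wording):
#   2023-09-20 14:00:01 openvpn[1234]: 203.0.113.7:51000 AUTH_FAILED user=alice
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) openvpn\[\d+\]: "
    r"(?P<peer>[\d.]+):\d+ AUTH_FAILED user=(?P<user>\S+)$"
)


class LockoutTracker:
    """Sliding-window failure counter with a temporary lock per username."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lock_duration=LOCK_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, when):
        until = self.locked_until.get(user)
        return until is not None and when < until

    def record_failure(self, user, when):
        """Record one failed attempt; return True if this attempt triggers a lock."""
        recent = self.failures[user]
        recent.append(when)
        # Forget failures that fell out of the window.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures and not self.is_locked(user, when):
            self.locked_until[user] = when + self.lock_duration
            recent.clear()  # start counting afresh once the lock expires
            return True
        return False


def process_log(lines, tracker=None):
    """Feed log lines through the tracker; return (tracker, list of lock events)."""
    tracker = tracker or LockoutTracker()
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an auth failure, ignore
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if tracker.record_failure(m.group("user"), when):
            events.append((m.group("user"), m.group("peer"), when))
    return tracker, events


# Constructed sample log: alice fails five times in 17 seconds, bob twice far apart.
SAMPLE_LOG = [
    "2023-09-20 14:00:01 openvpn[1234]: 203.0.113.7:51000 AUTH_FAILED user=alice",
    "2023-09-20 14:00:05 openvpn[1234]: 203.0.113.7:51001 AUTH_FAILED user=alice",
    "2023-09-20 14:00:09 openvpn[1234]: 203.0.113.7:51002 AUTH_FAILED user=alice",
    "2023-09-20 14:00:13 openvpn[1234]: 203.0.113.7:51003 AUTH_FAILED user=bob",
    "2023-09-20 14:00:14 openvpn[1234]: 203.0.113.7:51004 AUTH_FAILED user=alice",
    "2023-09-20 14:00:18 openvpn[1234]: 203.0.113.7:51005 AUTH_FAILED user=alice",
    "2023-09-20 14:05:00 openvpn[1234]: 198.51.100.9:40000 Peer Connection Initiated",
    "2023-09-20 14:20:00 openvpn[1234]: 198.51.100.9:40001 AUTH_FAILED user=bob",
    "2023-09-20 14:31:00 openvpn[1234]: 203.0.113.7:51006 AUTH_FAILED user=alice",
]

if __name__ == "__main__":
    tracker, events = process_log(SAMPLE_LOG)
    for user, peer, when in events:
        print(f"LOCK {user} (last attempt from {peer}) at {when}, until {tracker.locked_until[user]}")
```

Running it locks alice at 14:00:18 (fifth failure inside the window) until 14:30:18; bob's two failures are 20 minutes apart, so the first one has expired by the time the second arrives and he is never locked. On a real system the lock event is where you would disable the account or add the peer address to a firewall alias, and the tracker state would need to survive restarts.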


Yeah ofc adding 2FA will make it even harder, but still doesn't prevent brute force attacks.

2FA is usually 6 digits (+ potentially additional grace period codes when using TOTP). If an attacker has enough time, brute force attacks are still possible.