Topic: OpenVPN Brute Force Protection (Read 1121 times)
guest40211 (Guest)
OpenVPN Brute Force Protection « on: September 20, 2023, 02:39:14 pm »
Hi,
I got an OpenVPN Server with authentication to the local database running. Everything works fine, except there seems to be no protection against brute force attacks to the local user database.
I found some brute force protection for the WebGUI + SSH Login, but nothing for OpenVPN. Did I miss a config option? Did anyone solve this by additional config/software (IDS config maybe)?

bartjsmit (Hero Member, Posts: 2017, Karma: 194)
Re: OpenVPN Brute Force Protection « Reply #1 on: September 20, 2023, 03:56:39 pm »
You can add a static key to the OpenVPN config which prevents dictionary attacks.
VPN: OpenVPN: Servers, add a static key under TLS Shared Key
Bart...

guest40211 (Guest)
Re: OpenVPN Brute Force Protection « Reply #2 on: September 20, 2023, 04:08:58 pm »
Thx, yeah sure this will help. But if an attacker somehow gets this key (e.g. a complete client config got leaked), I have the same problem again.
I'm looking for a config option to temporarily/permanently lock a local account, after X failed login attempts within Y minutes. E.g. sth like pam_tally, but pam_tally doesn't seem to be available at OPNsense.
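
The "X failed login attempts within Y minutes" rule asked for above, sketched as an added example (not part of the original post and not OPNsense code): a sliding-window counter over OpenVPN authentication failures. The log lines are constructed and their timestamp/prefix layout is an assumption; the function name `find_offenders` is hypothetical. It counts per source address, because the failure line in these samples carries the peer address and no username, so a per-account lock would need the username from the authentication backend instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The timestamp/prefix layout is an assumption; the
# "TLS Auth Error" text is the message OpenVPN logs on a failed password check.
SAMPLE_LOG = """\
2023-09-20T14:00:01 openvpn[4711]: 203.0.113.7:51234 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-20T14:00:20 openvpn[4711]: 203.0.113.7:51240 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-20T14:01:05 openvpn[4711]: 198.51.100.9:40000 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-20T14:01:30 openvpn[4711]: 203.0.113.7:51301 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-20T14:02:00 openvpn[4711]: 192.0.2.15:50000 Peer Connection Initiated with [AF_INET]192.0.2.15:50000
2023-09-20T14:30:00 openvpn[4711]: 198.51.100.9:40112 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-20T14:55:00 openvpn[4711]: 198.51.100.9:40200 TLS Auth Error: Auth Username/Password verification failed for peer
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"TLS Auth Error: Auth Username/Password verification failed"
)

def find_offenders(log_text, max_failures, window_minutes):
    """Return {source_ip: time the threshold was first reached}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)    # ip -> failure timestamps inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue               # successful logins and unrelated lines
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than Y minutes
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, 3, 5).items():
        print(f"{when.isoformat()} block {ip}: 3 failures within 5 minutes")
```

With X=3 and Y=5 only 203.0.113.7 is flagged; the slower source 198.51.100.9 stays under the threshold until the window is widened, which is the trade-off when choosing Y.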

meschmesch (Full Member, Posts: 184, Karma: 5)
Re: OpenVPN Brute Force Protection « Reply #3 on: September 20, 2023, 04:11:28 pm »
Use 2FA?

guest40211 (Guest)
Re: OpenVPN Brute Force Protection « Reply #4 on: September 20, 2023, 04:18:10 pm »
Yeah ofc adding 2FA will make it even harder, but still doesn't prevent brute force attacks.
2FA is usually 6 digits (+ potentially additional grace period codes when using TOTP). If an attacker has enough time, brute force attacks are still possible.