# Mitigating an OpenVPN Brute Force Attack with Fail2Ban on EdgeRouter

Tonight, I noticed numerous attempts from a variety of sources to log in to my OpenVPN server that I run on my EdgeRouter (ER-X-SFP) at home. Unfortunately EdgeRouter doesn't support any sort of blacklisting for OpenVPN natively, but it does allow the installation of Debian packages.

After playing a bit with Fail2Ban configuration, I've configured my router to block these repeated attempts automatically.

# Step 1: Install Fail2Ban

Configure Debian repositories on EdgeRouter:

```plaintext
set system package repository jessie components 'main contrib non-free'
set system package repository jessie distribution jessie
set system package repository jessie url 'http://archive.debian.org/debian'
```

Update the package information and install Fail2Ban:

```plaintext
sudo apt-get update
sudo apt-get install fail2ban
```

*Note: Do not ever use "apt-get upgrade" on an EdgeRouter.*

# Step 2: Configure Fail2Ban

Add the following files using `sudo vi`:

## `/etc/fail2ban/filter.d/openvpn.local`

```plaintext
# Fail2Ban filter for selected OpenVPN rejections
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^%(__prefix_line)sTLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^%(__prefix_line)s<HOST>:\d+ Connection reset, restarting
            ^%(__prefix_line)s<HOST>:\d+ TLS Auth Error
            ^%(__prefix_line)s<HOST>:\d+ TLS Error: TLS handshake failed$
            ^%(__prefix_line)s<HOST>:\d+ VERIFY ERROR
ignoreregex =
```

## `/etc/fail2ban/jail.local`

```plaintext
# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
logpath  = /var/log/messages
maxretry = 3
```

# Step 3: Restart Fail2Ban and Observe Log

```plaintext
sudo service fail2ban restart
sudo cat /var/log/fail2ban.log
```

You should see that the openvpn jail was started. Since I’m under attack currently, I also see messages such as:

```plaintext
2018-09-09 23:18:13,481 fail2ban.actions[27638]: WARNING [openvpn] Ban 186.202.10.75
2018-09-09 23:18:15,749 fail2ban.actions[26453]: INFO    [openvpn] 186.202.10.75 already banned
```

# Update

I've posted a [follow-up article on how to make this persist through firmware upgrades](https://jason.rokea.ch/edgerouter-fail2ban-persistence-through-upgrades).

# Resources Used

I was able to pull this together with just some slight modification and compilation of materials that are already available:

* [https://help.ubnt.com/hc/en-us/articles/205202560-EdgeRouter-Add-Debian-Packages-to-EdgeOS](https://help.ubnt.com/hc/en-us/articles/205202560-EdgeRouter-Add-Debian-Packages-to-EdgeOS)
    
* [https://www.fail2ban.org/wiki/index.php/HOWTO\_fail2ban\_with\_OpenVPN](https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN)
    
* [https://docs.python.org/2/library/re.html](https://docs.python.org/2/library/re.html)
