Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all.
I'm using Ubuntu 11.10 and OpenVPN 2.1.3-2ubuntu3 with SSL certificate.
Today, during the VPN's initial phase (after login with username & password) I saw a very strange message in my console:
Quote:
Sun Jan 29 22:45:20 2012 PUSH: Received control message: 'PUSH_REPLY,ping 200,ping-restart 600,route-gateway 10.10.200.254,ifconfig 88.102.1.16 255.255.254.0'
Sun Jan 29 22:45:20 2012 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 29 22:45:20 2012 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 29 22:45:20 2012 OPTIONS IMPORT: route-related options modified
Sun Jan 29 22:45:20 2012 ROUTE default_gateway=192.168.1.1
Sun Jan 29 22:45:20 2012 TUN/TAP device tap0 opened
Sun Jan 29 22:45:20 2012 TUN/TAP TX queue length set to 100
Sun Jan 29 22:45:20 2012 /sbin/ifconfig tap0 88.102.1.16 netmask 255.255.254.0 mtu 1500 broadcast 88.102.1.255
IP 88.102.1.16 belongs to a .cz domain, and I have nothing to do with it.
OpenVPN's conf is ok (I double checked).
Was my computer compromised? Or could the OpenVPN server have been violated?
Thank you very much
Doesn't look good. You got pwned I think. I'd check every log for traces of deeper compromise and be prepared to wipe and reinstall.
Shadowbox12, your eagerness to help is appreciated. However, at LQ Security, we strongly advocate an investigative approach to gain evidence and then proceed as the facts dictate. Under no circumstance do we jump to the conclusion that a machine has been pwned without supporting evidence. We take great exception to the concept of "wipe and re-install" without said investigation and would greatly appreciate it if you would please refrain from making such suggestions. If you have any questions regarding this policy, please direct them to unSpawn or Win32Sux who will be happy to explain our policy and procedures to you.
@circus78, Welcome to LQ-Security. Your log provides little information. My initial suspicion is that a scan revealed your OpenVPN port and someone attempted a connection to it. The log messages shown look like the initialization of a tap interface device. OpenVPN uses client certificates to authenticate and a protocol similar to SSH, and as long as these have been kept reasonably secure it is highly unlikely that an unauthorized user will be able to connect to your system via OpenVPN. However, it is always wise to look into suspicious activity and make a reasoned determination. Do your logs indicate whether or not the connection attempt was successful or was access denied? Does the output of netstat (e.g. netstat -pane) show any active connections? Have there been other signs of intrusion, such as other anomalies in your log files? Also realize that being able to connect to your VPN and obtain an IP address to your local network does not necessarily mean that your systems have been compromised; it means that they would potentially be able to access the devices behind your router.
If there is indication of intrusion, you should isolate the machine by either disconnecting the network cable or putting up a firewall to allow SSH connections only from a trusted source. Once you have secured the machine, you may begin with an investigation. Here is a link to the CERT Intruder Detection Checklist which outlines the steps involved. I mention this information to make you aware of what the next steps are. At this point the information you have provided does not appear to indicate a compromise in my opinion.
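The thread's core question is whether the pushed address in the client log is something to worry about. A small log check makes the anomaly concrete: the PUSH_REPLY in the original post pushes a route-gateway of 10.10.200.254 but an ifconfig address of 88.102.1.16/23, which is publicly routable and not even in the same network as the gateway it was pushed with. The script below is an added example (not code from the thread, from OpenVPN, or from any LQ member) that parses OpenVPN client log lines, extracts PUSH_REPLY options, and reports such inconsistencies. The sample log is constructed: its first line copies the posted message, and its second line models the later successful connection the poster describes, with a made-up in-range address. The expected VPN subnet 10.10.200.0/24 is an assumption derived from the posted route-gateway, not a fact stated in the thread.

```python
import ipaddress
import re

# Constructed sample log: line 1 is the PUSH_REPLY from the original post,
# line 2 is an invented "normal" reply modelled on the later working connection.
SAMPLE_LOG = """\
Sun Jan 29 22:45:20 2012 PUSH: Received control message: 'PUSH_REPLY,ping 200,ping-restart 600,route-gateway 10.10.200.254,ifconfig 88.102.1.16 255.255.254.0'
Sun Jan 29 22:50:41 2012 PUSH: Received control message: 'PUSH_REPLY,ping 200,ping-restart 600,route-gateway 10.10.200.254,ifconfig 10.10.200.17 255.255.255.0'
"""

# Matches the quoted body of an OpenVPN "PUSH: Received control message" line.
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")


def parse_push_reply(line):
    """Return the PUSH_REPLY options of one log line as {name: [args...]},
    or None if the line is not a PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    parts = m.group("body").split(",")
    if not parts or parts[0] != "PUSH_REPLY":
        return None
    opts = {}
    for part in parts[1:]:
        tokens = part.strip().split()
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts


def check_push_reply(opts, expected_subnet=None):
    """Return a list of findings for anomalous pushed addressing.
    An empty list means the pushed ifconfig/route-gateway look consistent."""
    findings = []
    ifconfig = opts.get("ifconfig")
    if not ifconfig or len(ifconfig) < 2:
        return findings
    addr = ipaddress.ip_address(ifconfig[0])
    # ipaddress accepts "address/netmask" for IPv4, e.g. 88.102.1.16/255.255.254.0
    iface = ipaddress.ip_interface(f"{ifconfig[0]}/{ifconfig[1]}")

    # A VPN tunnel address is normally private; a globally routable one is odd.
    if addr.is_global:
        findings.append(f"pushed address {addr} is publicly routable")

    # The pushed gateway should live inside the pushed network.
    gw = opts.get("route-gateway")
    if gw:
        gw_addr = ipaddress.ip_address(gw[0])
        if gw_addr not in iface.network:
            findings.append(
                f"route-gateway {gw_addr} not in pushed network {iface.network}")

    # Optional policy check against the subnet the server is known to hand out.
    if expected_subnet is not None and addr not in expected_subnet:
        findings.append(
            f"pushed address {addr} outside expected VPN subnet {expected_subnet}")
    return findings


def scan_log(text, expected_subnet="10.10.200.0/24"):
    """Scan client log text; return [(timestamp, findings)] per PUSH_REPLY line.
    The default expected subnet is an assumption based on the posted route-gateway."""
    net = ipaddress.ip_network(expected_subnet)
    results = []
    for line in text.splitlines():
        opts = parse_push_reply(line)
        if opts is None:
            continue
        # OpenVPN's default log prefix is a fixed-width 24-character timestamp.
        results.append((line[:24], check_push_reply(opts, net)))
    return results


if __name__ == "__main__":
    for stamp, findings in scan_log(SAMPLE_LOG):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{stamp} {status}")
        for f in findings:
            print(f"    - {f}")
```

Run against a real client log (e.g. `scan_log(open("/var/log/openvpn.log").read(), "your.vpn.subnet/24")`) it flags only the replies whose addressing does not fit the server's own configuration, which is the kind of evidence-first check this thread recommends before concluding anything about a compromise.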
Quote:
Originally Posted by Noway2
@circus78, Welcome to LQ-Security. Your log provides little information. My initial suspicion is that a scan revealed your OpenVPN port and someone attempted a connection to it.
Did you mean the OpenVPN open port on the "server" side, not my workstation, right?
Quote:
Originally Posted by Noway2
The log messages shown look like the initialization of a tap interface device. OpenVPN uses client certificates to authenticate and a protocol similar to SSH, and as long as these have been kept reasonably secure it is highly unlikely that an unauthorized user will be able to connect to your system via OpenVPN. However, it is always wise to look into suspicious activity and make a reasoned determination. Do your logs indicate whether or not the connection attempt was successful or was access denied?
There was an error: the tap interface was unable to come up. And even in that case, the "malicious" IP is totally out of range of my server-side network subnet.
Quote:
Originally Posted by Noway2
Does the output of netstat (e.g. netstat -pane) show any active connections? Have there been other signs of intrusion, such as other anomalies in your log files? Also realize that being able to connect to your VPN and obtain an IP address to your local network does not necessarily mean that your systems have been compromised; it means that they would potentially be able to access the devices behind your router.
I hope there was a momentary "bug" in the OpenVPN server (Debian), because five minutes later I was able to connect to the same VPN with the right IP.
Correct, I meant the port on your server. This would be a low numbered port that remains constant so that remote connections can locate your server. A simple port scan would reveal its presence and it is possible that someone tried to connect to it.
I admit the situation sounds odd, especially the part about the IP being outside your subnet and the interface not being able to come up. Just a guess, but perhaps there are some known or trial exploits for OpenVPN. In the short run, my advice would be to keep watch on your log files for a while. Actually that is a good thing to do regularly. Check out the program logwatch, which will send you a daily summary of what is happening. A HIDS monitor might also be useful because it will send you an email alert if a problem occurs in your system that creates a warning or error log entry.
In terms of a vulnerability scanner, make sure that you're running an up to date copy of OpenVPN.
Also, consider this: OpenVPN is one of the most ruggedly-built and tested packages out there. What, seriously, are the chances that someone has actually dived through some obscure hole in it to terrorize y-o-u-r system?
When you encounter a message that you do not immediately understand ... "keep your head on, nevertheless."