From: Michael K. <mic...@ip...> - 2025-08-08 04:40:01
PS: TLS Auth is easy to do but I would need to reissue all the certificates to the OpenVPN peers (mainly Yealink phones). We are testing it now but it would only be for new systems. If it works and we don’t have another option, we may need to suck it up and change them all.

Regards
Michael Knill

From: Michael Knill <mic...@ip...>
Date: Friday, 8 August 2025 at 1:41 pm
To: AstLinux List <ast...@li...>
Subject: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event

Hi All

We run pretty low memory on our hosted Astlinux systems with about 100M available and today we experienced an OpenVPN attack on a number of our systems. The attack consisted of around 1000 attempted logins between the period of 9:26:43 to 9:29:31. This number of failed TLS attempts caused many of our systems to run out of memory, which became quite messy.

After doing some research, it appears the issue is:

* OpenVPN 2.4.12 has inherent memory management limitations with failed TLS connections.
* While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory during TLS exhaustion attacks.
* Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over thousands of attempts.

To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the tls-auth directive; however, as this is not easy to do, what are my other options? Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?

Thanks all.

Regards
Michael Knill
Managing Director
D: +61 2 6189 1360
P: +61 2 6140 4656
E: mic...@ip...
W: ipcsolutions.com.au <https://ipcsolutions.com.au/>
Smarter Business Communications
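The "adaptive ban" idea raised in the message above amounts to scanning the OpenVPN server log for failed TLS negotiations, counting them per source inside a short window, and dropping sources that cross a threshold. The following is an added illustration of that detection step; it is not AstLinux's adaptive ban code nor anything from the original post. It assumes OpenVPN 2.4-style server log lines (ctime-style timestamp, `peer-ip:port`, then `TLS Error: ...`), uses constructed sample log lines, and renders the resulting iptables rules as strings only (port 1194/UDP is a placeholder for the server's real listener).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenVPN 2.4-style server log lines for failed TLS negotiations.
# The line shape (ctime-style timestamp, peer address, "TLS Error:") is an
# ASSUMPTION about the server's log format; adjust the pattern if yours differs.
TLS_FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:\[AF_INET\])?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error:"
)

# CONSTRUCTED sample log: a burst of eight failures from one source inside a
# few seconds, two widely spaced failures from another source, and one
# successful peer that must not be counted at all.
SAMPLE_LOG = "\n".join(
    [
        f"Fri Aug  8 09:26:{43 + i} 2025 198.51.100.7:{40000 + i} "
        "TLS Error: TLS handshake failed"
        for i in range(8)
    ]
    + [
        "Fri Aug  8 09:26:45 2025 203.0.113.20:51000 TLS Error: TLS handshake failed",
        "Fri Aug  8 09:27:30 2025 192.0.2.10:55000 [yealink-01] Peer Connection "
        "Initiated with [AF_INET]192.0.2.10:55000",
        "Fri Aug  8 09:29:31 2025 203.0.113.20:51001 TLS Error: TLS key negotiation "
        "failed to occur within 60 seconds (check your network connectivity)",
    ]
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed TLS negotiation line."""
    for line in log_text.splitlines():
        m = TLS_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("ip")


def flag_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: count} for sources reaching `threshold` failures within any
    sliding window of `window_seconds`. The count is the window size at the
    moment the threshold was first crossed, so a legitimate phone that fails
    a couple of times over several minutes is never flagged."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


def ban_commands(flagged, port=1194, proto="udp"):
    """Render one iptables DROP rule per flagged source. Strings only; nothing
    is executed here. Port and protocol are placeholders for the real listener."""
    return [
        f"iptables -I INPUT -s {ip} -p {proto} --dport {port} -j DROP"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = flag_sources(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed TLS handshakes within 60s")
    print("\n".join(ban_commands(hits)))
```

The sliding window matters more than the raw count: the burst in the original report was roughly 1000 attempts in under three minutes, so a threshold of a few failures per minute per source separates it cleanly from a phone with a stale certificate that retries every few minutes. The ban output is deliberately left as text so it can be reviewed before being applied, or fed to whatever firewall wrapper the system already uses.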