From: Michael K. <li...@mk...> - 2025-08-08 14:11:02

2 facts about Yealink firmware regarding OpenVPN:

a) SHA256 is supported from FW 80 and later
b) FW 83 is using OpenVPN 2.4.2, FW 86 is using 2.4.9

Hope that helps.

Sent from a mobile device.

Michael Keuter

> On 08.08.2025 at 15:28, Lonnie Abelbeck <li...@lo...> wrote:
>
> Hi Michael,
>
> Agreed, for public OpenVPN exposure, either TLS-Auth or strict firewall rules are best practice.
>
> We have stuck with OpenVPN 2.4 to be backward compatible with older IP Phone OpenVPN implementations. One of the few places OpenVPN is used over WireGuard.
>
> I am not sure if Yealink always supported the TLS-Auth feature; you might double-check your oldest Yealink firmware to make sure TLS-Auth is supported across the board.
>
> Possibly using a low-end (inexpensive) GL.iNet box with WireGuard would be an alternative to the OpenVPN solution via Yealink.
>
> Lonnie
>
>
>> On Aug 8, 2025, at 12:11 AM, Michael Knill <mic...@ip...> wrote:
>>
>> PS TLS Auth did solve the problem, but having to redo all the OpenVPN certs is a daunting task.
>>
>> Regards
>> Michael Knill
>>
>> From: Michael Knill <mic...@ip...>
>> Date: Friday, 8 August 2025 at 2:41 pm
>> To: AstLinux Users Mailing List <ast...@li...>
>> Subject: Re: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event
>>
>> PS TLS Auth is easy to do, but I would need to reissue all the certificates to the OpenVPN peers (mainly Yealink phones).
>> We are testing it now, but it would only be for new systems. If it works and we don't have another option, we may need to suck it up and change them all.
>>
>> Regards
>> Michael Knill
>>
>> From: Michael Knill <mic...@ip...>
>> Date: Friday, 8 August 2025 at 1:41 pm
>> To: AstLinux List <ast...@li...>
>> Subject: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event
>>
>> Hi All
>>
>> We run pretty low memory on our hosted Astlinux systems with about 100M available, and today we experienced an OpenVPN attack on a number of our systems.
>> The attack consisted of around 1000 attempted logins between 9:26:43 and 9:29:31. This number of failed TLS attempts caused many of our systems to run out of memory, which became quite messy.
>>
>> After doing some research, it appears the issue is:
>> • OpenVPN 2.4.12 has inherent memory management limitations with failed TLS connections.
>> • While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory during TLS exhaustion attacks.
>> • Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over thousands of attempts.
>>
>> To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the tls-auth directive; however, as this is not easy to do, what are my other options?
>> Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?
>>
>> Thanks all.
>>
>> Regards
>> Michael Knill
>> Managing Director
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: mic...@ip...
>> W: ipcsolutions.com.au
>> Smarter Business Communications
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
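The two mitigations the thread settles on, tls-auth on the OpenVPN 2.4 server and per-source rate limiting in iptables, written out as an added example; this is not code from any poster or from AstLinux, and the interface name, port, key path and the numeric limits are assumptions to adjust for the site. The hashlimit rule keys on source address, so a flood spread over many addresses is only bounded per address; tls-auth is the stronger fix because packets without a valid HMAC are dropped before any TLS handshake state is allocated.

```shell
#!/bin/sh
# Added example: print the OpenVPN 2.4 server directives and the iptables rules that
# blunt a flood of failed TLS handshakes. Nothing is applied unless run with "apply".
# All names and limits below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
OVPN_PORT="${OVPN_PORT:-1194}"            # assumed OpenVPN UDP port
TA_KEY="${TA_KEY:-/etc/openvpn/ta.key}"   # static key from: openvpn --genkey --secret ta.key

# Server-side directives (OpenVPN 2.4 syntax) to merge into the server config.
openvpn_hardening_lines() {
    cat <<EOF
# Packets lacking a valid HMAC computed with ta.key are discarded before a TLS
# handshake starts, so unauthenticated floods no longer consume handshake memory.
tls-auth $TA_KEY 0
# Abandon half-open handshakes after 20 s instead of the default 60 s.
hand-window 20
# Accept at most 10 new client connections per 10 s, summed over all peers.
connect-freq 10 10
# Cap concurrent sessions at what a ~100 MB host can actually hold.
max-clients 50
EOF
}

# iptables rules: throttle packets that open a new UDP flow to the OpenVPN port,
# per source IP, and log what gets dropped so the event is visible in syslog.
openvpn_ratelimit_rules() {
    cat <<EOF
iptables -N OVPN_LIMIT 2>/dev/null || iptables -F OVPN_LIMIT
iptables -A OVPN_LIMIT -m hashlimit --hashlimit-name ovpn --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 10 -j ACCEPT
iptables -A OVPN_LIMIT -m limit --limit 5/min -j LOG --log-prefix "OVPN-RATELIMIT " --log-level 4
iptables -A OVPN_LIMIT -j DROP
iptables -I INPUT -i $WAN_IF -p udp --dport $OVPN_PORT -m conntrack --ctstate NEW -j OVPN_LIMIT
EOF
}

case "${1:-show}" in
    apply)  # only the firewall rules are applied; config lines are merged by hand
        openvpn_ratelimit_rules | sh -e ;;
    *)
        echo "# --- directives to add to the OpenVPN server config ---"
        openvpn_hardening_lines
        echo "# --- iptables rules (run as root, or pass 'apply') ---"
        openvpn_ratelimit_rules ;;
esac
```

Established phone sessions are not counted by the rule because their packets match conntrack state ESTABLISHED rather than NEW.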