PS TLS Auth did solve the problem but having to redo all the OpenVPN certs is a 
daunting task.


Regards

Michael Knill



From: Michael Knill <michael.kn...@ipcsolutions.com.au>
Date: Friday, 8 August 2025 at 2:41 pm
To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event

PS TLS Auth is easy to do but I would need to reissue all the certificates to 
the OpenVPN peers (mainly Yealink phones).
We are testing it now but it would only be for new systems. If it works and we 
don’t have another option, we may need to suck it up and change them all.


Regards

Michael Knill



From: Michael Knill <michael.kn...@ipcsolutions.com.au>
Date: Friday, 8 August 2025 at 1:41 pm
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event

Hi All

We run pretty low memory on our hosted Astlinux systems with about 100M 
available and today we experienced an OpenVPN attack on a number of our systems.
The attack consisted of around 1000 attempted logins between the period of 
9:26:43 to 9:29:31. This number of failed TLS attempts caused many of our 
systems to run out of memory which became quite messy.

After doing some research, it appears the issue is:

  * OpenVPN 2.4.12 has inherent memory management limitations with failed TLS
    connections.
  * While CVE-2017-7521 was patched, the 2.4.x architecture still leaks memory
    during TLS exhaustion attacks.
  * Each failed handshake leaves behind unfreed memory (~4-8KB), accumulating over
    thousands of attempts.

To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the 
tls-auth directive; however, as this is not easy to do, what are my other options?
Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?

Thanks all.


Regards



Michael Knill

Managing Director



D: +61 2 6189 1360

P: +61 2 6140 4656

E: michael.kn...@ipcsolutions.com.au

W: ipcsolutions.com.au




Smarter Business Communications


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
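An adaptive-ban style check of the kind the original post asks about, added here as an example (it is not AstLinux's adaptive-ban code and did not come from the thread): it reads OpenVPN server log lines, counts failed TLS handshakes per source address inside a sliding window, and emits iptables drop rules for sources over the threshold so further handshake attempts are dropped before OpenVPN allocates state for them. The log lines, addresses, threshold and window size are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenVPN 2.4 server log lines in OpenVPN's default
# timestamp format; not taken from the post or from any real system.
SAMPLE_LOG = """\
Fri Aug  8 09:26:43 2025 203.0.113.5:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Aug  8 09:26:44 2025 203.0.113.5:51235 TLS Error: TLS handshake failed
Fri Aug  8 09:26:45 2025 198.51.100.7:40001 TLS Error: TLS handshake failed
Fri Aug  8 09:26:46 2025 203.0.113.5:51236 TLS Error: TLS handshake failed
Fri Aug  8 09:26:47 2025 203.0.113.5:51237 TLS Error: TLS handshake failed
Fri Aug  8 09:26:48 2025 203.0.113.5:51238 TLS Error: TLS handshake failed
Fri Aug  8 09:29:30 2025 198.51.100.7:40002 TLS Error: TLS handshake failed
Fri Aug  8 09:29:31 2025 192.0.2.9:33000 [yealink-01] Peer Connection Initiated with [AF_INET]192.0.2.9:33000
"""

# "Fri Aug  8 09:26:43 2025 203.0.113.5:51234 TLS Error: ..." -> timestamp, source IP
TLS_FAIL_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS Error:"
)

def find_offenders(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_of_trigger} for every source that produced at least
    `threshold` failed TLS handshakes inside any `window_seconds` window.
    Successful connections and lines without 'TLS Error:' are ignored."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = TLS_FAIL_RE.match(line)
        if not m or m["ip"] in offenders:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):   # slide the window
            q.popleft()
        if len(q) >= threshold:
            offenders[m["ip"]] = ts
    return offenders

def block_rules(offenders, port=1194):
    """iptables commands (returned as strings, not executed) that drop further
    UDP handshake attempts from each offending source."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in block_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

In the sample, 203.0.113.5 crosses the five-failure threshold at 09:26:48 while 198.51.100.7's two failures fall outside one 60-second window, so only the first source is blocked.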
