VPN attacks? Blocking?

I’ve created a little facility for my home dial-in VPN system that addresses the issue you stated.

  1. When a client successfully connects to the VPN server (meaning it's a valid user), a script is triggered that adds the source address to the whitelist.

PPP/Profiles/name of L2TP profile you are using/Scripts (“On Up” field):

/system script run vpn-on_connect

This is the source of the vpn-on_connect script (variables are global so you can easily debug them in System/Script/Environment):

# vpn-on_connect: run from the L2TP profile's "On Up" script.
# Give the dynamic l2tp-server interface a moment to appear with its client-address set.
:delay delay-time=3

:global l2tpCount [/interface l2tp-server print count-only]

:if ($l2tpCount != 0) do={
	:foreach i in=[/interface l2tp-server find] do={
		:global clientNameL2TP [/interface l2tp-server get $i name]
		:global clientAddrL2TP [/interface l2tp-server get $i client-address]
		# Only add the address if it is not already on the list; adding a
		# duplicate entry fails and would abort the script for the remaining clients.
		:if ([:len [/ip firewall address-list find list=vpn_whitelist address=$clientAddrL2TP]] = 0) do={
			/ip firewall address-list add list=vpn_whitelist address=$clientAddrL2TP comment=$clientNameL2TP
		}
	}
}
  2. Firewall rules handle the rest of the logistics.
  • Create “WAN” interface list
  • Make sure you have your known IP addresses in the "allowed_access" list. Apart from manually adding entries, the above script will automatically add known IPs to the vpn_whitelist list.
  • Adjust the timers to your liking and paste this into your router (with my rules, clients have a chance to try to connect 3 times in 10 minutes):
/ip firewall filter
add action=accept chain=forward comment="optimize: forward" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="optimize: input" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=jump chain=input comment="access control: wan" in-interface-list=WAN jump-target=input-access
add action=drop chain=input-access comment="blacklisted sources" src-address-list=vpn_blacklist
add action=accept chain=input-access comment="manually trusted sources" src-address-list=allowed_access
add action=accept chain=input-access protocol=icmp
add action=jump chain=input-access comment="IKE, L2TP, NAT-T" dst-port=500,1701,4500 jump-target=input-vpn protocol=udp
add action=jump chain=input-access comment="PPTP" dst-port=1723 jump-target=input-vpn protocol=tcp
add action=accept chain=input-vpn comment="known clients, filled by vpn-on_connect" src-address-list=vpn_whitelist
add action=add-src-to-address-list address-list=vpn_blacklist address-list-timeout=none-dynamic chain=input-vpn comment="stage3 -> blacklist (until reboot)" log=yes log-prefix=added_to_blacklist src-address-list=vpn_stage3
add action=add-src-to-address-list address-list=vpn_stage3 address-list-timeout=10m chain=input-vpn comment="stage2 -> stage3" src-address-list=vpn_stage2
add action=add-src-to-address-list address-list=vpn_stage2 address-list-timeout=10m chain=input-vpn comment="stage1 -> stage2" src-address-list=vpn_stage1
add action=add-src-to-address-list address-list=vpn_stage1 address-list-timeout=none-dynamic chain=input-vpn comment="first new connection from this source"
add action=accept chain=input-vpn comment="add-src-to-address-list does not terminate, accept what remains"
add action=drop chain=input-access comment="everything else from WAN"
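The staged address lists above count new connections, not login attempts, and two of the three stages expire after 10 minutes while stage1 and the blacklist do not. The following Python model, added here as an example and not code from the post above, replays constructed timestamped connection attempts through the rule order of the export so that behaviour can be checked without a router. It assumes that only connection-state=new packets to the VPN ports reach input-vpn (established/related traffic is accepted earlier in the input chain), that `none-dynamic` entries never expire on their own, that re-adding an existing dynamic entry refreshes its timeout, and it leaves out the ICMP rule and the TCP/UDP distinction, so the port alone selects the jump. The addresses and timings are made up.

```python
"""Model of the staged address-list logic in the input-vpn chain above.

Constructed example for this thread, not code from the original post.
Assumptions: only connection-state=new packets to the VPN ports reach
input-vpn; address-list-timeout=none-dynamic entries never expire on their
own; re-adding an existing dynamic entry refreshes its timeout; the ICMP rule
and TCP-vs-UDP matching are left out, so a port alone selects the jump.
"""

VPN_PORTS = {500, 1701, 4500, 1723}   # udp 500/1701/4500 and tcp 1723
TEN_MINUTES = 10 * 60                  # address-list-timeout=10m, in seconds
NONE_DYNAMIC = None                    # address-list-timeout=none-dynamic


class AddressLists:
    """Address lists by name; each entry maps address -> expiry time (None = never)."""

    def __init__(self):
        self.lists = {}

    def has(self, name, addr, now):
        entries = self.lists.get(name, {})
        if addr not in entries:
            return False
        expiry = entries[addr]
        if expiry is not None and now >= expiry:
            del entries[addr]          # dynamic entry has timed out
            return False
        return True

    def add(self, name, addr, now, timeout):
        # add-src-to-address-list: create the entry or refresh its timeout
        self.lists.setdefault(name, {})[addr] = (
            None if timeout is NONE_DYNAMIC else now + timeout)


def input_chain(fw, src, dst_port, now):
    """Verdict ('accept' or 'drop') for one new packet from src to dst_port.

    Follows the rule order of the posted export. add-src-to-address-list is
    a non-terminating action, so evaluation continues after each add.
    """
    # chain=input-access, reached via the WAN jump
    if fw.has("vpn_blacklist", src, now):
        return "drop"
    if fw.has("allowed_access", src, now):
        return "accept"
    if dst_port not in VPN_PORTS:
        return "drop"                  # the final drop in input-access
    # chain=input-vpn
    if fw.has("vpn_whitelist", src, now):
        return "accept"
    if fw.has("vpn_stage3", src, now):
        fw.add("vpn_blacklist", src, now, NONE_DYNAMIC)   # the logged rule
    if fw.has("vpn_stage2", src, now):
        fw.add("vpn_stage3", src, now, TEN_MINUTES)
    if fw.has("vpn_stage1", src, now):
        fw.add("vpn_stage2", src, now, TEN_MINUTES)
    fw.add("vpn_stage1", src, now, NONE_DYNAMIC)
    return "accept"                    # the packet that triggers blacklisting still passes


def replay(attempts, whitelist=()):
    """Run (seconds, src, dst_port) attempts in order; return (verdicts, lists)."""
    fw = AddressLists()
    for addr in whitelist:             # what vpn-on_connect would have added
        fw.add("vpn_whitelist", addr, 0, NONE_DYNAMIC)
    verdicts = [input_chain(fw, src, port, t) for t, src, port in attempts]
    return verdicts, fw


# Constructed sample traffic: a fresh unknown source retrying IKE once a
# minute, then a client that the on-up script has already whitelisted.
ATTACKER = "192.0.2.10"
CLIENT = "198.51.100.7"
BURST = [
    (0,    ATTACKER, 500),    # -> vpn_stage1 (no timeout)
    (60,   ATTACKER, 500),    # -> vpn_stage2 (10m)
    (120,  ATTACKER, 500),    # -> vpn_stage3 (10m)
    (180,  ATTACKER, 500),    # -> vpn_blacklist, but this packet is accepted
    (240,  ATTACKER, 500),    # dropped in input-access
    (3600, ATTACKER, 4500),   # still dropped: the blacklist entry has no timeout
    (3600, CLIENT,   500),    # whitelisted: never enters the stages
]
# Same source, attempts spaced more than 10 minutes apart: stage2 keeps
# expiring before a second hit can promote it, so no blacklisting.
SLOW = [(t, ATTACKER, 500) for t in (0, 700, 1400, 2100, 2800)]

if __name__ == "__main__":
    for label, sample in (("burst", BURST), ("slow", SLOW)):
        verdicts, _ = replay(sample, whitelist=[CLIENT])
        print(label, verdicts)
```

Two details the replay makes visible: because vpn_stage1 has no timeout, a source that has contacted the VPN ports once before is blacklisted by its third new connection inside a 10-minute window, while a completely fresh source gets four; and the connection that performs the blacklisting is itself accepted, with the drop only taking effect on the next packet. The model, like the rules it follows, has no entry for raw ESP (IP protocol 50), which an IPsec client that is not behind NAT sends instead of UDP 4500 traffic.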