Is it possible to identify proper incoming VPN connection(s)?

Hello everyone
Is it possible to identify incoming VPN connection(s)?

What I mean by that is, I have an AD-integrated VPN server (Win 2003 RRAS Server) behind the router. The router just forwards everything VPN related (PPTP & L2TP, i.e. TCP 1723, GRE, UDP 1701, 500 and 4500, IPsec ESP and AH) to the RRAS server, which handles things from there. The setup works just fine; what I’ve noticed lately is quite an increased number of incoming connections on the mentioned ports. Checking the RRAS server logs, there is nothing out of the ordinary. The number of successful connections is pretty much the same, and even authentication failures (my users mistyping their usernames/passwords) are within the normal range.

So I’m guessing the incoming connections are not being recognized by the RRAS server because they are not (properly formatted) VPN traffic. Someone is “knocking” on my VPN ports.
These connections (with very few exceptions) come from a wide variety of IP addresses, with only a couple of attempts from the same address before hopping to the next one. So I cannot block them with an address list. A drop rule with something like “drop incoming connections with 5 attempts in 3 seconds” does not do the job, and lowering the attempt number just ends up blocking genuine users.

I was wondering, is it possible to somehow identify proper incoming VPN connections in order to block everything else? Something like an L7 filter for VPN. Searching the forum I’ve stumbled upon the “can mikrotik in L7 filter work on VPN services (PPTP, L2TP)” topic, which says the L7 mechanism is of no use in this situation.

Is there something else I could use? Does anyone have any suggestions?

Thanks in advance
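Since the thread’s own answer is that RouterOS L7 matching cannot do this inline, here is an added example (mine, not code from the thread, from MikroTik or from Microsoft) of what “recognizing a proper VPN connection” means at the packet level. It is a Python classifier that checks the first packet on each forwarded port against the handshake openers the RFCs define (PPTP SCCRQ, L2TP SCCRQ, IKEv1 main/aggressive mode and IKEv2 IKE_SA_INIT, with the NAT-T non-ESP marker on UDP 4500) and then separates sources that only ever sent junk from sources that sent at least one valid opener. The sample packets, the addresses and the “only ever sent noise” rule are constructed assumptions; GRE, ESP and AH are left out because they carry no handshake start. It is something you would run over a packet capture or a span-port feed, not on the router.

```python
"""Classify the first packet on each forwarded VPN port as a well-formed
handshake start or noise, then list sources that only ever sent noise.
All packets are constructed samples; addresses are RFC 5737 ranges."""
import struct
from typing import Optional

PPTP_MAGIC = 0x1A2B3C4D
PPTP_SCCRQ = 1                 # Start-Control-Connection-Request (RFC 2637)
L2TP_SCCRQ = 1                 # Message Type AVP value for SCCRQ (RFC 2661)
IKEV1_MAIN, IKEV1_AGGR = 2, 4  # ISAKMP exchange types (RFC 2409)
IKEV2_SA_INIT = 34             # IKE_SA_INIT exchange type (RFC 7296)

def is_pptp_sccrq(payload: bytes) -> bool:
    """A PPTP control connection opens with a 156-byte SCCRQ carrying the
    magic cookie and protocol version 1.0."""
    if len(payload) < 14:
        return False
    length, msg_type, magic, ctrl, _res, ver = struct.unpack("!HHIHHH", payload[:14])
    return (length == 156 and msg_type == 1 and magic == PPTP_MAGIC
            and ctrl == PPTP_SCCRQ and ver == 0x0100)

def is_l2tp_sccrq(payload: bytes) -> bool:
    """An L2TP tunnel opens with SCCRQ: T, L, S set, O clear, version 2,
    tunnel/session ID 0, first AVP = mandatory Message Type with value 1."""
    if len(payload) < 20:
        return False
    flags = struct.unpack("!H", payload[:2])[0]
    if (flags & 0xC800) != 0xC800 or flags & 0x0200 or (flags & 0x000F) != 2:
        return False
    length, tunnel_id, session_id, _ns, _nr = struct.unpack("!HHHHH", payload[2:12])
    if length != len(payload) or tunnel_id != 0 or session_id != 0:
        return False
    avp_hdr, vendor, attr_type, attr_value = struct.unpack("!HHHH", payload[12:20])
    return (bool(avp_hdr & 0x8000) and (avp_hdr & 0x03FF) == 8
            and vendor == 0 and attr_type == 0 and attr_value == L2TP_SCCRQ)

def ike_init_kind(payload: bytes, dst_port: int) -> Optional[str]:
    """Check the 28-byte ISAKMP header.  On UDP 4500 IKE sits behind a
    4-byte zero non-ESP marker (RFC 3948); UDP-encapsulated ESP and the
    1-byte NAT-T keepalives on that port never carry it."""
    if dst_port == 4500:
        if payload[:4] != b"\x00\x00\x00\x00":
            return None
        payload = payload[4:]
    if len(payload) < 28:
        return None
    ispi, rspi, _np, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", payload[:28])
    if ispi == 0 or rspi != 0 or length != len(payload):
        return None                  # an initiator's first message has responder SPI 0
    if ver >> 4 == 1 and exch in (IKEV1_MAIN, IKEV1_AGGR):
        return "ikev1"
    if ver >> 4 == 2 and exch == IKEV2_SA_INIT and flags & 0x08 and msg_id == 0:
        return "ikev2"               # 0x08 is the Initiator flag
    return None

def classify(proto: str, dst_port: int, payload: bytes) -> str:
    """Label one first packet: 'pptp', 'l2tp', 'ikev1', 'ikev2' or 'noise'."""
    if proto == "tcp" and dst_port == 1723:
        return "pptp" if is_pptp_sccrq(payload) else "noise"
    if proto == "udp" and dst_port == 1701:
        return "l2tp" if is_l2tp_sccrq(payload) else "noise"
    if proto == "udp" and dst_port in (500, 4500):
        return ike_init_kind(payload, dst_port) or "noise"
    return "noise"

def triage(attempts):
    """Knockers only ever sent noise; genuine clients sent at least one
    well-formed handshake start.  A user who mistypes a password still
    opens with a valid SCCRQ/IKE_SA_INIT, so a plain rate limit would
    catch them but this split does not."""
    seen = {}
    for src, proto, port, payload in attempts:
        seen.setdefault(src, set()).add(classify(proto, port, payload))
    knockers = sorted(s for s, labels in seen.items() if labels == {"noise"})
    genuine = sorted(s for s, labels in seen.items() if labels != {"noise"})
    return knockers, genuine

def build_pptp_sccrq() -> bytes:       # constructed sample, full 156-byte SCCRQ
    return struct.pack("!HHIHHHHIIHH64s64s", 156, 1, PPTP_MAGIC, PPTP_SCCRQ, 0,
                       0x0100, 0, 3, 3, 0, 0, b"roadwarrior", b"constructed")

def build_l2tp_sccrq() -> bytes:       # constructed sample, header + two AVPs
    hdr = struct.pack("!HHHHHH", 0xC802, 28, 0, 0, 0, 0)          # T|L|S, ver 2, len 28
    return (hdr + struct.pack("!HHHH", 0x8008, 0, 0, L2TP_SCCRQ)  # Message Type AVP
                + struct.pack("!HHHH", 0x8008, 0, 2, 0x0100))     # Protocol Version AVP

def build_ike_init(major: int) -> bytes:  # constructed sample, ISAKMP header only
    exch, flags = (IKEV1_MAIN, 0) if major == 1 else (IKEV2_SA_INIT, 0x08)
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, major << 4, exch, flags, 0, 28)

SAMPLE_ATTEMPTS = [
    ("192.0.2.10", "tcp", 1723, build_pptp_sccrq()),           # road warrior, retries after a typo
    ("192.0.2.10", "tcp", 1723, build_pptp_sccrq()),
    ("198.51.100.7", "tcp", 1723, b"GET / HTTP/1.1\r\n\r\n"),    # web scanner on the PPTP port
    ("198.51.100.7", "udp", 500, b"\x00" * 8),                  # too short to be an ISAKMP header
    ("203.0.113.9", "udp", 4500, build_ike_init(2)),            # IKE without the non-ESP marker
    ("203.0.113.9", "udp", 1701, b"\x00\x02" + b"\x00" * 18),   # L2TP data header, not control
    ("192.0.2.44", "udp", 4500, b"\x00\x00\x00\x00" + build_ike_init(2)),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ATTEMPTS))  # (['198.51.100.7', '203.0.113.9'], ['192.0.2.10', '192.0.2.44'])
```

Two caveats a practitioner would want. First, a scanner can send a well-formed SCCRQ or IKE_SA_INIT just as easily as garbage, so this only separates port knocking from real handshake traffic; credential brute force arrives as valid handshakes and shows up only in the RRAS authentication log. Second, the “knocker” list is what you would feed into a router address list for dropping, and it is deliberately built from what a source sent rather than how often it sent it, which is why the mistyping road warrior in the sample ends up on the genuine side.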

You could employ some of the firewall techniques to limit would-be brute-forcers, similar to what is used with SSH on the wiki. This of course would impact your own mistyping users. Another approach would be IP-based country blocking. This isn’t totally reliable and may very well block legit users, but it isn’t the worst place to start. I haven’t tinkered with country-based blocking on MikroTik, but other platforms have it fairly well integrated. A common example is: do you ever suspect you’ll have a user in North Korea that needs to VPN in?

Now on to the important stuff: Win2k3 RRAS with ports directly exposed to the Internet? 2017 called, they want you to upgrade! You can do plenty of other VPN solutions that still tie back to AD without making yourself a target on the Interwebs.

No, not in North Korea, but as I sift through these IP addresses every once in a while, none of the attempts come from there. Literally none. Most of them are from US/China locations, and I have people there all the time.

I know, but I can’t do anything about that.

And that is exactly the reason why I’m trying to implement some kind of “recognize genuine VPN user” system. I can always go with some port knocking scheme, but I know my road warriors will not welcome something like that.

Anyway, thanks for the suggestion idlemind