Is there a way to find out if the client is connected to WG or IKE?

hagoyi · February 29, 2024, 12:31pm

I made several rules to protect VPN against bruteforce. Unfortunately, sometimes I myself catched by these rules, so I made a script that adds my addresses to the white list.
Is there a way to find out when new WG and IPSEC clients are connected? or just run the script on a schedule?

:local peerList

:foreach peerId in=[/interface wireguard peer find] do={
 :local peerAddress [/interface/wireguard/peers/get $peerId current-endpoint-address]
 :if ([:len $peerAddress] > 0) do={
  :if ([:len [/ip firewall address-list find address=$peerAddress list=my-addresses]] = 0) do={
   :local peerComment [/interface/wireguard/peers/get $peerId comment]
   /ip firewall address-list add address=$peerAddress list=whitelist-addresses comment=("WG " . $peerComment) dynamic=yes timeout=1d
  }
 }
}

:foreach peerId in=[/ip ipsec active-peers find] do={
 :local peerAddress [/ip ipsec active-peers get $peerId remote-address]
 :if ([:len [/ip firewall address-list find address=$peerAddress list=my-addresses]] = 0) do={
  :local peerComment [/ip ipsec active-peers get $peerId id]
  /ip firewall address-list add address=$peerAddress list=whitelist-addresses comment=("IKE2 " . $peerComment) dynamic=yes timeout=1d
 }
}

elico · March 15, 2024, 9:01pm

Depends on the Bruteforce mitigation technique you use.
For WG you just need to limit the burst of new connections to a reasonable amount and use keepalives.
For IPSEC, I don’t know who bruteforce IPSEC but it should be pretty hard to brute force…
And again just block a burst of new connections.

Also if you are in a specific geo location you can limit the access to the VPN from specific ip geo spaces.