Dealing with changing IPs<\/h2>\n\n\n\n
One major problem you may encounter is that your ISP might randomly (and will probably at some point) change the public IP of your home router. As a result, when a devices tries to connect to your VPN server, it is unable to do so as it cannot find the server.<\/p>\n\n\n\n
A simple fix is to register a domain name that you can use to point to your current IP address. Any change in IP address will then be reflected in the DNS record to make sure it always points to the correct and latest valid IP address. If you do not want to pay for such a service, I recommend using DuckDNS<\/a> to register a subdomain of You can automate the check and IP updates by using the script provided on the duckdns website (just follow the instructions on the duckdns website in the “install” tab when you’re logged in).<\/p>\n\n\n\n If you’re using Pi-Hole<\/a> as your home DNS server, follow the instructions from pi-hole’s website<\/a> to make it your OpenVPN DNS resolver. This will make all DNS requests pass through your Pi-Hole and clean-up your internet traffic, wherever you’re connected. Pretty neat!<\/p>\n\n\n\n The installation of OpenVPN gives you access to your home network but can potentially open a breach for attackers directly into your home. Be careful with what you do and make regular security checks.<\/p>\n\n\n\n Below are a few tools you can use to protect yourself against attacks and to monitor the successful and failed access to your VPN.<\/p>\n\n\n\n fail2ban is a python-based intrusion prevention software framework that protects computers from brute-force attacks. You can configure it to log and block every failed attempt to connect to OpenVPN. In order to do this, you need to create a new rule.<\/p>\n\n\n\n Create the new file and add the following lines inside it. This will allow fail2ban to scan your OpenVPN logs and recognize failed connection attempts:<\/p>\n\n\n\n then edit the fail2ban configuration file:<\/p>\n\n\n\n and edit it to contain these lines to filter for failed ssh connections and openvpn connections:<\/p>\n\n\n\n In the default section, you can choose how long you want to block potential attackers, how long fail2ban should keep track of failed attempts and how many retries a user gets. Beware that you might also unexpectedly block yourself out of your server.<\/p>\n\n\n\n Logwatch is a powerful and versatile log parser and analyzer designed to give a unified report of all activity on a server, which can be delivered through the command line or email. By default logwatch will read your openvpn log and report every failed and successful connection attempts.<\/p>\n\n\n\n You can install it directly from the command line using the package manager:<\/p>\n\n\n\n to run a logwatch job on a daily basis, create a file in your cron.daily repository:<\/p>\n\n\n\n and add the following content, customizing the level of details you wish and the location of the output file.<\/p>\n\n\n\n This will configure logwatch to generate an html file every morning containing a summary of your logs for the last 4 days and allow you to survey what is happening on your server.<\/p>\n\n\n\nduckdns.org<\/code>.<\/p>\n\n\n\nConfiguring Pi-Hole<\/h2>\n\n\n\n
Adding security<\/h2>\n\n\n\n
fail2ban<\/h2>\n\n\n\n
openvpn.local<\/code><\/p>\n\n\n\nvim \/etc\/fail2ban\/filter.d\/openvpn.local<\/code><\/pre>\n\n\n\n# Fail2Ban filter for selected OpenVPN rejections\n\n[Definition]\n\nfailregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*\n [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*\n [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*\n [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} WARNING: Bad encapsulated packet length from peer\n #[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} Connection reset, restarting \\[[0-9]{1,2}\\]\n\nignoreregex =\n\n<\/code><\/pre>\n\n\n\nvim \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n[DEFAULT]\n# Ban hosts for 1 hour after they perform 3 failed login attempts within 20 minutes\nbantime = 3600\nfindtime = 1200\nmaxretry = 3\n\n[sshd]\n# Enables the sshd jail\nenabled = true\n\n[openvpn]\n# Fail2Ban configuration fragment for OpenVPN\nenabled = true\nport = 655\nprotocol = tcp\nfilter = openvpn\nlogpath = \/var\/log\/syslog\n<\/code><\/pre>\n\n\n\nlogwatch<\/h2>\n\n\n\n
sudo apt-get install logwatch<\/code><\/pre>\n\n\n\nvim \/etc\/cron.daily\/00logwatch<\/code><\/pre>\n\n\n\n#!\/bin\/bash\n\n#execute\n\/usr\/sbin\/logwatch --detail high --format html --range \"since 4 days ago\" --filename <PATH_TO_YOUR_FAVORITE_LOCATION>\/logwatch_output.html<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/steambot.ch\/blog\/wp-content\/uploads\/2022\/04\/logwatch_fail2ban.jpg\")
![\"\"](\"https:\/\/steambot.ch\/blog\/wp-content\/uploads\/2022\/03\/logwatch_openvpn.jpg\")
Optional: Connecting to a second VPN<\/h2>\n\n\n\n