Why are Cloudflare probing OpenVPN?

Since last Monday, my OpenVPN server has seen probes go up from <1/day to >100/day which I’ve never seen before. Yesterday two of the probes came from 162.159.44.127 (thaddeus.ns.cloudflare.com) and 172.64.34.167 (margot.ns.cloudflare.com) which I find very hard to understand. Why would Cloudflare be probing, and if they are, why use the NS servers? Or have the servers been compromised like it looks like many of the other servers probing have been?

Those IPs are in Cloudflare’s range. It means that someone is using Cloudflare to probe your server and not Cloudflare itself. As it is an OpenVPN server, you can firewall off Cloudflare from connecting to that port.

But specifically, those IPs are two of Cloudflare’s NS servers?

I would normally associate those IP addresses with inbound traffic to Cloudflare’s servers, and not outbound.

What exactly are your logs showing?

These are likely forged UDP packets.


From /var/log/openvpn:

[[email protected] ~]# egrep '(162.159.44.127|172.64.34.167)' /var/log/openvpn
Sun Oct  9 15:02:07 2022 162.159.44.127:53 TLS: Initial packet from [AF_INET]162.159.44.127:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:02:29 2022 172.64.34.167:53 TLS: Initial packet from [AF_INET]172.64.34.167:53 (via [AF_INET]6m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:03:07 2022 162.159.44.127:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:03:07 2022 162.159.44.127:53 TLS Error: TLS handshake failed
Sun Oct  9 15:03:07 2022 162.159.44.127:53 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Oct  9 15:03:10 2022 162.159.44.127:53 TLS: Initial packet from [AF_INET]162.159.44.127:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:03:29 2022 172.64.34.167:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:03:29 2022 172.64.34.167:53 TLS Error: TLS handshake failed
Sun Oct  9 15:03:29 2022 172.64.34.167:53 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Oct  9 15:03:32 2022 172.64.34.167:53 TLS: Initial packet from [AF_INET]172.64.34.167:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:04:10 2022 162.159.44.127:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:04:10 2022 162.159.44.127:53 TLS Error: TLS handshake failed
Sun Oct  9 15:04:10 2022 162.159.44.127:53 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Oct  9 15:04:13 2022 162.159.44.127:53 TLS: Initial packet from [AF_INET]162.159.44.127:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:04:32 2022 172.64.34.167:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:04:32 2022 172.64.34.167:53 TLS Error: TLS handshake failed
Sun Oct  9 15:04:32 2022 172.64.34.167:53 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Oct  9 15:04:35 2022 172.64.34.167:53 TLS: Initial packet from [AF_INET]172.64.34.167:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:05:13 2022 162.159.44.127:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:05:13 2022 162.159.44.127:53 TLS Error: TLS handshake failed
Sun Oct  9 15:05:13 2022 162.159.44.127:53 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Oct  9 15:05:35 2022 172.64.34.167:53 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct  9 15:05:35 2022 172.64.34.167:53 TLS Error: TLS handshake failed
Sun Oct  9 15:05:35 2022 172.64.34.167:53 SIGUSR1[soft,tls-error] received, client-instance restarting

That sure looks like spoofed requests. None of them complete.

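An added example (not from the thread) that applies the checks the replies make by eye to log lines in this format: a source port of 53 is a service port rather than a client's ephemeral port, the handshakes start but never complete, and both "sources" carry the identical sid, which the sender chooses. The 198.51.100.7 control client and its "Peer Connection Initiated" line are constructed here, not taken from the poster's log.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format (m.y.i.p is the poster's
# redaction); 198.51.100.7 is an added legitimate client as a control case.
SAMPLE_LOG = """\
Sun Oct  9 15:02:07 2022 162.159.44.127:53 TLS: Initial packet from [AF_INET]162.159.44.127:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:02:29 2022 172.64.34.167:53 TLS: Initial packet from [AF_INET]172.64.34.167:53 (via [AF_INET]m.y.i.p%enp1s0f0), sid=6a22eb44 5adb63fe
Sun Oct  9 15:02:40 2022 198.51.100.7:41022 TLS: Initial packet from [AF_INET]198.51.100.7:41022 (via [AF_INET]m.y.i.p%enp1s0f0), sid=1f00aa21 9c4d0e77
Sun Oct  9 15:02:41 2022 198.51.100.7:41022 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Sun Oct  9 15:03:07 2022 162.159.44.127:53 TLS Error: TLS handshake failed
Sun Oct  9 15:03:29 2022 172.64.34.167:53 TLS Error: TLS handshake failed
"""
LINE_RE = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} "
                     r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$")
SID_RE = re.compile(r"sid=([0-9a-f]{8} [0-9a-f]{8})")

def parse(log_text):
    """Group lines by source ip:port and count handshake outcomes."""
    peers = defaultdict(lambda: {"initial": 0, "failed": 0, "completed": 0, "sids": set()})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        p, msg = peers[f"{m['ip']}:{m['port']}"], m["msg"]
        if "TLS: Initial packet" in msg:
            p["initial"] += 1
            p["sids"].update(SID_RE.findall(msg))
        elif "TLS handshake failed" in msg:
            p["failed"] += 1
        elif "Peer Connection Initiated" in msg:
            p["completed"] += 1
    return peers

def assess(peers):
    """Return {source: [reasons]} for sources whose packets look spoofed."""
    # The sid is chosen by the sender: one sid from several "clients" = one sender.
    sid_sources = defaultdict(set)
    for src, p in peers.items():
        for sid in p["sids"]:
            sid_sources[sid].add(src)
    findings = {}
    for src, p in peers.items():
        port, reasons = int(src.rsplit(":", 1)[1]), []
        if port < 1024:  # real clients use ephemeral source ports, not 53/DNS
            reasons.append(f"source port {port} is a service port")
        if p["initial"] and p["failed"] and not p["completed"]:
            reasons.append(f"{p['initial']} handshake(s) started, none completed")
        reasons += [f"session id {s} also seen from {sorted(sid_sources[s].difference([src]))}"
                    for s in sorted(p["sids"]) if len(sid_sources[s]) > 1]
        if reasons:
            findings[src] = reasons
    return findings
```

Auto-banning such sources, as fail2ban would, blocks the impersonated addresses (here Cloudflare's name servers) rather than the real sender, so spoofed UDP is better treated as noise than as a ban list.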

That is what they all look like. Sometimes single requests, sometimes multiple requests in a very short time. I (or really fail2ban) ban them all immediately. They will all fail anyway unless my credentials have seriously leaked. These are all failing because they don’t have valid certificates.

But again, why these two from Cloudflare NS servers?

Because they’re not. Someone just picked two convenient IP addresses to spoof.
