Channel: Active questions tagged openvpn - Unix & Linux Stack Exchange

SSH behind VPN - How to protect VPN?


I am quite aware of SSH brute-force attacks. I set up everything I can: fail2ban, no root login, only public authentication on WAN. However, I am still spammed in my logs and fail2ban has an increasing number of IPs, which consumes my CPU, RAM and bandwidth. While this is still not a big issue, I have chosen to use the last resort: shut down SSH on WAN and only allow it on LAN. For this, I have implemented OpenVPN, which only serves to give access to the LAN so we can still access the device from anywhere.

Of course, as the firewall is dropping external packets, I have no more SSH brute force and I haven't found any attack on my VPN, but I am wondering: how can I protect my VPN? Is it necessary? And how do I do it? I have tls-crypt enabled. The OpenVPN manual says about tls-auth and tls-crypt:

Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.

Is this enough, or should I use something else? This is my configuration (using only certificates I create from my own CA):

port 3084
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "redirect-gateway def1 bypass-dhcp"
#route-nopull
push "route 192.168.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
#crl-verify crl.pem
ca fullchain.crt
cert cert-server.pem
key server-key.pem
auth SHA256
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
#tls-cipher TLS_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
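A defender-side check for the configuration posted above, written as an added example (not part of the question and not OpenVPN's own code): it parses the server config into directives and flags the control-channel hardening points the question raises, including the commented-out crl-verify line. The embedded config is an abbreviated copy of the one above.

```python
"""Lint an OpenVPN server config for the control-channel hardening points the
question asks about. Added example; not part of the original post."""

# Constructed sample input: an abbreviated copy of the author's server config.
SAMPLE_CONFIG = """\
port 3084
user nobody
group nogroup
tls-crypt tls-crypt.key
#crl-verify crl.pem
ca fullchain.crt
tls-server
tls-version-min 1.2
"""


def parse_config(text):
    """Split into active and commented-out {directive: args} dictionaries."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        bucket = active
        if line.startswith(("#", ";")):       # commented-out directive
            bucket, line = commented, line.lstrip("#; ")
        if line:
            name, _, args = line.partition(" ")
            bucket[name] = args.strip()
    return active, commented


def audit(text):
    """Return hardening findings for a server config; [] means none flagged."""
    active, commented = parse_config(text)
    findings = []
    # tls-crypt/tls-auth drop control packets with a bad HMAC before the TLS
    # stack ever sees them (the "HMAC firewall" quoted from the manual).
    if not any(d in active for d in ("tls-crypt", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: unauthenticated packets reach the TLS stack")
    # Without an active crl-verify a revoked client certificate still connects.
    if "crl-verify" not in active:
        where = " (present but commented out)" if "crl-verify" in commented else ""
        findings.append("crl-verify missing%s: revoked client certs still accepted" % where)
    # Pin the minimum TLS version instead of relying on the build default.
    ver = active.get("tls-version-min", "").split()
    if not ver or tuple(int(x) for x in ver[0].split(".")) < (1, 2):
        findings.append("tls-version-min not pinned to 1.2 or higher")
    # user/group drop root after initialisation; without them the daemon keeps it.
    if "user" not in active or "group" not in active:
        findings.append("user/group not set: daemon keeps root privileges")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the posted config reports only the commented-out crl-verify; uncommenting that line clears the list.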
