2 facts about Yealink firmware regarding OpenVPN

a) SHA256 is supported from FW 80 and later
b) FW 83 is using OpenVPN 2.4.2, FW 86 is using 2.4.9

Hope that helps.

Sent from a mobile device.

Michael Keuter

> On 08.08.2025 at 15:28, Lonnie Abelbeck <[email protected]> wrote:
> 
> Hi Michael,
> 
> Agreed, for public OpenVPN exposure, either TLS-Auth or strict firewall rules 
> are best practice.
> 
> We have stuck with OpenVPN 2.4 to be backward compatible to older IP Phone 
> OpenVPN implementations.  One of the few places OpenVPN is used over 
> WireGuard.
> 
> I am not sure if Yealink always supported the TLS-Auth feature, you might 
> double-check your oldest Yealink firmware to make sure TLS-Auth is supported 
> across the board.
> 
> Possibly using a low-end (inexpensive) GL.iNet box with WireGuard would be an 
> alternative to the OpenVPN solution via Yealink.
> 
> Lonnie
> 
> 
> 
>> On Aug 8, 2025, at 12:11 AM, Michael Knill 
>> <[email protected]> wrote:
>> 
>> PS TLS Auth did solve the problem but having to redo all the OpenVPN certs 
>> is a daunting task.
>> 
>> Regards
>> Michael Knill
>> 
>> From: Michael Knill <[email protected]>
>> Date: Friday, 8 August 2025 at 2:41 pm
>> To: AstLinux Users Mailing List <[email protected]>
>> Subject: Re: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event
>> 
>> PS TLS Auth is easy to do but I would need to reissue all the certificates 
>> to the OpenVPN peers (mainly Yealink phones).
>> We are testing it now but it would only be for new systems. If it works and 
>> we don’t have another option, we may need to suck it up and change them all. 
>>  
>> 
>> Regards
>> Michael Knill
>> 
>> From: Michael Knill <[email protected]>
>> Date: Friday, 8 August 2025 at 1:41 pm
>> To: AstLinux List <[email protected]>
>> Subject: [Astlinux-users] OpenVPN TLS Resource Exhaustion Event
>> 
>> Hi All
>> 
>> We run pretty low memory on our hosted Astlinux systems with about 100M 
>> available and today we experienced an OpenVPN attack on a number of our 
>> systems.
>> The attack consisted of around 1000 attempted logins between the period of 
>> 9:26:43 to 9:29:31. This number of failed TLS attempts caused many of our 
>> systems to run out of memory which became quite messy.
>> 
>> After doing some research, it appears the issue is:
>>    • OpenVPN 2.4.12 has inherent memory management limitations with failed 
>> TLS connections.
>>    • While CVE-2017-7521 was patched, the 2.4.x architecture still leaks 
>> memory during TLS exhaustion attacks.
>>    • Each failed handshake leaves behind unfreed memory (~4-8KB), 
>> accumulating over thousands of attempts.
>> 
>> To fix this problem we need to upgrade to OpenVPN 2.5.x or 2.6.x and add the 
>> tls-auth directive however as this is not easy to do, what are my other 
>> options.
>> Can I enable adaptive ban for OpenVPN? Implement rate limiting in iptables?
>> 
>> Thanks all.
>> 
>> Regards
>> Michael Knill
>> Managing Director
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: [email protected]
>> W: ipcsolutions.com.au
>> Smarter Business Communications
>> 
>> _______________________________________________
>> Astlinux-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>> 
>> Donations to support AstLinux are graciously accepted via PayPal to 
>> [email protected].
> 

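The original post asks whether an adaptive ban or iptables rate limiting could stand in for upgrading OpenVPN and rolling out tls-auth. The script below is an added example (it is not AstLinux code and is not its built-in adaptive ban feature) of the log-scanning side of that idea: it reads OpenVPN syslog lines, counts TLS handshake failures per source address in a sliding window, and emits an iptables DROP rule for any source that crosses a threshold. The log lines, the threshold of 5 failures in 60 seconds, the hostname `pbx`, the addresses, the log year and the UDP port 1194 are all constructed assumptions; nothing is executed against the firewall.

```python
"""Detect bursts of failed OpenVPN TLS handshakes per source address.

Added example (not AstLinux code): an adaptive-ban style scan over OpenVPN
syslog lines. Threshold, window, port, year and the sample lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog layout an OpenVPN 2.4 daemon writes.
# 203.0.113.5 hammers the server with failed handshakes; 198.51.100.7 is a
# phone that fails once (a transient network hiccup) and then connects.
SAMPLE_LOG = """\
Aug  8 09:26:43 pbx openvpn[612]: 203.0.113.5:40001 TLS Error: TLS handshake failed
Aug  8 09:26:44 pbx openvpn[612]: 198.51.100.7:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug  8 09:26:44 pbx openvpn[612]: 203.0.113.5:40002 TLS Error: TLS handshake failed
Aug  8 09:26:45 pbx openvpn[612]: 203.0.113.5:40003 TLS Error: TLS handshake failed
Aug  8 09:26:46 pbx openvpn[612]: 198.51.100.7:1194 [phone-0123] Peer Connection Initiated with [AF_INET]198.51.100.7:1194
Aug  8 09:26:46 pbx openvpn[612]: 203.0.113.5:40004 TLS Error: TLS handshake failed
Aug  8 09:26:47 pbx openvpn[612]: 203.0.113.5:40005 TLS Error: TLS handshake failed
Aug  8 09:26:48 pbx openvpn[612]: 203.0.113.5:40006 TLS Error: TLS handshake failed
"""

# syslog stamp, host, "openvpn[pid]:", then OpenVPN's own "ip:port message" body
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)
# Message prefixes that mean the TLS or HMAC stage failed for this peer.
FAILURE_PREFIXES = ("TLS Error:", "Authenticate/Decrypt packet error:", "VERIFY ERROR:")
LOG_YEAR = 2025  # syslog stamps omit the year; assumed for the sample lines


def parse_failures(text):
    """Yield (timestamp, source_ip) for each handshake-failure line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("msg").startswith(FAILURE_PREFIXES):
            continue
        stamp = " ".join(m.group("stamp").split())  # collapse "Aug  8" padding
        ts = datetime.strptime(f"{stamp} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        yield ts, m.group("ip")


def find_offenders(text, threshold=5, window_seconds=60):
    """Return {ip: time the threshold was first crossed}.

    A per-source deque holds failure timestamps inside the sliding window;
    once `threshold` failures fall inside it the source is recorded and
    further lines from it are ignored.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def ban_rules(banned, port=1194):
    """Build iptables DROP rules for each offender (strings only; nothing runs)."""
    return [
        f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
        for ip in sorted(banned)
    ]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip}: threshold crossed at {when:%H:%M:%S}")
    print("\n".join(ban_rules(hits)))
```

The phone that failed once and then connected never reaches the threshold, which is the property a ban list in front of a fleet of IP phones has to preserve. A ban of this kind only stops a source after it has already burned handshakes; a stateless per-source rate limit on new UDP/1194 packets (iptables `hashlimit`) bounds the damage before the log fills, and tls-auth makes the server discard packets without the HMAC key before any TLS state is allocated.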
