Hi guys

Just wanted to check how everything is running now.

After almost three weeks after escalating with TP-Link which fixed the issue - the problem reappeared on the same controllers (routers) - synced by the minute (I am actively monitoring UDP 1194 availability - remotely)

The controllers are on two different networks, different providers, different cities - basically impossible to believe that they're both being attacked in the same minute every ~24 hours.

How are yours working now?

Thank you!

  @laurentiu907 Here everything is running stable since moving the service to an alternate port.

Yes, for two days now it started breaking again with that swiss watch precision and syncronicity.

I will open another support ticket with TP-LINK - but wanted to make sure I'm not imagining things.

So any other confirmations would be great. 

P.S. Firewall is set to max protection. This is not related to DDoS but to router firmware versioning which matches on all devices glitching.

  @laurentiu907  The OpenVPN server on mine breaks about every other week.  I have a backup cellular hotspot that I've connected (ironically) a tplink smart plug that I can cycle power to the ER605 and get it all working again.  

  @laurentiu907 Digging into my log I see a flood of these "maxium number of connections" and then TLS failures.  I only have one person trying to connect right now to OpenVPN so not sure if this is an attack or what's causing it.  But, it brings OpenVPN down.  

  @laurentiu907 I have the same problem, every 24 hours the clients breakdown or cant connect. I have to turn off/on the service or restart the ER605. 

And I have a Daily Reboot Schedule at 6:00 already but it doesnt solve anything. I still have to reboot when the problem occurs...

The weird is, this was working fine from the beginning and for a few months and this started recently out of the blue.

  @Whitefury I think it's an bot hacking attempt.  Mine was working as well but then started to get worse.  I'm pretty sure this is why another user changed the default OpenVPN service port and it became more stable but I would imagine that would be a temporary fix.  However, other internet facing OpenVPN servers (not on the ER605) are constantly dealing with this so not sure why the ER605 built-in server crumbles so easily.  This is just a hunch on my part as to what's happening here.  One thing to try is an ACL under the Firewall setting to block IP's on GEO location, you can specifiy to block per service port and single out OpenVPN, only.  I'm in the US and I was going to try to block all other countries, only based on the assumption this originating from outside the US.  Sure wish the LOGS were better so I would not have to guess. 

Guys, it's impossible that this "attack" is happening all over the world at the same time since mutliple controllers I manage are affected - while other versions aren't..

Even if I don't know you I can ABSOLUTELY presume that the version of your ER605 router is this one: ER605 v2.20 - firmware 2.2.6 Build 20240718 Rel.82712 - since you are also affected.

Let me know if I'm correct. Because from the 10-12 controllers that I manage only these router versions are the ones crashing.

Now... I have this information in the Global View Firmware tab... like there would be an update for the main router: 

But accessing the controller doesn't inform you of this update just as if it wouldn't be compatible or smth. So I'm wondering.. Should I update? I don't want to brick them since these are critical for the clients and I don't want to run live tests.

So if you would be so kind to work with me on this one, I'm pretty sure that we can identify the affected lot. And yes, even running syslog server - the retained logs are virtually empty when looking into OpenVPN logs.

  @laurentiu907 That's a good point.  Well, so much for my theory.  I've updated my three to the latest 2.3.0 build 20250428 rel.18967 in hopes it would fix something but it did not.  I don't think updating would help you.  I also run a syslog server to watch my units, the logs are not very useful.  

As far as the log, do you see "OpenVPN TLS key negotiation timeout" and "OpenVPN TLS handshake failed" errors?  Do you also see "OpenVPN server has reached it's maximum number of connections" in the log?

I have my time/date all set correctly as far as basics on the TLS error.  I have no users reporting they cannot connect when I get the specific TLS errors, I have those errors when none of my users are connecting.  This is why I thought it was bot attack related.