I installed fail2ban to watch over an openvpn service on a system that uses systemd (and hence journald), as well as firewalld. These are the changes I had to make. Most of it is derived from this wiki entry.
The filter /etc/fail2ban/filter.d/openvpn.local unchanged from the wiki:
# Fail2Ban filter for selected OpenVPN rejections
#
#
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
^ <HOST>:\d+ TLS Auth Error
^ <HOST>:\d+ TLS Error: TLS handshake failed$
^ <HOST>:\d+ VERIFY ERROR
^ <HOST>:\d+ Connection reset, restarting
ignoreregex =
The jail file /etc/fail2ban/jail.d/openvpn.local enables the jail for openvpn and the wiki missed out the .local extension without which it will not be registered:
# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
journalmatch = _SYSTEMD_UNIT=openvpn@yourhost.service
backend = systemd
logpath = /var/log/fail2ban.log
maxretry = 3
The important line is the backend = systemd. The journalmatch makes scanning the journal more efficient. Usually the openvpn service has @hostname appended as there could be more than one instance. You could also log it to the system journal but here I use a separate log file.
And finally you need to link this jail to firewalld in /etc/fail2ban/jail.local:
# Do all your modifications to the jail's configuration in jail.local!This calls firewall-cmd to use an ipset to ban the hosts.
[DEFAULT]
banaction = firewallcmd-ipset
