How to create a regular expression for an openvpn fail2ban filter

Question

Some people are trying to get into my openvpn server. For now I'm manually banning each IPs because I don't know how to setup a fail2ban regex. The content below is basically what is found in my /var/log/syslog

Jun 18 19:57:01 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]196.52.43.65:6666
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 Connection reset, restarting [0]
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]23.239.65.138:61397
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 Connection reset, restarting [0]
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 SIGUSR1[soft,connection-reset] received, client-instance restarting

I attempted to create a filter by following the official fail2ban guide for openvpn but I think it's outdated and doesn't parse properly after I run some tests. The guides told me to do what's below:

#Fail2Ban filter for selected OpenVPN rejections 

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ Fatal TLS Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
            ^ <HOST>:\d+ Bad encapsulated packet length

ignoreregex =

This is in my jail.local file:

[openvpndeny]

enabled  = true
port     = 443
protocol = tcp
filter   = openvpndeny
logpath  =  /var/log/syslog
maxretry = 3

Unfortunately, after running fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/openvpndeny.conf I get the output below

Running tests
=============

Use   failregex filter file : openvpndeny, basedir: /etc/fail2ban
Use         log file : /var/log/syslog
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4608] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 4608 lines, 0 ignored, 0 matched, 4608 missed
[processed in 3.78 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 4608 lines

[edit] I started to learn how to use regular expressions today because I already asked in stackoverflow and no one really could help. I'm not sure about how fail2ban defines <HOST> to get the IPs. I tried to get the IPs my own way by doing one filter like this:

(\d+\.\d+\.\d+\.\d+:\d+ Connection reset, restarting) it works in https://regex101.com/ but not fail2ban.

Answer 1

I was able to create a filter like this for fail2ban after learning more about regex

[Definition]

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)
ignoreregex =