Wi-Fi range extender asking to be added as a device


(Fiskr) #1

Hello!

I have a TL-WA855RE wi-fi range extender. Recently, I have been getting lots of seemingly random requests to be added as a device on my syncthing network, across multiple computers.

Here is a screenshot of what that request looks like:

I looked up the IP address via my router admin interface, hence how I found out it was my wi-fi extender.

Any thoughts on how this is happening and what I should do about it? It freaks me out a little bit; I worry my wi-fi extender is somehow compromised.

Thanks for reading.


(Audrius Butkevicius) #2

Your wifi extender is just a gateway, essentially the devices behind the extender are behind another router, so you see the routers “external address”, yet there is probably one of your devices behind there.


(Fiskr) #3

Hello @AudriusButkevicius, I am having difficulty understanding why this would result in a request from the extender to be added as a device… Normally to add as a device, I have to manually request this from one computer to another by adding it in my device list.

Should I accept it as a device, then? I found other devices on my network are asking to be added, though I don’t know which device they are (I know it’s not the extender).


(Audrius Butkevicius) #4

Using IP addresses to recognize devices is the wrong approach. Devices might connect via relays, and there are various other things which would make it look like they are coming from unknown places. The right way to understand which device is which is by checking their device ID.


(Fiskr) #5

What worries me is that none of my devices running Syncthing have that device ID (the 7RHIEFB-...), and there are many different device IDs requesting access through different IPs. What could explain this?


(Audrius Butkevicius) #6

Depends on the definition of many, but perhaps people think that you are running a relay due to something being misconfigured? Or some port scans happening. No idea, you should look at the logs if things fail with hello message exchange.


(Simon) #7

Are you in the same network as other Syncthing users? Maybe STUN resolves to the same port for you and other devices somehow.


(Fiskr) #8

Depends on the definition of many …

“Many” here just means at least two different IPs and two different Device IDs. I haven’t kept track of how many, but I have seen at least two consistently show up.

… but perhaps people think that you are running a relay due to something being misconfigured? Or some port scans happening.

This terrifies me slightly. :slight_smile:

No idea, you should look at the logs if things fail with hello message exchange.

OK, I will check it out - thanks.


(Fiskr) #9

Are you in the same network as other Syncthing users?

Yes, on my home network there is at least one other user (and I have ~7 computers on different networks all sharing with each other - I am not sure what you mean by user here.)

Maybe STUN resolves to the same port for you and other devices somehow.

What is STUN, and how does it relate to ports overlapping?


(Simon) #10

The following is just guessing (hopefully educated guessing, but I am not sure about that): STUN is a method to get around NATs (over KCP/UDP). Syncthing contacts a server to get information about the port-mapping and then somehow tries to do a direct connection to a configured other Syncthing device. If two Syncthing instances A and B in the same network (i.e. same global IP address) get the same information from the STUN server, I could imagine a scenario where a third device trying to connect to A actually arrives at B. Again, that may not be the case; @AudriusButkevicius actually knows how these things work.


(Audrius Butkevicius) #11

That would only happen if the NAT happened to assign you the same port on the internet as someone else previously had on your network, and advertised to discovery servers.

Yet the same applies to UPnP: your router might map you a port that someone else has previously had and advertised to discovery servers.

This should be rare but not impossible.

Anyway, I suspect this is not the case, as devices don’t advertise their names (at least in that one screenshot), and the logs around the time when these devices connected would help understand this better.


(Fiskr) #12

Anyway, I suspect this is not the case, as devices don’t advertise their names (at least in that one screenshot)

Indeed, there is never a name associated with these (seemingly) random devices.

the logs around the time when these devices connected would help understand this better.

So, I ran syncthing -paths and got this:

Log file:
	/Users/$USER/Library/Application Support/Syncthing/syncthing.log

When I try to access that location, it says it doesn’t exist however, and in-fact a search of my whole system returns nothing:

find ~/ -name "*syncthing.log" -type f 2> /dev/null

and

find / -name "*syncthing.log" -type f 2> /dev/null

exit with no output.

However, I was running syncthing from a terminal window I still had open, so I went in search of anything related to this mystery device. The only line referencing the Device ID is:

[N4JA2] 15:42:28 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 192.168.1.4:22020 (kcp-server) rejected: unknown device

Here are the surrounding lines from the log:

[N4JA2] 15:40:51 INFO: Failed to exchange Hello messages with LR76FOF-GR3QF4G-OUZUNYY-LWE3QSP-7HDM7IK-JWWSKF7-AOBHKSG-352LBAK (192.168.1.2:22000): read tcp 192.168.1.11:52124->192.168.1.2:22000: i/o timeout
[N4JA2] 15:41:50 INFO: Connection to AJ2GQWR-KDDYVYC-IQ74TAY-LTDYMGP-CVV43EJ-ZDIYPD2-T6ZSPYI-N76JYA2 closed: writing message: write tcp 192.168.1.11:22000->192.168.1.13:59484: write: can't assign requested address
[N4JA2] 15:41:58 INFO: Connection to XVD4YVE-ZZCYN54-FVJYIRP-V4L7T27-HXOONLY-IDQNE4A-LFSNEMM-QEPC7QD closed: writing message: write tcp 192.168.1.11:52002->192.168.1.8:22000: write: can't assign requested address
[N4JA2] 15:42:28 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 192.168.1.4:22020 (kcp-server) rejected: unknown device
[N4JA2] 15:48:48 INFO: Couldn't fetch release information: Get https://upgrades.syncthing.net/meta.json: dial tcp: lookup upgrades.syncthing.net: no such host
[N4JA2] 15:48:50 INFO: Exiting backoff state.
[N4JA2] 15:48:50 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[N4JA2] 15:48:51 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[N4JA2] 15:48:51 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[N4JA2] 15:48:51 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[N4JA2] 15:48:51 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[N4JA2] 15:48:51 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.999965 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[N4JA2] 15:48:51 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[N4JA2] 15:48:51 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down

LR76FOF is a device running on the same network, but is using a VPN (so perhaps it’s connecting over the VPN?)

AJ2GQWR is a desktop wired into the same network the laptop you are reading the logs from is connected to (but over wifi.)

XVD4YVE is another desktop also wired into the same network. Note both desktops so far are connected through ethernet extenders that plug into wall sockets.

7RHIEFB is the mystery device asking to be added from the wi-fi extender’s IP address.


(Audrius Butkevicius) #13

So it looks like something is screwed on your network, as it feels like you get a new private IP halfway through the log, as if you were moving between wifi stations, and essentially routers are leaking some traffic intended for someone else to you by accident, because UDP is stateless.

The more interesting thing is that the traffic somehow manages to get past TLS handshake over kcp (which means it must be talking syncthing protocol) yet fails at the handshake.

I can’t explain this, and feels like you need to call a priest.

Perhaps @calmh has better insights given he knows about networks.

But yeah, don’t accept IDs you don’t recognize.


(Fiskr) #14

This sounds really bad… I do have two or three wifi options available, none of which are broadcasted. Is it possible this is happening because my laptop is selecting a better wifi connection? I am a developer, so I don’t really know much about networking. I think I have heard of UDP from Starcraft and Factorio (I think Factorio used it for a while as a way to manage multiplayer), but I really know little about it. Is it a sort of peer to peer protocol?

I can’t explain this, and feels like you need to call a priest.

Uh… that’s never a good thing to hear, and sounds like the start of a Call of Cthulhu campaign.

But yeah, don’t accept IDs you don’t recognize.

Good idea, but are there other ways I could sniff out a device if it’s coming from my network? For example, is there a way to get a MAC address from the Device ID or anything else that would help me?


(Audrius Butkevicius) #15

Well, wireshark/pcap, but given the IP address is that of the extender, my money is on the MAC address matching the extender’s too, as the extender is acting as if it were a NAT and rewriting addresses.

Perhaps you could track packets on the extender.
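The check Audrius is pointing at above can be done from the laptop without terminal access on the extender: capture the UDP/22020 frames with their link-layer addresses and compare each frame's source MAC against the ARP table. The following is an added example and not code from this thread or from Syncthing; the `tcpdump -e -n` and `arp -an` output it parses is constructed, and every MAC address in it is an invented placeholder. Under those assumptions it reports, for each source IP seen on the KCP port, which ARP entry owns the frame's source MAC, i.e. whether the packet arrived straight from that host or was handed over by another box such as the gateway.

```python
import re

# Constructed sample of `sudo tcpdump -e -n -i en0 udp` output (macOS/BSD
# and Linux print the same shape). MACs are invented placeholders.
SAMPLE_TCPDUMP = """\
15:42:28.101 3c:84:6a:aa:bb:01 > 8c:85:90:cc:dd:02, ethertype IPv4 (0x0800), length 98: 192.168.1.4.22020 > 192.168.1.13.22020: UDP, length 56
15:36:57.202 20:e5:2a:ee:ff:03 > 8c:85:90:cc:dd:02, ethertype IPv4 (0x0800), length 98: 24.214.169.244.22020 > 192.168.1.13.22020: UDP, length 56
15:36:58.303 20:e5:2a:ee:ff:03 > 8c:85:90:cc:dd:02, ethertype IPv4 (0x0800), length 66: 8.8.8.8.53 > 192.168.1.13.51000: UDP, length 24
"""

# Constructed sample of `arp -an` on the same laptop: .1 is the router, .4 is
# the address the router attributes to the extender.
SAMPLE_ARP = """\
? (192.168.1.1) at 20:e5:2a:ee:ff:03 on en0 ifscope [ethernet]
? (192.168.1.4) at 3c:84:6a:aa:bb:01 on en0 ifscope [ethernet]
? (192.168.1.12) at 00:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
"""

PKT_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}),.*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(arp_text):
    """Map IP -> MAC from `arp -an` output (works for the BSD and Linux formats)."""
    return {m["ip"]: m["mac"].lower() for m in ARP_RE.finditer(arp_text)}


def parse_udp_packets(tcpdump_text, port=22020):
    """Keep only UDP frames touching `port` (22020 is Syncthing's default KCP port)."""
    pkts = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if m and port in (int(m["sport"]), int(m["dport"])):
            pkts.append({"src": m["src"], "sport": int(m["sport"]),
                         "smac": m["smac"].lower(), "dst": m["dst"]})
    return pkts


def attribute_sources(pkts, arp):
    """Per source IP: the source MACs seen and the ARP entries owning them.
    `direct` is True when the IP's own ARP entry owns the MAC (frame came from
    that host, or from whatever it NATs); False means another device was the
    last hop, e.g. the gateway relaying a packet from a public address."""
    by_mac = {}
    for ip, mac in arp.items():
        by_mac.setdefault(mac, set()).add(ip)
    out = {}
    for p in pkts:
        entry = out.setdefault(p["src"], {"smacs": set(), "last_hop_ips": set(), "direct": False})
        entry["smacs"].add(p["smac"])
        entry["last_hop_ips"] |= by_mac.get(p["smac"], set())
    for ip, entry in out.items():
        entry["direct"] = ip in entry["last_hop_ips"]
    return out


def report(tcpdump_text=SAMPLE_TCPDUMP, arp_text=SAMPLE_ARP, port=22020):
    attrib = attribute_sources(parse_udp_packets(tcpdump_text, port), parse_arp(arp_text))
    for ip, e in sorted(attrib.items()):
        hop = "direct" if e["direct"] else f"via {sorted(e['last_hop_ips']) or 'unknown MAC'}"
        print(f"{ip}: src MAC {sorted(e['smacs'])} -> {hop}")
    return attrib


if __name__ == "__main__":
    report()
```

To use it on real data, run `sudo tcpdump -e -n -i <iface> udp port 22020` and `arp -an` on the machine that is receiving the requests and feed both outputs to `report()`. If the 192.168.1.4 frames carry the extender's MAC, the extender is indeed the last hop and only its own side can say what sits behind it; a different MAC would give you a second lead.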


(Fiskr) #16

How would I do this? And what packets should I look for?

If I can’t easily reproduce the mystery device asking to connect, it seems like chance whether it will happen (so should I monitor all packets somehow? Seems like a lot of logging…)

Like I said, I know little about networking - I know packets are basically data units getting sent around on a network, but how I could trace specific packets or watch them from the extender in particular is a bit unclear to me.

I downloaded wireshark, and I am able to see network traffic:

I am just not sure what I should be looking for, or what to do next.


(Audrius Butkevicius) #17

As I said, your extender acts as a gateway, if you don’t have terminal access on it, I don’t think you can do that. You can google around to try and find how to snoop your network, this is a forum for discussions about syncthing.


(Jakob Borg) #18

I have no idea either. There’s a whole bunch of strange things.

192.168.1.4:22020 is the default KCP port on 192.168.1.4. If 192.168.1.4 is not a Syncthing device, it’s really odd it would be speaking anything on that port. We don’t request port forwards or anything for the UDP stuff on port 22020 so it shouldn’t be “reflected” packets or stuff either.

We apparently complete a KCP handshake and then a TLS handshake on top to get the device ID in question. That’s quite odd if the other side isn’t Syncthing, as KCP is a fairly exotic protocol and especially to run TLS over.

Honestly the most likely explanation to me, who doesn’t know anything about you or your network, is that 192.168.1.4 is a Syncthing device that you’ve forgotten about and that it’s not actually your WiFi extender at all.
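Jakob's remark that the device ID only appears after the TLS handshake is why the ID, not the address, is the identity: a Syncthing device ID is a checksummed base32 encoding of the SHA-256 of the peer's certificate, so the only way to present `7RHIEFB-...` is to hold the matching private key. The following is an added example, not code from this thread or from the Syncthing project: it derives an ID from certificate bytes and validates the four Luhn check characters. The DER bytes it hashes are a constructed placeholder rather than a real certificate, and the left-to-right Luhn weighting is an assumption about Syncthing's implementation; the check characters of the mystery ID quoted in this thread verify under it.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet; Syncthing device IDs use only these 32 characters.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32_check_char(chunk):
    """Luhn mod-32 check character. Assumption: weights start at 1 and run
    left to right, as in Syncthing's luhn code (not the textbook right-to-left
    order, so a generic Luhn library would disagree)."""
    n = len(ALPHABET)
    factor, total = 1, 0
    for ch in chunk:
        addend = factor * ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return ALPHABET[(n - total % n) % n]


def cert_sha256_hex(cert_der):
    """The hash the device ID encodes: SHA-256 over the raw DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def device_id_from_cert_der(cert_der):
    """SHA-256 of the DER -> base32 (52 chars, '=' padding dropped)
    -> one check char after every 13 chars (56) -> dashes every 7 (8 groups)."""
    b32 = base64.b32encode(hashlib.sha256(cert_der).digest()).decode("ascii").rstrip("=")
    assert len(b32) == 52
    with_checks = "".join(b32[i:i + 13] + luhn32_check_char(b32[i:i + 13])
                          for i in range(0, 52, 13))
    return "-".join(with_checks[i:i + 7] for i in range(0, 56, 7))


def validate_device_id(text):
    """True if the ID is well formed and all four check characters verify.
    This says nothing about who holds the certificate; it only shows the
    string was produced from some certificate hash rather than mistyped."""
    s = text.strip().upper().replace("-", "").replace(" ", "")
    if len(s) != 56 or any(ch not in ALPHABET for ch in s):
        return False
    return all(luhn32_check_char(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))


def raw_hash_hex(device_id):
    """Recover the certificate SHA-256 (hex) from a valid ID: drop the four
    check characters and re-pad the 52 base32 characters before decoding."""
    s = device_id.replace("-", "").upper()
    b32 = "".join(s[i:i + 13] for i in range(0, 56, 14))
    return base64.b32decode(b32 + "====").hex()


if __name__ == "__main__":
    mystery = "7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7"
    print(mystery, "well-formed:", validate_device_id(mystery))
    print("cert sha256:", raw_hash_hex(mystery))
```

The hash recovered by `raw_hash_hex` is the same value Syncthing shows as the peer's certificate fingerprint, which is the one thing worth comparing across machines: if the unknown ID shows up on several of your computers with the same hash, it is one certificate (one Syncthing instance) knocking, not several.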


(Fiskr) #19

Honestly the most likely explanation to me, who doesn’t know anything about you or your network, is that 192.168.1.4 is a Syncthing device that you’ve forgotten about and that it’s not actually your WiFi extender at all.

That would be the simplest answer, but I’m afraid it is falsified by the router, which shows 192.168.1.4 is my wifi extender:

Additionally, I am seeing the mystery device request from a new IP address (note, this happened right after hard resetting the wifi extender and setting it back up - I think there is some correlation between the extender and the mystery device):

I wonder what 24.214.169.244:22020 is… It’s not a local 192.168.1.X IP, so I’m not familiar with it. It seems to be my Netgear router.

Here are the log messages:

[N4JA2] 15:36:02 INFO: Device XVD4YVE-ZZCYN54-FVJYIRP-V4L7T27-HXOONLY-IDQNE4A-LFSNEMM-QEPC7QD client is "syncthing v0.14.41" named "ligand"
[N4JA2] 15:36:28 INFO: Established secure connection to AJ2GQWR-KDDYVYC-IQ74TAY-LTDYMGP-CVV43EJ-ZDIYPD2-T6ZSPYI-N76JYA2 at 192.168.1.13:22000-192.168.1.12:43298 (tcp-server) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[N4JA2] 15:36:28 INFO: Device AJ2GQWR-KDDYVYC-IQ74TAY-LTDYMGP-CVV43EJ-ZDIYPD2-T6ZSPYI-N76JYA2 client is "syncthing v0.14.41" named "Tree"
[N4JA2] 15:36:57 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:37:39 INFO: Exiting backoff state.
[N4JA2] 15:37:39 INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[N4JA2] 15:37:42 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:37:56 INFO: Joined relay relay://107.161.30.17:8080
[N4JA2] 15:38:07 INFO: Established secure connection to TLPXPQX-HAMDA4N-V4TXT2E-BDHS4RV-2VBA4H2-LUCLI5Q-LBGGUHL-TM7RCAN at 192.168.1.13:22000-204.78.58.42:54655 (tcp-server) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[N4JA2] 15:38:07 INFO: Replacing old connection 192.168.1.13:60431-209.212.146.36:22067/relay-client with 192.168.1.13:22000-204.78.58.42:54655/tcp-server for TLPXPQX-HAMDA4N-V4TXT2E-BDHS4RV-2VBA4H2-LUCLI5Q-LBGGUHL-TM7RCAN
[N4JA2] 15:38:07 INFO: Connection to TLPXPQX-HAMDA4N-V4TXT2E-BDHS4RV-2VBA4H2-LUCLI5Q-LBGGUHL-TM7RCAN closed: reading length: read tcp 192.168.1.13:60431->209.212.146.36:22067: use of closed network connection
[N4JA2] 15:38:07 INFO: Device TLPXPQX-HAMDA4N-V4TXT2E-BDHS4RV-2VBA4H2-LUCLI5Q-LBGGUHL-TM7RCAN client is "syncthing v0.14.41" named "neuron (Scripps Desktop)"
[N4JA2] 15:38:07 INFO: Would have removed EQ7ZENR-KX75QU6-BJ7YD2I-3BGM45X-SIYP7PV-LY65THA-MDCL377-FZYOTAU as TLPXPQX-HAMDA4N-V4TXT2E-BDHS4RV-2VBA4H2-LUCLI5Q-LBGGUHL-TM7RCAN no longer shares any folders, yet there are other folders that are shared with this device that haven't been introduced by this introducer.
[N4JA2] 15:38:16 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:38:40 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:39:17 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:39:41 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:40:15 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:40:46 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:41:20 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:41:43 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:42:08 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:42:43 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:43:07 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:43:41 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:44:05 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device

Any thoughts?

As a post-script, I do spot 24.214.169.244:22020 on wireshark as a UDP connection, though I don’t know what to do with that information:

Note that 192.168.1.13 is the laptop I am getting the device requests from in these examples, though other computers have received the requests before, so it’s not unique to this laptop.
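Reading the two log excerpts the way Audrius suggests earlier in the thread, keyed on the device ID rather than on the address, is easy to script. The following is an added example and not code from this thread or from Syncthing: it parses the `rejected: unknown device` lines, groups them by device ID, and records every host, port and transport each ID was seen from, then splits the IDs into ones already in your device list (a rejection there means the two sides disagree about the configuration) and ones you have never added. The log lines are copied from the excerpts above; the `KNOWN_IDS` set is an assumption standing in for the poster's actual device list.

```python
import re

# Log lines copied from the two excerpts quoted in this thread (Syncthing
# v0.14.41 format); the 7RHIEFB ID is the unknown one under discussion.
SAMPLE_LOG = """\
[N4JA2] 15:40:51 INFO: Failed to exchange Hello messages with LR76FOF-GR3QF4G-OUZUNYY-LWE3QSP-7HDM7IK-JWWSKF7-AOBHKSG-352LBAK (192.168.1.2:22000): read tcp 192.168.1.11:52124->192.168.1.2:22000: i/o timeout
[N4JA2] 15:42:28 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 192.168.1.4:22020 (kcp-server) rejected: unknown device
[N4JA2] 15:36:28 INFO: Established secure connection to AJ2GQWR-KDDYVYC-IQ74TAY-LTDYMGP-CVV43EJ-ZDIYPD2-T6ZSPYI-N76JYA2 at 192.168.1.13:22000-192.168.1.12:43298 (tcp-server) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[N4JA2] 15:36:57 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
[N4JA2] 15:37:42 INFO: Connection from 7RHIEFB-6XVEVP3-T6JDQWZ-3TVFNTE-PTXKVOU-EHJJ63Y-7JXTVM5-QKBLAQ7 at 24.214.169.244:22020 (kcp-client) rejected: unknown device
"""

# Assumption: the poster's configured device list (only the full IDs that
# appear in the excerpts are known to us).
KNOWN_IDS = {
    "LR76FOF-GR3QF4G-OUZUNYY-LWE3QSP-7HDM7IK-JWWSKF7-AOBHKSG-352LBAK",
    "AJ2GQWR-KDDYVYC-IQ74TAY-LTDYMGP-CVV43EJ-ZDIYPD2-T6ZSPYI-N76JYA2",
    "XVD4YVE-ZZCYN54-FVJYIRP-V4L7T27-HXOONLY-IDQNE4A-LFSNEMM-QEPC7QD",
}

DEVICE_ID = r"[A-Z2-7]{7}(?:-[A-Z2-7]{7}){7}"
REJECT_RE = re.compile(
    r"\[(?P<inst>\w+)\] (?P<time>\d\d:\d\d:\d\d) INFO: Connection from "
    + r"(?P<dev>" + DEVICE_ID + r") at (?P<addr>\S+) \((?P<proto>[\w-]+)\) "
    + r"rejected: unknown device"
)


def parse_rejections(log_text):
    """One dict per 'rejected: unknown device' line; everything else is ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue
        host, _, port = m["addr"].rpartition(":")
        events.append({"time": m["time"], "device_id": m["dev"], "host": host,
                       "port": int(port), "proto": m["proto"]})
    return events


def summarize_by_device(events):
    """Group on the device ID (the certificate identity), never on the address."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["device_id"],
                               {"count": 0, "hosts": set(), "ports": set(), "protos": set()})
        s["count"] += 1
        s["hosts"].add(e["host"])
        s["ports"].add(e["port"])
        s["protos"].add(e["proto"])
    return summary


def classify(summary, known_ids):
    """Known IDs being rejected point at a config mismatch on one side;
    unknown IDs are simply devices you never added and should not add blindly."""
    known = {d: s for d, s in summary.items() if d in known_ids}
    unknown = {d: s for d, s in summary.items() if d not in known_ids}
    return known, unknown


def report(log_text=SAMPLE_LOG, known_ids=KNOWN_IDS):
    known, unknown = classify(summarize_by_device(parse_rejections(log_text)), known_ids)
    for label, group in (("known-but-rejected", known), ("unknown", unknown)):
        for dev, s in sorted(group.items()):
            print(f"{label}: {dev[:7]}... x{s['count']} from {sorted(s['hosts'])} "
                  f"ports {sorted(s['ports'])} via {sorted(s['protos'])}")
    return known, unknown


if __name__ == "__main__":
    report()
```

Run it over the real `syncthing.log` (or the terminal output) and the `KNOWN_IDS` set pasted from the Syncthing device list. On the excerpts above it shows one unknown ID, seen from two different addresses (the extender's LAN address and a public one) but always from port 22020 over KCP, which is exactly the pattern the thread is puzzling over: one certificate, several apparent sources.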


(Audrius Butkevicius) #20

Is that one of your external addresses?