cboettcher

Martian packets after openvpn connection


Background:

I connect to AirVPN servers via an openvpn client (v2.4.4) from the command line (though this also happens when I use the AirVPN hummingbird client) from behind a router running OpenWRT.

Lately, I've been seeing the following in my syslog:
Aug  8 17:16:28 Deluxe kernel: [12972.603549] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
Aug  8 17:16:28 Deluxe kernel: [12972.603572] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00        ....dK...Hy2..
Aug  8 17:16:28 Deluxe kernel: [12972.910801] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
Aug  8 17:16:28 Deluxe kernel: [12972.910822] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00        ....dK...Hy2..
Aug  8 17:16:28 Deluxe kernel: [12973.230932] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
Aug  8 17:16:28 Deluxe kernel: [12973.230953] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00        ....dK...Hy2..

The first MAC address in the `ll header` line is my NIC, the second is an ethernet interface on the router.

My route table looks like this before connecting:
[2020-08-08 ☱ 18:35 ☴  .ovpn]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1


And it looks like this shortly after connecting:
[2020-08-08 ☱ 18:35 ☴  iptables]$ route -n                                                
Kernel IP routing table                                                                   
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface             
0.0.0.0         10.28.169.1     128.0.0.0       UG    0      0        0 tun0              
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1              
10.28.169.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0              
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0            
128.0.0.0       10.28.169.1     128.0.0.0       UG    0      0        0 tun0              
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1              
184.75.221.178  192.168.1.1     255.255.255.255 UGH   0      0        0 eno1              
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1              

The host IP listed second from the bottom is the VPN gateway.

After three to five minutes, martian traffic will die down and appear infrequently. I've tested connecting via openvpn without the router in place (connected directly to my modem) and the same occurs.

I'm going out on a limb here, but it seems like, when there's an abrupt change in routing (as occurs with a VPN connection), existing connections persist and are flagged. Over time, these connections die off.

Question:

Is my understanding correct, or should I be doing something to avoid "martian" traffic, either via iptables or direct route manipulation?
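The following script is an added example, not code from the thread or from AirVPN. It embeds constructed copies of the two `route -n` tables and the first pair of syslog lines posted above, and for each `martian source` entry compares the interface the packet arrived on with the interface the reverse-path lookup for the packet's source address would select. Two facts it relies on: the kernel prints `martian source <destination> from <source>` (destination first, then source), and a strict reverse-path filter (`net.ipv4.conf.<dev>.rp_filter = 1`) rejects a packet whose source would be routed out a different interface than the one it came in on. The `ll header` decode also splits out destination MAC, source MAC and the EtherType (`08 00` is IPv4, `08 06` is ARP), which helps when reading the later logs in this thread.

```python
"""Reverse-path check for kernel 'martian source' messages.

Added example (not code from the thread). Embeds constructed copies of the
routing tables and syslog lines posted above and reports, per martian
entry, which interface the reverse-path lookup expects versus the one the
packet actually arrived on.
"""
import ipaddress
import re

# Constructed from the `route -n` output in the post, before the VPN is up.
ROUTE_BEFORE_VPN = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
"""

# Constructed from the `route -n` output in the post, after the VPN is up.
ROUTE_AFTER_VPN = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.28.169.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
10.28.169.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.171.32.0     0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
128.0.0.0       10.28.169.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
184.75.221.178  192.168.1.1     255.255.255.255 UGH   0      0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
"""

# Constructed copy of the first two syslog lines in the post.
SYSLOG = """\
Aug  8 17:16:28 Deluxe kernel: [12972.603549] IPv4: martian source 192.168.1.100 from 34.210.182.212, on dev eno1
Aug  8 17:16:28 Deluxe kernel: [12972.603572] ll header: 00000000: d0 17 c2 ac 64 4b c4 e9 84 48 79 32 08 00        ....dK...Hy2..
"""

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: \S+: ((?:[0-9a-f]{2} )+)")
ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def parse_routes(text):
    """Parse `route -n` output into a list of {net, gateway, metric, iface}."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # header or blank line
        dest, gateway, mask, _flags, metric, _ref, _use, iface = parts[:8]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway, "metric": int(metric), "iface": iface})
    return routes


def lookup(routes, addr):
    """Longest-prefix match, lowest metric on ties; returns the route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r["net"]:
            key = (r["net"].prefixlen, -r["metric"])
            if best is None or key > (best["net"].prefixlen, -best["metric"]):
                best = r
    return best


def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line that follows it.

    The kernel prints the destination first, then the source.
    """
    entries, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"dst": m.group(1), "src": m.group(2), "dev": m.group(3),
                       "dst_mac": None, "src_mac": None, "ethertype": None}
            entries.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            b = h.group(1).split()  # 14 bytes of Ethernet header as hex pairs
            pending["dst_mac"] = ":".join(b[0:6])
            pending["src_mac"] = ":".join(b[6:12])
            etype = "".join(b[12:14])
            pending["ethertype"] = ETHERTYPES.get(etype, etype)
            pending = None
    return entries


def reverse_path_check(routes, entries):
    """Annotate each entry with the interface a strict rp_filter expects."""
    out = []
    for e in entries:
        route = lookup(routes, e["src"])
        expected = route["iface"] if route else None
        out.append({**e, "expected_dev": expected, "asymmetric": expected != e["dev"]})
    return out


def summarize(route_text, log_text):
    """Return (asymmetric_count, total) for one route table and one log excerpt."""
    results = reverse_path_check(parse_routes(route_text), parse_martians(log_text))
    return sum(r["asymmetric"] for r in results), len(results)


if __name__ == "__main__":
    entries = parse_martians(SYSLOG)
    for label, table in (("before VPN", ROUTE_BEFORE_VPN), ("after VPN", ROUTE_AFTER_VPN)):
        print(f"== {label} ==")
        for r in reverse_path_check(parse_routes(table), entries):
            verdict = "asymmetric: strict rp_filter rejects it" if r["asymmetric"] else "ok"
            print(f"{r['src']} -> {r['dst']} arrived on {r['dev']}, reverse path via "
                  f"{r['expected_dev']}, {r['ethertype']} frame from {r['src_mac']}: {verdict}")
```

Run against the "after VPN" table, the reply from 34.210.182.212 to 192.168.1.100 is expected on tun0 (the 0.0.0.0/1 route) but arrived on eno1, which is exactly the condition a strict reverse-path filter logs; against the "before VPN" table the same packet is fine. To see which behaviour a host has, read `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.eno1.rp_filter` (1 is strict, 2 is loose) and `net.ipv4.conf.all.log_martians` with `sysctl`.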

1 hour ago, cboettcher said:

Is my understanding correct, or should I be doing something to avoid "martian" traffic, either via iptables or direct route manipulation?

Do you have any iPhone/tablet devices connected to the ISP modem's primary WiFi?
If you do, connect them to the Guest V-mode WiFi, reconnect and see if these "martian packets" still happen.
Similar case scenario: https://forums.openvpn.net/viewtopic.php?f=4&t=28111&sid=badb8b86ad6b858dc8b25d6864b208be


Hi, Flx. Thanks for the reply.

I do have phones and laptops connected to the router via wireless (and wired) interfaces, but the traffic that I'm seeing is reported within a log that's on a node in the local network (a desktop, whose IP is 192.168.1.100) and not a router.

2 hours ago, cboettcher said:

After three to five minutes, martian traffic will die down and appear infrequently. I've tested connecting via openvpn without the router in place (connected directly to my modem) and the same occurs.

I'm going out on a limb here, but it seems like, when there's an abrupt change in routing (as occurs with a VPN connection) existing connections persist and are flagged. Over time, these connections die off.

Do you have the routing table from when you connect directly to the ISP modem? Can you please post that?


I connected the desktop to the modem directly, as before, and then did the following:

[2020-08-08 ☱ 23:13 ☴  iptables]$ sudo cp /etc/network/interfaces /etc/network/interfaces.bkup        
[2020-08-08 ☱ 23:27 ☴  iptables]$ vim /etc/network/interfaces #changing relevant interface to dhcp to get IP from ISP                                        
[2020-08-08 ☱ 23:28 ☴  iptables]$ sudo ip route flush table main                                               
[2020-08-08 ☱ 23:29 ☴  iptables]$ route -n                                                            
Kernel IP routing table                                                                               
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface                                               

[2020-08-08 ☱ 23:29 ☴  iptables]$ sudo ifdown eno1                                                    
RTNETLINK answers: No such process                                                                    
Internet Systems Consortium DHCP Client 4.3.5                                                         
Copyright 2004-2016 Internet Systems Consortium.                                                      
All rights reserved.                                                                                  
For info, please visit https://www.isc.org/software/dhcp/  
Listening on LPF/eno1/d0:17:c2:ac:64:4b                                                               
Sending on   LPF/eno1/d0:17:c2:ac:64:4b                                                               
Sending on   Socket/fallback                                                                          
DHCPRELEASE on eno1 to 192.168.1.1 port 67 (xid=0x3d1afa46)                                           
send_packet: Network is unreachable                                                                   
send_packet: please consult README file regarding broadcast address.                                  
dhclient.c:2864: Failed to send 300 byte long packet over fallback interface.                         

[2020-08-08 ☱ 23:29 ☴  iptables]$ sudo ifup eno1                                                      
Internet Systems Consortium DHCP Client 4.3.5                                                         
Copyright 2004-2016 Internet Systems Consortium.                                                      
All rights reserved.                                                                                  
For info, please visit https://www.isc.org/software/dhcp/  
Listening on LPF/eno1/d0:17:c2:ac:64:4b                                                               
Sending on   LPF/eno1/d0:17:c2:ac:64:4b                                                               
Sending on   Socket/fallback                                                                          
DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 3 (xid=0x871abd5f)                           
DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 8 (xid=0x871abd5f)                           
DHCPDISCOVER on eno1 to 255.255.255.255 port 67 interval 9 (xid=0x871abd5f)                           
DHCPREQUEST of <ip address> on eno1 to 255.255.255.255 port 67 (xid=0x5fbd1a87)                      
DHCPOFFER of <ip address> from 10.246.16.1                                                           
DHCPACK of <ip address> from 10.246.16.1                                                             
cmp: EOF on /tmp/tmp.1E6p2z0glz which is empty                                                        
bound to <ip address> -- renewal in 1640 seconds.                                                    

[2020-08-08 ☱ 23:29 ☴  iptables]$ route -n                                                            
Kernel IP routing table                                                                               
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface                         
0.0.0.0        <isp gateway>     0.0.0.0         UG    0      0        0 eno1                          
<isp network>     0.0.0.0         255.255.255.0   U     0      0        0 eno1                          
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1                          

And the traffic in the log looks like this:
Aug  8 23:30:44 Deluxe kernel: [19586.154497] IPv4: martian source 209.42.140.126 from 209.42.140.1, on dev eno1
Aug  8 23:30:44 Deluxe kernel: [19586.154518] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.296195] net_ratelimit: 43 callbacks suppressed
Aug  8 23:30:48 Deluxe kernel: [19590.296218] IPv4: martian source 72.9.9.145 from 72.9.9.1, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.296224] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.366534] IPv4: martian source 69.161.98.170 from 69.161.98.1, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.366538] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.450452] IPv4: martian source 65.99.114.187 from 52.22.97.255, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.450472] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00        ....dK..~.....
Aug  8 23:30:48 Deluxe kernel: [19590.454533] IPv4: martian source 65.99.122.56 from 65.99.122.1, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.454551] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.548524] IPv4: martian source 173.44.97.94 from 173.44.97.1, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.548549] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.634221] IPv4: martian source 69.161.98.248 from 69.161.98.1, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.634241] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:48 Deluxe kernel: [19590.650058] IPv4: martian source 65.99.114.187 from 104.244.42.194, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.650076] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00        ....dK..~.....
Aug  8 23:30:48 Deluxe kernel: [19590.671690] IPv4: martian source 65.99.114.187 from 52.22.97.255, on dev eno1
Aug  8 23:30:48 Deluxe kernel: [19590.671708] ll header: 00000000: d0 17 c2 ac 64 4b b0 90 7e 0e 88 19 08 00        ....dK..~.....
Aug  8 23:30:49 Deluxe kernel: [19590.757104] IPv4: martian source 69.161.99.143 from 69.161.99.1, on dev eno1
Aug  8 23:30:49 Deluxe kernel: [19590.757125] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
Aug  8 23:30:49 Deluxe kernel: [19590.866503] IPv4: martian source 69.161.105.205 from 69.161.104.1, on dev eno1
Aug  8 23:30:49 Deluxe kernel: [19590.866525] ll header: 00000000: ff ff ff ff ff ff b0 90 7e 0e 88 19 08 06        ........~.....
1 hour ago, cboettcher said:

I do have phones and laptops connected to the router via wireless (and wired) interfaces, but the traffic that I'm seeing is reported within a log that's on a node in the local network (a desktop, whose IP is 192.168.1.100) and not a router.

I can see that. Unless local network access is required by any WiFi-connected devices, ALWAYS connect them in Guest mode (no access to your local network). The before and after routing tables posted above are from your desktop (192.168.1.100) connected to OpenWRT.


Sorry, let me do that last test again, as I'm not sure if I disconnected and reconnected the openvpn client at the right moment.

2 minutes ago, cboettcher said:

Sorry, let me do that last test again, as I'm not sure if I disconnected and reconnected the openvpn client at the right moment.

Ok :)
@Staff may be able to help you out on this further. Go through the linked topic above and see what a mess Android/iPhone/tablet devices can do when you allow them local network access.

2 hours ago, cboettcher said:

DHCPOFFER of <ip address> from 10.246.16.1                                                           
DHCPACK of <ip address> from 10.246.16.1   

If the AirVPN IP range (10.x) conflicts with your ISP IP range (10.x), that might be the cause of your problem.
Can you change it from 10.x to 192.168.1.10-192.168.1.254 in your ISP modem (Network Settings)?
