Booting WireGuard on routers without a realtime clock

WireGuard depends on proper time, otherwise the tunnel connection will not work properly.

On routers without a realtime clock [I have 2 of them] I noticed that the local time is not synced properly at boot time. So many times after boot or power-on the WireGuard tunnel connection will not work.

I've seen on this forum many topics on this issue.

Some suggest installing ntpclient or syncing the time in rc.local using the ntpd command. These methods have been error-prone for me. Probably because there are many timing dependencies and latencies between the ntp sync and the startup of the vpn tunnel, which are not made explicit in these solutions.

I've found a solution which works all the time on 2 different routers and on many reboots and power-ons.

  1. configure vpn interface not to start on boot.

This makes sure that you always have a working internet connection in order to sync time with the ntp server(s). If a vpn tunnel is started on boot while the time is incorrect, it will ruin the internet connection, so the ntp sync cannot be done.

  2. add a command line in /etc/rc.local [or in LuCI menu System->Startup, tab Local startup]:

touch /etc/banner && sleep 10 && ifup {vpn interface}

Start up the vpn tunnel after the time is synced.

This solution works, but is still not elegant to me, as the command line has a dependency on the vpn configuration. If you have a more elegant solution, please post.
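One way to make the time dependency explicit instead of relying on `sleep 10`, as an added example that is not part of the original posts: a hotplug handler that brings the tunnel up on the first NTP event reporting a synchronised clock. It assumes the stock OpenWrt sysntpd (busybox ntpd), which runs the scripts in /etc/hotplug.d/ntp/ with ACTION and stratum set; the file name, the interface name wg0 and the marker path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Intended location (assumption):
#   /etc/hotplug.d/ntp/90-wg-after-sync
# Assumes sysntpd passes ACTION (step|stratum|periodic|unsync) and stratum
# in the environment of every script in /etc/hotplug.d/ntp/.

VPN_IFACE="${VPN_IFACE:-wg0}"                 # hypothetical interface name
MARKER="${MARKER:-/tmp/wg-after-sync.done}"   # hypothetical; /tmp is RAM-backed,
                                              # so the marker clears on reboot

# clock_synced <action> <stratum>
# True only for "stratum" or "periodic" events with a numeric stratum below 16
# (16 means unsynchronised). Ignoring "step" and "unsync" is a conservative choice.
clock_synced() {
    case "$1" in
        stratum|periodic) ;;
        *) return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric stratum
    esac
    [ "$2" -lt 16 ]
}

# handle_ntp_event <action> <stratum> [up_cmd]
# Brings the tunnel up once per boot, on the first event that reports a
# synchronised clock. up_cmd defaults to ifup; it is a parameter so the
# logic can be exercised off the router.
handle_ntp_event() {
    up_cmd="${3:-ifup}"
    clock_synced "$1" "$2" || return 0     # not synced yet: leave the tunnel down
    [ -e "$MARKER" ] && return 0           # already started during this boot
    "$up_cmd" "$VPN_IFACE" && : > "$MARKER"
}

# hotplug supplies ACTION; run by hand without it, the script does nothing.
if [ -n "${ACTION:-}" ]; then
    handle_ntp_event "$ACTION" "${stratum:-}"
fi
```

The vpn interface still has to be configured not to start on boot, as in step 1 of the post, so that the NTP query leaves over the plain WAN connection.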

Put the NTP sync in the WireGuard script, so it's always run before wg starts?

Sounds like a good idea.

Can you be more specific:

  1. name & location of script? In init.d I only see "network", not interface-specific scripts
  2. script not overwritten on boot or upgrades?
  3. is this script a configuration which is automatically backed up?