Initiate wireguard after NTP success

I believe the email is: team [AT] wireguard [DOT] com

Given that Wireguard is an experimental protocol that is still under development, not a turn-key user application for non-technical users, I'd take some time to learn the basics of TCP/IP and NTP, as well as the basic workings of Unix-like operating systems, including shell scripting. Another valuable skill would be knowing how to gather log information and debug information. That knowledge and skill set would be assumed when interacting with a development community.

As lleachii pointed out, unless you've got a specific contribution to make to the Wireguard project, sending mail to the mailing list rather than the project lead will likely get a more positive response.


It's a command you can ssh into the router and cut and paste onto the command line. It looks like in the quote you lose a newline, so here it is again.

mkdir -p /etc/hotplug.d/ntp

# Quote the delimiter ('EOT') so the interactive shell does not expand $ACTION
# while writing the file; the script must see the variable at hotplug time.
cat > /etc/hotplug.d/ntp/90-wireguard << 'EOT'
#!/bin/sh
# Hotplug ntp event: ACTION=stratum means ntpd has obtained a stratum, i.e. the clock is set
[ "$ACTION" = stratum ] && /etc/init.d/wireguard restart
EOT

Or if you know how to edit files, you can just create the directory /etc/hotplug.d/ntp and edit the file 90-wireguard in that directory to have the contents:

#!/bin/sh
# Hotplug ntp event: ACTION=stratum means ntpd has obtained a stratum, i.e. the clock is set
[ "$ACTION" = stratum ] && /etc/init.d/wireguard restart

Thanks dlakelan!
What does it do exactly? I mean, I have the firewall rules set up for all traffic through wireguard as per mullvad and azire config instructions. Will this NTP without wireguard?

It looks like it receives a message from the NTP system that the time has been set, and then it restarts wireguard. If you "disable" wireguard so it doesn't start on boot, then you have this hotplug script, once NTP gets the time, your wireguard will come up.


And I just want to be certain...are you sure the issue is NTP, and not something simple like - you misconfigured DNS?

I've only experienced this issue when the WAN port cannot resolve the hostname of the far wg endpoint, or I try to assign DNS servers the WAN connection does not permit. I resolve this limitation by:

  • configuring LAN DHCP to hand out DNS servers accessible only thru the tunnel; and
  • allowing WAN to use the DNS server assigned by DHCP

or

  • I use the IP of the wg endpoint and assign LAN DHCP to assign DNS servers accessible only thru the tunnel

You can eliminate all DNS requests leaking to WAN by using the IP of the wg endpoint; but the UDP connection will obviously be seen by those who control the WAN.

I think I can be certain. DNS servers, endpoint, NTP, etc are all configured as IP and not as hostnames.

Thanks! I've configured this, will see if it holds over the next few days when the router boot date/time goes back.

EDIT: it does not work.
I set wireguard interface - advanced to "Bring up on boot" off
I ssh the code and checked the file afterwards
I reboot and wireguard does not come up, I have to manually sync time with browser and then manually start wireguard, so the code doesn't start wireguard after NTP, and NTP does not get set.

This seems logical to me, as per https://mullvad.net/media/uploads/2018/01/11/lede-zones.png all connections including NTP need to go through the WG tunnel, which does not come up without NTP.

How does one get this to work without manual intervention?

Have you tried using a script to set an arbitrary date and time yet?

I have no clue how to do this for date/time to get close enough to real date/time for the wireguard tunnel to be working when a travel router is not powered on for a while.

I asked both Mullvad and Azire, both confirmed their wireguard endpoints/servers do not serve NTP. Also, the tunnel would not be up to serve NTP before date/time is within wireguard acceptable error margin.
That is of course as far as my little grey cells can manage to understand, I may be completely wrong or misunderstanding.

I believe you do misunderstand. You are still creating a chicken-and-the-egg problem for yourself.

  • Mullvad and Azire do not offer NTP; and even if they offered NTP, you'd have to establish the tunnel FIRST and then use the tunnel IP of their NTP server in order for there to be no "leak"!
  • You are attempting to sync time over the tunnel
  • You must have time before the tunnel comes up, therefore, it is impossible to obtain time over the tunnel

Simply use the date program to set a time (e.g. January 1, 2019). The server will have time, and then proceed to connect.

Only your NTP request(s) should "leak." You can configure the LAN to hand out DNS servers that are only accessible within the tunnel. If a "leak" is your only remaining concern, you may need to go over some Basic Networking.

This I understand. I also understand the firewall rules are set up so everything needs to go over the tunnel.

This I do not know how to do. Wouldn't it be cleaner (date/time wise) to let NTP (and only NTP) bypass the firewall and the tunnel until success? If so, how could I do this?

  1. All forwarded traffic blocked; output traffic permitted (at least DHCP, DNS, and NTP)
  2. DHCP assigns address to your outside interface
  3. NTP starts at boot, makes DNS calls to get servers, synchronizes time
  4. Start Wireguard
  5. Allow forwarded traffic through the tunnel
  6. Route all traffic except DHCP and to the remote tunnel endpoint through the tunnel

Then, this is what you need to fix.

Twice, I suggested you set an arbitrary time; and the third time, I sent you a link to the manual. You continue to say you don't know how:

You fix your firewall:

I really think this is a bad idea. If you set an arbitrary time in the future once your router does get real time, it will fail to work until that future date passes... Time never goes backwards for wireguard.

What is needed is to allow ntp over the regular WAN, it's no good to try to prevent a "leak" here. There is no way to avoid using wan to do NTP


This should read DHCP and NTP


@dlakelan, I agree. Considering what the OP said at first:

At first, the OP described a situation where the 2 endpoints did not have Internet; but that's not truly the case. When actually, it's improper firewalling of WAN [NTP] traffic. The OP has a misconception about how a router obtains time:

As you stated:

This will solve the OP's chicken-and-the-egg issue, an issue contrived in their imagination.

How does one allow ntp over the regular WAN and all else only through wireguard ? Thanks.

@pjp, you're making your setup extremely difficult. It seems you have fears based in a misunderstanding of basic networking; and a fear that you will "leak" traffic. I think what you define as "all else" is not technically possible.

Simply:

  • Use a router with defaults
  • install wireguard and configure it (do not enable "Automatically Create Routes")
  • Setup static routes for the IPs of the NTP servers to use WAN using a /32 CIDR prefix
  • Setup /32 static routes for DNS server IPs (required if your WAN has to resolve a hostname)
  • Route all other traffic (0.0.0.0/0) via tunnel
  • Configure LAN to use DNS servers that are routed on the tunnel using DHCP Option 6
  • Make /32 static routes for those LAN DNS servers to use the tunnel
  • (Wireguard will automatically make a route to the /32 of the endpoint peer, so no chicken-and-the-egg issue there)
  • Reboot
  • Done!
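The static-route layout lleachii lists above, as an added example that is not code from the thread, from OpenWrt or from the VPN providers: a POSIX shell script that emits the uci commands for the /32 host routes (NTP and WAN DNS via WAN, tunnel-only DNS via the wg interface) plus the 0.0.0.0/0 default via the tunnel, and refuses a layout where one IP is listed on both sides. The interface names wan and wg0 and all IP addresses are constructed samples, and the uci route syntax is assumed to match the router's netifd version.

```shell
#!/bin/sh
# Added example: print the UCI commands for the split routing described above.
# Interface names and IPs are assumptions / constructed samples, not from the thread.
WAN_IF=wan
WG_IF=wg0
NTP_SERVERS="192.0.2.10 192.0.2.11"   # constructed: NTP pool IPs reached over plain WAN
WAN_DNS="192.0.2.53"                   # constructed: resolver the WAN side may use
LAN_DNS="10.64.0.1"                    # constructed: resolver reachable only inside the tunnel

# Reject anything that is not a dotted quad with every octet in 0..255
is_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print the UCI commands for one named route: $1 name, $2 interface, $3 target, $4 netmask
route_cmds() {
    printf 'uci set network.%s=route\n' "$1"
    printf 'uci set network.%s.interface=%s\n' "$1" "$2"
    printf 'uci set network.%s.target=%s\n' "$1" "$3"
    printf 'uci set network.%s.netmask=%s\n' "$1" "$4"
}

# /32 host route: the IP is reached via the given interface regardless of the default route
host_route() {
    is_ipv4 "$2" || { echo "refusing non-IPv4 target '$2'" >&2; return 1; }
    route_cmds "$1" "$3" "$2" 255.255.255.255
}

# $1 name prefix, $2 interface, remaining args: IPs; names become prefix1, prefix2, ...
host_routes() {
    prefix=$1; iface=$2; shift 2; n=0
    for ip in "$@"; do n=$((n+1)); host_route "$prefix$n" "$ip" "$iface"; done
}

# One host cannot be routed via WAN and via the tunnel at once; flag an IP listed on both sides
check_conflicts() {
    for w in $NTP_SERVERS $WAN_DNS; do
        for t in $LAN_DNS; do [ "$w" = "$t" ] && { echo "conflict: $w on WAN and tunnel"; return 1; }; done
    done
    return 0
}

all_routes() {
    check_conflicts || return 1
    host_routes ntp "$WAN_IF" $NTP_SERVERS
    host_routes wandns "$WAN_IF" $WAN_DNS
    host_routes landns "$WG_IF" $LAN_DNS
    route_cmds default "$WG_IF" 0.0.0.0 0.0.0.0   # everything else through the tunnel
    echo 'uci commit network && /etc/init.d/network reload'
}
```

Run `all_routes` on the router and paste its output into the shell (or use it as a checklist for the LuCI Network > Static Routes page); with "Route Allowed IPs" left disabled on the peer, these routes are the only ones deciding which traffic leaves via WAN.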

No fear here, just a non-technical end consumer (LuCI) trying to get wireguard to work on a lede router regularly powered off for hours/days and without RTC. I use the guides on Mullvad and Azire on how to set up wireguard and firewall.

Do you mean leave disabled in the wireguard network interface:
Route Allowed IPs - Create routes for Allowed IPs for this peer.

I'm lost as to how one does that?

@pjp ...at some point, don't you think you should be responsible for searching for a manual (or browsing the menu on the Heads-up-Display)?

This would be on the exact same LuCI menu: Network > Static Routes

You make the routes, it's menu-driven...not hard.

I do indeed mean that; because I instructed you to make your own routes, so you can make a route for: WAN DNS, WAN NTP, LAN DNSes and the default route (0.0.0.0/0).