Initiate wireguard after NTP success

Then, this is what you need to fix.

Twice, I suggested you set an arbitrary time; and the third time, I sent you a link to the manual. You continue to say you don't know how:

You fix your firewall:

I really think this is a bad idea. If you set an arbitrary time in the future, then once your router does get real time it will fail to work until that future date passes... Time never goes backwards for wireguard.

What is needed is to allow NTP over the regular WAN; it's no good to try to prevent a "leak" here. There is no way to avoid using the WAN to do NTP.


This should read DHCP and NTP.


@dlakelan, I agree. Considering what the OP said at first:

At first, the OP described a situation where the 2 endpoints did not have Internet; but that's not truly the case. Actually, it's improper firewalling of WAN [NTP] traffic. The OP has a misconception about how a router obtains time:

As you stated:

This will solve the OP's chicken-and-egg issue, an issue contrived in their imagination.

How does one allow NTP over the regular WAN and all else only through wireguard? Thanks.

@pjp, you're making your setup extremely difficult. It seems you have fears based on a misunderstanding of basic networking, and a fear that you will "leak" traffic. I think what you define as "all else" is not technically possible.

Simply:

  • Use a router with defaults
  • install wireguard and configure it (do not enable "Automatically Create Routes")
  • Setup static routes for the IPs of the NTP servers to use WAN using a /32 CIDR prefix
  • Setup /32 static routes for DNS server IPs (required if your WAN has to resolve a hostname)
  • Route all other traffic (0.0.0.0/0) via tunnel
  • Configure LAN to use DNS servers that are routed on the tunnel using DHCP Option 6
  • Make /32 static routes for those LAN DNS servers to use the tunnel
  • (Wireguard will automatically make a route to the /32 of the endpoint peer, so no chicken-and-egg issue there)
  • Reboot
  • Done!

No fear here, just a non-technical end consumer (LuCI) trying to get wireguard to work on a LEDE router regularly powered off for hours/days and without RTC. I use the guides on Mullvad and Azire on how to set up wireguard and the firewall.

Do you mean leave disabled in the wireguard network interface:
Route Allowed IPs - Create routes for Allowed IPs for this peer.

I'm lost as to how one does that?

@pjp ...at some point, don't you think you should be responsible for searching for a manual (or browsing the menu on the Heads-up-Display)?

This would be on the exact same LuCI menu: Network > Static Routes

You make the routes, it's menu-driven...not hard.

I do indeed mean that; because I instructed you to make your own routes, so you can make a route for: WAN DNS, WAN NTP, LAN DNSes and the default route (0.0.0.0/0).

24 days... if the info and manuals were end-consumer intelligible, non-technical, graphical, it would be 5 mins. Thanks for sticking around so far helping someone who is not an IT specialist get wireguard to work on non-RTC LEDE routers.

I cannot make sense of what to put where. A simple screenshot example rather than many pages of text manuals for IT specialists would be fabulous.

I think you're fairly navigating a non-consumer, Linux-based, third-party router distribution firmware, especially trying to set up custom Static Routes for a VPN... assuming your issue was a Real Time Clock on a non-Internet Private Network, when it's really allowing NTP on WAN.

Screen shot is unnecessary, you're looking at it (I really don't understand the difficulty). You will see 2 relevant sections:

  • Interface
    Target - Host-IP or Network

If your LAN DNS will be e.g. 1.1.1.1:

  • Configure Interface as your wireguard Interface
  • Enter Target as 1.1.1.1/32

If WAN DNS or NTP will be e.g. 8.8.8.8:

  • Configure Interface as WAN
  • Enter Target as 8.8.8.8/32
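
The step list earlier in this thread (static /32 routes for the WAN NTP/DNS servers, /32 routes for the LAN resolvers via the tunnel, 0.0.0.0/0 via the tunnel, DHCP option 6) and the LuCI field description just above both come down to one thing: the kernel picks the most specific route, so a /32 via WAN wins over the tunnel default. The following is an added example, not code from this thread or from OpenWrt: it models that route table, resolves a few destinations with a longest-prefix match, shows the chicken-and-egg case where nothing keeps the peer endpoint itself off the tunnel, and renders the equivalent `uci` commands (the `wan`/`wg0` interface names, the peer endpoint 203.0.113.10 and the servers 192.0.2.123 and 198.51.100.7 are placeholders; 8.8.8.8 and 1.1.1.1 are the examples used in the post).

```python
"""Added example (not from the thread): model the route table the steps above
describe and check which interface each destination leaves on.
'wan'/'wg0', 203.0.113.10, 192.0.2.123 and 198.51.100.7 are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def host(ip: str) -> ipaddress.IPv4Network:
    """A /32 host route, the 'Target = x.x.x.x/32' field in LuCI."""
    return ipaddress.ip_network(f"{ip}/32")


def lookup(dest: str, routes):
    """Return the interface a packet to `dest` leaves on, or None.
    Like the kernel, take the most specific prefix: a /32 beats 0.0.0.0/0."""
    addr = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def build_routes(endpoint, ntp_servers, wan_dns, lan_dns, endpoint_host_route=True):
    """Route table from the steps: everything via the tunnel, /32 exceptions via WAN.
    endpoint_host_route=False models the chicken-and-egg case in which the
    peer endpoint itself would be sent into the tunnel that is not up yet."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "wg0")]
    if endpoint_host_route:
        # the wireguard proto handler adds this /32 for the peer endpoint itself
        routes.append(Route(host(endpoint), "wan"))
    routes += [Route(host(ip), "wan") for ip in ntp_servers + wan_dns]  # router's own NTP/DNS
    routes += [Route(host(ip), "wg0") for ip in lan_dns]                # resolvers handed to LAN
    return routes


def render_uci(ntp_servers, wan_dns, lan_dns):
    """The uci equivalent of the LuCI clicks (Network > Static Routes, DHCP option 6).
    Commands are returned as text, not executed, so this runs off the router."""
    lines = ["uci set network.@wireguard_wg0[0].route_allowed_ips='0'"]  # untick 'Route Allowed IPs'

    def route(target, netmask, iface):
        lines.append("uci add network route")
        lines.append(f"uci set network.@route[-1].interface='{iface}'")
        lines.append(f"uci set network.@route[-1].target='{target}'")
        lines.append(f"uci set network.@route[-1].netmask='{netmask}'")

    route("0.0.0.0", "0.0.0.0", "wg0")  # all other traffic via the tunnel
    for ip in ntp_servers + wan_dns:
        route(ip, "255.255.255.255", "wan")  # what the router needs before the tunnel is up
    for ip in lan_dns:
        route(ip, "255.255.255.255", "wg0")
    lines.append("uci add_list dhcp.lan.dhcp_option='6," + ",".join(lan_dns) + "'")
    lines += ["uci commit network", "uci commit dhcp", "/etc/init.d/network restart"]
    return lines


def demo():
    """Resolve the destinations that matter: endpoint, NTP, WAN DNS, LAN DNS, a random site."""
    endpoint, ntp, wan_dns, lan_dns = "203.0.113.10", ["192.0.2.123"], ["8.8.8.8"], ["1.1.1.1"]
    table = build_routes(endpoint, ntp, wan_dns, lan_dns)
    return {d: lookup(d, table) for d in (endpoint, "192.0.2.123", "8.8.8.8", "1.1.1.1", "198.51.100.7")}


if __name__ == "__main__":
    for dest, iface in demo().items():
        print(f"{dest:>15} -> {iface}")
    print("\n".join(render_uci(["192.0.2.123"], ["8.8.8.8"], ["1.1.1.1"])))
```

Two things the model makes visible: routing alone is not enough, because a WAN firewall that only permits the WireGuard endpoint still drops the NTP packets even though they are routed out the WAN; and the NTP server names configured under System > Time Synchronization must resolve through a DNS server that also has a /32 route via WAN, otherwise the first lookup after boot has nowhere to go.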

The router does not have a RTC like 90% of routers out there.
There is no non-Internet Private Network, only a home router.
NTP does not go to WAN when following Mullvad and Azire guides on setting up LEDE + wireguard, and without RTC there is no wireguard.

If anyone can help with a screenshot, that would be fa-bu-lous.

If you're seeking someone to setup your custom VPN setup, because you're following a setup for a PC...I hope all works out.

The information has been provided to you.

Everyone in this thread (and the other one) has been telling you that... so perhaps something's wrong with your 10% idea of wanting to send time over a tunnel that's not up yet?

@lleachii I think you keep going off track with assumptions beyond topic? Thanks for having tried to help.

Both, Azire & Mullvad, offer standard openwrt/lede instructions, including openwrt/lede screenshots, but they offer no support how to get openwrt/lede NTP/RTC in good enough time for wireguard to work, which is what I seek here.

One solution, as suggested several times by several people in this thread, seems to be to allow NTP over the regular WAN, and I hope I'm not a nuisance in asking the same question again: how does one do that as a non-IT-technical person in LuCI? A screenshot of the rule(s)/relevant sections explains more than all the technical manual pages. Hopefully someone would be kind enough to screenshot and post theirs? Thank you.

You are, as your question was answered over 4 times.

You have been told multiple times that you do not have an RTC issue. You're choosing to firewall "all else" (including needed NTP), despite being told such creates a chicken-and-egg issue.

This is why you're creating multiple threads, hiding the fact you're doing this because you don't want to send NTP packets on WAN.

EDIT: I think it's important to note, I use WireGuard in the EXACT configuration you describe (consumer OpenWrt router with no RTC used for travel/quick deployment and turned off for days/weeks/months), MINE WORKS USING THE INSTRUCTIONS ABOVE.

If fixing the inherent race condition in software feels too complex to you, there is a very easy way out by fixing it once and for all in hardware, by picking a device with an onboard, battery-backed RTC. Pretty much all x86 gear does, so do a few SBCs and even fewer 'traditional routers' (e.g. the Turris Omnia). The APU2 line from PC Engines would be an easy and reasonably affordable way out, cheaper than the Turris Omnia, and if you look further, there are plenty of other x86 options below and above the APU2/APU3, both in terms of performance and price. Better than running around in circles forever.



I hope someone can reply to the question asked rather than bash around and send empty screenshots without any settings?

How can someone add YOUR IPs to the NTP and DNS servers that ONLY you know???

Are you serious?!?!?

Perhaps you should make an ad on a site, e.g. Craigslist, to hire someone to configure your OpenWrt device.


Not helpful, not what was asked for either. What was asked for:

OMG...that is my config!

(EDIT here to add:) you really need to start thinking about: what you're trying to config, the PEOPLE helping you for 24+ days WITH NO PAY on this obdurate logical route through the forums that you need an RTC on a device that has true Internet, while asking them to pretend the device is on a closed network (the only clue you gave that I understood that wasn't true, was that you mentioned Azire, meaning your device had to be on the INTERNET!)...and them now having to read from you that you're not being satisfied because the config is empty and you expected it to be populated...YOU NEED TO THINK: "WHAT AM I DOING WRONG, AND IS IT RELATED TO WHAT @dlakelan, @jow, @jeff and others have been telling me???" Simply claiming something is off-topic doesn't mean it's true.

I'm not the one attempting to setup a route to exclude NTP and DNS...so I wouldn't need to be a psychic and have your IP addresses in there!

HOW DOES MINE WORK WITHOUT NEEDING TO ADD A DNS AND NTP SERVER??? BECAUSE I DID WHAT I SUGGESTED TO YOU AND USE DNS SERVERS OVER THE TUNNEL? WHAT ABOUT NTP? I SIMPLY DON'T BLOCK IT.

Why would anyone happen to have a config laying around to bypass YOUR NTP and DNS servers...are you thinking here?

I've made a stretch and helped you four times (you asked how...then after telling you how, you need instructions...how to in LuCI...then a screenshot request...then fill the screenshot out for you but be "my config") ...exactly as you've asked, and again you say it's not what you wanted...maybe you need to reevaluate what you're seeking.

(Screenshot from 2018-06-17 07-56-54: the Network > Static Routes page with an example entry)

NOTE, THE IP IN THE SCREENSHOT IS AN EXAMPLE OF EXACTLY HOW TO ENTER WHAT I EXPLAINED ABOVE 4 TIMES [(EDIT) IN REGARDS TO ADDING A DNS EXCLUSION FOR THE LAN DNS SERVERS YOU WILL MAKE A DHCP OPTION 6 RULE FOR IN NETWORK > INTERFACES > LAN [please don't ask how, the example built-in and used in LuCI is EXACTLY how to add DHCP Option 6], YOU WILL ADD OTHER TO THE LIST AND SELECT INTERFACE "WAN" TO EXCLUDE THE NTP/DNS SERVERS THE WAN WILL USE...I DON'T KNOW HOW TO MAKE A BETTER SCREENSHOT FOR YOU, WITHOUT YOUR PAYING ME TO DO IT ON YOUR OpenWrt DEVICE FOR YOU], PLEASE USE YOUR OWN PUBLIC DNS AND NTP SERVERS, DON'T BLAME ME WHEN THAT IP DOESN'T WORK.

EDIT...also the ironic thing is...for someone to reconfigure their production router to your exact specifications for a screenshot would cause them a "leak" ...very "troll-ish"
:thinking: