Initiate wireguard after NTP success

24 days ... if the info and manuals were end-consumer intelligible, non-technical and graphical it would be 5 mins. Thanks for sticking around so far helping someone who is not an IT specialist to get WireGuard working on non-RTC LEDE routers.

I cannot make sense of what to put where. A simple screenshot example rather than many pages of text manuals for IT specialists would be fabulous.

I think you're fairly navigating a non-consumer, Linux-based third-party router distribution firmware, especially trying to set up custom static routes for a VPN...assuming your issue was a Real Time Clock on a non-Internet private network, when it's really allowing NTP on WAN.

A screenshot is unnecessary, you're looking at it (I really don't understand the difficulty). You will see 2 relevant sections:

  • Interface
    Target - Host-IP or Network

If your LAN DNS will be e.g. 1.1.1.1:

  • Configure Interface as your wireguard Interface
  • Enter Target as 1.1.1.1/32

If WAN DNS or NTP will be e.g. 8.8.8.8:

  • Configure Interface as WAN
  • Enter Target as 8.8.8.8/32

The router does not have an RTC, like 90% of routers out there.
There is no non-Internet private network, only a home router.
NTP does not go to WAN when following the Mullvad and Azire guides on setting up LEDE + WireGuard, and without an RTC there is no WireGuard.

If anyone can help with a screenshot, that would be fa-bu-lous.
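The statement above that without an RTC there is no WireGuard has a concrete protocol reason that the thread never spells out: every handshake initiation carries a TAI64N timestamp, and the responder keeps the greatest timestamp it has accepted from each peer and silently drops any initiation whose timestamp is not strictly newer (this is WireGuard's replay protection for initiation messages). A router that reboots with its clock at the epoch therefore sends timestamps older than the server's last accepted one and is ignored until its clock catches up, which is exactly the NTP-before-tunnel ordering discussed later. The following Python model is an added example, not code from this thread or from the WireGuard project; the peer name and the times are constructed for illustration, and the encoding follows the Linux implementation's tai64n (2^62 + 10 s TAI offset added to the Unix seconds) minus the nanosecond rounding the kernel applies.

```python
"""
Added example (not from this thread or the WireGuard project): a minimal
model of WireGuard's responder-side timestamp check, showing why handshakes
fail after a reboot on a router whose clock starts from the epoch.
"""
import struct

# Constant used by the Linux implementation's tai64n encoding:
# 2^62 plus the 10 s TAI-UTC offset, added to the Unix seconds.
TAI64N_BASE = 0x400000000000000A


def tai64n(unix_seconds: int, nanoseconds: int = 0) -> bytes:
    """12-byte TAI64N label: big-endian u64 seconds, then big-endian u32 nanoseconds.
    Simplification: the real kernel code also rounds the nanoseconds down."""
    return struct.pack(">QI", TAI64N_BASE + unix_seconds, nanoseconds)


class Responder:
    """Responder-side state: greatest accepted timestamp per peer.
    The peer key is a stand-in for the peer's static public key."""

    def __init__(self) -> None:
        self.last_timestamp = {}

    def accept_initiation(self, peer: str, timestamp: bytes) -> bool:
        """Accept and record the timestamp only if it is strictly newer than the
        last one accepted from this peer; otherwise drop it as a replay.
        Big-endian bytes compare in the same order as the numbers they encode."""
        last = self.last_timestamp.get(peer, bytes(12))
        if timestamp <= last:
            return False
        self.last_timestamp[peer] = timestamp
        return True


def simulate_reboot_without_rtc():
    """Walk a router through: handshake with a synced clock, reboot with the
    clock at the epoch, a retry while still unsynced, then a handshake after
    ntpd sets the clock. Returns (label, accepted) pairs.
    The peer name and the times are constructed for this example."""
    server = Responder()
    router = "router-static-pubkey"  # hypothetical peer identifier
    steps = [
        ("handshake with clock synced", tai64n(1_529_222_214)),  # 2018-06-17 07:56:54 UTC
        ("after reboot, clock at epoch", tai64n(0)),
        ("30 s later, still unsynced", tai64n(30)),
        ("after ntpd set the clock", tai64n(1_529_222_300)),
    ]
    return [(label, server.accept_initiation(router, ts)) for label, ts in steps]


if __name__ == "__main__":
    for label, ok in simulate_reboot_without_rtc():
        print(f"{label:32s} {'accepted' if ok else 'dropped'}")
```

The real responder additionally checks the MAC fields and rate limits, and the timestamp sits inside the encrypted part of the initiation, so a third party cannot forge a "newer" one; but none of that helps an honest router whose own clock went backwards. The only fixes are the ones the thread converges on: set the clock (NTP over WAN, or the HTTP Date trick later in the thread) before bringing the interface up, or buy hardware with a battery-backed RTC.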

If you're seeking someone to set up your custom VPN, because you're following a setup for a PC...I hope all works out.

The information has been provided to you.

Everyone in this thread (and the other one) has been telling you that...so perhaps something's wrong with your 10% idea of wanting to send time over a tunnel that's not up yet?

@lleachii I think you keep going off track with assumptions beyond topic? Thanks for having tried to help.

Both, Azire & Mullvad, offer standard openwrt/lede instructions, including openwrt/lede screenshots, but they offer no support how to get openwrt/lede NTP/RTC in good enough time for wireguard to work, which is what I seek here.

One solution, as suggested several times by several people in this thread, seems to be to allow NTP over regular WAN, and I hope I'm not a nuisance in asking the same question again: how does a non-IT-technical person do that in LuCI? A screenshot of the rule(s)/relevant sections explains more than all the technical manual pages. Hopefully someone would be kind enough to screenshot and post theirs? Thank you.

You are, as your question was answered over 4 times.

You have been told multiple times that you do not have an RTC issue. You're choosing to firewall "all else" (including needed NTP), despite being told such creates a chicken-and-the-egg issue.

This is why you're creating multiple threads, hiding the fact you're doing this because you don't want to send NTP packets on WAN.

EDIT: I think it's important to note, I use WireGuard in the EXACT configuration you describe (consumer OpenWrt router with no RTC used for travel/quick deployment and turned off for days/weeks/months), MINE WORKS USING THE INSTRUCTIONS ABOVE.

If fixing the inherent race condition in software feels too complex to you, there is a very easy way out by fixing it once and for all in hardware, by picking a device with an onboard, battery-backed RTC. Pretty much all x86 gear does, so do a few SBCs and even fewer 'traditional routers' (e.g. Turris Omnia). The APU2 line from PC Engines would be an easy and reasonably affordable way out, cheaper than the Turris Omnia, and if you look further there are plenty of other x86 options below and above the APU2/APU3, both in terms of performance and price. Better than running around in circles forever.



I hope someone can reply to the question asked rather than bash around and send empty screenshots without any settings?

How can someone add YOUR IPs to the NTP and DNS servers that ONLY you know???

Are you serious?!?!?

Perhaps you should make an ad on a site, e.g. Craigslist, to hire someone to configure your OpenWrt device.


Not helpful, not what was asked for either. What was asked for:

OMG...that is my config!

(EDIT here to add:) you really need to start thinking about: what you're trying to config, the PEOPLE helping you for 24+ days WITH NO PAY on this obdurate logical route through the forums that you need an RTC on a device that has true Internet, while asking them to pretend the device is on a closed network (the only clue you gave that I understood that wasn't true, was that you mentioned Azire, meaning your device had to be on the INTERNET!)...and them now having to read from you that you're not being satisfied because the config is empty and you expected it to be populated...YOU NEED TO THINK: "WHAT AM I DOING WRONG, AND IS IT RELATED TO WHAT @dlakelan, @jow, @jeff and others have been telling me???" Simply claiming something is off-topic doesn't mean it's true.

I'm not the one attempting to setup a route to exclude NTP and DNS...so I wouldn't need to be a psychic and have your IP addresses in there!

HOW DOES MINE WORK WITHOUT NEEDING TO ADD A DNS AND NTP SERVER??? BECAUSE I DID WHAT I SUGGESTED TO YOU AND USE DNS SERVERS OVER THE TUNNEL? WHAT ABOUT NTP? I SIMPLY DON'T BLOCK IT.

Why would anyone happen to have a config laying around to bypass YOUR NTP and DNS servers...are you thinking here?

I've made a stretch and helped you four times (you asked how...then after telling you how, you need instructions...how to in LuCI...then a screenshot request...then fill the screenshot out for you but be "my config") ...exactly as you've asked, and again you say it's not what you wanted...maybe you need to reevaluate what you're seeking.

[Screenshot from 2018-06-17 07:56:54: LuCI static route entry, as described below]

NOTE, THE IP IN THE SCREENSHOT IS AN EXAMPLE OF EXACTLY HOW TO ENTER WHAT I EXPLAINED ABOVE 4 TIMES [(EDIT) IN REGARDS TO ADDING A DNS EXCLUSION FOR THE LAN DNS SERVERS YOU WILL MAKE A DHCP OPTION 6 RULE FOR IN NETWORK > INTERFACES > LAN [please don't ask how, the example built-in and used in LuCI is EXACTLY how to add DHCP Option 6], YOU WILL ADD OTHER TO THE LIST AND SELECT INTERFACE "WAN" TO EXCLUDE THE NTP/DNS SERVERS THE WAN WILL USE...I DON'T KNOW HOW TO MAKE A BETTER SCREENSHOT FOR YOU, WITHOUT YOUR PAYING ME TO DO IT ON YOUR OpenWrt DEVICE FOR YOU], PLEASE USE YOUR OWN PUBLIC DNS AND NTP SERVERS, DON'T BLAME ME WHEN THAT IP DOESN'T WORK.

EDIT...also the ironic thing is...for someone to reconfigure their production router to your exact specifications for a screenshot would cause them a "leak" ...very "troll-ish"
:thinking:

@lleachii thank you for another round of bashing and not taking to the issue. You screenshot 1 rule and offer an offload of nonsense.

Taking 1 step back, the reason for the screenshot request is simple, I can not find a manual page explaining how to populate the fields on that LUCI page. With a screenshot of the said DNS, NTP, Wireguard, etc. routes I can try to work backwards what needs where and how.

:rofl:

Mods, I will test the config and reply back, so this thread can be closed. Obviously, the OP fails to realize that only they would know the IP addresses of the servers they plan to use...hence, no DNS, NTP routes have been "said."

Anyone else would like to help?

Don't you still have a thread open to inquire about flipping Wireguard tunnels???

That problem is related to this one. If I MAKE ANOTHER PICTURE for you showing "your said routes," then you will be unable to solve your issue in the other thread.

UPDATE: TESTED ON 3 OpenWrt-based and one Ubuntu-based Wireguard server: WAN SENDS NTP, NO DNS LEAKS FROM LAN, NO DNS REQUESTS FROM CLIENTS ON WAN, LAN MACHINES USE DNS SERVERS ON TUNNEL. ALL DEVICES HAVE TIME AND TUNNELS ARE UP.

My servers:

LAN DNS (Private IP on tunnel, will not disclose the RFC1918 /32 IP)
WAN DNS - Google DNS 8.8.8.8/32
WAN NTP: time-b-b.nist.gov (please get IP from https://tf.nist.gov/tf-cgi/servers.cgi)
Default route to tunnel: 0.0.0.0/0

I typed them in where I have given @pjp written instructions 3 times, and pictorial instructions 2 times, and it worked! On Ubuntu, I used the corresponding ip route add commands.

I will not make another picture:

  • These are my IPs and I will not receive another obdurate response that they're not yours, yet you have not provided them
  • It is a security risk for anyone to show you a photo of their exact routes
  • It's not hard to type this stuff in, you have an example, if you don't know what the "Add" button on LuCI means without a manual, you should probably re-flash stock firmware
  • I think I'm too mature to keep drawing pictures for an adult
  • EDIT: to be clear, I added the configs via UCI (command line)...so I have no "picture" to produce unless I logged in to the GUI twice (visually verify then to take the snapshot)...but I'm not sure if he'd accept that as "said config" so I didn't waste my time. :smiley:

Target is the destination after the netmask is applied (basically, use your NTP server IP and netmask 255.255.255.255). Interface is the one used to send the packet. Gateway is the router to send to. Metric is a "cost"; the route with the lower metric is preferred, which doesn't matter here unless you have more than one route to this specific IP.

Of course it's not easy to choose a gateway if your device moves around and gets DHCP addresses. In that case you probably need hotplug scripts or some such thing.

@pjp

You don't need the correct time for WireGuard to start, but if you need the system clock to be near UTC without NTP while you do have an internet connection: the NTP protocol might be blocked at a higher level. I will not go into TLS/SSL security. The date command is all one line.

Install wget; type:

opkg update
opkg install wget


Edit the /etc/rc.local file:

/etc/init.d/wireguard stop
# Take the clock from the "Date:" header of an HTTPS response (for when NTP is blocked).
# The certificate cannot be checked before the clock is set, so verification is skipped.
# The header reads "Date: Sun, 17 Jun 2018 07:56:54 GMT"; awk turns it into "2018-06-17 07:56:54".
# busybox date takes -u -s (GNU date accepts the same short options).
for site in www.example.com www.msn.com www.yahoo.com; do
   date -u -s "$(wget --no-check-certificate --server-response -q --no-hsts -T3 -t1 --spider https://$site 2>&1 | grep -i "^ *Date:" | head -1 | awk 'BEGIN{months="  JanFebMarAprMayJunJulAugSepOctNovDec"}{printf("%s-%02d-%d %s", $5, index(months,$4)/3, $3, $6)}')" >/dev/null 2>&1 && break
done
/etc/init.d/wireguard start
exit 0

I actually observed something else.

I had a device with RTC...the device never lost its time upon a reboot.

Despite having time, the Wireguard interface did not establish (it would not handshake).

Workaround: using an NTP server on the WAN interface subnet (route added by kernel). As soon as I added the server, Wireguard came up.

I think this may be an issue with Wg, as the tunnel shows up on the OpenWrt device.

EDIT: to answer the original OP's issue, you must also add an IPv4 Gateway IP (the upstream router) for Ethernet Interfaces (e.g. WAN).

The issue is entropy, NOT NTP.

I had an identical test device, but it was not in production use...I observed the issue you experienced; but could not determine the difference. I enabled use of the Random Number Generator in my device:

Disabled:

cat /proc/sys/kernel/random/entropy_avail

80

after enabled

3108

in the same time.

My WireGuard interface came up faster. You can only bring the interface up faster with an RNG.

If you have an RNG installed, the package is rng-tools

Under /etc/config/system:

config rngd
        option enabled '1'
        option device '/dev/<LOCATION_OF_RNG>'

EDIT: The device has an ath9k chip. Disabled, the entropy was much slower, as the kernel can use the random noise.


WireGuard still needs time, unlike OpenVPN, which even after power outages will still be connected.

In my case the following workaround did the trick :

Add the following script in /etc/config (to be preserved during sysupgrades), e.g. as post_up.sh.
Make it executable :

chmod +x /etc/config/post_up.sh

Copy this script :

#!/bin/ash

# Sync with a public NTP server. The tunnel is down at this point, so the
# tunnel's DNS is unreachable; resolve the pool name through a public
# resolver (Cloudflare 1.1.1.1) instead.
# The sed handles both busybox nslookup output styles
# ("Address 1: 1.2.3.4 host" and "Address: 1.2.3.4"), skips the resolver's
# own address printed before the "Name:" line, and keeps IPv4 only.
syncntp () {
        server=$(nslookup 0.pool.ntp.org 1.1.1.1 2>/dev/null \
                | sed -n '/^Name:/,$ s/^Address[^:]*:[[:space:]]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' \
                | head -n 1)
        [ -n "$server" ] || return 1
        # -n: stay in foreground, -q: exit after the first successful sync
        ntpd -n -q -p "$server"
}

# Stop wireguard (the netifd interface is assumed to be named "wg")
ifdown wg

# Attempt 3 times to sync with public ntp
i=0
while [ "$i" -lt 3 ]
do
        i=$((i+1))
        logger -t ntp_sync "NTP sync try $i"
        if syncntp
        then
                logger -t ntp_sync "NTP sync OK"
                break
        fi
done

# Start wireguard (also after a failed sync, so the tunnel is not left down)
ifup wg

exit 0

Call the script in /etc/rc.local (since this is the last action to be done on boot) :

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

/etc/config/post_up.sh

exit 0

Hope it helps, worked for me