Initiate wireguard after NTP success

Thanks dlakelan!
What does it do exactly? I mean, I have the firewall rules set up for all traffic through wireguard as per mullvad and azire config instructions. Will this NTP without wireguard?

It looks like it receives a message from the NTP system that the time has been set, and then it restarts wireguard. If you "disable" wireguard so it doesn't start on boot, and then you have this hotplug script, once NTP gets the time your wireguard will come up.

1 Like
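The mechanism described in the reply above, as an added example (this is not the script from the original thread): an OpenWrt/LEDE NTP hotplug handler that brings the WireGuard interface up once the clock has been set. It assumes the tunnel interface is named `wg0` in /etc/config/network and has "Bring up on boot" switched off; the file would be saved as /etc/hotplug.d/ntp/50-wireguard. OpenWrt's sysntpd runs /usr/sbin/ntpd-hotplug on every busybox ntpd event, which sources each file in /etc/hotplug.d/ntp/ with `$ACTION` set to `stratum`, `step`, `periodic` or `unsync`.

```shell
#!/bin/sh
# Added example, not code from the thread: /etc/hotplug.d/ntp/50-wireguard
# Assumptions: the WireGuard interface is "wg0" and is not started at boot.

WG_IFACE="wg0"
STAMP_FILE="/tmp/wg-ntp-synced"   # /tmp is cleared at reboot, so "once per boot"

# Return 0 if this ntpd event means the clock is now trustworthy, 1 otherwise.
# "stratum" is sent on the first successful sync; "step" when the clock was
# moved by a large amount, which is what happens on a router without an RTC.
ntp_event_means_synced() {
    case "$1" in
        stratum|step) return 0 ;;
        *)            return 1 ;;
    esac
}

# Decide whether to start the tunnel for event $1. The stamp file $2 makes
# sure the tunnel is started only once per boot, so later "periodic" or "step"
# events do not bounce a working handshake. Returns 0 when ifup should run.
should_start_tunnel() {
    event="$1"
    stamp="${2:-$STAMP_FILE}"
    [ -e "$stamp" ] && return 1
    ntp_event_means_synced "$event" || return 1
    : > "$stamp"
    return 0
}

# Hotplug entry point. ntpd-hotplug sources this file, so use if/else rather
# than "exit": exiting here would abort the runner for the remaining scripts.
if [ -n "$ACTION" ] && should_start_tunnel "$ACTION"; then
    logger -t wg-ntp "clock set by NTP ($ACTION), bringing up $WG_IFACE"
    ifup "$WG_IFACE"
fi
```

Note that this only helps if the NTP request itself can leave the router over the plain WAN; if every packet is forced into the tunnel by the firewall, the `stratum` event never arrives and the script never fires.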

And I just want to be certain...are you sure the issue is NTP, and not something simple like - you misconfigured DNS?

I've only experienced this issue when the WAN port cannot resolve the hostname of the far wg endpoint, or I try to assign DNS servers the WAN connection does not permit. I resolve this limitation by:

  • configuring LAN DHCP to hand out DNS servers accessible only thru the tunnel; and
  • allowing WAN to use the DNS server assigned by DHCP

or

  • I use the IP of the wg endpoint and assign LAN DHCP to assign DNS servers accessible only thru the tunnel

You can eliminate all DNS requests leaking to WAN by using the IP of the wg endpoint; but the UDP connection will obviously be seen by those who control the WAN.

I think I can be certain. DNS servers, endpoint, NTP, etc are all configured as IP and not as hostnames.

Thanks! I've configured this, will see if it holds over the next few days when the router boot date/time goes back.

EDIT: it does not work.
I set wireguard interface - advanced to "Bring up on boot" off
I ssh the code and checked the file afterwards
I reboot and wireguard does not come up, I have to manually sync time with browser and then manually start wireguard, so the code doesn't start wireguard after NTP, and NTP does not get set.

This seems logical to me, as per https://mullvad.net/media/uploads/2018/01/11/lede-zones.png all connections including NTP need to go through the WG tunnel, which does not come up without NTP.

How does one get this to work without manual intervention?

Have you tried using a script to set an arbitrary date and time yet?

I have no clue how to do this for date/time to get close enough to real date/time for the wireguard tunnel to be working when a travel router is not powered on for a while.

I asked both Mullvad and Azire, both confirmed their wireguard endpoints/servers do not serve NTP. Also, the tunnel would not be up to serve NTP before date/time is within wireguard acceptable error margin.
That is of course as far as my little grey cells can manage to understand, I may be completely wrong or misunderstanding.

I believe you do misunderstand. You are still creating a chicken-and-the-egg problem for yourself.

  • Mullvad and Azire do not offer NTP; and even if they offered NTP, you'd have to establish the tunnel FIRST then use the tunnel IP of their NTP server in order for there to be no "leak"!
  • You are attempting to sync time over the tunnel
  • You must have time before the tunnel comes up, therefore, it is impossible to obtain time over the tunnel

Simply use the date program to set a time (e.g. January 1, 2019). The server will have time, and then proceed to connect.

Only your NTP request(s) should "leak." You can configure the LAN to hand out DNS servers that are only accessible within the tunnel. If a "leak" is your only remaining concern, you may need to go over some Basic Networking.

This I understand. I also understand the firewall rules are set up so everything needs to go over the tunnel.

This I do not know how to do. Wouldn't it be cleaner (date/time wise) to let NTP (and only NTP) bypass the firewall and the tunnel until success? If so, how could I do this?

  1. All forwarded traffic blocked; output traffic permitted (at least DHCP, DNS, and NTP)
  2. DHCP assigns address to your outside interface
  3. NTP starts at boot, makes DNS calls to get servers, synchronizes time
  4. Start Wireguard
  5. Allow forwarded traffic through the tunnel
  6. Route all traffic except DHCP and to the remote tunnel endpoint through the tunnel

1 Like

Then, this is what you need to fix.

Twice, I suggested you set an arbitrary time; and the third time, I sent you a link to the manual. You continue to say you don't know how:

You fix your firewall:

I really think this is a bad idea. If you set an arbitrary time in the future once your router does get real time, it will fail to work until that future date passes... Time never goes backwards for wireguard.

What is needed is to allow ntp over the regular WAN, it's no good to try to prevent a "leak" here. There is no way to avoid using wan to do NTP

1 Like

This should read DHCP and NTP

1 Like

@dlakelan, I agree. Considering what the OP said at first:

At first, the OP described a situation where the 2 endpoints did not have Internet; but that's not truly the case. Actually, it's improper firewalling of WAN [NTP] traffic. The OP has a misconception about how a router obtains time:

As you stated:

This will solve the OP's chicken-and-the-egg issue, an issue contrived in their imagination.

How does one allow ntp over the regular WAN and all else only through wireguard ? Thanks.

@pjp, you're making your setup extremely difficult. It seems you have fears based in a misunderstanding of basic networking; and a fear that you will "leak" traffic. I think what you define as "all else" is not technically possible.

Simply:

  • Use a router with defaults
  • install wireguard and configure it (do not enable "Automatically Create Routes")
  • Set up static routes for the IPs of the NTP servers to use WAN using a /32 CIDR prefix
  • Set up /32 static routes for DNS server IPs (required if your WAN has to resolve a hostname)
  • Route all other traffic (0.0.0.0/0) via tunnel
  • Configure LAN to use DNS servers that are routed on the tunnel using DHCP Option 6
  • Make /32 static routes for those LAN DNS servers to use the tunnel
  • (Wireguard will automatically make a route to the /32 of the endpoint peer, so no chicken-and-the-egg issue there)
  • Reboot
  • Done!

1 Like

No fear here, just a non-technical end consumer (LuCI) trying to get wireguard to work on a LEDE router regularly powered off for hours/days and without RTC. I use the guides on Mullvad and Azire on how to set up wireguard and firewall.

Do you mean leave disabled in the wireguard network interface:
Route Allowed IPs - Create routes for Allowed IPs for this peer.

I'm lost as to how one does that?

@pjp ...at some point, don't you think you should be responsible for searching for a manual (or browsing the menu on the Heads-up-Display)?

This would be on the exact same LuCI menu: Network > Static Routes

You make the routes, it's menu-driven...not hard.

I do indeed mean that; because I instructed you to make your own routes, so you can make a route for: WAN DNS, WAN NTP, LAN DNSes and the default route (0.0.0.0/0).

24 days ... if the info and manuals were end consumer intelligible, non-technical, graphical it would be 5 mins. Thanks for sticking around so far helping someone who is not an IT specialist getting wireguard to work on non RTC LEDE routers.

I can not make sense of what to put where. A simple screenshot example rather than many pages of text manuals for IT specialists would be fabulous.

I think you're fairly navigating a non-consumer - Linux-based third-party router distribution firmware, especially trying to set up custom Static Routes for a VPN...assuming your issue was a Real Time Clock on a non-Internet Private Network, when it's really allowing NTP on WAN.

Screenshot is unnecessary, you're looking at it (I really don't understand the difficulty). You will see 2 relevant sections:

  • Interface
  • Target - Host-IP or Network

If your LAN DNS will be e.g. 1.1.1.1:

  • Configure Interface as your wireguard Interface
  • Enter Target as 1.1.1.1/32

If WAN DNS or NTP will be e.g. 8.8.8.8:

  • Configure Interface as WAN
  • Enter Target as 8.8.8.8/32
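The static-route layout given in this post, in the bullet list a few posts up (NTP and WAN DNS as /32 routes via WAN, LAN DNS and 0.0.0.0/0 via the tunnel, "Route Allowed IPs" off) and in the six-step sequence before it, as an added example rather than anything from the thread or the Mullvad/Azire guides: a script that emits the equivalent `uci` commands, so what is clicked together under Network > Static Routes can be reviewed as text and applied with `sh routes.sh | uci batch`. Interface names and addresses are assumptions: `wan` and `wg0` as in a default OpenWrt/LEDE configuration, the first (index 0) peer section of `wg0`, 8.8.8.8 and 1.1.1.1 taken from the examples above, and 203.0.113.10 as a constructed NTP server address from the documentation range that must be replaced with a real NTP server IP.

```shell
#!/bin/sh
# Added example, not code from the thread: generate uci commands for the
# WAN-for-NTP / tunnel-for-everything-else static route layout.
# Assumptions: WAN interface "wan", WireGuard interface "wg0" with one peer,
# constructed addresses below (replace with your own; use IPs, not hostnames).

WAN_IF="wan"
WG_IF="wg0"
NTP_SERVERS="203.0.113.10"   # constructed placeholder: your NTP server IP(s), space separated
WAN_DNS="8.8.8.8"            # resolver the WAN side may use (only needed if the endpoint is a hostname)
LAN_DNS="1.1.1.1"            # resolvers handed to LAN clients, reachable only through the tunnel

# Print the three uci lines for one /32 host route:
# named section $1, via interface $2, to host $3.
emit_host_route() {
    printf 'set network.%s=route\n' "$1"
    printf 'set network.%s.interface=%s\n' "$1" "$2"
    printf 'set network.%s.target=%s/32\n' "$1" "$3"
}

# The whole plan, in the order the posts above give it.
emit_route_plan() {
    # Stop WireGuard from installing 0.0.0.0/0 itself ("Route Allowed IPs" off
    # on the first peer) so the default route is under our control.
    printf 'set network.@wireguard_%s[0].route_allowed_ips=0\n' "$WG_IF"

    # NTP and WAN-side DNS stay on the plain WAN as /32 routes.
    i=0
    for ip in $NTP_SERVERS; do
        i=$((i + 1))
        emit_host_route "ntp$i" "$WAN_IF" "$ip"
    done
    emit_host_route wan_dns "$WAN_IF" "$WAN_DNS"

    # Resolvers used by LAN clients go only through the tunnel, and are handed
    # out with DHCP option 6 ("6,ip1,ip2" is one option with several servers).
    i=0
    dns_opt="6"
    for ip in $LAN_DNS; do
        i=$((i + 1))
        emit_host_route "lan_dns$i" "$WG_IF" "$ip"
        dns_opt="$dns_opt,$ip"
    done
    printf 'add_list dhcp.lan.dhcp_option=%s\n' "$dns_opt"

    # Everything else via the tunnel. No route is needed for the peer endpoint:
    # WireGuard adds that /32 itself.
    printf 'set network.wg_default=route\n'
    printf 'set network.wg_default.interface=%s\n' "$WG_IF"
    printf 'set network.wg_default.target=0.0.0.0/0\n'
    printf 'commit network\n'
    printf 'commit dhcp\n'
}

# Sanity check before applying: number of /32 host routes in the plan.
count_host_routes() {
    emit_route_plan | grep -c '\.target=[0-9.]*/32$'
}

emit_route_plan
```

One caveat when applying this: the DHCP-assigned default route on `wan` still exists next to the `0.0.0.0/0` route on the tunnel, so give `wan` a worse metric (`uci set network.wan.metric=...`, higher than the tunnel route) or set `network.wan.defaultroute=0`; the explicit /32 routes for NTP and WAN DNS keep working either way. Apply with `sh routes.sh | uci batch && /etc/init.d/network restart`, and check the result with `ip route` before relying on it.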

The router does not have an RTC like 90% of routers out there.
There is no non-Internet Private Network, only a home router.
NTP does not go to WAN when following Mullvad and Azire guides on setting up LEDE + wireguard, and without RTC there is no wireguard.

If anyone can help with a screenshot, that would be fa-bu-lous.