NTP to NTS security

Hi

On Linux (Ubuntu) I have just installed Chrony and added server time.cloudflare.com nts to /etc/chrony/chrony.conf

This forces the system to request time via NTS (TLS) so nobody can intercept or spoof it.

The main question:
How can I do something similar on my 24.10.3 (r28872-daca7c049b)
Firmware link
GL.iNet GL-MT3000

You should install chrony-nts, which contains the "full" set of features found on non-embedded Linuxes.
You have to disable the sysntpd service before another NTP service can take over.

Before or after that, install luci-app-attendedsysupgrade and upgrade to 24.10.4 :wink:

Note that NTS protects against your provider, close to home, sabotaging NTP; you still need multiple alternative time sources to elect the correct time trend.

server time.cloudflare.com iburst nts
server ntppool1.time.nl iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
server time.dfm.dk iburst nts
server time.cifelli.xyz iburst nts

Will this be enough?

Yeah. It's time to. I'm just afraid of bricking the router, since I have no devices with a LAN port. But I think I should have already purchased an external adapter :sweat_smile:

A little dumb question: won't this conflict with the NTP settings in LuCI?

Anyways, many thanks for your help!

chronyd has no relation to the LuCI settings for sysntpd.

Here they recommend having four servers:

You should consider server accuracy or stratum when building your list.


Have a play with luci-app-chrony

luci-app-chrony depends on regular chrony, which conflicts with chrony-nts.

Adding a provides chrony line here to satisfy the LuCI app requirement, @mlichvar - will it work?

I don't know, I'm not very familiar with the dependency resolver. If a newly installed package has a dependency on chrony and neither variant is installed, would the resolver prefer the non-nts variant, or select it randomly?

Totally works... just that opkg selects the candidate at random.

> opkg install luci-app-chrony
Installing luci-app-chrony (25.299.71202~85db833) to root...
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/luci/luci-app-chrony_25.299.71202~85db833_all.ipk
Installing libgmp10 (6.3.0-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/base/libgmp10_6.3.0-r1_aarch64_cortex-a53.ipk
Installing libnettle8 (3.9.1-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/base/libnettle8_3.9.1-r1_aarch64_cortex-a53.ipk
Installing libgnutls (3.8.5-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/packages/libgnutls_3.8.5-r1_aarch64_cortex-a53.ipk
Installing chrony-nts (4.6.1-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10-SNAPSHOT/packages/aarch64_cortex-a53/packages/chrony-nts_4.6.1-r1_aarch64_cortex-a53.ipk
Configuring libgmp10.
Configuring libnettle8.
Configuring libgnutls.
Configuring chrony-nts.
Configuring luci-app-chrony.

The NTS option is displayed prominently by default (you have to use an actual NTS server, not a pool one).

Tested. Yeah. It works. So that's it? Or do I need to change native settings to point something to chrony?

I’ve submitted a PR to main which should fix the provides.

If you want NTS - you need chrony-nts, and check the NTS box for a pool. Refer to the linked documentation in the GUI if you’re unsure. That’s what it’s for.


You have to remove all NTP servers and replace them with NTS servers.
Leave ONE pool entry though - NTS needs a valid HTTPS key set and the correct time in advance....

On OpenWrt chrony will ignore the cert time for the first query if the RTC doesn't exist.
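The steps the thread converges on (disable sysntpd, replace every plain NTP server with an NTS one, keep a single pool entry so the clock is close enough for the TLS certificate check, then confirm NTS actually took effect) can be scripted and verified. The following is an added example, not code from the thread or from the chrony or OpenWrt projects. It assumes the server list from the thread, a constructed pool name, constructed file paths, and a constructed sample of `chronyc -N authdata` output in chrony 4.x's field layout; where the generated lines belong on OpenWrt (the package builds its config from UCI, while stock chrony reads /etc/chrony/chrony.conf) is not covered by the thread, so the script only prints and audits them. The check relies on one real chrony behaviour: a source whose NTS-KE succeeded reports Mode NTS with a non-zero KeyID in `chronyc -N authdata`, while KeyID 0 means no keys were obtained and replies from that source are not authenticated.

```shell
#!/bin/sh
# Added example (not from the thread, chrony or OpenWrt). Generates an NTS-only
# chrony source list plus one bootstrap pool, audits a config for leftover plain
# `server` lines, and checks `chronyc -N authdata` output for completed NTS-KE.
# Assumptions: server list, pool name, file paths and sample chronyc output are
# constructed for this example.
#
# On OpenWrt the thread's first step is, before starting chrony:
#   /etc/init.d/sysntpd stop; /etc/init.d/sysntpd disable
# (the chrony package's own init script name is assumed to be chronyd).

NTS_SERVERS="time.cloudflare.com ntppool1.time.nl nts.netnod.se ptbtime1.ptb.de"
BOOTSTRAP_POOL="0.openwrt.pool.ntp.org"   # assumption: the one plain pool kept for initial sync

# Print chrony source directives: every server authenticated with NTS, plus the
# single pool entry that lets the clock get close enough for the cert check.
gen_chrony_conf() {
  for s in $NTS_SERVERS; do
    printf 'server %s iburst nts\n' "$s"
  done
  printf 'pool %s iburst\n' "$BOOTSTRAP_POOL"
}

# Audit a chrony config file ($1): fail if any `server` line lacks the `nts`
# option (an unauthenticated source left behind) or if there is not exactly
# one `pool` line.
audit_conf() {
  plain=$(awk '$1 == "server" { nts = 0; for (i = 3; i <= NF; i++) if ($i == "nts") nts = 1; if (!nts) n++ } END { print n + 0 }' "$1")
  pools=$(awk '$1 == "pool" { n++ } END { print n + 0 }' "$1")
  if [ "$plain" -ne 0 ]; then
    echo "audit: $plain plain (non-NTS) server line(s) remain" >&2
    return 1
  fi
  if [ "$pools" -ne 1 ]; then
    echo "audit: expected exactly one pool line, found $pools" >&2
    return 1
  fi
  return 0
}

# Check saved `chronyc -N authdata` output ($1): every configured NTS server
# must show Mode NTS and a non-zero KeyID, otherwise NTS-KE never completed and
# `nts` in the config is not buying any authentication for that source.
check_authdata() {
  for s in $NTS_SERVERS; do
    mode=$(awk -v n="$s" '$1 == n { print $2; exit }' "$1")
    keyid=$(awk -v n="$s" '$1 == n { print $3; exit }' "$1")
    if [ "$mode" != "NTS" ] || [ "${keyid:-0}" -eq 0 ]; then
      echo "NTS not established for $s (mode=${mode:-missing} keyid=${keyid:-0})" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample of `chronyc -N authdata` output: all four sources have keys.
SAMPLE_OK='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
ntppool1.time.nl             NTS     2   15  256  33m    0    0    8  100
nts.netnod.se                NTS     3   15  256  33m    0    0    8  100
ptbtime1.ptb.de              NTS     4   15  256  33m    0    0    8  100'

# Constructed sample where the last source never obtained keys (KeyID 0, no
# cookies), which is what a failed NTS-KE looks like, e.g. when the clock was
# too far off for the certificate check the thread mentions.
SAMPLE_FAIL='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
ntppool1.time.nl             NTS     2   15  256  33m    0    0    8  100
nts.netnod.se                NTS     3   15  256  33m    0    0    8  100
ptbtime1.ptb.de              NTS     0    0    0    -    3    0    0    0'

# Stand-alone offline demo. On the router you would instead save real output
# with `chronyc -N authdata > /tmp/authdata.txt` and pass that file.
tmp="${TMPDIR:-/tmp}/nts-demo.$$"
gen_chrony_conf > "$tmp.conf" && cat "$tmp.conf"
audit_conf "$tmp.conf" && echo "config audit: ok"
printf '%s\n' "$SAMPLE_OK" > "$tmp.ok"
check_authdata "$tmp.ok" && echo "sample ok: all NTS sources authenticated"
printf '%s\n' "$SAMPLE_FAIL" > "$tmp.fail"
check_authdata "$tmp.fail" || echo "sample fail: unauthenticated source detected"
rm -f "$tmp.conf" "$tmp.ok" "$tmp.fail"
```

The audit catches the mistake the last post warns about (a plain `server` line surviving next to the NTS ones), and the authdata check catches the silent case where a server is configured with `nts` but never finished NTS-KE, so its time is still accepted only as far as chrony's source selection allows rather than being cryptographically verified.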