Procd one-shot init script to set clock early in boot process?

glxwrt · November 25, 2025, 2:11am

Hi, I’m trying to write an init script to call BusyBox ntpd to set the clock as early as possible in the boot process, related to the much-discussed chicken-and-egg issue with Wireguard interfaces not coming up when the clock is set sufficiently far off from the true time.

The command line for this if run manually would look something like

ntpd -n -q -N -p ntp.example.com -p ntp.domain.com -p ntp.time.com

I note when examining /etc/init.d/sysntpd that it makes use of procd to do things like run ntpd in a jail, set the user and group to ntp, and so forth.

I’d like to do this in my own script, but I don’t need any process monitoring or respawn features as I will strictly be running ntpd as a one-shot.

Does anyone know of an example of a one-shot service managed by procd, or is this a bad idea?

Alternatively: I’ve seen it suggested to use a hotplug script to only bring any Wireguard interface up after an ntpd stratum change event. I am open to being persuaded that this is a better approach.

Either way, I don’t know how to allow traffic to/from ntpd across the WAN interface while disallowing all other traffic (to prevent leaks while Wireguard is not up). I’ve seen it suggested to set up a static route to the IP addresses (/32) of some NTP servers, but I’d much rather allow traffic from ntpd in a manner which doesn’t depend on the IP address of the peers. If anybody has any pointers on how to do this, I’d love to hear it.

brada4 · November 25, 2025, 7:14am

Answer is in the question. .... nftables output .... skuid ntp accept

lleachii · November 25, 2025, 7:41am

How to solve the other much-discussed chicken-and-egg issue with WG, where a user configures DNS only via the tunnel?

Except the leak described in this feature request, correct?

Yeah.

jonathans · November 25, 2025, 6:35pm

Just some additional ideas.

Aside from the obvious choice of switching to a platform with an RTC, how about adding a local clock source of some kind, to avoid having to use the network to set time initially? Depending on your hardware and where you’re deploying, a USB GPS dongle could work. There’s also this USB RTC project, or it looks like you can order a similar device from Japan.

good luck.

MakeWiFiGreatAgain · November 25, 2025, 7:24pm

I had a similar problem with wireguard. I turn off my network when not home for security and power savings reasons. This presents a problem for me which was that my openwrt router boots up faster then my dsl modem can and dsl sync after turning them both on. It's annoying to have to wait around for modem to sync (can be 1 minute, but can also be 10 minutes) and then manually log in to my router and reboot it after so I bought a $9 ds3231 rtc from amazon. Took 10 minutes to install and configure. No more issues. Flip a switch, have a coke and internet is up.
If you can add rtc then do it.