I have a bit of an issue. I have my firewall set up to route all traffic through iface wg0 (VPN). However, the VPN protocol I use needs the time to be somewhat correct, and my device does not have an RTC. So I am stuck in a limbo: when I reboot the device, it cannot access NTP servers to get the time, as all traffic is routed through the VPN. The VPN cannot start, because the time is not working on the router.
Is there a firewall rule to allow NTP to go through eth0, while keeping everything else the same, so all traffic is still routed through wg0?
Yes, you should be able to either static route to a known IP address for one or more NTP servers you are authorized to directly engage (as DNS won't be up, nor easy to configure into rules), policy-route NTP traffic for some period of time, or just hold off on all forwarded traffic until you have "good" time, then bring up the VPN, then enable forwarded traffic.
"Correct" and "monotonically increasing" (time goes forward) are two different things, so knowing which, and if truly needed, "how correct", would be valuable.
See for more discussion and some ideas on how to get what might be "good enough" time:
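The first option above (a host route to one NTP server's IP literal via the WAN, then only bringing the tunnel up once the clock is sane) as an added example script, not code from the thread. It assumes the WAN interface is eth0 with a known gateway, the NTP server is given as an IPv4 address because DNS is unreachable until the tunnel is up, the tunnel interface is wg0, and busybox ntpd is available; the IPs and the build-time epoch are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Route NTP to one server via eth0 before
# the wg0 default route exists, sync the clock, then start the tunnel.
# Assumptions: WAN is eth0 with gateway $WAN_GW, $NTP_SERVER is an IPv4
# literal (DNS is down), the tunnel interface is wg0, busybox ntpd exists.

NTP_SERVER="${NTP_SERVER:-192.0.2.10}"      # constructed placeholder, use your own
WAN_GW="${WAN_GW:-198.51.100.1}"            # constructed placeholder
BUILD_EPOCH="${BUILD_EPOCH:-1700000000}"    # clock must be past the firmware build time
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

# DNS is unavailable until the VPN is up, so accept only a dotted-quad literal.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do   # reject octets above 255
        [ "$o" -le 255 ] || return 1
    done
}

# A /32 host route is more specific than the wg0 default route, so packets to
# this one NTP server leave via eth0 while everything else still uses the tunnel.
host_route_cmd() {
    printf 'ip route replace %s/32 via %s dev eth0\n' "$1" "$2"
}

# "Correct" and "monotonically increasing" differ: the minimum we insist on is
# that the clock has at least moved past the firmware build time.
time_is_sane() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$BUILD_EPOCH" ]
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi
}

bring_up() {
    is_ipv4 "$NTP_SERVER" || { echo "NTP_SERVER must be an IPv4 literal" >&2; return 1; }
    run "$(host_route_cmd "$NTP_SERVER" "$WAN_GW")"
    run "ntpd -n -q -p $NTP_SERVER"          # busybox one-shot sync against that server
    time_is_sane || { echo "clock still before build time, not starting wg0" >&2; return 1; }
    run "ifup wg0"                           # only now does the tunnel get the default route
}

if [ "${1:-}" = "up" ]; then bring_up; fi
```

Run it as `DRY_RUN=1 sh script.sh up` first to see the exact commands it would issue; with `DRY_RUN=0` it applies them, which fits a late boot hook such as `/etc/rc.local`. The host route stays in place afterwards, so periodic NTP polls to that one server keep leaving via eth0 while all other traffic follows wg0.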
Thank you! I think I might have it figured out. Problem is, I disabled sysntpd when building the image and enabled ntpd. Is there a way to re-enable the busybox sysntpd and disable the ntpd I installed, without re-building the firmware? Like a command?
I tried /etc/init.d/sysntpd enable, however it shows that sysntpd is not found.
Trying to install a different version of busybox on a running instance is challenging, at best, even under failsafe mode. If your build doesn't include the NTP applet, a new build is the easiest and safest approach. A broken busybox can lead to a soft brick as it is needed by opkg.
No, the route you created does that. Also, I didn't add the NTP server IP to WAN, I added it in system (as I noted above).
I simply showed you the proper way to add what you noted to OpenWRT - per the manual. Although, as you demonstrated, Linux commands and scripts work also. Some people may think it looks cleaner to add the configs to their designated places in UCI; and perhaps others may want to know how to do so. That's all.