[Solved] NTP issues while running VPN

Hey guys,

I have a bit of an issue. I have my firewall set up to route all traffic through iface wg0 (VPN). However, the VPN protocol I use needs time to be somewhat correct, and my device does not have RTC. So I am stuck in a limbo - when I reboot the device - it can not access NTP servers to get time, as all traffic is routed through the VPN. The VPN can not start, because the time is not working on the router.

Is there a firewall rule, to allow NTP to go through eth0, while keeping everything else the same, so all traffic is still routed through wg0?

Thank you for all your help!

Wouldn't it be easier to modify the vpn startup script to get the time before starting the VPN?

LP,
Jure


Yes, you should be able to either static route to a known IP address for one or more NTP servers you are authorized to directly engage (as DNS won't be up, nor easy to configure into rules), policy-route NTP traffic for some period of time, or just hold off on all forwarded traffic until you have "good" time, then bring up the VPN, then enable forwarded traffic.

"Correct" and "monotonically increasing" (time goes forward) are two different things, so knowing which, and if truly needed, "how correct", would be valuable.

See for more discussion and some ideas on how to get what might be "good enough" time:


Thank you! I think I might have it figured out. Problem is - I disabled sysntpd when building the image and enabled ntpd. Is there a way to re-enable the busybox sysntpd and disable the ntpd I installed, without re-building the firmware? Like a command?

I tried /etc/init.d/sysntpd enable, however it shows that sysntpd is not found.

Thanks!

Yes, if you have the web GUI, you simply do this under Startup.

  • Disable ntpd
  • Re-enable sysntpd

On the command line:

/etc/init.d/ntpd disable
/etc/init.d/sysntpd enable

More information available at:

Trying to install a different version of busybox on a running instance is challenging, at best, even under failsafe mode. If your build doesn't include the NTP applet, a new build is the easiest and safest approach. A broken busybox can lead to a soft brick as it is needed by opkg.


Yes, just make a route for the NTP server's IP, to use WAN.

Time will always be obtained from that IP via WAN.


Alright guys, I feel a little stupid, as it was an easy task to do. But it is done now 🙂

For anyone wondering how - create a rc.local script that includes:

ip route add EnterIPofAnyTimeServerHere via EnterWanGatewayIPHere dev eth0
followed by
ntpd -p EnterIPofAnyTimeServerHere

As I said - simple. Thanks for all your help guys!

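A fuller version of that rc.local approach, as an added example that is not from the thread: it pins the NTP server to the WAN gateway, syncs once, checks the resulting time against a build-date floor (the "good enough" time the earlier reply talked about) and only then brings up wg0. It assumes BusyBox ntpd and timeout, iproute2 and OpenWrt's ifup; the server IP and the build epoch are placeholders.

```shell
#!/bin/sh
# Boot-time clock bootstrap for a router whose default route goes through wg0.
# Added example, not from the thread. Assumes BusyBox ntpd (-n -q -p) and
# timeout, iproute2 and OpenWrt's ifup; NTP_SERVER and BUILD_EPOCH are placeholders.
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"   # placeholder: a server IP, not a DNS name
WAN_DEV="${WAN_DEV:-eth0}"
# Constructed clock floor: epoch seconds of the firmware build. Without an RTC
# the box boots in 1970 (or at the last saved time), so anything earlier than the
# build is certainly wrong; anything later is good enough for a WireGuard handshake.
BUILD_EPOCH=1700000000

# time_is_sane EPOCH -> true when EPOCH is not before the build date
time_is_sane() {
    [ "$1" -ge "$BUILD_EPOCH" ]
}

# gateway_for_dev DEV -> next hop of the default route that leaves via DEV,
# parsed from `ip -4 route` output on stdin; prints nothing if there is none
gateway_for_dev() {
    awk -v dev="$1" '$1 == "default" && $2 == "via" {
        for (i = 4; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) { print $3; exit }
    }'
}

# Pin the NTP server to the WAN, sync once, remove the pin, verify the result.
sync_clock_over_wan() {
    gw=$(ip -4 route | gateway_for_dev "$WAN_DEV")
    [ -n "$gw" ] || { echo "no default route via $WAN_DEV" >&2; return 1; }
    ip route add "$NTP_SERVER/32" via "$gw" dev "$WAN_DEV" || return 1
    # -n: stay in the foreground, -q: exit as soon as the clock has been set
    timeout 60 ntpd -n -q -p "$NTP_SERVER"
    rc=$?
    ip route del "$NTP_SERVER/32" 2>/dev/null
    [ "$rc" -eq 0 ] && time_is_sane "$(date +%s)"
}

main() {
    if sync_clock_over_wan; then
        ifup wg0        # bring the VPN up only once the clock is trustworthy
    else
        echo "clock not synced, leaving wg0 down" >&2
        exit 1
    fi
}

# Only act when invoked as `sh thisfile.sh run` (e.g. from /etc/rc.local), so the
# functions can be sourced without touching routes.
if [ "${1:-}" = "run" ]; then main; fi
```

A PPPoE WAN whose default route has no `via` next hop makes gateway_for_dev print nothing, so the script refuses to sync rather than add a wrong route.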

Or in /etc/config/network:

config route
	option interface 'wan'
	option target 'xxx.xxx.xxx.xxx'
	option netmask '255.255.255.255'

This can also be configured in the UCI at /etc/config/system:

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server 'xxx.xxx.xxx.xxx'

Glad you got it working!


Wait, are you saying that if I add the IP of the time server under wan as option target - it will bypass the firewall rules, which route all traffic through the interface wg0 (vpn interface)?

If so - that sounds much easier and cleaner.

No, the route you created does that. Also, I didn't add the NTP server IP to WAN, I added it in system (as I noted above).

I simply showed you the proper way to add what you noted to OpenWRT - per the manual. Although, as you demonstrated, Linux commands and scripts work also. Some people may think it looks cleaner to add the configs to their designated places in UCI; and perhaps others may want to know how to do so. That's all.