
OpenWrt - Encrypted Time Synchronization with chrony

chrony is an implementation of NTP (Network Time Protocol). It has some advantages over the standard ntpd (Network Time Protocol daemon).

  1. chrony can synchronize to the time server much faster than ntpd. This is good for laptops or desktops that don't run constantly.
  2. It can compensate for fluctuating clock frequencies, such as when a host hibernates or enters sleep mode, or when the clock speed varies due to frequency stepping that slows clock speeds when loads are low.
  3. It handles intermittent network connections and bandwidth saturation.
  4. It adjusts for network delays and latency.
  5. After the initial time sync, chrony never steps the clock. This ensures stable and consistent time intervals for system services and applications.
  6. chrony can work even without a network connection. In this case, the local host or server can be updated manually.

Official Website of the chrony project

In this setup the connection between your OpenWrt device and the NTP servers is secured via NTS (Network Time Security): the keys are established over TLS and the NTP packets are authenticated, which reduces the risk of man-in-the-middle attacks.


To make chrony work, the firewall must allow NTP connections on port 123 (see Network Configuration).

Disable Time Synchronization

Disable the standard time synchronization.

System --> Time Synchronisation --> Enable NTP client


Uncheck Enable NTP client and click Save & Apply.


Install chrony-nts

Install the chrony-nts package.


Chrony Configuration

  1. Empty /etc/config/chrony

The standard chrony configuration file is located at /etc/config/chrony. For this setup the configuration will be done in /etc/chrony/chrony.conf.

Remove the whole content. The file must be empty.

# Create a backup
cd /etc/config/

cp chrony chrony-bak

# Empty chrony file
cd /etc/config/
: > chrony

  2. Update /etc/chrony/chrony.conf

Create backup file

cd /etc/chrony/

cp chrony.conf chrony.conf-back

Edit the main configuration file /etc/chrony/chrony.conf.

# Empty existing file
: > /etc/chrony/chrony.conf

# Edit file and paste content
nano /etc/chrony/chrony.conf

Paste the following content.

# Load UCI configuration
confdir /var/etc/chrony.d

# Load NTP servers from DHCP if enabled in UCI
sourcedir /var/run/chrony-dhcp

# Physikalisch-Technische Bundesanstalt / PTB (Germany)
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server ptbtime3.ptb.de iburst nts

# Cloudflare (Anycast)
server time.cloudflare.com iburst nts

# Time.nl (Netherlands)
server ntppool1.time.nl iburst nts
server ntppool2.time.nl iburst nts

# Netnod (Sweden)
server nts.netnod.se iburst nts

minsources 2
authselectmode require

driftfile /var/run/chrony/drift
ntsdumpdir /var/run/chrony

cmdport 0

makestep 1.0 3

# Don't log client accesses
noclientlog

leapsectz right/UTC

# Mark the system clock as synchronized
rtcsync

# Uncomment the following line to turn logging on.
# Choose the logs as needed
#log tracking measurements statistics

# Log files location.
#logdir /mnt/sda1/chrony

The logs can be saved to a USB storage device.

# Create log directory
mkdir /mnt/sda1/chrony


  • server = Time server
  • List of NTP servers which support nts on Wikipedia: https://de.wikipedia.org/wiki/Network_Time_Protocol#NTS
  • List of NTP servers which support nts on GitHub: https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
  • iburst = With this option, chronyd will start with a burst of 4-8 requests in order to make the first update of the clock sooner. It will also repeat the burst every time the source is switched from the offline state to online with the online command in chronyc.
  • nts = This option enables authentication using the Network Time Security (NTS) mechanism. Unlike with the key option, the server and client do not need to share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using the Transport Layer Security (TLS) protocol to get the keys and cookies required by NTS for authentication of NTP packets.
  • minsources = The minsources directive sets the minimum number of sources that need to be considered as selectable in the source selection algorithm before the local clock is updated. In this configuration the value is set to `2`, therefore at least two NTP servers must be defined as `server`.
  • authselectmode = NTP sources can be specified with the key or nts option to enable authentication to limit the impact of man-in-the-middle attacks. The authselectmode directive determines how authenticated and unauthenticated sources are treated in source selection; with `require`, authentication is strictly required and unauthenticated sources are not selected. In this configuration every `server` uses the authentication mode `nts`.
  • driftfile = One of the main activities of the chronyd program is to work out the rate at which the system clock gains or loses time relative to real time.
  • ntsdumpdir = This directive specifies a directory where chronyd operating as an NTS server can save the keys which encrypt NTS cookies provided to clients. The keys are saved to a single file named ntskeys. When chronyd is restarted, reloading the keys allows the clients to continue using old cookies and avoids a storm of NTS-KE requests. By default, the server does not save the keys. On a client, as in this setup, the same directive specifies the directory where chronyd saves the NTS cookies it received from the servers, to avoid making an NTS-KE request when chronyd is started.
  • cmdport = The cmdport directive allows the port that is used for run-time monitoring (via the chronyc program) to be altered from its default (323). If set to 0, chronyd will not open the port; this is useful to disable chronyc access from the Internet.
  • makestep = Normally chronyd will cause the system to gradually correct any time offset, by slowing down or speeding up the clock as required. In certain situations, e.g. when chronyd is initially started, the system clock might be so far adrift that this slewing process would take a very long time to correct the system clock. With `makestep 1.0 3`, chronyd steps the clock if the adjustment is larger than 1 second, but only in the first three clock updates.
  • noclientlog = This directive, which takes no arguments, specifies that client accesses are not to be logged.
  • leapsectz = This directive specifies a timezone in the system timezone database which chronyd can use to determine when will the next leap second occur and what is the current offset between TAI and UTC. It will periodically check if 23:59:59 and 23:59:60 are valid times in the timezone. This normally works with the right/UTC timezone.
  • rtconutc = chronyd assumes by default that the RTC keeps local time (including any daylight saving changes).
  • rtcsync = The rtcsync directive enables a mode where the system time is periodically copied to the RTC and chronyd does not try to track its drift.
  • log = The log directive indicates that certain information is to be logged. The log files are written to the directory specified by the logdir directive. A banner is periodically written to the files to indicate the meanings of the columns.
  • logdir = This directive specifies the directory for writing log files enabled by the log directive. If the directory does not exist, it will be created automatically.
  • tracking = This option logs changes to the estimate of the system’s gain or loss rate, and any slews made, to a file called tracking.log.
  • measurements = This option is identical to the rawmeasurements option, except it logs only valid measurements from synchronised sources, i.e. measurements which passed the RFC 5905 tests 1 through 7. This can be useful for producing graphs of the source’s performance.
  • statistics = This option logs information about the regression processing to a file called statistics.log.

The following two directives are relevant if the OpenWrt device shall act as the NTP server within your network.

  • allow = replace the IP address range with your own.
  • bindaddress = IP address of the OpenWrt device within your network.

The descriptions are from the official chrony documentation.
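
The hardening choices described above (nts on every server, authselectmode require, minsources not larger than the number of servers, cmdport 0) can be checked mechanically. The following script is an added example, not part of the original post or of chrony; the function name lint_chrony_conf and the sample configuration are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): lint a chrony.conf for the
# hardening choices this page makes. Only the file itself is checked;
# sources added through confdir/sourcedir are not seen.

# lint_chrony_conf: chrony.conf on stdin, findings on stdout, 0 if none.
lint_chrony_conf() {
    awk '
        /^[ \t]*[#!;%]/ || NF == 0 { next }     # comment or blank line
        $1 == "server" || $1 == "pool" {
            sources++
            has_nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") has_nts = 1
            if (!has_nts) { print "no nts option: " $2; bad++ }
        }
        $1 == "authselectmode" { authmode = $2 }
        $1 == "minsources"     { minsources = $2 + 0 }
        $1 == "cmdport"        { cmdport_closed = ($2 == "0") }
        END {
            if (authmode != "require") { print "authselectmode is not require"; bad++ }
            if (minsources > sources) {
                printf "minsources %d but only %d sources\n", minsources, sources
                bad++
            }
            if (!cmdport_closed) { print "cmdport is not 0"; bad++ }
            if (bad) exit 1
        }
    '
}

# Constructed sample: one server lacks nts, authselectmode is absent and
# the command port is left at its default.
weak_conf() {
    cat <<'EOF'
server ptbtime1.ptb.de iburst nts
server time.cloudflare.com iburst
minsources 2
makestep 1.0 3
EOF
}

weak_conf | lint_chrony_conf || echo "weak sample: findings above"
# On the router: lint_chrony_conf < /etc/chrony/chrony.conf
```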

Restart chrony service

Enable and restart chrony service

On the CLI

/etc/init.d/chronyd enable
/etc/init.d/chronyd restart

Via LuCI

System --> Startup


Check chrony service

Check NTP server availability

root@OpenWrt:~# chronyc activity
200 OK
7 sources online
0 sources offline
0 sources doing burst (return to online)
0 sources doing burst (return to offline)
0 sources with unknown address

activity = This command reports the number of servers and peers that are online and offline.

Check the availability of the NTP servers

root@OpenWrt:~# chronyc -N sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
^+ ptbtime1.ptb.de               1   6   177    56   -331us[ -331us] +/- 13ms
^* ptbtime2.ptb.de               1   6   177    56   -469us[+8259ns] +/- 14ms
^+ ptbtime3.ptb.de               1   6   177    56    -27us[ +450us] +/- 13ms
^+ time.cloudflare.com           3   6   177    54  +3811us[+3811us] +/- 15ms
^+ ntppool1.time.nl              1   6   177    54  +2070us[+2070us] +/- 14ms
^+ ntppool2.time.nl              1   6   177    56   -685us[ -685us] +/- 12ms
^+ nts.netnod.se                 1   6   177    54  +1160us[+1160us] +/- 20ms

sources = This command displays information about the current time sources that chronyd is accessing.

-N = This option enables printing of original hostnames or IP addresses of NTP sources that were specified in the configuration file, or chronyc commands. Without the -n and -N option, the printed hostnames are obtained from reverse DNS lookups and can be different from the specified hostnames.

root@OpenWrt:~# chronyc sources -v

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
^+ ptbtime1.ptb.de               1   6   377     9   +339us[ +339us] +/- 13ms
^* ptbtime2.ptb.de               1   6   377    10   +440us[ +282us] +/- 14ms
^+ ptbtime3.ptb.de               1   6   377    11   +646us[ +489us] +/- 14ms
^+ time.cloudflare.com           3   6   377     8   +721us[ +721us] +/- 12ms
^+ ntppool1.time.nl              1   6   377     8  +2118us[+2118us] +/- 14ms
^+ ntppool2.time.nl              1   6   377    11  +1328us[+1172us] +/- 14ms
^+ gbg2-ts.nts.netnod.se         1   6   377     8   -579us[ -579us] +/- 19ms

-v = The -v option enables a verbose output. In this case, extra caption lines are shown as a reminder of the meanings of the columns.

Check encryption with NTP servers

root@OpenWrt:~# chronyc -N authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
ptbtime1.ptb.de              NTS     1   15  256  55m    0    0    8  100
ptbtime2.ptb.de              NTS     1   15  256  55m    0    0    8  100
ptbtime3.ptb.de              NTS     1   15  256  55m    0    0    8  100
time.cloudflare.com          NTS     1   15  256  55m    0    0    8  100
ntppool1.time.nl             NTS     1   15  256  55m    0    0    8  100
ntppool2.time.nl             NTS     1   15  256  55m    0    0    8  100
nts.netnod.se                NTS     1   15  256  55m    0    0    8  100

The columns KeyID, Type and KLen must not contain 0 values!

authdata = The authdata command displays information specific to authentication of NTP sources.
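
The rule above can be turned into a check that runs from cron or a monitoring script. This is an added example, not part of the original post; the function name check_authdata and the two example.* hosts in the sample are constructed, and the column layout is assumed to match the output shown above.

```sh
#!/bin/sh
# Added example (not from the original post): automate the rule that every
# source must show Mode NTS and non-zero KeyID, Type and KLen.

# check_authdata: output of "chronyc -N authdata" on stdin; prints one FAIL
# line per offending source; returns 0 only if sources exist and all pass.
check_authdata() {
    awk '
        $1 == "Name/IP" || /^=+$/ || NF == 0 { next }   # header, rule, blank
        {
            # Columns: Name Mode KeyID Type KLen Last Atmp NAK Cook CLen
            total++
            if ($2 != "NTS" || $3 == "0" || $4 == "0" || $5 == "0") {
                printf "FAIL %s mode=%s keyid=%s type=%s klen=%s\n", $1, $2, $3, $4, $5
                bad++
            }
        }
        END { if (total == 0 || bad > 0) exit 1 }
    '
}

# Constructed sample: one source has not completed NTS key establishment,
# another one is plain unauthenticated NTP.
sample_authdata() {
    cat <<'EOF'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ptbtime1.ptb.de              NTS     1   15  256  55m    0    0    8  100
nts.example.org              NTS     0    0    0    -    1    0    0    0
ntp.example.net                -     0    0    0    -    0    0    0    0
EOF
}

sample_authdata | check_authdata || echo "sample: not all sources are NTS-authenticated"
# On the router: chronyc -N authdata | check_authdata && echo "all sources use NTS"
```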

Display connected clients

🚨 The option noclientlog needs to be commented out in the config file.

List the clients that use your OpenWrt device as their NTP server.

chronyc clients

clients = This command shows a list of clients that have accessed the server, through the NTP, command, or NTS-KE port. It does not include accesses over the Unix domain command socket.

Display tracking information

root@OpenWrt:~# chronyc tracking
Reference ID    : CD2EB2A9 (ptbtime3.ptb.de)
Stratum         : 2
Ref time (UTC)  : Thu Aug 17 14:07:34 2023
System time     : 0.000000000 seconds slow of NTP time
Last offset     : -0.000754178 seconds
RMS offset      : 0.000754178 seconds
Frequency       : 12.441 ppm slow
Residual freq   : -111.668 ppm
Skew            : 0.514 ppm
Root delay      : 0.024521304 seconds
Root dispersion : 0.001687375 seconds
Update interval : 0.0 seconds
Leap status     : Normal

tracking = The tracking command displays parameters about the system’s clock performance.

Display drift rate

root@OpenWrt:~# chronyc sourcestats -v
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
ptbtime1.ptb.de             7   4   389     +2.347     12.531   +154us   588us
ptbtime2.ptb.de            15   8   718     +0.263      2.952   -300us   658us
ptbtime3.ptb.de            15   7   720     +0.006      1.886   -326us   436us
time.cloudflare.com        15   7   717     +0.866      6.063  +1235us  1239us
ntppool1.time.nl           15   9   719     -0.206      3.470    -50us   792us
ntppool2.time.nl           15   8   717     +0.372      4.637    +88us  1084us
gbg2-ts.nts.netnod.se      14   9   718     -0.010      3.677   -433us   760us

sourcestats = The sourcestats command displays information about the drift rate and offset estimation process for each of the sources currently being examined by chronyd.

Each line shows the connection to one of our NTP servers in detail.



Image: Official OpenWrt Logo - https://openwrt.org/_media/docs/guide-graphic-designer/openwrt-logo-usage-guidelines.pdf