OpenWrt - Encrypted time synchronization with chrony
chrony is an implementation of the NTP (Network Time Protocol). It has some advantages over the standard ntpd (Network Time Protocol daemon).
- chrony can synchronize to the time server much faster than ntpd. This is good for laptops or desktops that don't run constantly.
- It can compensate for fluctuating clock frequencies, such as when a host hibernates or enters sleep mode, or when the clock speed varies due to frequency stepping that slows clock speeds when loads are low.
- It handles intermittent network connections and bandwidth saturation.
- It adjusts for network delays and latency.
- After the initial time sync, chrony never steps the clock. This ensures stable and consistent time intervals for system services and applications.
- chrony can work even without a network connection. In this case, the local host or server can be updated manually.
Official Website of the chrony project
In this setup the connection between your OpenWrt device and the NTP servers will be authenticated and encrypted via NTS (Network Time Security), which reduces the risk of man-in-the-middle attacks.
Note
To make chrony work, the firewall must allow NTP connections on UDP port 123. See Network Configuration.
Disable Time Synchronization
Disable the standard time synchronization.
System --> Time Synchronisation --> Enable NTP client
Uncheck Enable NTP client and click Save & Apply.
Install chrony-nts
Install the chrony-nts package.
Chrony Configuration
- Empty /etc/config/chrony
The standard chrony configuration file is located at /etc/config/chrony. For this setup the configuration will be done in /etc/chrony/chrony.conf instead.
Remove the whole content. The file shall be empty.
# Create a backup
cd /etc/config/
cp chrony chrony-bak
# Empty chrony file
cd /etc/config/
>chrony
- Update /etc/chrony/chrony.conf
Create a backup file:
cd /etc/chrony/
cp chrony.conf chrony.conf-back
Edit the main configuration file /etc/chrony/chrony.conf.
# Empty existing file
>chrony.conf
# Edit file and paste content
nano /etc/chrony/chrony.conf
Paste the following content.
# Load UCI configuration
confdir /var/etc/chrony.d
# Load NTP servers from DHCP if enabled in UCI
sourcedir /var/run/chrony-dhcp
# Physikalisch-Technische Bundesanstalt / PTB (Germany)
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server ptbtime3.ptb.de iburst nts
# Cloudflare (Anycast)
server time.cloudflare.com iburst nts
# Time.nl (Netherlands)
server ntppool1.time.nl iburst nts
server ntppool2.time.nl iburst nts
# Netnod (Sweden)
server nts.netnod.se iburst nts
minsources 2
authselectmode require
driftfile /var/run/chrony/drift
ntsdumpdir /var/run/chrony
cmdport 0
makestep 1.0 3
# Don't log client accesses
noclientlog
leapsectz right/UTC
rtconutc
# Mark the system clock as synchronized
rtcsync
allow 192.168.2.1/24
bindaddress 192.168.2.1
# Uncomment the following line to turn logging on.
# Choose the logs as needed
#log tracking measurements statistics
# Log files location.
#logdir /mnt/sda1/chrony
If logging is enabled, the log files can be written to a 👉 USB storage device.
# Create log directory
mkdir /mnt/sda1/chrony
server
= Time server.
- List of NTP servers which support NTS on Wikipedia: https://de.wikipedia.org/wiki/Network_Time_Protocol#NTS
- List of NTP servers which support NTS on GitHub: https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
iburst
= With this option, chronyd will start with a burst of 4-8 requests in order to make the first update of the clock sooner. It will also repeat the burst every time the source is switched from the offline state to online with the online command in chronyc.
nts
= This option enables authentication using the Network Time Security (NTS) mechanism. Unlike with the key option, the server and client do not need to share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using the Transport Layer Security (TLS) protocol to get the keys and cookies required by NTS for authentication of NTP packets.
minsources
= The minsources directive sets the minimum number of sources that need to be considered as selectable in the source selection algorithm before the local clock is updated. !!! In this configuration we set the value `2`, therefore at least two NTP servers must be defined as `server`.
authselectmode
= NTP sources can be specified with the key or nts option to enable authentication to limit the impact of man-in-the-middle attacks. For each `server` the authentication mode `nts` is defined. With `require`, only authenticated sources are selectable, so an unauthenticated source can never steer the clock.
driftfile
= One of the main activities of the chronyd program is to work out the rate at which the system clock gains or loses time relative to real time. The driftfile stores this estimate across restarts.
ntsdumpdir
= This directive specifies a directory where chronyd operating as an NTS server can save the keys which encrypt NTS cookies provided to clients. The keys are saved to a single file named ntskeys. When chronyd is restarted, reloading the keys allows the clients to continue using old cookies and avoids a storm of NTS-KE requests. By default, the server does not save the keys.
cmdport
= The cmdport directive allows the port that is used for run-time monitoring (via the chronyc program) to be altered from its default (323). If set to 0, chronyd will not open the port; this is useful to disable chronyc access from the Internet.
makestep
= Normally chronyd will cause the system to gradually correct any time offset, by slowing down or speeding up the clock as required. In certain situations, e.g. when chronyd is initially started, the system clock might be so far adrift that this slewing process would take a very long time to correct the system clock. `makestep 1.0 3` allows the clock to be stepped if the offset is larger than 1 second, but only during the first three clock updates.
noclientlog
= This directive, which takes no arguments, specifies that client accesses are not to be logged.
leapsectz
= This directive specifies a timezone in the system timezone database which chronyd can use to determine when the next leap second will occur and what the current offset between TAI and UTC is. It will periodically check if 23:59:59 and 23:59:60 are valid times in the timezone. This normally works with the right/UTC timezone.
rtconutc
= chronyd assumes by default that the RTC keeps local time (including any daylight saving changes). This directive tells chronyd that the RTC keeps UTC instead.
rtcsync
= The rtcsync directive enables a mode where the system time is periodically copied to the RTC and chronyd does not try to track its drift.
log
= The log directive indicates that certain information is to be logged. The log files are written to the directory specified by the logdir directive. A banner is periodically written to the files to indicate the meanings of the columns.
logdir
= This directive specifies the directory for writing log files enabled by the log directive. If the directory does not exist, it will be created automatically.
tracking
= This option logs changes to the estimate of the system's gain or loss rate, and any slews made, to a file called tracking.log.
measurements
= This option is identical to the rawmeasurements option, except it logs only valid measurements from synchronised sources, i.e. measurements which passed the RFC 5905 tests 1 through 7. This can be useful for producing graphs of the source's performance.
statistics
= This option logs information about the regression processing to a file called statistics.log.
These two lines are only relevant if the OpenWrt device shall be the NTP server within your network.
allow
= 192.168.1.1/24: replace the IP address range with your own (the example configuration above uses 192.168.2.1/24).
bindaddress
= IP address of the OpenWrt device within your network.
The descriptions are from the official chrony documentation.
- 👉 chrony.conf(5) - chronyd configuration file - https://chrony-project.org/documentation.html
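As an added example (not part of the original article), a small POSIX sh/awk check that lints a chrony.conf for the hardening this section relies on: every server line carries nts, authselectmode is require, and at least minsources servers are defined (chrony's default for minsources is 1 when the directive is absent). Both sample configurations are constructed; the hostname ntp.example.invalid is a placeholder.

```shell
# lint_chrony_conf: read a chrony.conf on stdin; return 0 if every "server"
# line has the nts option, "authselectmode require" is set and the number of
# servers is >= minsources. Otherwise print each problem and return 1.
lint_chrony_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "server" {
            servers++; has_nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") has_nts = 1
            if (!has_nts) { printf "server without nts: %s\n", $2; bad++ }
        }
        $1 == "minsources"     { minsources = $2 }
        $1 == "authselectmode" { mode = $2 }
        END {
            if (mode != "require") { print "authselectmode is not require"; bad++ }
            if (minsources == "") minsources = 1   # chrony default
            if (servers + 0 < minsources + 0) {
                printf "%d server(s) but minsources %d: clock would never be updated\n", servers, minsources
                bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: the hardened layout used in this article ...
HARDENED='server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server time.cloudflare.com iburst nts
minsources 2
authselectmode require'

# ... and a weak one: plain NTP, no authselectmode, fewer servers than minsources
WEAK='server ntp.example.invalid iburst
minsources 2'

# Usage on the router:  lint_chrony_conf < /etc/chrony/chrony.conf && echo "config OK"
```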
Restart chrony service
Enable and restart chrony service
On the CLI
/etc/init.d/chronyd enable
/etc/init.d/chronyd restart
via LuCI
System --> Startup
Check chrony service
Check how many NTP sources are online
root@OpenWrt:~# chronyc activity
200 OK
7 sources online
0 sources offline
0 sources doing burst (return to online)
0 sources doing burst (return to offline)
0 sources with unknown address
activity
= This command reports the number of servers and peers that are online and offline.
Check the availability of the NTP servers
root@OpenWrt:~# chronyc -N sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ptbtime1.ptb.de 1 6 177 56 -331us[ -331us] +/- 13ms
^* ptbtime2.ptb.de 1 6 177 56 -469us[+8259ns] +/- 14ms
^+ ptbtime3.ptb.de 1 6 177 56 -27us[ +450us] +/- 13ms
^+ time.cloudflare.com 3 6 177 54 +3811us[+3811us] +/- 15ms
^+ ntppool1.time.nl 1 6 177 54 +2070us[+2070us] +/- 14ms
^+ ntppool2.time.nl 1 6 177 56 -685us[ -685us] +/- 12ms
^+ nts.netnod.se 1 6 177 54 +1160us[+1160us] +/- 20ms
sources
= This command displays information about the current time sources that chronyd is accessing.
-N
= This option enables printing of original hostnames or IP addresses of NTP sources that were specified in the configuration file, or chronyc commands. Without the -n and -N option, the printed hostnames are obtained from reverse DNS lookups and can be different from the specified hostnames.
root@OpenWrt:~# chronyc sources -v
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ptbtime1.ptb.de 1 6 377 9 +339us[ +339us] +/- 13ms
^* ptbtime2.ptb.de 1 6 377 10 +440us[ +282us] +/- 14ms
^+ ptbtime3.ptb.de 1 6 377 11 +646us[ +489us] +/- 14ms
^+ time.cloudflare.com 3 6 377 8 +721us[ +721us] +/- 12ms
^+ ntppool1.time.nl 1 6 377 8 +2118us[+2118us] +/- 14ms
^+ ntppool2.time.nl 1 6 377 11 +1328us[+1172us] +/- 14ms
^+ gbg2-ts.nts.netnod.se 1 6 377 8 -579us[ -579us] +/- 19ms
-v
= The -v option enables a verbose output. In this case, extra caption lines are shown as a reminder of the meanings of the columns.
Check encryption with NTP servers
root@OpenWrt:~# chronyc -N authdata
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
=========================================================================
ptbtime1.ptb.de NTS 1 15 256 55m 0 0 8 100
ptbtime2.ptb.de NTS 1 15 256 55m 0 0 8 100
ptbtime3.ptb.de NTS 1 15 256 55m 0 0 8 100
time.cloudflare.com NTS 1 15 256 55m 0 0 8 100
ntppool1.time.nl NTS 1 15 256 55m 0 0 8 100
ntppool2.time.nl NTS 1 15 256 55m 0 0 8 100
nts.netnod.se NTS 1 15 256 55m 0 0 8 100
The columns KeyID, Type and KLen shall contain no 0 values!
authdata
= The authdata command displays information specific to authentication of NTP sources.
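As an added example (not from the original article), a shell function that turns the rule above into an automatic check: it parses chronyc -N authdata output and fails if any source is not in NTS mode or has a 0 in the KeyID, Type or KLen column. The sample output is constructed from the listing above plus one deliberately broken source (nts.example.invalid is a placeholder name).

```shell
# check_nts_auth: read `chronyc -N authdata` output on stdin and return 0 only if
# every source is NTS-authenticated (Mode is NTS and KeyID, Type and KLen are all
# non-zero). Otherwise print the offending sources and return 1.
check_nts_auth() {
    awk '
        NR <= 2 { next }                        # header line and ===== separator
        NF < 5  { next }                        # ignore blank lines
        {
            name = $1; mode = $2; keyid = $3; type = $4; klen = $5
            if (mode != "NTS" || keyid == 0 || type == 0 || klen == 0) {
                printf "NOT AUTHENTICATED: %s (Mode=%s KeyID=%s Type=%s KLen=%s)\n", name, mode, keyid, type, klen
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: healthy output as shown in the article ...
SAMPLE_OK='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ptbtime1.ptb.de             NTS     1   15  256  55m    0    0    8  100
time.cloudflare.com         NTS     1   15  256  55m    0    0    8  100'

# ... plus a source whose NTS-KE has not succeeded (all key columns are 0)
SAMPLE_BAD="$SAMPLE_OK
nts.example.invalid         NTS     0    0    0    -    3    0    0    0"

# Usage on the router:  chronyc -N authdata | check_nts_auth && echo "all sources NTS-authenticated"
```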
Display connected clients
🚨 The option noclientlog needs to be commented out in the config file.
List clients that use your OpenWrt as their NTP server.
chronyc clients
clients
= This command shows a list of clients that have accessed the server, through the NTP, command, or NTS-KE port. It does not include accesses over the Unix domain command socket.
Display tracking information
root@OpenWrt:~# chronyc tracking
Reference ID : CD2EB2A9 (ptbtime3.ptb.de)
Stratum : 2
Ref time (UTC) : Thu Aug 17 14:07:34 2023
System time : 0.000000000 seconds slow of NTP time
Last offset : -0.000754178 seconds
RMS offset : 0.000754178 seconds
Frequency : 12.441 ppm slow
Residual freq : -111.668 ppm
Skew : 0.514 ppm
Root delay : 0.024521304 seconds
Root dispersion : 0.001687375 seconds
Update interval : 0.0 seconds
Leap status : Normal
tracking
= The tracking command displays parameters about the system’s clock performance.
Display drift rate
root@OpenWrt:~# chronyc sourcestats -v
.- Number of sample points in measurement set.
/ .- Number of residual runs with same sign.
| / .- Length of measurement set (time).
| | / .- Est. clock freq error (ppm).
| | | / .- Est. error in freq.
| | | | / .- Est. offset.
| | | | | | On the -.
| | | | | | samples. \
| | | | | | |
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
ptbtime1.ptb.de 7 4 389 +2.347 12.531 +154us 588us
ptbtime2.ptb.de 15 8 718 +0.263 2.952 -300us 658us
ptbtime3.ptb.de 15 7 720 +0.006 1.886 -326us 436us
time.cloudflare.com 15 7 717 +0.866 6.063 +1235us 1239us
ntppool1.time.nl 15 9 719 -0.206 3.470 -50us 792us
ntppool2.time.nl 15 8 717 +0.372 4.637 +88us 1084us
gbg2-ts.nts.netnod.se 14 9 718 -0.010 3.677 -433us 760us
sourcestats
= The sourcestats command displays information about the drift rate and offset estimation process for each of the sources currently being examined by chronyd.
Each line shows the connection to one of our NTP servers in detail.
Image source: Official OpenWrt Logo - https://openwrt.org/_media/docs/guide-graphic-designer/openwrt-logo-usage-guidelines.pdf