OpenWRT – Encrypted Time Synchronization with chrony

chrony is an implementation of the NTP (Network Time Protocol). It has some advantages over the standard ntpd (= Network Time Protocol daemon).

  1. chrony can synchronize to the time server much faster than ntpd. This is good for laptops or desktops that don’t run constantly.
  2. It can compensate for fluctuating clock frequencies, such as when a host hibernates or enters sleep mode, or when the clock speed varies due to frequency stepping that slows clock speeds when loads are low.
  3. It handles intermittent network connections and bandwidth saturation.
  4. It adjusts for network delays and latency.
  5. After the initial time sync, chrony never steps the clock. This ensures stable and consistent time intervals for system services and applications.
  6. chrony can work even without a network connection. In this case, the local host or server can be updated manually.

Official Website of the chrony project

https://chrony-project.org/

In this setup the connection between your OpenWRT device and the NTP servers is secured via NTS (Network Time Security): the key exchange runs over TLS and the NTP packets are authenticated, which reduces the risk of man-in-the-middle attacks.

https://de.wikipedia.org/wiki/Network_Time_Protocol#NTS/

Disable Time Synchronization

Disable the standard time synchronization.

System --> Time Synchronisation --> Enable NTP client

Uncheck Enable NTP client and click Save & Apply.

Install chrony-nts

Install the chrony-nts package.

Chrony Configuration

The standard chrony configuration file is located at /etc/config/chrony.

Remove the whole content. The file shall be empty.

cd /etc/config

# Create backup
cp chrony chrony-bak

# Empty chrony file
>chrony

The main configuration will be done in:

/etc/chrony/chrony.conf

Edit the main configuration file /etc/chrony/chrony.conf.

nano /etc/chrony/chrony.conf

Paste the following content:

# Load UCI configuration
confdir /var/etc/chrony.d

# Load NTP servers from DHCP if enabled in UCI
sourcedir /var/run/chrony-dhcp

# Physikalisch-Technische Bundesanstalt / PTB (Germany)
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
server ptbtime3.ptb.de iburst nts

# Cloudflare (Anycast)
server time.cloudflare.com iburst nts

# Time.nl (Netherlands)
server ntppool1.time.nl iburst nts
server ntppool2.time.nl iburst nts

# Netnod (Sweden)
server nts.netnod.se iburst nts


minsources 2
authselectmode require

driftfile /var/run/chrony/drift
ntsdumpdir /var/run/chrony

cmdport 0

makestep 1.0 3

# Don't log client accesses
noclientlog

leapsectz right/UTC
rtconutc

# Mark the system clock as synchronized
rtcsync

allow 192.168.2.1/24
bindaddress 192.168.2.1

  1. server = Time server.
  2. iburst = With this option, chronyd will start with a burst of 4-8 requests in order to make the first update of the clock sooner. It will also repeat the burst every time the source is switched from the offline state to online with the online command in chronyc.
  3. nts = This option enables authentication using the Network Time Security (NTS) mechanism. Unlike with the key option, the server and client do not need to share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using the Transport Layer Security (TLS) protocol to get the keys and cookies required by NTS for authentication of NTP packets.
  4. minsources = The minsources directive sets the minimum number of sources that need to be considered as selectable in the source selection algorithm before the local clock is updated. Note: in this configuration we set the value `2`, therefore at least two NTP servers have to be defined as `server`.
  5. authselectmode = NTP sources can be specified with the key or nts option to enable authentication to limit the impact of man-in-the-middle attacks. With `require`, only authenticated sources are selectable. Every `server` in this configuration uses the authentication mode `nts`.
  6. driftfile = One of the main activities of the chronyd program is to work out the rate at which the system clock gains or loses time relative to real time.
  7. ntsdumpdir = This directive specifies a directory where chronyd operating as an NTS server can save the keys which encrypt NTS cookies provided to clients. The keys are saved to a single file named ntskeys. When chronyd is restarted, reloading the keys allows the clients to continue using old cookies and avoids a storm of NTS-KE requests. By default, the server does not save the keys.
  8. cmdport = The cmdport directive allows the port that is used for run-time monitoring (via the chronyc program) to be altered from its default (323). If set to 0, chronyd will not open the port; this is useful to disable chronyc access from the Internet. Local chronyc commands, as used below, still work over the Unix domain command socket.
  9. makestep = Normally chronyd will cause the system to gradually correct any time offset, by slowing down or speeding up the clock as required. In certain situations, e.g. when chronyd is initially started, the system clock might be so far adrift that this slewing process would take a very long time to correct the system clock. With `makestep 1.0 3`, chronyd steps the clock if the offset is larger than 1 second, but only during the first 3 clock updates.
  10. noclientlog = This directive, which takes no arguments, specifies that client accesses are not to be logged.
  11. leapsectz = This directive specifies a timezone in the system timezone database which chronyd can use to determine when the next leap second will occur and what the current offset between TAI and UTC is. It will periodically check if 23:59:59 and 23:59:60 are valid times in the timezone. This normally works with the right/UTC timezone.
  12. rtconutc = chronyd assumes by default that the RTC keeps local time (including any daylight saving changes). This directive tells chronyd that the RTC keeps UTC instead.
  13. rtcsync = The rtcsync directive enables a mode where the system time is periodically copied to the RTC and chronyd does not try to track its drift.
  14. allow = 192.168.1.1/24: replace the IP address range with your own.
  15. bindaddress = IP address of the OpenWRT device within your network.

The descriptions are from the official chrony documentation.

https://chrony-project.org/doc/4.2/chrony.conf.html

Restart chrony service

Enable and restart the chrony service.

On the CLI:

    /etc/init.d/chrony enable
    /etc/init.d/chrony restart

Via LuCI:

System --> Startup

Check chrony service

Check NTP server availability

    root@OpenWrt:~# chronyc activity
    200 OK
    7 sources online
    0 sources offline
    0 sources doing burst (return to online)
    0 sources doing burst (return to offline)
    0 sources with unknown address

activity = This command reports the number of servers and peers that are online and offline.

Check the availability of the NTP servers

    root@OpenWrt:~# chronyc -N sources
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^+ ptbtime1.ptb.de               1   6   177    56   -331us[ -331us] +/-   13ms
    ^* ptbtime2.ptb.de               1   6   177    56   -469us[+8259ns] +/-   14ms
    ^+ ptbtime3.ptb.de               1   6   177    56    -27us[ +450us] +/-   13ms
    ^+ time.cloudflare.com           3   6   177    54  +3811us[+3811us] +/-   15ms
    ^+ ntppool1.time.nl              1   6   177    54  +2070us[+2070us] +/-   14ms
    ^+ ntppool2.time.nl              1   6   177    56   -685us[ -685us] +/-   12ms
    ^+ nts.netnod.se                 1   6   177    54  +1160us[+1160us] +/-   20ms

sources = This command displays information about the current time sources that chronyd is accessing.

-N = This option enables printing of original hostnames or IP addresses of NTP sources that were specified in the configuration file, or chronyc commands. Without the -n and -N option, the printed hostnames are obtained from reverse DNS lookups and can be different from the specified hostnames.

    root@OpenWrt:~# chronyc sources -v
    
      .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
     / .- Source state '*' = current best, '+' = combined, '-' = not combined,
    | /             'x' = may be in error, '~' = too variable, '?' = unusable.
    ||                                                 .- xxxx [ yyyy ] +/- zzzz
    ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
    ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
    ||                                \     |          |  zzzz = estimated error.
    ||                                 |    |           \
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^+ ptbtime1.ptb.de               1   6   377     9   +339us[ +339us] +/-   13ms
    ^* ptbtime2.ptb.de               1   6   377    10   +440us[ +282us] +/-   14ms
    ^+ ptbtime3.ptb.de               1   6   377    11   +646us[ +489us] +/-   14ms
    ^+ time.cloudflare.com           3   6   377     8   +721us[ +721us] +/-   12ms
    ^+ ntppool1.time.nl              1   6   377     8  +2118us[+2118us] +/-   14ms
    ^+ ntppool2.time.nl              1   6   377    11  +1328us[+1172us] +/-   14ms
    ^+ gbg2-ts.nts.netnod.se         1   6   377     8   -579us[ -579us] +/-   19ms

-v = The -v option enables a verbose output. In this case, extra caption lines are shown as a reminder of the meanings of the columns.

Check the NTS authentication with the NTP servers

    root@OpenWrt:~# chronyc -N authdata
    Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
    =========================================================================
    ptbtime1.ptb.de              NTS     1   15  256  55m    0    0    8  100
    ptbtime2.ptb.de              NTS     1   15  256  55m    0    0    8  100
    ptbtime3.ptb.de              NTS     1   15  256  55m    0    0    8  100
    time.cloudflare.com          NTS     1   15  256  55m    0    0    8  100
    ntppool1.time.nl             NTS     1   15  256  55m    0    0    8  100
    ntppool2.time.nl             NTS     1   15  256  55m    0    0    8  100
    nts.netnod.se                NTS     1   15  256  55m    0    0    8  100

The columns KeyID, Type and KLen must not contain 0 values. A 0 in these columns means that the NTS key exchange (NTS-KE) with that server has not succeeded and its NTP packets are not authenticated.

authdata = The authdata command displays information specific to authentication of NTP sources.
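To automate the check above, here is an added example (not from the original post or the chrony project) that parses the output of chronyc -N authdata with a small shell function; the hostname ntp.example.invalid and its failing row are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of
# "chronyc -N authdata" and fail if any source is not authenticated via NTS.
# A source whose Mode is not NTS, or whose KeyID/Type/KLen columns are 0,
# has no working NTS key establishment and its NTP packets are unauthenticated.

# Constructed sample output: the first two rows mirror healthy NTS sources,
# the third a source where NTS-KE has not succeeded (assumed for illustration).
SAMPLE_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ptbtime1.ptb.de              NTS     1   15  256  55m    0    0    8  100
time.cloudflare.com          NTS     1   15  256  55m    0    0    8  100
ntp.example.invalid          NTS     0    0    0    -    3    0    0    0'

# check_authdata reads authdata output on stdin.
# Prints one line per problem and returns 1 if any source is unauthenticated.
check_authdata() {
    awk '
        NR <= 2 { next }                       # skip header and separator
        NF < 5 { next }                        # ignore blank or short lines
        {
            name = $1; mode = $2; keyid = $3; type = $4; klen = $5
            if (mode != "NTS" || keyid == 0 || type == 0 || klen == 0) {
                printf "UNAUTHENTICATED %s (Mode=%s KeyID=%s Type=%s KLen=%s)\n",
                       name, mode, keyid, type, klen
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# count_nts_sources prints the number of sources with working NTS keys,
# so it can be compared with the minsources value (2 in this setup).
count_nts_sources() {
    awk 'NR > 2 && NF >= 5 && $2 == "NTS" && $3 != 0 && $4 != 0 && $5 != 0 { n++ }
         END { print n + 0 }'
}

# Usage on the router:  chronyc -N authdata | check_authdata
# Run with the constructed sample:
printf '%s\n' "$SAMPLE_AUTHDATA" | check_authdata
```

The exit status of check_authdata can be used directly in a cron job or monitoring script on the router.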

Display connected clients

List the clients that use your OpenWRT device as their NTP server.

    chronyc clients

clients = This command shows a list of clients that have accessed the server, through the NTP, command, or NTS-KE port. It does not include accesses over the Unix domain command socket.

Display tracking information

    root@OpenWrt:~# chronyc tracking
    Reference ID    : CD2EB2A9 (ptbtime3.ptb.de)
    Stratum         : 2
    Ref time (UTC)  : Thu Aug 17 14:07:34 2023
    System time     : 0.000000000 seconds slow of NTP time
    Last offset     : -0.000754178 seconds
    RMS offset      : 0.000754178 seconds
    Frequency       : 12.441 ppm slow
    Residual freq   : -111.668 ppm
    Skew            : 0.514 ppm
    Root delay      : 0.024521304 seconds
    Root dispersion : 0.001687375 seconds
    Update interval : 0.0 seconds
    Leap status     : Normal

tracking = The tracking command displays parameters about the system’s clock performance.

Display drift rate

    root@OpenWrt:~# chronyc sourcestats -v
                                 .- Number of sample points in measurement set.
                                /    .- Number of residual runs with same sign.
                               |    /    .- Length of measurement set (time).
                               |   |    /      .- Est. clock freq error (ppm).
                               |   |   |      /           .- Est. error in freq.
                               |   |   |     |           /         .- Est. offset.
                               |   |   |     |          |          |   On the -.
                               |   |   |     |          |          |   samples. \
                               |   |   |     |          |          |             |
    Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
    ==============================================================================
    ptbtime1.ptb.de             7   4   389     +2.347     12.531   +154us   588us
    ptbtime2.ptb.de            15   8   718     +0.263      2.952   -300us   658us
    ptbtime3.ptb.de            15   7   720     +0.006      1.886   -326us   436us
    time.cloudflare.com        15   7   717     +0.866      6.063  +1235us  1239us
    ntppool1.time.nl           15   9   719     -0.206      3.470    -50us   792us
    ntppool2.time.nl           15   8   717     +0.372      4.637    +88us  1084us
    gbg2-ts.nts.netnod.se      14   9   718     -0.010      3.677   -433us   760us

sourcestats = The sourcestats command displays information about the drift rate and offset estimation process for each of the sources currently being examined by chronyd.

Each line shows the connection to one of our NTP servers in detail.

https://chrony-project.org/doc/4.3/chronyc.html


OpenWRT Manuals

All OpenWRT manuals are available at

https://strobelstefan.de/category/openwrt/

or at codeberg.org

https://codeberg.org/strobelstefan.org/openwrt-configuration

Image: Official OpenWRT Logo – https://openwrt.org/_media/docs/guide-graphic-designer/openwrt-logo-usage-guidelines.pdf
