[silasdavis]

Tangential: I have a pi 4 running openwrt and a wireguard interface that is routed over the WiFi access point. If you connect to this network it's as if you are connecting in another country. I have outbound traffic only going over wireguard. If wireguard is down then no internet (to avoid any leakage). However if pi loses power the clock resets, wireguard can't handshake with that much clock skew, NTP can't connect without wireguard. So I need to manually update clock after a power failure.

I guess I need requests to the NTP server to go over WAN directly. Always seemed like a hassle to get this to work with openwrt zones and stuff. My eternal gratitude to anyone who shoves me in the right direction...

[ogurechny]

If you “always” have Internet access, you should really just place ntpd onto the physical network where it belongs. Otherwise, the options are all mentioned in the article (and might be used in your distribution).

— Restoring more sane shutdown timestamp from file instead of just using 1980.

— Making blind single use ntpdate request to some public server to set local time after the network is available, but before any other application uses it. There might be appropriate hooks in your init system if you don't want to make it an independent step.

— The same, but using some local time source. It is not widely known that even plain old Windows desktops, while not having a complete NTP server, can be trivially configured to announce time over some form of SNTP. If you have any computer with a real clock running nearby, you can probably rely on it. Next step router is also a good potential candidate.

As for compartments and access control, you can try to use basic VLANs (one for ntp traffic, and only it, and one for VPN) or maybe some two-step network configuration process (get time with one configuration, reset and proceed with other services).

All of that is not a problem, the problem is what to do when something fails. Time server becomes unavailable, intermittent internet connectivity, server you use for pings is available, but others are not, etc. You can choose to stop completely if there is no time source, and wait, but that might render the system unavailable for remote configuration. You can try to restart the device or restart the network router automatically (though only a fixed number of times, restart loop will surely break something), but that won't help if the problem gets fixed some time later. You can also use a fallback configuration that doesn't depend on correct time (e. g. only start an ssh server so you can connect to it).

[nix0n]

> I guess I need requests to the NTP server to go over WAN directly. ... My eternal gratitude to anyone who shoves me in the right direction...

Do you have something on the LAN side that could run an NTP server? I'm thinking you could add your laptop to your Pi's list of NTP servers, then just start that service up temporarily as-needed to give the Pi a time that's good enough, then it can get actual correct time sync from somewhere else once Wireguard is working.

[hcfman]

I also use wireguard a lot. I didn't know that clock sensitivity could be an issue here. I've never seen an issue before. Now that I know it could be one I'll make a point of deploying all cellular based systems with a GPS synched time source as well and avoid that sort of problem.

[pynne]

Yeah you got it. Set the listening interface to eth0 or whatever the wan interface is. Might need to get full ntpd instead of the busy box version. The Interface option here: https://www.ntp.org/documentation/4.2.8-series/miscopt/

I’m actually setting up a router with a rpi4 right now, only using Fedora IoT instead of OpenWrt. It’s a bit more assembly required lol

[silasdavis]

I need to have a play with it, but the problem is i deliberately have a 'kill switch' style setup to stop any requests accidentally going not over wireguard (for reasons) so I assume I'll need to do some other firewall type thing. Maybe something something tagging.