Jump to content
  • rc.ntpd does not account for Wireguard tunnel interfaces causing server time to drift (VPNs)


    pants
    • Minor

    rc.ntpd contains the following lines:

      # restrict NTP to management interface only
      ETH=eth0
      [[ -e /sys/class/net/bond0 ]] && ETH=bond0
      [[ -e /sys/class/net/br0 ]] && ETH=br0
      echo "interface ignore wildcard" >>/etc/ntp.conf
      echo "interface listen $ETH" >>/etc/ntp.conf

    When a Wireguard tunnel interface is configured all traffic, including ntp traffic, is sent over wg0. This causes ntp to fail to hear responses from any external ntp servers. The symptom is that ntpq -p shows external ntp servers in the .INIT. state and server time may gradually drift out-of-sync depending on the accuracy of the local clock. E.g.

    :~# ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     LOCAL(0)        .LOCL.          10 l    6   64    1    0.000   +0.000   0.000
     pscolka.of.pl   .INIT.          16 u    -   64    0    0.000   +0.000   0.000
     laika.paina.net .INIT.          16 u    -   64    0    0.000   +0.000   0.000
     138.68.201.49 ( .INIT.          16 u    -   64    0    0.000   +0.000   0.000
     198.255.68.106  .INIT.          16 u    -   64    0    0.000   +0.000   0.000

     

    Adding the following line to rc.ntpd after ETH=br0 resolved the issue for me:

      [[ -e /sys/class/net/wg0 ]] && ETH=wg0


      




    User Feedback

    Recommended Comments

    Just upgraded to Unraid 6.10.3 and have confirmed that this issue is still present.

     

    root@myserver:~# ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *LOCAL(0)        .LOCL.          10 l   18   64  377    0.000   +0.000   0.000
     time1.google.co .INIT.          16 u    -  128    0    0.000   +0.000   0.000
     time.cloudflare .INIT.          16 u    -  128    0    0.000   +0.000   0.000
     uschi5-ntp-001. .INIT.          16 u    -   64    0    0.000   +0.000   0.000
     168.61.215.74   .INIT.          16 u    -   64    0    0.000   +0.000   0.000

     

    Link to comment
    Quote

    When a Wireguard tunnel interface is configured all traffic, including ntp traffic, is sent over wg0.

     

    Not normally, what "Peer type of access" are you using?

    Link to comment

    This problem occurs when tunneling the entire system's access to the WAN using peer type "VPN tunneled access for system"

    Link to comment

    OK I can see that. So we can't automatically do this:

      [[ -e /sys/class/net/wg0 ]] && ETH=wg0

    it would have to be only for the tunnel of type "VPN tunneled access for system", and only when that tunnel is up.

     

    How long do you have to keep the tunnel up in order for the time drift to be a problem?

     

    TBH I expect very few systems are running in this mode long term, most are probably using "VPN tunneled access docker".

     

    I think your currently solution of modifying the file yourself is probably a good one.

     

    Link to comment

    The amount of time required for the time drift to become relevant may be hardware dependent as I think the system relies on an oscillator/clock on the motherboard to keep time when ntp is unreachable meaning drift rate would depend on how accurate those components of the board are. 

    For me a drift of a few seconds was noticeable within tens of minutes/an hour and the problem became serious when the server time drifted far enough that my dockers which are configured to use one-time-passwords generated by authenticator apps (e.g. BitWarden/VaultWarden) were out of sync with network time by at least one "password window". This resulted in the docker container not agreeing with the password generated by the authenticator and blocking log-ins.

    My current solution is to create a custom slackware package containing a modified copy of rc.ntpd adding the line mentioned above that I place in /boot/extra so it automatically overwrites the original rc.ntpd during startup (package attached for reference). I am content with this fix but since rc.ntpd may change between Unraid versions I have to rebuild the package as part of my upgrade process just to be safe so it makes Unraid OS upgrades a bit more cumbersome.

    Since "VPN tunneled access for system" is an option presented to the user in the UI it would be nice to get an official fix at some point.

    rc.ntpd-fixed.tgz

    Link to comment


    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Restore formatting

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Status Definitions

     

    Open = Under consideration.

     

    Solved = The issue has been resolved.

     

    Solved version = The issue has been resolved in the indicated release version.

     

    Closed = Feedback or opinion better posted on our forum for discussion. Also for reports we cannot reproduce or need more information. In this case just add a comment and we will review it again.

     

    Retest = Please retest in latest release.


    Priority Definitions

     

    Minor = Something not working correctly.

     

    Urgent = Server crash, data loss, or other showstopper.

     

    Annoyance = Doesn't affect functionality but should be fixed.

     

    Other = Announcement or other non-issue.

×
×
  • Create New...