OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: Mr.Goodcat on July 19, 2021, 09:04:03 pm
-
Hi,
I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!
-
Can you open a feature request in GitHub? I'll take it then
-
Hi,
thank you for your help! :D
Can you open a feature request in GitHub? I'll take it then
I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470
-
The request is a bit nonsensical in that public NTP servers will be of a lower stratum than an internal one, which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (GPS/atomic) it will be discarded as 'x' (= may be in error).
The better option in the absence of an RTC clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken-and-egg problem when all SSL-based services including DNS come up and nothing works because the time is incorrect.
Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.
-
I would like to have this as well.
On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).
Chrony is using NTS enabled NTP servers:
time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnode.se
However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.
I have not thought of the condition described in the comment from newsense.
It would induce a whole lot of problems when I come to think of it, because I do port redirect :53 to Unbound as well, which only uses DoT upstream servers (they are configured using IP - 95.215.19.53@853 - https://dns.njal.la ) - but in regards to certificates, time is of the essence.
Good catch, newsense, thanks. Let's see if I find any IP addresses for these NTS enabled NTP servers...
-
What is the exact syntax you use to achieve this?
Currently it seems not possible, as templating is adding "nts" to every record as soon as you enable "NTS".
-
What is the exact syntax you use to achieve this?
Currently it seems not possible, as templating is adding "nts" to every record as soon as you enable "NTS".
https://chrony.tuxfamily.org/doc/devel/chrony.conf.html
NTS should only be added to servers specifically configured with NTS. Then it will be sufficient to add a line with "authselect MODE", where mode can be require/prefer/mix/ignore.
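A worked chrony.conf putting the two points of this thread together: per-server "nts" plus an explicit authentication selection mode, and the boot-time chicken-and-egg problem from the earlier post (NTS-KE needs DNS and TLS, which need a correct clock). This is an added example, not the OPNsense plugin template or any poster's actual configuration. The public hostnames are the ones listed above; 192.0.2.10 is a placeholder for the local GPS-backed RPi, and the /var/db/chrony paths are an assumption (the FreeBSD port's usual state directory). Note that the directive chrony actually understands is spelled authselectmode, not authselect.

```conf
# Added example chrony.conf (not the OPNsense plugin's template).
# Mixed NTS and non-NTS sources with an explicit selection mode.

# NTS-protected public servers (hostnames from the thread).
# "nts" is a per-server option, so only these lines get it.
server time.cloudflare.com iburst nts
server nts.netnod.se       iburst nts

# Local GPS-backed RPi that speaks plain NTP only (192.0.2.10 is a placeholder).
# No "nts" keyword: this is the only unauthenticated source.
server 192.0.2.10 iburst prefer minpoll 4 maxpoll 6

# require : only authenticated sources are selectable, so the RPi is ignored.
# prefer  : authenticated sources are used while they are selectable; the RPi
#           is used only when none of them is (e.g. NTS-KE failed at boot).
# mix     : both kinds are selectable together, so the GPS source can be chosen
#           while still being compared against the NTS servers.
# ignore  : authentication plays no role in selection.
authselectmode prefer

# Boot-time chicken-and-egg mitigation. Cache NTS cookies and keys across
# restarts so the client can keep authenticating without a fresh NTS-KE
# handshake (no DNS, no TLS needed right after a reboot) ...
ntsdumpdir /var/db/chrony
# ... and, if the cache is empty, skip certificate validity-time checks for
# the first N clock updates. Caveat: during that window an expired or
# not-yet-valid certificate is accepted, so keep N at 1.
nocerttimecheck 1

# RTC-less hardware: allow a step on the first three updates if far off.
makestep 1.0 3
driftfile /var/db/chrony/drift
```

After a restart, "chronyc -N authdata" shows per-source NTS state (key ID, cookie count) and "chronyc sources" shows which source was selected; a source marked 'x' in the latter is the "may be in error" case described earlier in the thread.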
-
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all-or-nothing setup. :(
-
OK, good news. I guess you mean that the current setup configuration that's there will need to be corrected, excellent. :)
-
Hm, this won't work in the current setup as the checkbox does this for all, so this is an all-or-nothing setup. :(
Yes, it would need to be along the lines of something like the "users" section of freeradius, i.e. with an individual "NTS" checkbox per Server.
-
I think I will add a single field for initial query, like with dnscrypt
-
I don't quite get it but still look forward to your update ;D