How to switch from ntpd to chrony? [SOLVED]

[FarmServer]

I currently have the opnsense ntpd setup to provide time sync for all connected clients and to force any client trying to use its own ntp address to sync with the opnsense ntp.

I would like to do a similar thing using chrony so that I can also take advantage of NTS since that is now available. 

This is how I configured it

enabled: true
listen port: 123 (it defaulted to 323 for some reason)
nts client support: true
ntp peers: time.cloudflare.com
allowed networks: 192.168.1.1 , 192.168.2.1 (my subnets)

Then I stopped the ntp service, there seemed to be no way to explicitly disable ntpd in the gui.

Is this set up correct?

how can I disable ntpd in opnsense? I assume it will just restart after a reboot.

[FarmServer]

meh, it took a while but the time did not resync for my client. So it must be misconfigured the way I had it setup

[mimugmail]

Allowed networks is 192.168.1.0/24 and 2.0/24 from syntax.
In the normal ntpd just remove all peers, then the service is stopped, also at boot. Then restart chrony and you are good.

[koushun]

SSH in to your fw.

Check connectivity with these commands:

chronyc sources
chronyc sourcestats
chronyc tracking

See if you are connected securely with NTS:
sudo chronyc -N authdata

If you disable ntpd, which you should if you want Chrony to listen to port 123, remember to do something to make the fw synchronize itself (cron job + ntpdate)


Some more information can be found here:
https://github.com/opnsense/plugins/issues/2162
https://github.com/opnsense/core/issues/2012

Try to manually, on a client on a LAN, synchronize time from the OPNsense fw.


 

[FarmServer]

Thanks, ill get on the suggestions. I goofed not specifying the subnets correctly.

[FarmServer]

I think I got it working, hope this helps anyone else.

The firewall time seemed to update itself. But since it was suggested to add a cron job I just did this:
crontab -e
which opened up the cron jobs already enabled in opnsense. Then I added

*    3    *    *    *     (ntpdate -v -u 192.168.1.1) > /dev/null

So hopefully this means it will update tomorrow morning at 3am. And every day after.

[koushun]

Nice.

Maybe mark this post as [SOLVED]?

I'm new to this forum- but I have browsed through every page of forum posts to check where I might be of help- and there were many posts which were solved, but not marked as such.

Should be a rule in the forum guidelines about this.

koushun

[mimugmail]

I will add your ideas to the UI the next days/weeks

https://github.com/opnsense/plugins/issues/2209

[mimugmail]

I added couple of diagnostics tabs:

https://github.com/opnsense/plugins/pull/2220

[koushun]

mimugmail

Great job! Looking forward to check this one out.

How about adding

Code: [Select]

chronyc clientshttps://github.com/opnsense/plugins/issues/2162#issuecomment-757388998

..And what about the cron job workaround for synchronizing the firewall itself when Network Time is disabled?

[mimugmail]

Something like this:

root@OPNsense:~ # date
Thu Feb 11 22:34:15 CET 2021
root@OPNsense:~ # chronyc -a makestep
200 OK
root@OPNsense:~ # date
Thu Feb 11 21:37:56 CET 2021


https://stackoverflow.com/questions/49730407/how-to-resynchronize-with-chrony