Secure NTP

Started by ks98330q, April 27, 2023, 05:27:27 AM

Just checking to see if secure NTP can be configured on OPNSense.
If not, could it be enabled?


Interesting.  I hadn't realized there was an effort to do secure NTP.

Is your concern interception between the internet and the OPNSense machine, OPNSense and your LAN clients, or your LAN clients to the internet?

you can install Chrony and use NTS.

Quote from: lilsense on April 27, 2023, 02:11:26 PM
you can install Chrony and use NTS.
Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de
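Once Chrony is running with NTS sources, the thing worth checking is that each source is actually authenticated (NTS-KE completed and cookies are on hand) rather than just listed. Below is an added example, not code from the thread or the chrony project, that parses the output of `chronyc -N authdata` and flags sources that are not NTS-authenticated. The sample output is constructed to resemble chrony 4.x formatting; the script name `check_nts.py` in the usage line is an assumption.

```python
"""Flag chrony sources that are not NTS-authenticated (added example).

Usage on the box itself (assumed file name):
    chronyc -N authdata | python3 check_nts.py
"""
import sys
from dataclasses import dataclass

# Constructed sample of `chronyc -N authdata` output: two healthy NTS sources,
# one NTS source whose NTS-KE never succeeded (no cookies), and one plain
# unauthenticated NTP source.
SAMPLE_AUTHDATA = """\
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
ptbtime1.ptb.de              NTS     1   15  256  34m    0    0    8  100
nts.sth1.ntp.se              NTS     0    0    0    -    3    0    0    0
pool.ntp.org                   -     0    0    0    -    0    0    0    0
"""


@dataclass
class AuthSource:
    name: str
    mode: str       # "NTS", "SK" (symmetric key) or "-" (unauthenticated)
    key_id: int
    aead: int       # AEAD algorithm id; 15 is AEAD_AES_SIV_CMAC_256
    klen: int       # key length in bits
    last: str       # time since last successful NTS-KE, "-" if never
    attempts: int   # NTS-KE attempts since the last success
    naks: int       # NTS NAKs received from the server
    cookies: int    # cookies held; 0 means the source cannot be used with NTS
    clen: int       # cookie length in bytes


def parse_authdata(text: str) -> list[AuthSource]:
    """Parse the tabular output of `chronyc -N authdata`."""
    sources = []
    for line in text.splitlines():
        parts = line.split()
        # Header has 11 tokens ("Name/IP address" splits in two), rule line has 1.
        if len(parts) != 10:
            continue
        name, mode, key_id, aead, klen, last, atmp, nak, cook, clen = parts
        sources.append(AuthSource(name, mode, int(key_id), int(aead), int(klen),
                                  last, int(atmp), int(nak), int(cook), int(clen)))
    return sources


def check_nts(sources: list[AuthSource]) -> list[tuple[str, str, str]]:
    """Return (name, severity, reason) for every source that is not in a good NTS state.

    A source configured with the `nts` option is never used unauthenticated; if NTS-KE
    fails it is simply unusable, which shows up here as zero cookies.
    """
    findings = []
    for s in sources:
        if s.mode != "NTS":
            findings.append((s.name, "FAIL", f"mode '{s.mode}': not NTS-authenticated"))
        elif s.cookies == 0:
            findings.append((s.name, "FAIL",
                             f"no NTS cookies after {s.attempts} NTS-KE attempt(s): "
                             "check TCP/4460 egress, DNS and the system clock for TLS"))
        elif s.naks > 0:
            findings.append((s.name, "WARN", f"{s.naks} NTS NAK(s): server dropped our cookies, re-keying"))
    return findings


def main() -> int:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTHDATA
    sources = parse_authdata(text)
    findings = check_nts(sources)
    for name, severity, reason in findings:
        print(f"{severity}: {name}: {reason}")
    ok = len(sources) - len([f for f in findings if f[1] == "FAIL"])
    print(f"{ok}/{len(sources)} sources NTS-authenticated")
    return 1 if any(f[1] == "FAIL" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without input it evaluates the constructed sample; piped from `chronyc -N authdata` it returns exit status 1 when any source is not NTS-authenticated, which makes it usable as a cron or monitoring check.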

Quote from: CJRoss on April 27, 2023, 01:49:38 PM
Interesting.  I hadn't realized there was an effort to do secure NTP.

Is your concern interception between the internet and the OPNSense machine, OPNSense and your LAN clients, or your LAN clients to the internet?

Yes. It obviously isn't well known, or most don't really give $.02 about it. Anyway, NIST in the US offers an authenticated NTP service. It's free, and renews every September.

Quote from: abulafia on April 27, 2023, 10:44:27 PM
Quote from: lilsense on April 27, 2023, 02:11:26 PM
you can install Chrony and use NTS.
Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de

I'll give it a try...

Quote from: abulafia on April 27, 2023, 10:44:27 PM
Quote from: lilsense on April 27, 2023, 02:11:26 PM
you can install Chrony and use NTS.
Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de
Awesome. How do I create a cron job to get it updated every day?

chrony/ntp updates itself automagically...

Thank you.
However, I ran into an issue where enabling Chrony crashed OPNsense. Adguard logs showed a lot of queries every couple of milliseconds. It took a while to get to the web GUI so I could disable it. At first, I thought the issue was the redirect rule, so I disabled it and also only added one server. Still seeing a lot of queries being sent to Adguard. I ended up disabling Chrony for now.
Today I switched to Zenarmor since the latest update is working without problems on my OPNsense. Will try Chrony again later.

May 04, 2023, 10:05:59 AM #9 Last Edit: May 04, 2023, 10:40:07 AM by abulafia
Running adguard and chrony and never had an issue between those two.

I assume you have disabled the regular NTP server service? (Services -> Network Time -> General -> "Time Servers" empty and "Client Mode" ticked)

And another wild shot in the dark: You have disabled the rate limit in Adguard Home (Settings -> DNS Settings -> Rate Limit set to "0")?

Quote from: abulafia on May 04, 2023, 10:05:59 AM
Running adguard and chrony and never had an issue between those two.

I assume you have disabled the regular NTP server service? (Services -> Network Time -> General -> "Time Servers" empty and "Client Mode" ticked)

And another wild shot in the dark: You have disabled the rate limit in Adguard Home (Settings -> DNS Settings -> Rate Limit set to "0")?
I switched to Zenarmor for now, which reduces ping by ~40ms, but it's a completely different topic. Anyway, would a NAT redirect rule like DNS or NTP cause PTR flooding of Adguard?
Today I installed Chrony and added a couple of servers from here https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
After that I saw a buttload of PTR resolves in the Unbound logs right away. However, things seem to be going back to normal after a restart, or maybe because I changed the NAT redirect NTP rule before DNS. Can't re-create the issue.

Just found this topic...while I was about to implement secure NTP, too.

I have a question... setup:
- Install chrony, enable it, check "NTS Client Support", add the appropriate NTP servers in "NTP Peers"
- and for the network time service: remove all entries of time servers and check "Client support"

So far, the network time service has provided NTP on all interfaces (set in "Interfaces" accordingly).

What is the "right approach"? Set the chrony "Listen port" to "123" + manually enter the networks in "Allowed Networks", like "10.55.10.0/24; 10.55.160.0/23" in order to provide NTP service?
I mean that enabling "Client support" for the network time service ends the NTP service.

You'd want to leave everything as default, but yes you should use the IP subnets and the individual interfaces as you don't want attacks from outside on NTP ports.

I gather the regular approach is to use firewall rules to control whether e.g. NTP is available or not to a given subnet, not limiting the "listen to" interface settings in each service.

Works for me. No WAN rule "pass"ing traffic to port 123 = nobody from outside can access my local NTP server.
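For reference, the setup discussed above (NTS-authenticated upstreams, plain NTP served to the LAN on port 123, nothing reachable from the WAN) corresponds to the following chrony.conf. This is an added example written for this thread, not the file the OPNsense os-chrony plugin generates; the mapping of GUI fields to directives ("NTP Peers" to `server`, "Listen port" to `port`, "Allowed Networks" to `allow`), the dump directory path and the LAN subnets are assumptions taken from the posts above.

```conf
# chrony.conf for an OPNsense box: NTS client upstream, NTP server to the LAN.
# Added example; directive-to-GUI-field mapping and paths are assumptions.

# Upstream sources, NTS only. chrony never falls back to unauthenticated NTP
# for a source carrying the `nts` option: if NTS-KE (TLS on TCP/4460, the
# default ntsport) fails, the source is simply not used. Outbound TCP/4460
# must therefore be permitted on the WAN.
server time.cloudflare.com nts iburst
server ptbtime1.ptb.de     nts iburst
server ptbtime2.ptb.de     nts iburst
server nts.sth1.ntp.se     nts iburst
server nts.sth2.ntp.se     nts iburst

# Do not trust a single authenticated source; require agreement of at least two.
minsources 2

# Persist NTS keys and cookies so a restart does not need a fresh NTS-KE
# handshake (path assumed; use the plugin's own directory on OPNsense).
ntsdumpdir /var/db/chrony
driftfile  /var/db/chrony/drift

# Serve plain NTP to the LAN only. `allow` is chrony's own access control;
# the WAN side additionally stays closed because, as noted above, there is
# no firewall pass rule for udp/123 on that interface.
port 123
allow 10.55.10.0/24
allow 10.55.160.0/23
```

LAN clients talking to this box get ordinary unauthenticated NTP; NTS protects only the hop from OPNsense to the internet servers. Clients that should also be protected on the LAN segment would have to run their own NTS-capable client against the public servers, or the box would have to serve NTS itself with a certificate (`ntsservercert`/`ntsserverkey`), which is beyond what the thread covers.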