#1 2023-02-27 20:32:45

jfk
Member
Registered: 2017-12-11
Posts: 81

[SOLVED] Wireguard blocks system clock synchronisation

Looking at my journal regarding another topic, Master seth made me realise that "systemd-timesyncd" couldn't sync:

systemd-timesyncd[836]: Timed out waiting for reply from 194.195.254.254:123 (2.arch.pool.ntp.org).

Thus:

$ timedatectl status
               Local time: lun 2023-02-27 21:23:52 CET
           Universal time: lun 2023-02-27 20:23:52 UTC
                 RTC time: lun 2023-02-27 20:23:52
                Time zone: Europe/Zurich (CET, +0100)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no

I tested a couple of services. Disabling "wg-quick" + restarting "systemd-timesyncd" did the trick. There must be an issue with my "client" configuration:

 
[Interface]
Address = 10.0.0.2/32
PrivateKey = XXX
DNS = XXX

[Peer]
PublicKey = XXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXX
PersistentKeepalive = 25

UFW:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
              
Anywhere                   ALLOW       192.168.8.0/24            

Last edited by jfk (2023-02-28 23:40:40)

#2 2023-02-28 12:07:37

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,867

Re: [SOLVED] Wireguard blocks system clock synchronisation

Your system has an IP address in the 10.0.0.2/32 subnet, but ufw is configured to allow from a different subnet, 192.168.8.0/24.
Try changing the subnet in ufw.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

#3 2023-02-28 18:53:35

jfk
Member
Registered: 2017-12-11
Posts: 81

Re: [SOLVED] Wireguard blocks system clock synchronisation

> Try changing the subnet in ufw

I'd already tried to disable UFW + running wireguard. It's really disabling wg-quick that solved the issue.

Last edited by jfk (2023-02-28 18:55:43)

#4 2023-02-28 20:51:45

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: [SOLVED] Wireguard blocks system clock synchronisation

Can you "ping 194.195.254.254" w/ wg active?
Seems like at least NordVPN actively blocks NTP, https://dietpi.com/forum/t/ntp-vpn-issues/15234/7 (google has many hits between VPNs and NTP)
You can try ntpdate instead of systemd-timesyncd, but in doubt will have to route NTP around the VPN or contact the provider.

#5 2023-02-28 23:40:17

jfk
Member
Registered: 2017-12-11
Posts: 81

Re: [SOLVED] Wireguard blocks system clock synchronisation

> Seems like at least NordVPN actively blocks NTP

That's it. My VPS provider (on which Wireguard is installed) blocks ICMP traffic on uplink and requires that we use its own NTP servers.

Simply ask your provider and modify "/etc/systemd/timesyncd.conf" on the "client" side:

[Time]
NTP=<Server IPs>

Restart "systemd-timesyncd".

Thank you (again) seth.

Last edited by jfk (2023-03-01 00:18:52)
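
Added example (not part of the thread): a small SNTP probe that sends the same kind of UDP/123 client request systemd-timesyncd sends, so the "Timed out waiting for reply" condition can be reproduced per server with wg-quick up and again with it down. The function names and the command-line usage are this example's own; pass it the pool address from the journal and the NTP servers your provider gives you.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)

def parse_response(packet):
    """Return (mode, stratum, unix_transmit_time) from a server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:  # 4 = server; anything else is not a reply to our request
        raise ValueError(f"unexpected NTP mode {mode}")
    stratum = packet[1]
    secs, frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    return mode, stratum, secs - NTP_EPOCH_DELTA + frac / 2**32

def probe(server, timeout=3.0, port=123):
    """Rough clock offset in seconds, or None if no reply arrives in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (server, port))
            packet, _ = s.recvfrom(512)
        except OSError:  # includes socket.timeout and ICMP-unreachable errors
            return None
    _, _, server_time = parse_response(packet)
    return server_time - time.time()  # ignores round-trip delay

if __name__ == "__main__":
    # Usage: python ntp_probe.py <server> [<server> ...]
    for host in sys.argv[1:]:
        offset = probe(host)
        if offset is None:
            print(f"{host}: no NTP reply (filtered or unreachable on this route)")
        else:
            print(f"{host}: reply received, offset {offset:+.3f}s")
```

A server that answers with the tunnel down but returns no reply with it up is being filtered somewhere on the VPN path, which is the case where the NTP= setting above (or routing NTP around the tunnel) is needed.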
