anyone using chrony-nts?

wrtbob
DD-WRT Novice


Joined: 31 Dec 2023
Posts: 3

PostPosted: Fri Jul 05, 2024 21:48    Post subject: anyone using chrony-nts?
Hope I posted in the right spot and that people around here are familiar with chrony.
Not really an issue, but recently I installed Entware chrony-NTS. It is working as intended: the router is simply the server and devices on the LAN are clients, with chrony installed as well, of course.

I wanted clients to connect via NTS, which involves setting up a certificate + key on the server for added packet security. I was at first using symmetric keys, but the only cipher available on the router side is MD5. From Entware I installed openssl, used a basic config file, then in an ssh shell issued the command

"openssl req -x509 -newkey rsa:4096 -keyout chrony.key -out chrony.crt -sha256 -days 3650 -nodes -subj "/C=CA/ST=ontario/L=toronto/O=chrony/OU=Office/CN=ddwrt" -config /opt/etc/ssl/openssl.cnf"

sudo cp chrony.crt to my Arch Linux client directory
"/etc/ca-certificates/trust-source/anchors/"

and then as root ran the command:
"trust extract-compat"

Once the client tries to initiate the NTS connection, I get the following error:

"chronyd[1016198]: TLS handshake with 192.168.1.1:4460 (192.168.1.1) failed : Error in the certificate verification. The certificate is NOT trusted. The name in the certificate does not match the expected."

I am wondering where exactly the certificate is not trusted, server or client side?
Am I even doing this the right way? Do I have to instead use Let's Encrypt certs, as suggested by my web search results regarding DD-WRT?

I also found some interesting reads, such as this one on self-signed certificates: "bbs.archlinux.org/viewtopic.php?id=286302"
which completely obliterated my brain. I really feel like it's an easy task, but I can't find anything explaining it in layman's terms.

Basically I am trying to clear roadblocks; the 1st is to make sure I am doing everything right on the DD-WRT side of things. I am not expecting full support here, as the issue is probably with chrony, Arch Linux, or between the chair and the keyboard. Anyway, any help, suggestion or advice is appreciated, and sorry if I posted where I shouldn't; I could relocate or delete.

_________________
Router Linksys WRT1900AC v1
Firmware DD-WRT v3.0-r56932 std (06/18/24)
Kernel Version Linux 6.1.94-rt28 #233
br0 br1 br2 Vlan3
Freeradius OpenVPN Entware/ DNScrypt-Proxy2
wrtbob
DD-WRT Novice


Joined: 31 Dec 2023
Posts: 3

PostPosted: Wed Jul 10, 2024 1:27    Post subject:
OK, I finally did it.
The TLS handshake is now successful between the PC/chrony client and the router/chrony server.
The router side is connecting to NTS time servers such as Cloudflare, and the client PC receives NTS data from the router.
I am not sure what I did exactly, but it started working after properly setting the router name + IP in Arch's /etc/hosts file, to match the domain and router name in the DD-WRT GUI:

#cat etc/hosts
server1.home.crazy.lan 192.168.1.1

It could have been a name resolution issue as well.
I use Entware dnscrypt-proxy 2, so I added a forwarding rule in dnscrypt-proxy.toml to send queries for the local domain to my router rather than to an upstream DNS resolver.
By the way, there's a good dnscrypt-proxy 2 intro and install guide in this forum, by egc if I recall correctly.

After installing libopenssl (not sure if I should have done this, in case of conflicts with the DD-WRT firmware) I followed the guide below to create the root pair and intermediates:

jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

It looks a bit outdated in terms of the commands used, but I like the proposed structure.
I followed the guide to the letter, except that I did the mkdir under /opt/etc/ rather than the proposed /root/ca.
Out of pity for my poor old WRT1900AC on life support (lying on a laptop cooling pad) I created 2048-bit keys, created a CSR on the client and signed it using my intermediate CA, then had the client device trust the certificate.

#chrony.conf on my router (server)
#more NTS servers can be found online, but not too many are available; it is recommended to have at least 4 servers

server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts

maxupdateskew 100
authselectmode require
driftfile /opt/var/lib/chrony/drift
keyfile /opt/etc/chrony/chrony.keys
ntsdumpdir /opt/var/lib/chrony
ntsservercert /opt/etc/chrony/server1.cert.pem
ntsserverkey /opt/etc/chrony/server1.key.pem
dumpdir /var/lib/chrony
makestep 1.0 3
leapsecmode slew
allow 192.168.1.0/24 #LAN br0
local stratum 8
rtcsync


#chrony.conf on client/pc
server server1.home.crazy.lan iburst xleave nts key 2
maxupdateskew 5
maxdrift 100
authselectmode require
driftfile /var/lib/chrony/drift
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
dumpdir /var/lib/chrony
leapsectz right/UTC
leapsecmode slew
logdir /var/log/chrony
hwtimestamp *
rtcsync


From my client I can see chrony authenticated and receiving packets:

# sudo chronyc selectdata -a -v

  . State: N - noselect, s - unsynchronised, M - missing samples,
 /         d/D - large distance, ~ - jittery, w/W - waits for others,
|          S - stale, O - orphan, T - not trusted, P - not preferred,
|          U - waits for update, x - falseticker, + - combined, * - best.
|   Effective options ---------.  (N - noselect, P - prefer
|  Configured options ----.    \   T - trust, R - require)
| Auth. enabled (Y/N) -.   \    \   Offset interval --.
|                      |    |    |                     |
S Name/IP Address     Auth COpts EOpts Last Score     Interval  Leap
=======================================================================
* server1               Y  -----  ----- 8   1.0   -16ms   +16ms  N


#sudo chronyc -N 'sources -a -v'

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* server1.home.crazy.lan         8   3   377    27    +18us[  +18us] +/-   16ms


Maybe there's an easier way to achieve the same result but that's what worked for me. I learned so much from this forum but it was the first time I had such a headache on setting up something new.

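The name-mismatch error from the first post comes from the TLS client comparing the name it dialled against the names inside the server certificate. As an added example (not code from the thread), this script mints a server certificate whose Subject Alternative Name is the host name the chrony client will use, then runs the same hostname check a TLS client performs; it assumes openssl 1.1.1 or newer is on PATH, and the host names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: mint an NTS server certificate whose
# Subject Alternative Name is the exact name the chrony client connects to, then
# run the same hostname check a TLS client does. Assumes openssl 1.1.1+ on PATH;
# the host names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed server cert for host $1 (key + cert land in $WORK).
# The SAN is what verifiers match against; a bare CN such as "ddwrt" does
# not cover a client that connects to 192.168.1.1 or to a different name.
make_server_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$WORK/chrony.key" -out "$WORK/chrony.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# Exit 0 if the cert is valid for the name a client would expect ($1), else 1.
# Trusting the cert itself via -CAfile mimics importing it as a CA anchor,
# which is what "trust extract-compat" did on the Arch client.
check_name() {
  openssl verify -CAfile "$WORK/chrony.crt" -verify_hostname "$1" \
    "$WORK/chrony.crt" >/dev/null 2>&1
}

# Stand-alone run: the SAN name passes, the bare IP does not.
demo() {
  make_server_cert server1.home.crazy.lan
  check_name server1.home.crazy.lan && echo "server1.home.crazy.lan: OK"
  check_name 192.168.1.1 || echo "192.168.1.1: name mismatch (as in the first post)"
}
demo
```

Point the client's `server` line at the same name that is in the SAN (resolved via /etc/hosts or local DNS, as in the second post), and the handshake name check passes.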