Can I somehow move from NTP to NTS?

Hi

On Linux (Ubuntu) I just installed Chrony and added `server time.cloudflare.com nts` to /etc/chrony/chrony.conf.

This forces the system to request time via NTS (TLS), so nobody can intercept or spoof it.

The main question:
How can I do something similar on my GL.iNet GL-MT3000 (firmware 4.8.2 OP24)?


While waiting for something new to be enabled on your router, you could always just point your router to your local NTS server using NTP and get on down the road.

I don't have a local server, and no ability to get one, because I have only 2 laptops and a phone.


I think it would be better if GL.iNet made this official. For example, Chrony is tiny. If they don't want to use chrony, ntsproxy or ntpsec should do the trick. But they must be built into the firmware.

If you are afraid of having a single point of failure with cloud-based time, here are more NTS providers:

time.cloudflare.com
ptbtime1.ptb.de
nts.netnod.se

Can you escalate this to RD?

I don’t have my MT3000 out, but they do have chrony-nts available for the Flint 3 in the repo. Should be easy enough to add yourself. It is under Applications, Plug-Ins. You will need to configure it via CLI as there is not a LuCI package for it in the repo. Apologies if this package is not in the MT3000 repo.

BTW, I am not a GL.iNet employee, just for clarification. Just a user like you.

Hello,

The MT3000 warehouse already has the plug-in chrony-nts.

  1. Install chrony-nts

         opkg update && opkg install chrony-nts

  2. Configure nts services

         uci set chrony.@pool[0].hostname='time.cloudflare.com'
         uci set chrony.@pool[0].iburst='1'
         uci set chrony.@pool[0].nts='1'
         uci set chrony.@nts[0]=nts
         uci set chrony.@nts[0].systemcerts='yes'
         uci commit chrony

  3. Stop and disable the default sysntpd, and enable and start chronyd

         /etc/init.d/sysntpd stop
         /etc/init.d/sysntpd disable
         /etc/init.d/chronyd enable
         /etc/init.d/chronyd restart

  4. Check if the chronyd service is running

         root@GL-MT3000:~# ps | grep chrony
          3466 chrony   11560 S    /usr/sbin/chronyd -n
          3693 root      1244 S    grep chrony
         root@GL-MT3000:~# chronyc tracking
         Reference ID    : A29FC801 (time.cloudflare.com)
         Stratum         : 4
         Ref time (UTC)  : Tue Oct 28 02:18:31 2025
         System time     : 0.000367018 seconds fast of NTP time
         Last offset     : -0.000024226 seconds
         RMS offset      : 0.003804589 seconds
         Frequency       : 248.701 ppm slow
         Residual freq   : +0.076 ppm
         Skew            : 13.510 ppm
         Root delay      : 0.145475194 seconds
         Root dispersion : 0.003369628 seconds
         Update interval : 128.4 seconds
         Leap status     : Normal


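The `chronyc tracking` output in the reply above shows that the clock is synchronised, but it has no field saying whether the source was authenticated. As an added example (not part of the original posts), this shell function parses `chronyc -N authdata` output and flags any source that is not in NTS mode or holds no NTS cookies; the sample tables and the name `pool.example.net` are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm chrony sources are NTS-authenticated, not just in sync.
# Input: `chronyc -N authdata` output on stdin.
# Exit status: 0 = every source is NTS with cookies, 1 = some are not, 2 = no sources.
check_nts_authdata() {
    awk '
        /^Name\/IP address/ || /^=/ { next }   # skip header row and separator
        NF < 10 { next }                       # skip blank or truncated lines
        {
            seen++
            # Column 2 is Mode, column 3 is KeyID, column 9 is the cookie count.
            if ($2 == "NTS" && $9 + 0 > 0) {
                printf "OK    %s (key id %s, %s cookies)\n", $1, $3, $9
            } else {
                bad++
                printf "FAIL  %s (mode %s, %s cookies)\n", $1, $2, $9
            }
        }
        END {
            if (seen == 0) { print "FAIL  no sources listed"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample tables in the authdata column layout (not captured output).
HEADER='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
========================================================================='
SAMPLE_GOOD="$HEADER
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100"
# Second row: NTS configured but key exchange never succeeded (no cookies).
# Third row: plain unauthenticated NTP (pool.example.net is a made-up name).
SAMPLE_MIXED="$SAMPLE_GOOD
nts.netnod.se                NTS     0    0    0    -    0    0    0    0
pool.example.net               -     0    0    0    -    0    0    0    0"

if [ "${1:-}" = "live" ]; then
    chronyc -N authdata | check_nts_authdata      # run on the router itself
else
    printf '%s\n' "$SAMPLE_MIXED" | check_nts_authdata || echo "exit status: $?"
fi
```

Run it with the argument `live` on the router to check the running chronyd instead of the sample table.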

For the feature request, I will collect this request first, but we still need to evaluate it.

Do I need to change anything in LuCI? Because now it points to regular NTP.

Thanks!

But this seems to be very logical, since in sketchy open networks (where, for example, Beryl is designed to work) there can be any type of attack.

I think they should support either NTS or time via DNS. Since it is indeed trivial to spoof NTP.

Better use this config from Graphene OS for chrony

I agree with OP. Since GL is for security-oriented people, this should be implemented.

Not required, because in the commands provided above, sysntpd (NTP) has been disabled.