NTP Service Fails to Start When Using WireGuard on the Same Interface #8341

Open
mxc opened this issue Feb 18, 2025 · 4 comments
Labels
support Community support

Comments

mxc commented Feb 18, 2025

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
After upgrading to OPNsense 25.1-amd64, the NTP service fails to start when a WireGuard instance is configured on the same physical interface that NTP is set to listen on.

Unfortunately, I am unsure of the exact previous version, but it was from the 24.x branch. I attempted to use opnsense-revert to determine the last known working version but was unable to retrieve this information.

To Reproduce

Steps to reproduce the behaviour:

  1. Create a WireGuard instance on an interface (re0_vlan225 - Lab)
  2. In the NTP Service setting assign the interface (Lab)
  3. Click apply
  4. Start the service
  5. The service does not start. The log contains:
    2025-02-18T10:00:00 Error ntpd unable to create socket on wg0 (15) for 172.29.0.1:123
    2025-02-18T10:00:00 Error ntpd bind(35) AF_INET 172.29.0.1:123 flags 0x11 failed: Address already in use
    2025-02-18T10:00:00 Error ntpd daemon child died with signal 11

Expected behavior

The NTP server should start

Describe alternatives you considered

I tried unassigning the wg0 interface to see if that would work but get the same error.

Screenshots

NA

Relevant log files

NA

Additional context

Add any other context about the problem here.

NA

Software version used and hardware type if relevant, e.g.:

OPNsense 25.1 (amd64).

mxc commented Feb 18, 2025

If I stop the WireGuard instance and then start the Time Service and then restart the WireGuard instance, it works.

AdSchellevis added the support (Community support) label Feb 18, 2025

Monviech (Member) commented

https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces

This applies to any kind of service that you try to bind to specific interfaces, especially vpn ones. Use any interface instead and control access via firewall rules.

fichtner (Member) commented

> If I stop the WireGuard instance and then start the Time Service and then restart the WireGuard instance, it works.

Because it ends up not binding to WireGuard? You can easily check the diff of the config file...

mxc commented Feb 20, 2025

Thinking about it, I got my logic wrong, because I don't think WireGuard binds to any physical interface; it's purely virtual. I am not sure why the Time Services want to open a port on it, since it is not available as an interface to bind to in the config UI.

@Monviech I don't select the WireGuard interface to have NTP services bound to in the config UI. The configuration attempts to start an NTP server on it by itself for some reason.

@fichtner It works for a while before the NTP server fails again. Still investigating it. Will check the config file.
