joe curlee

Using a local server as source of truth for your time sync March 27, 2026

Computer clocks naturally drift over time. On Linux it is common practice to run a service such as chrony that queries an NTP (Network Time Protocol) server to keep the clock in sync. This usually happens right after booting or waking the computer from sleep. Although this solves the clock drift problem, it creates a security hole: your ISP or any network observer now has a tracking beacon, because your IP address and your schedule are being revealed. If you use a VPN, this sync may happen before the VPN is enabled, and even with the VPN up (for example when connecting from outside your real timezone), a request is still being made with your real timezone, which can be used to deanonymize you.

Network isolation with a local server

In order to keep your clocks in sync and stay private, you can use a single local server (such as a Raspberry Pi) to run a time syncing service that your other home computers can query. That server becomes the single source of truth for time on your network, allowing you to further tighten your workstation's firewall.

Here's how it works

  1. Install a lightweight time daemon (like chrony) on a Raspberry Pi. It fetches the time from the internet and opens a local listening port to serve that time to your home network.
  2. Use the same time daemon on your workstation, but edit its configuration file to remove the default internet pools (such as debian.pool.ntp.org) and replace them with the local IP address of your Raspberry Pi.
  3. Now you can enable NTP syncing on your workstation. Your clock stays accurate, and your workstation never talks to the internet to get the time.

Although your IP address is still being revealed (the Pi still queries the internet), this prevents those services from collecting your workstation's timezone when you are using a VPN, and from determining your schedule.

Setup instructions

This guide assumes you have a Raspberry Pi, but it will work with any server.

Disable NTP on your workstation

First, determine which service you are running

ls /etc/init.d/ | grep -E 'ntp|ntpd|chrony'

Disable the service

sudo service chrony stop
# disable at start up
sudo update-rc.d chrony disable

Set up chrony on your Raspberry Pi

  1. Install chrony: sudo apt install chrony
  2. Edit the config: sudo vim /etc/chrony/chrony.conf
  3. Add the following lines

    # Allow anyone on your local home network to query this server
    allow 192.168.1.0/24

    # Serve time even if not synchronized to an external source
    local stratum 10

Replace 192.168.1.0/24 with your actual subnet.

  4. Restart the chrony service: sudo systemctl restart chrony
  5. Enable the chrony service at boot: sudo systemctl enable chrony
  6. If you use ufw, allow incoming NTP traffic on the Pi: sudo ufw allow 123/udp
  7. Verify the Pi is syncing: chronyc sources -v

You should see a list of IP addresses with a * or + next to them: * marks the source chrony is currently synchronized to and + marks other acceptable sources, so either indicates the Pi is reaching its upstream servers.

Set up chrony on your workstation

  1. Install chrony: sudo apt install chrony
  2. Edit the config: sudo vim /etc/chrony/chrony.conf
  3. Comment out every line starting with pool or server
  4. Add the line: server [YOUR_PI_IP_HERE] iburst
  5. Restart chrony: sudo service chrony restart (or sudo systemctl restart chrony)
  6. Run chronyc sources -v; you should see only one source listed, the IP address of your Raspberry Pi
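An added example, not code from the original post, that automates steps 3, 4 and 6 above: it comments out the pool/server lines of a chrony.conf, appends the Pi as the only server, and checks both the resulting config and the chronyc sources output. The Pi address 192.168.1.10 and the sample config/output are constructed.

```shell
#!/bin/sh
# Added helper, not from the original post: rewrites a workstation chrony.conf
# so the Raspberry Pi is its only time source, then checks both the config and
# `chronyc sources` output. The Pi address 192.168.1.10 and the sample
# config/output below are constructed, not taken from a real system.

# Comment out every live pool/server directive read from stdin and append
# a single server line pointing at the Pi ($1).
workstation_conf() {
  sed -E 's/^([[:space:]]*)(pool|server)[[:space:]]/\1# \2 /'
  printf '\n# The Raspberry Pi is the only permitted time source\nserver %s iburst\n' "$1"
}

# Succeed only if the config on stdin has exactly one live source and it is $1.
check_conf() {
  targets=$(grep -E '^[[:space:]]*(pool|server)[[:space:]]' | awk '{print $2}')
  [ "$targets" = "$1" ]
}

# Succeed only if `chronyc sources` output on stdin lists exactly one source,
# it is $1, and chrony has selected it (state '*' after the '^' mode column).
check_sources() {
  rows=$(grep -E '^[=#^][*+?x~-] ' || true)
  [ "$(printf '%s\n' "$rows" | grep -c .)" -eq 1 ] \
    && printf '%s\n' "$rows" | grep -q "^\^\* $1 "
}

# Constructed sample: a stock Debian chrony.conf fragment before editing.
SAMPLE_CONF='pool 2.debian.pool.ntp.org iburst
server time.google.com iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1 3'

# Constructed sample of `chronyc sources` on a correctly configured workstation.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.10                  3   6   377    12   +123us[ +150us] +/-   20ms'

printf '%s\n' "$SAMPLE_CONF" | workstation_conf 192.168.1.10 | check_conf 192.168.1.10 \
  && echo "config ok: the Pi is the only live source"
printf '%s\n' "$SAMPLE_SOURCES" | check_sources 192.168.1.10 \
  && echo "chronyc ok: the Pi is selected as the sole source"
```

To apply it for real, pipe /etc/chrony/chrony.conf through workstation_conf with your Pi's address and install the output over the original, then pipe chronyc sources through check_sources after the restart.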

Disable all other NTP traffic

On your workstation run the following commands

  1. Allow outgoing NTP traffic to your Pi via ufw: sudo ufw allow out to [YOUR_PI_IP] port 123 proto udp
  2. Deny all other outgoing NTP traffic: sudo ufw deny out 123/udp

This prevents your workstation from reaching any NTP service other than the one running on your Pi. Add the rules in that order: ufw matches rules top to bottom, so the allow for the Pi must come before the blanket deny.

Why is this needed?

Even if you've configured chrony or ntp to use your Pi, modern operating systems are "chatty."

  1. Bypassing Defaults: Some applications, browser extensions, or even system update scripts have hardcoded NTP servers (like time.google.com or pool.ntp.org) that they might try to reach out to independently of your system settings.
  2. Malware/Exfiltration: Port 123 is a common target for malware to use as a covert channel. Because it’s "just time," many firewalls leave it wide open. By blocking it, you ensure that no rogue process can use that port to "phone home" or leak metadata.
  3. Metadata Privacy: This forces your workstation to be silent on the public internet. To an outside observer (like your ISP), your workstation will appear to never check the time, further obfuscating your daily schedule.
