Time Synchronization options & troubleshooting on Ubuntu Server

Default Time Synchronization (systemd-timesyncd)

By default, most Linux distributions use systemd-timesyncd, a simple NTP client that synchronizes the system clock using UDP port 123.

You can check its status:

systemctl status systemd-timesyncd

If it’s inactive, enable it with:

sudo timedatectl set-ntp on

However, this service may stop working in some network configurations — particularly when:

• You’re using a VPN that blocks UDP/123
• Your router or firewall drops NTP packets
• Your ISP filters or blocks NTP traffic

For that reason, I recommend to check the timedatectl status from time to time.

Troubleshooting Time Synchronization issues when using systemd-timesyncd

• If synchronization works with disabled VPN client, exclude NTP traffic from the VPN tunnel.

  Fix: Set Split Tunnel for systemd-timesyncd

  Alternate fix: Switch to Chrony

• If synchronization works on another network, such as a mobile hotspot, your primary network or ISP likely blocks UDP port 123.

  Fix: Switch to Chrony.

• If synchronization starts working again after a router reboot and then stops after some time, your router may have stale or stuck NAT entries for NTP traffic (UDP port 123).

  Fix: Set up an automatic NAT cleanup script on the router to periodically remove old NTP connections. Look for a guide: MikroTik RouterOS – NTP Port Cleanup Scheduler.

  Alternate fix: Switch to Chrony

Alternative Time Synchronization with Chrony

If systemd-timesyncd fails due to network restrictions (e.g. blocked UDP 123), or if you simply prefer a modern and more reliable NTP/NTS client, you can switch to Chrony. Chrony supports both traditional NTP over UDP and encrypted time synchronization via TCP using the Network Time Security (NTS) protocol.

Switching from systemd-timesyncd to Chrony

1. Stop, disable, and remove systemd-timesyncd

   sudo systemctl disable --now systemd-timesyncd
   sudo apt remove -y systemd-timesyncd

2. Install Chrony

   sudo apt update && sudo apt install -y chrony

3. Adjust Chrony configuration

   Edit sudo nano /etc/chrony/chrony.conf and update the NTP pool servers to include reliable global sources. These servers are usually accessible even behind strict ISP or VPN firewalls:

   pool time.cloudflare.com iburst
   pool time.google.com iburst
   pool ntp.ubuntu.com iburst
   pool pool.ntp.org iburst

   💡 To improve reliability and enable encrypted synchronization over TCP (in case UDP 123 is blocked), you can also add NTS-capable servers:

   server time.cloudflare.com iburst nts
   server time.google.com iburst nts

   Chrony will automatically prefer the most stable and reachable sources, switching seamlessly between UDP and TCP as needed.

4. Enable and start Chrony

   sudo systemctl enable --now chrony

   Once started, Chrony takes over system-wide time synchronization. The system clock and RTC will now stay continuously synchronized even if your network conditions change.

5. Monitor synchronization status

   You can verify that Chrony is working and tracking remote servers correctly:

   chronyc tracking

   chronyc sources -v

   Example output:

   Reference ID    : 55A3A8E3 (time.cloudflare.com)
   Stratum         : 3
   Ref time (UTC)  : Thu Oct 09 09:24:38 2025
   System time     : 0.0005 seconds fast of NTP time
   Last offset     : +0.0006 seconds
   RMS offset      : 0.0003 seconds
   Frequency       : 5.354 ppm slow
   Leap status     : Normal

   You can also confirm that the system clock is synchronized:

   timedatectl status

   System clock synchronized: yes
   NTP service: inactive (handled by chronyd)

Reverting back to systemd-timesyncd

If you ever wish to switch back to the default synchronization service:

sudo systemctl disable --now chrony
sudo apt remove -y chrony
sudo apt install -y systemd-timesyncd
sudo systemctl enable --now systemd-timesyncd