This is a spinoff of task https://vyos.dev/T5691
The issue in T5691 was that firewall rules to allow for traffic to/from localhost are missing by default in VyOS and have to be added manually.
That is handled in task https://vyos.dev/T5509
This task is about adding localhost by default as an allowed source for talking to chronyd (the current NTP daemon in VyOS).
It also covers that, according to https://manpages.debian.org/bookworm/chrony/chrony.conf.5.en.html, it seems that both bindaddress and binddevice can only be specified once.
The documentation isn't clear about what will happen if both are specified, but you can only have one bindaddress and one binddevice, not multiple of each.
Generally speaking, binddevice is the better option since it will also work if the IP address of the interface is set dynamically.
Suggestion is to modify the allow and listen sections of /usr/share/vyos/templates/chrony/chrony.conf.j2 into this:
```
# Allowed clients configuration
# Localhost shall always be allowed
allow 127.0.0.1
{% if allow_client.address is vyos_defined %}
{% for address in allow_client.address %}
allow {{ address }}
{% endfor %}
{% endif %}
# NTP should only listen on configured address
{% if listen_address is vyos_defined %}
bindaddress {{ listen_address }}
{% endif %}
{% if interface is vyos_defined %}
binddevice {{ interface }}
{% endif %}
```
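A way to check a rendered chrony.conf against the points raised above, as an added example that is not part of the task or of VyOS: it reports a missing localhost allow rule, repeated bindaddress or binddevice lines, and the unclear case where both are set. The function name, finding codes and sample config are hypothetical, and it assumes the bindaddress limit applies per address family (IPv4/IPv6).

```python
import ipaddress
from collections import Counter

# Constructed sample: a rendered config with two IPv4 bindaddress lines plus
# a binddevice (illustrative only, not real VyOS output).
SAMPLE_CONF = """\
# Allowed clients configuration
allow 127.0.0.1
allow 192.0.2.0/24
# NTP should only listen on configured address
bindaddress 192.0.2.1
bindaddress 192.0.2.2
binddevice eth0
"""

def _covers_localhost(subnet):
    # A bare "allow" or "allow all" (no subnet) permits every source.
    if subnet in (None, "all"):
        return True
    try:
        net = ipaddress.ip_network(subnet, strict=False)
    except ValueError:  # hostname or shortened subnet form: not evaluated here
        return False
    return ipaddress.ip_address("127.0.0.1") in net

def lint_chrony_conf(text):
    """Return finding codes for the allow/bind directives in a chrony.conf."""
    findings, allows, families, devices = [], [], Counter(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!%":  # chrony.conf comment markers
            continue
        directive, *args = line.split()
        if directive == "allow":
            allows.append(args[-1] if args else None)
        elif directive == "bindaddress" and args:
            try:
                families[ipaddress.ip_address(args[0]).version] += 1
            except ValueError:
                findings.append("invalid-bindaddress")
        elif directive == "binddevice" and args:
            devices += 1
    if not any(_covers_localhost(a) for a in allows):
        findings.append("localhost-not-allowed")
    findings += [f"duplicate-bindaddress-ipv{v}" for v in sorted(families) if families[v] > 1]
    if devices > 1:
        findings.append("duplicate-binddevice")
    if families and devices:
        findings.append("bindaddress-and-binddevice")
    return findings
```

Calling `lint_chrony_conf(SAMPLE_CONF)` flags the duplicate IPv4 bindaddress and the combined bindaddress/binddevice case.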