diff --git a/etc/rc.d/rc.library.source b/etc/rc.d/rc.library.source
index 6bbb5dc8a..8db332b46 100644
--- a/etc/rc.d/rc.library.source
+++ b/etc/rc.d/rc.library.source
@@ -21,7 +21,7 @@ this() {
 grep -Pom1 "^$1 = \K.*" $CONF
 ;;
 'ntp'|'ssh')
- grep -Po "^$1 \K.*" $CONF|tr '\n' ' '|sed 's/ $//'
+ grep -Po "^$1 \K\S+" $CONF|tr '\n' ' '|sed 's/ $//'
 ;;
 'nfs')
 grep -Pom1 "^RPC_NFSD_OPTS=\"$OPTIONS \K[^\"]+" $NFS
@@ -87,7 +87,7 @@ extra_name() {
 for net in $include_interfaces; do
 if $(isname $net); then
 # net is an interface name, validate
- [[ -n $(show dev $net) && -z $(good $net) ]] && bind+=($net)
+ [[ $CALLER != ntp && -n $(show dev $net) && -z $(good $net) ]] && bind+=($net)
 else
 # net is an IP address, convert to name
 net=$(show $net)
@@ -116,8 +116,8 @@ extra_addr() {
 net4=$(show -4 to $net)
 net6=$(show -6 to $net)
 fi
- [[ -n $net4 && -z $(good $(sub $net4)) ]] && ipv4=yes bind+=($(sub $net4))
- [[ -n $net6 && -z $(good $(sub $net6)) ]] && ipv6=yes bind+=($(sub $net6))
+ [[ $CALLER != ntp && -n $net4 && -z $(good $(sub $net4)) ]] && ipv4=yes bind+=($(sub $net4))
+ [[ $CALLER != ntp && -n $net6 && -z $(good $(sub $net6)) ]] && ipv6=yes bind+=($(sub $net6))
 done
 for net in $exclude_interfaces; do
 if $(isname $net); then
@@ -143,7 +143,10 @@ check() {
 [[ -n $net ]] && bind+=($net)
 [[ -n ${net[1]} ]] && ipv4=yes
 else
- [[ -n ${net[1]} ]] && ipv4=yes bind+=($(sub ${net[1]}))
+ # exclude wireguard tunnels for ntp
+ [[ $CALLER == ntp ]] && name=$(show ${net[1]}) || name=
+ [[ ${name:0:2} == wg ]] && wg=no || wg=yes
+ [[ $wg == yes && -n ${net[1]} ]] && ipv4=yes bind+=($(sub ${net[1]}))
 fi
 done <<< $(ip -br -4 addr|awk '/^(br|bond|eth|wg)[0-9]+(\.[0-9]+)?/ && $3 !~ "^169.254" {print $1,$3}')
 # active ipv6 interfaces (including wireguard)
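Review bot: In the `'ntp'|'ssh'` arm of `this()`, the change from `\K.*` to `\K\S+` has no comment explaining why only the first token is kept, although it now depends on the `# <name>` suffix that rc.ntpd and rc.sshd start appending in this same commit. A comment such as `# keep only the address; build_ntp/build_ssh append "# <interface>" after it` would stop a later edit from restoring `.*`, which would presumably make the stored value differ from the computed bind list on every run. On the same line `$1` goes into the PCRE unescaped and `$CONF` is unquoted; both predate this commit, but `"$CONF"` is cheap to fix while the line is touched. The body of `this()` starts and ends outside the hunk.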
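Review bot: The new `$CALLER != ntp` guard in `extra_name()` makes ntp ignore every entry of `$include_interfaces` with no comment saying why, and the same guard is repeated on both added lines of the `extra_addr()` hunk. The result is fail-closed, but an operator who lists an interface gets no ntp listener there and no hint of the reason. Because the test does not depend on `$net`, it would read more clearly as one check ahead of the include loop, with the intent stated, e.g. `# ntp binds only to auto-detected interfaces; user includes are skipped` (wording for the author to confirm). Both functions start and end outside their hunks.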
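Review bot: The wireguard filter added to the IPv4 branch of `check()` fails open: in `[[ $CALLER == ntp ]] && name=$(show ${net[1]}) || name=` the `|| name=` also runs when `show` exits non-zero, so a failed lookup leaves `name` empty, sets `wg=yes`, and the tunnel address is still added to `bind` for ntp. The IPv6 hunk repeats the same construct. If `${net[0]}` holds the interface name (the awk feeding the loop prints `$1,$3`, but the `read` is outside the hunk), the reverse lookup is not needed and the three lines reduce to `[[ ! ( $CALLER == ntp && ${net[0]} == wg* ) && -n ${net[1]} ]] && ipv4=yes bind+=($(sub ${net[1]}))`. `name` and `wg` are also assigned without `local`; whether `check()` declares them is not visible here.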
@@ -153,7 +156,11 @@ check() {
 [[ -n $net && -z $(good $net) ]] && bind+=($net)
 [[ -n ${net[1]} ]] && ipv6=yes
 else
- [[ -n ${net[1]} ]] && ipv6=yes bind+=($(sub ${net[1]}))
+ name=$(show ${net[1]})
+ # exclude wireguard tunnels for ntp
+ [[ $CALLER == ntp ]] && name=$(show ${net[1]}) || name=
+ [[ ${name:0:2} == wg ]] && wg=no || wg=yes
+ [[ $wg == yes && -n ${net[1]} ]] && ipv6=yes bind+=($(sub ${net[1]}))
 fi
 done <<< $(ip -br -6 addr|awk '/^(br|bond|eth|wg)[0-9]+(\.[0-9]+)?/ && $3 !~ "^fe80" {print $1,$3}')
 # add loopback interface
diff --git a/etc/rc.d/rc.ntpd b/etc/rc.d/rc.ntpd
index 71c6d38c8..aec0cd440 100755
--- a/etc/rc.d/rc.ntpd
+++ b/etc/rc.d/rc.ntpd
@@ -23,7 +23,7 @@ build_ntp() {
 [[ $ipv6 == no ]] && echo "interface ignore ipv6" >>$CONF
 # add listen interfaces
 for net in $bind; do
- echo "interface listen $net" >>$CONF
+ echo "interface listen $net # $(show $net)" >>$CONF
 done
 fi
 # add configured NTP servers
diff --git a/etc/rc.d/rc.sshd b/etc/rc.d/rc.sshd
index b0a9e84d0..f3c4ca8c3 100755
--- a/etc/rc.d/rc.sshd
+++ b/etc/rc.d/rc.sshd
@@ -18,7 +18,7 @@ build_ssh() {
 sed -ri '/^#?(ListenAddress|AddressFamily) /d' $CONF
 # create new entries (in reverse order)
 for i in $(seq $((${#bind[@]}-1)) -1 0); do
- sed -ri "/^#?Port /a ListenAddress ${bind[$i]}" $CONF
+ sed -ri "/^#?Port /a ListenAddress ${bind[$i]} # $(show ${bind[$i]})" $CONF
 done
 sed -ri "/^#?Port /a AddressFamily $family" $CONF
 fi
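Review bot: The first added line in the IPv6 branch of `check()`, `name=$(show ${net[1]})`, is dead code: the next statement assigns `name` again, to the same lookup for ntp and to empty for every other caller. It costs one extra `show` call per address for all callers and has no counterpart in the otherwise identical IPv4 hunk, so it looks like a leftover that can be dropped.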
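Review bot: In `build_ntp()` the output of `$(show $net)` is interpolated straight into the line written to the ntp configuration, with no check on what came back. If `show` prints nothing the line ends in a bare `# `, and if it ever prints more than one line the remainder lands in `$CONF` as a directive of its own. At minimum, capture it first and add the comment only when it is non-empty: `name=$(show "$net")` followed by `echo "interface listen $net${name:+ # $name}" >>$CONF`. The rc.sshd hunk adds the same expansion, where the text also becomes part of a sed script.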
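Review bot: The `ListenAddress <addr> # <name>` line added in `build_ssh()` relies on sshd accepting a trailing comment after the value. As far as I recall, sshd_config only documents lines that start with `#` as comments, and whether a trailing one is tolerated depends on the OpenSSH version shipped; this needs confirming. If it is rejected the daemon will refuse the file at its next start, so running `sshd -t` after the rewrite and falling back to the uncommented form on failure would keep a cosmetic change from costing remote access. The body of `build_ssh()` continues outside the hunk.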