Hi Jason,
In my case, ntp is running, but it doesn't help the situation. Let's
assume a machine is off when the time changes. The machine comes back
on, and the hardware clock is now, say, 2:00 AM when the real time is
say, 1:00 AM. Let's say OpenVPN starts at 2:00 AM in the boot sequence,
but then ntpdate runs (in our ntpd start script) and sets the clock back
to 1:00 AM. ntp (at least with our configuration) wouldn't have
touched a time that was out by an hour, and even if it would, I was
wondering whether the slew would cause any difficulty for OpenVPN. A
slew backwards slowly or making the time jump back during boot would
basically be the same thing, the key component being that the time would
be going backwards. If OpenVPN wasn't happy with time going back, it
wouldn't matter whether ntpdate was doing it or ntpd... It seems like
the time going back could very well cause a problem since the result of
unixtime for the first call when OpenVPN started would be more than the
second call... It seems like James will handle this in the 2.1 branch by
holding the time the same.... hmmmm..... I'm not sure the best way to
handle this... I certainly don't want all of our machines (which are
using OpenVPN for NFS) to crash when there is a time change backwards,
but on the other hand, I don't want to lose the replay protection...
Jas.
Jason Haar wrote:
James Yonan wrote:
If OpenVPN (internally) uses UTC (or unixtime) there should be no issue
Just to cover my ar*e - UTC isn't a TLA for "unixtime" - as James says
all Unix systems' internal clock is based on the number of seconds since
Jan 1 1970. And yes, it is immune to daylight saving issues.
One thing to note about the original question. There was a comment about
resetting the clock via ntpdate every hour? That could cause a problem.
You are hard-resetting the time - jumping around in time. Always a bad
thing (except if you're the Doctor ;-). You can end up with "impossible"
events like a syslog entry at one time, followed by the next entry at an
earlier time. And when I refer to jumping around in time - I am
referring to "real time" - UTC or unixtime - not "human time" which has
weird concepts such as daylight savings/etc.
If you can use ntpdate, you should be able to use ntpd and "do it
right". The daemon will *slew* time - speeding up or slowing down the OS
clock until the time is synchronized.
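
An added illustration, not part of the thread and not OpenVPN's code: the boot scenario described above (clock at 2:00, then stepped back to about 1:00) fed through a clock wrapper that holds its last value instead of going backwards. The names `held_clock`, `count_backward_steps` and `min_elapsed` and the sample readings are constructed for this example.

```c
#include <stdio.h>
#include <time.h>

/* Constructed wall-clock readings, seconds since midnight: boot at 02:00:00,
 * then ntpdate steps the clock back to about 01:00, which later catches up. */
static const time_t SAMPLE_WALL[] = {7200, 7205, 3610, 3615, 7199, 7201, 7210};
enum { SAMPLE_N = sizeof SAMPLE_WALL / sizeof SAMPLE_WALL[0] };

/* A clock that never reports a time earlier than one it already reported. */
struct held_clock { time_t last; int primed; };

static time_t held_clock_update(struct held_clock *c, time_t wall)
{
    if (!c->primed || wall > c->last) { c->last = wall; c->primed = 1; }
    return c->last;               /* held at the old value after a backward step */
}

/* Number of readings that are earlier than the reading before them. */
static int count_backward_steps(const time_t *wall, int n, int use_hold)
{
    struct held_clock c = {0, 0};
    time_t prev = 0;
    int backward = 0;
    for (int i = 0; i < n; i++) {
        time_t t = use_hold ? held_clock_update(&c, wall[i]) : wall[i];
        if (i > 0 && t < prev) backward++;
        prev = t;
    }
    return backward;
}

/* Lowest "seconds since start" seen; negative means an interval went backwards. */
static long min_elapsed(const time_t *wall, int n, int use_hold)
{
    struct held_clock c = {0, 0};
    time_t start = 0;
    long lowest = 0;
    for (int i = 0; i < n; i++) {
        time_t t = use_hold ? held_clock_update(&c, wall[i]) : wall[i];
        if (i == 0) start = t;
        long e = (long)(t - start);
        if (e < lowest) lowest = e;
    }
    return lowest;
}

int main(void)
{
    printf("raw:  backward=%d lowest=%ld s\n", count_backward_steps(SAMPLE_WALL, SAMPLE_N, 0), min_elapsed(SAMPLE_WALL, SAMPLE_N, 0));
    printf("held: backward=%d lowest=%ld s\n", count_backward_steps(SAMPLE_WALL, SAMPLE_N, 1), min_elapsed(SAMPLE_WALL, SAMPLE_N, 1));
    return 0;
}
```

While the value is held, the wrapper reports no time passing, so any timeout computed from it stalls until the wall clock catches up (about an hour in this scenario).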