
Re: [Openvpn-users] running on same port as NTP

  • Subject: Re: [Openvpn-users] running on same port as NTP
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Tue, 27 Nov 2007 09:46:47 +0100

OpenVPN 2.1 has a (little advertised) --multihome option that might do 
what you want.

Yes there will be a conflict between the two daemons, as the upstream 
ntpd daemon will try to synchronize with your openvpn server from time 
to time... also, running two services on the same port is not easy to do 
- most software refuses to bind to a particular port if it is already 
in use by another piece of software.
Alternatively, don't run a full ntpd daemon on eth1 but passively sync 
with an external ntp server, e.g. run a cronjob every 5 minutes that 
does something like
  ntpdate -u 0.pool.ntp.org
(we won't go into the philosophical implications of running cron jobs, 
which use the clock, to synchronize this same clock ;-))
You can then run the ntpd daemon on the other interfaces (eth0, eth2, 
tun0) and use openvpn on intf eth1.



Florin Andrei wrote:
> I guess I can do some tests myself, but let me ask first, just in case 
> it's something that was already tested:
> Due to some restrictions that I cannot change, the only UDP port that I 
> can use from a certain location to connect to my OpenVPN server at home 
> is NTP (123/udp).
> Now, the OpenVPN server also runs ntpd, which is synchronizing to 
> various servers in the pool.ntp.org domain and provides time sync for 
> local clients (two or three machines on local networks).
> OpenVPN only needs to listen for clients on eth1 (outside interface) and 
> eth2 (local wireless interface), while ntpd only needs to listen for 
> local clients on eth0 (wired LAN) and tun0 (created by openvpnd).
> My only concern is with inbound NTP packets on eth1 (outside) that ntpd 
> is receiving from upstream NTP servers, and with inbound OpenVPN packets 
> on the same port and same interface (openvpnd is receiving them from 
> clients).
> Do you think there will be any conflict between the two daemons?
> If push comes to shove, I can probably run openvpnd on a TCP port, but I 
> wouldn't do that if I definitely don't have to.
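
The port conflict discussed in the reply above, as an added example that is not part of the original message: a second UDP socket is refused on an address and port already in use, but can bind the same port on a different local address, and the kernel then delivers each datagram by destination address. It assumes Linux, where all of 127.0.0.0/8 is local; the two loopback addresses are constructed stand-ins for two interface addresses.

```python
import errno
import socket

# Constructed stand-ins: two loopback addresses play the roles of two
# interface addresses (Linux routes all of 127.0.0.0/8 to lo).
ADDR_A = "127.0.0.1"   # e.g. the address ntpd serves on
ADDR_B = "127.0.0.2"   # e.g. the address OpenVPN listens on


def bind_udp(addr, port):
    """Return a bound UDP socket, or the errno name if bind() is refused."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
    except OSError as exc:
        sock.close()
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.settimeout(1.0)
    return sock


def demo():
    daemon_a = bind_udp(ADDR_A, 0)            # kernel picks a free port
    port = daemon_a.getsockname()[1]
    same_addr = bind_udp(ADDR_A, port)        # second daemon, same address
    wildcard = bind_udp("0.0.0.0", port)      # second daemon, all addresses
    daemon_b = bind_udp(ADDR_B, port)         # second daemon, other address

    # Delivery follows the destination address, not the protocol inside,
    # so whoever owns an address gets every datagram sent to it.
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"to-a", (ADDR_A, port))
    client.sendto(b"to-b", (ADDR_B, port))
    got_a = daemon_a.recvfrom(64)[0]
    got_b = daemon_b.recvfrom(64)[0]
    for s in (client, daemon_a, daemon_b):
        s.close()
    return {"same_addr": same_addr, "wildcard": wildcard,
            "got_a": got_a, "got_b": got_b}


if __name__ == "__main__":
    print(demo())
```

Any datagram addressed to the port on one address, whatever protocol it carries, reaches only the socket bound to that address.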
