Florin Andrei wrote:
> Due to some restrictions that I cannot change, the only UDP port that I
> can use from a certain location to connect to my OpenVPN server at home
> is NTP (123/udp).
> Now, the OpenVPN server also runs ntpd, which is synchronizing to
> various servers in the pool.ntp.org domain and provides time sync for
> local clients (two or three machines on local networks).
> OpenVPN only needs to listen for clients on eth1 (outside interface) and
> eth2 (local wireless interface), while ntpd only needs to listen for
> local clients on eth0 (wired LAN) and tun0 (created by openvpnd).
As pointed out earlier, OpenNTP will allow you to bind NTP to local
(eth0 and tap0) interfaces only. Unless you can't use OpenNTP, using
it will make what you want to do a lot easier.
> My only concern is with inbound NTP packets on eth1 (outside) that ntpd
> is receiving from upstream NTP servers, and with inbound OpenVPN packets
> on the same port and same interface (openvpnd is receiving them from
This isn't a problem as long as your NTP daemon is listening on
internal interfaces only. When your server establishes a connection to
public NTP servers, the local UDP port is dynamic (i.e. not 123). This
frees up UDP port 123 on your external interface.
> Do you think there will be any conflict between the two daemons?
Not as long as your NTP daemon isn't listening on your public IP.
As an alternative, if you cannot (or choose not) to run OpenNTP, you
should be able to accomplish what you want with iptables. In this
setup you can let your NTP daemon bind to all interfaces on UDP port
123 and run OpenVPN on any port (I'll assume 1194 here.) iptables can
redirect the packet coming in on eth1 on UDP port 123 and send it to
your OpenVPN port internally so NTP never sees the packet. This also
allows you to continue using port 1194 for any VPN clients that aren't
restricted as you described above.
To do this, the following iptables rule will handle the redirection
(note that I've broken the line up to account for line-wrapping)
# redirect inbound packets on our public interface on
# UDP port 123 and send to this host on port 1194
iptables -A PREROUTING -t nat -i eth1 -p udp \
--dport 123 -j REDIRECT --to-ports 1194
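The following script is an added example and is not code from either poster. It reproduces the iptables REDIRECT rule from the reply above as a printable command, emits an OpenNTPD ntpd.conf fragment that binds the daemon to the given local addresses only (the "listen on" directive mentioned in the reply, with the addresses assumed here), and checks a socket listing in "ss -uln" format for an NTP listener that would receive packets arriving on the public address (a wildcard bind or an explicit bind to the public IP). The IP addresses and the two socket listings are constructed sample data, not output from the poster's host.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and ports are the
# ones used in the thread; addresses and socket listings are constructed.

PUB_IF="eth1"   # public interface from the thread
NTP_PORT=123
VPN_PORT=1194   # OpenVPN port assumed in the reply

# Print the NAT redirect rule from the reply as a single line: inbound UDP/123
# on the public interface is handed to the local OpenVPN port, so ntpd never
# sees those packets.
redirect_rule() {
    printf 'iptables -A PREROUTING -t nat -i %s -p udp --dport %s -j REDIRECT --to-ports %s\n' \
        "$PUB_IF" "$NTP_PORT" "$VPN_PORT"
}

# Print OpenNTPD ntpd.conf lines that sync from the pool and bind the daemon
# to the given local addresses only. Assumption: the caller passes the LAN
# and tun addresses, one per argument.
openntpd_config() {
    echo "servers pool.ntp.org"
    for addr in "$@"; do
        echo "listen on $addr"
    done
}

# Scan "ss -uln"-style output (4th column is Local Address:Port). Return 1 if
# any UDP/123 socket is bound to the wildcard address or to the public
# address given as $1 (ntpd would then receive public-interface traffic);
# return 0 if port 123 is held only on other addresses.
ntp_public_bind_check() {
    pub_ip="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v ip="$pub_ip" -v port="$NTP_PORT" '
        NR == 1 { next }                       # skip the header line
        {
            n = split($4, f, ":")
            p = f[n]                           # port is the last field
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == ip))
                bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample listings (not real output from the poster's host).
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      192.168.1.1:123    0.0.0.0:*
UNCONN 0      0      10.8.0.1:123       0.0.0.0:*
UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*'

SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*'

main() {
    redirect_rule
    openntpd_config 192.168.1.1 10.8.0.1
    if ntp_public_bind_check 192.0.2.10 "$SAMPLE_OK"; then
        echo "sample 1: no NTP listener on the public address, no conflict with OpenVPN on 123"
    fi
    if ! ntp_public_bind_check 192.0.2.10 "$SAMPLE_BAD"; then
        echo "sample 2: ntpd bound on the wildcard address; restrict its bind or keep the REDIRECT rule in place"
    fi
}

main
```

Run the check against the real listing with `ntp_public_bind_check <public-ip> "$(ss -uln)"` on the server; a clean result means the two daemons do not compete for 123/udp on eth1, and the REDIRECT rule handles the restricted clients either way.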