
Re: [Openvpn-users] running on same port as NTP

  • Subject: Re: [Openvpn-users] running on same port as NTP
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 28 Nov 2007 15:44:54 -0600
  • Openpgp: id=2E5A5127

Florin Andrei wrote:
> Due to some restrictions that I cannot change, the only UDP port that I 
> can use from a certain location to connect to my OpenVPN server at home 
> is NTP (123/udp).
> Now, the OpenVPN server also runs ntpd, which is synchronizing to 
> various servers in the pool.ntp.org domain and provides time sync for 
> local clients (two or three machines on local networks).

> OpenVPN only needs to listen for clients on eth1 (outside interface) and 
> eth2 (local wireless interface), while ntpd only needs to listen for 
> local clients on eth0 (wired LAN) and tun0 (created by openvpnd).

As pointed out earlier, OpenNTP will allow you to bind NTP to local (eth0 and tap0) interfaces only.  Unless you can't use OpenNTP, using it will make what you want to do a lot easier.

> My only concern is with inbound NTP packets on eth1 (outside) that ntpd 
> is receiving from upstream NTP servers, and with inbound OpenVPN packets 
> on the same port and same interface (openvpnd is receiving them from 

This isn't a problem as long as your NTP daemon is listening on internal interfaces only.  When your server establishes a connection to public NTP servers, the local UDP port is dynamic (i.e., not 123).  This frees up UDP port 123 on your external interface.

> Do you think there will be any conflict between the two daemons?

Not as long as your NTP daemon isn't listening on your public IP.

As an alternative, if you cannot (or choose not to) run OpenNTP, you should be able to accomplish what you want with iptables.  In this setup you can let your NTP daemon bind to all interfaces on UDP port 123 and run OpenVPN on any port (I'll assume 1194 here).  iptables can redirect the packet coming in on eth1 on UDP port 123 and send it to your OpenVPN port internally so NTP never sees the packet.  This also allows you to continue using port 1194 for any VPN clients that aren't restricted as you described above.

To do this, the following iptables rule will handle the redirection (note that I've broken the line up to account for line-wrapping):
# redirect inbound packets on our public interface on
# UDP port 123 and send to this host on port 1194
iptables -A PREROUTING -t nat -i eth1 -p udp \
--dport 123 -j REDIRECT --to-ports 1194


Attachment: signature.asc
Description: OpenPGP digital signature
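The iptables approach from the reply above, worked through as an added example (this is not code from the original post or from the OpenVPN project). It emits the full rule set a practitioner would pair with the REDIRECT rule, since filter/INPUT sees the packet after the NAT rewrite and therefore has to accept the OpenVPN port rather than 123, and it adds a pre-flight check that ntpd is not bound on the wildcard or on the public address, which is the condition the first half of the reply depends on. The interface name eth1, ports 123 and 1194, and the public address 203.0.113.5 are assumptions taken from or invented for the thread; the `ss` lines in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the iptables rules that
# redirect UDP/123 arriving on the public interface to OpenVPN on 1194, and
# checks that ntpd is not bound where that traffic would collide with it.
# Interface name, ports and the public address are assumptions; adjust them.

EXT_IF="${EXT_IF:-eth1}"       # public interface (assumed, as in the post)
EXT_PORT="${EXT_PORT:-123}"    # the only UDP port the remote site lets out
VPN_PORT="${VPN_PORT:-1194}"   # OpenVPN's real listening port

# Dry-run wrapper: print the command unless APPLY=1 (installing needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

redirect_rules() {
    # nat/PREROUTING runs before routing and before filter/INPUT, so a
    # packet to eth1:123 is rewritten to :1194 before ntpd could ever
    # see it. Conntrack reverses the translation on OpenVPN's replies, so
    # the restricted client sees answers coming back from port 123.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport "$EXT_PORT" \
        -j REDIRECT --to-ports "$VPN_PORT"
    # filter/INPUT sees the post-NAT port: accept 1194, not 123.
    ipt -A INPUT -i "$EXT_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Belt and braces: should the nat rule ever go missing, plain UDP/123
    # from the public side must not reach a wildcard-bound ntpd.
    ipt -A INPUT -i "$EXT_IF" -p udp --dport "$EXT_PORT" -j DROP
}

# Scan `ss -H -lun` output (one UDP listener per line, local address in
# field 4) for an ntpd socket on the wildcard or on the public address $1.
# Exits 1 and names the offending socket if found, 0 otherwise.
ntp_bind_check() {
    awk -v pub="$1" '
        {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port != "123") next
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == pub) {
                print "ntpd listening on public-facing socket " $4
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

main() {
    echo "# rules (dry run; set APPLY=1 to install them):"
    redirect_rules
    if [ -n "$PUB_IP" ]; then
        # Live check against this host's UDP listeners.
        ss -H -lun | ntp_bind_check "$PUB_IP" || echo "fix the ntpd bind first"
    else
        # Constructed sample of `ss -H -lun` output: ntpd on the wildcard.
        printf 'UNCONN 0 0 0.0.0.0:123 0.0.0.0:*\n' | ntp_bind_check 203.0.113.5 \
            || echo "sample shows the bind that the redirect rule guards against"
    fi
}
main
```

After installing with `APPLY=1`, watch the packet counters in `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v` while the restricted client connects with `remote <server> 123 udp` in its config; the server keeps `port 1194`. If you take the OpenNTP route instead, the equivalent of the bind check is a `listen on 192.168.1.1`-style line per LAN address in ntpd.conf, and ISC ntpd 4.2.6 or later can do the same with `interface ignore wildcard` followed by `interface listen eth0`.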