how to forward ntp traffic to default gateway instead of vpn tunnel

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:



iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT


However, the VPN provider blocks NTP traffic (udp port 123).



How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?










share|improve this question
























  • have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

    – cas
    Jun 4 '16 at 10:58











  • Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:09











  • Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

    – cas
    Jun 4 '16 at 11:31











  • The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:37












  • ok, so why is your dd-wrt routing ntp packets via the rpi?

    – cas
    Jun 4 '16 at 11:39















0















I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:



iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT


However, the VPN provider blocks NTP traffic (udp port 123).



How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?










share|improve this question
























  • have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

    – cas
    Jun 4 '16 at 10:58











  • Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:09











  • Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

    – cas
    Jun 4 '16 at 11:31











  • The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:37












  • ok, so why is your dd-wrt routing ntp packets via the rpi?

    – cas
    Jun 4 '16 at 11:39













0












0








0








I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:



iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT


However, the VPN provider blocks NTP traffic (udp port 123).



How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?










share|improve this question
















I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:



iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT


However, the VPN provider blocks NTP traffic (udp port 123).



How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?







iptables vpn ntp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jun 4 '16 at 10:58









cas

39.5k455103




39.5k455103










asked Jun 4 '16 at 10:29









Branislav ZlatkovicBranislav Zlatkovic

11




11












  • have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

    – cas
    Jun 4 '16 at 10:58











  • Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:09











  • Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

    – cas
    Jun 4 '16 at 11:31











  • The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:37












  • ok, so why is your dd-wrt routing ntp packets via the rpi?

    – cas
    Jun 4 '16 at 11:39

















  • have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

    – cas
    Jun 4 '16 at 10:58











  • Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:09











  • Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

    – cas
    Jun 4 '16 at 11:31











  • The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

    – Branislav Zlatkovic
    Jun 4 '16 at 11:37












  • ok, so why is your dd-wrt routing ntp packets via the rpi?

    – cas
    Jun 4 '16 at 11:39
















have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

– cas
Jun 4 '16 at 10:58





have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?

– cas
Jun 4 '16 at 10:58













Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

– Branislav Zlatkovic
Jun 4 '16 at 11:09





Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be exluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.

– Branislav Zlatkovic
Jun 4 '16 at 11:09













Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

– cas
Jun 4 '16 at 11:31





Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...

– cas
Jun 4 '16 at 11:31













The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

– Branislav Zlatkovic
Jun 4 '16 at 11:37






The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1 Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online though VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead to the VPN tun0.

– Branislav Zlatkovic
Jun 4 '16 at 11:37














ok, so why is your dd-wrt routing ntp packets via the rpi?

– cas
Jun 4 '16 at 11:39





ok, so why is your dd-wrt routing ntp packets via the rpi?

– cas
Jun 4 '16 at 11:39










1 Answer
1






active

oldest

votes


















0














Policy routing to rescue. At your RPi as root do the following:



# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123





share|improve this answer























  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

    – Branislav Zlatkovic
    Jun 4 '16 at 12:36












  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

    – Serge
    Jun 4 '16 at 12:44











  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

    – Branislav Zlatkovic
    Jun 4 '16 at 13:36











  • to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

    – Serge
    Jun 4 '16 at 14:30










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f287627%2fhow-to-forward-ntp-traffic-to-default-gateway-instead-of-vpn-tunnel%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Policy routing to rescue. At your RPi as root do the following:



# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123





share|improve this answer























  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

    – Branislav Zlatkovic
    Jun 4 '16 at 12:36












  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

    – Serge
    Jun 4 '16 at 12:44











  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

    – Branislav Zlatkovic
    Jun 4 '16 at 13:36











  • to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

    – Serge
    Jun 4 '16 at 14:30















0














Policy routing to rescue. At your RPi as root do the following:



# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123





share|improve this answer























  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

    – Branislav Zlatkovic
    Jun 4 '16 at 12:36












  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

    – Serge
    Jun 4 '16 at 12:44











  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

    – Branislav Zlatkovic
    Jun 4 '16 at 13:36











  • to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

    – Serge
    Jun 4 '16 at 14:30













0












0








0







Policy routing to rescue. At your RPi as root do the following:



# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123





share|improve this answer













Policy routing to rescue. At your RPi as root do the following:



# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123






share|improve this answer












share|improve this answer



share|improve this answer










answered Jun 4 '16 at 12:26









SergeSerge

5,73521326




5,73521326












  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

    – Branislav Zlatkovic
    Jun 4 '16 at 12:36












  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

    – Serge
    Jun 4 '16 at 12:44











  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

    – Branislav Zlatkovic
    Jun 4 '16 at 13:36











  • to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

    – Serge
    Jun 4 '16 at 14:30

















  • Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

    – Branislav Zlatkovic
    Jun 4 '16 at 12:36












  • It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

    – Serge
    Jun 4 '16 at 12:44











  • Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

    – Branislav Zlatkovic
    Jun 4 '16 at 13:36











  • to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

    – Serge
    Jun 4 '16 at 14:30
















Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

– Branislav Zlatkovic
Jun 4 '16 at 12:36






Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi: IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12 IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12

– Branislav Zlatkovic
Jun 4 '16 at 12:36














It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

– Serge
Jun 4 '16 at 12:44





It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi

– Serge
Jun 4 '16 at 12:44













Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

– Branislav Zlatkovic
Jun 4 '16 at 13:36





Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick: iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2 One more question, how to make ip rule and ip route persistent?

– Branislav Zlatkovic
Jun 4 '16 at 13:36













to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

– Serge
Jun 4 '16 at 14:30





to set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way appropriate to your system. The riles are not flushed during interface state transitions as far as I remember, so rc.local or other suitable place would be good.

– Serge
Jun 4 '16 at 14:30

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f287627%2fhow-to-forward-ntp-traffic-to-default-gateway-instead-of-vpn-tunnel%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?