NTP and Redsocks

ymaia · June 15, 2018, 3:13am

Hello,

I was able to successfully configure redsocks. The device connects to the dashboard and my application is running fine behind a 100% restrictive firewall (just the redsocks SOCKS port is allowed).

Just one problem: NTP is not syncing anymore.
I’m only using the stock config for this (no NTP servers specified on config.json).

As I understand it, NTP syncronization is not going thru the proxy. Is there a way to make sure all NTP requests flow within the tunnel?

Thanks!

lucianbuzzo · June 15, 2018, 11:26am

It would be good to get some more information about whats going on.
Can you access the hostOS and run the commands journalctl -u resin-proxy-config and journalctl -u redsocks, then post the output here?

ymaia · June 15, 2018, 1:05pm

I wonder if this has something to do with on how SOCKS and UDP works.
Even DNS request have to be made over TCP in order to get around this particular limitation.

@lucianbuzzo here is the output from both commands:

journalctl -u resin-proxy-config
– No entries –

journalctl -u redsocks
(contains a huge amount of entries like the ones below. No errors as far as I can see. Some information redacted):
Jun 15 04:08:35 d8exxxx redsocks[687]: [10.33.146.101:47086->52.86.xxx.xxx:443]: accepted
Jun 15 04:08:36 d8exxxx redsocks[687]: [10.33.146.101:47086->52.86.xxx.xxx:443]: connection closed

As i’ve mentioned, everything works, except for NTP.
I was really hoping to make that service run thru the tunnel in order to simplify deployment at our costumer premises.

Thanks!

chrischabot · June 15, 2018, 1:57pm

Hi @ymaia – Yeah you’ve already hit the nail on the head, redsocks can only redirects TCP over it’s SSH connection, and NTP relies on UDP (as tcp is far less accurate for timing sensitive things)

You could write a script that uses something like http://www.vervest.org/htp/ to get the date/time and then set the system clock using hwclock, ie: hwclock --set --date="2012-04-19 16:45:05" --localtime

ymaia · June 15, 2018, 2:20pm

Thanks @chrischabot
Can you please clarify what happens to that UDP traffic? Is it still forwarded to the default gateway while redsocks is enabled?
I can request the costumer to open up the firewall to an NTP server on the internet. Will this work right away or is it necessary for me to include that server on the redsocks exclusion file (no_proxy) as well?

chrischabot · June 15, 2018, 2:26pm

@ymaia Typically the default redsocks configuration would only route TCP traffic, and DNS using dnsu2t – so if they open UDP port 123 to allow incoming and outgoing NTP UDP packets, you should be all good.

If that doesn’t work check the firewall rules on the device using iptables -L and see if there’s any additional routing being done on UDP

Topic		Replies	Views
Redsocks proxy not working Project help network	21	4332	January 4, 2021
NTP Sync not Syncing? Product support	4	1142	September 20, 2017
Proxy configuration works but internet only working on host not in containers Product support	10	1368	April 13, 2018
Use custom NTP server(s) Product support hostos	12	2852	September 10, 2018
NTP Synchronization Product support	9	1164	July 9, 2018

NTP and Redsocks

Related topics