
Using a Docker NTP Server for Local Cameras Without Internet Access

Overview

This guide explains how to set up a local NTP (Network Time Protocol) server using Docker. This is useful for security cameras (e.g., TP-Link Tapo) that are not connected to the internet, ensuring they maintain the correct time without external servers.

Why This Is Needed

  1. Cameras Without Internet Access: If your cameras are blocked from the internet, they cannot sync time with online NTP servers.
  2. Preventing Timestamp Issues: Incorrect timestamps can cause problems in logs, video recordings, and motion detection features.
  3. Centralized Local Time Syncing: A local NTP server ensures all network devices maintain accurate time without relying on external sources.
  4. Security & Privacy: Prevents devices from contacting external NTP servers that may leak metadata about your network.

Step 1: Deploy a Docker-Based NTP Server

We will use cturra/ntp, a lightweight NTP server in a Docker container.

1.1 Run the NTP Server Container

Execute the following command on your Docker host:

docker run -d --name ntp-server \
  --restart unless-stopped \
  --net=host \
  --cap-add=SYS_TIME \
  cturra/ntp

Explanation of Flags:

  • --net=host → Uses the host network stack, so the server listens on UDP port 123 on the host's own IP address.
  • --cap-add=SYS_TIME → Grants the container the capability to set the host's system clock.
  • --restart unless-stopped → Restarts the container automatically unless it has been stopped manually.

1.2 Verify the NTP Server

Check if the NTP server is running:

docker logs ntp-server

Test the NTP server from a client device:

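ntpdate -q <Docker-Host-IP>

You should see the server's address, stratum, offset and delay. The cturra/ntp image runs chrony, which does not answer ntpq's control queries, so ntpq -p times out against it.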
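A further check from any client with Python 3, added here as an example (it is not part of the original guide or of the cturra/ntp project): it sends one NTP client request and decodes the reply, flagging a server that answers but is itself unsynchronized (leap indicator 3 or stratum 0/16), which is the failure to watch for when cameras are forced onto a single local time source. The function names and the sample reply are constructed for this example.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def _unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix seconds."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def parse_reply(packet, t1, t4):
    """Decode a server reply; t1/t4 are the client's send/receive times (Unix)."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    f = struct.unpack("!BBbb3I8I", packet[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    t2, t3 = _unix(f[11], f[12]), _unix(f[13], f[14])  # server receive / transmit
    return {
        "stratum": stratum,
        "leap": leap,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # server time minus client time
        "delay": (t4 - t1) - (t3 - t2),          # round trip minus server processing
        # Leap 3 or stratum 0/16 means the server itself has no valid time source.
        "synchronized": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def build_sample_reply(t2, t3, stratum=3, leap=0):
    """Constructed reply (VN=4, Mode=4) for offline checks; not captured traffic."""
    def words(t):
        t += NTP_EPOCH_DELTA
        return int(t), int((t % 1) * 2**32)
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack("!BBbb3I8I", flags, stratum, 6, -20, 0, 0, 0,
                       0, 0, 0, 0, *words(t2), *words(t3))

def query(server, timeout=2.0):
    """Send one client request (LI=0, VN=4, Mode=3) to UDP port 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(b"\x23" + 47 * b"\0", (server, 123))
        packet, _ = sock.recvfrom(512)
        return parse_reply(packet, t1, time.time())

if __name__ == "__main__":
    # Usage: python3 ntp_check.py <Docker-Host-IP>   (file name is an assumption)
    print(query(sys.argv[1]))
```

A result with "synchronized": False means the container is reachable but has not locked onto any time source of its own, so cameras pointed at it would not receive trustworthy time.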


Step 2: Configure Cameras to Use the Local NTP Server

Many IP cameras allow setting a custom NTP server. If possible:

  1. Log into your camera's admin interface.
  2. Navigate to Time Settings.
  3. Set the NTP server to your Docker host's local IP address, e.g., 192.168.1.100.

If the camera does not allow manual NTP settings, proceed to Step 3.


Step 3: Redirect NTP Requests to the Local Server (If Camera Cannot Be Configured)

Some cameras hardcode external NTP servers. To ensure they sync time locally, redirect NTP traffic to your Docker NTP server.

3.1 Using pfSense (Firewall NAT Rule)

  1. Log into your pfSense Web Interface.
  2. Go to Firewall > NAT > Port Forward.
  3. Click Add to create a new rule:
       • Interface: LAN
       • Protocol: UDP
       • Source: Any (or limit to your camera subnet)
       • Destination Port: 123 (NTP)
       • Redirect Target IP: 192.168.1.100 (Docker NTP server)
       • Redirect Target Port: 123
  4. Save & Apply

Now, any device trying to reach external NTP servers will be redirected to your local NTP server.

3.2 Alternative: Using IPTables on Linux Router

If using a Linux-based router, execute:

iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 192.168.1.100

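This rewrites the destination of every UDP port 123 packet that passes through the router, so all forwarded NTP requests go to the local Docker NTP server. As with the pfSense rule, it can be limited to the camera subnet with a source match.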


Step 4: Test Camera Time Synchronization

After setting up the NTP server and redirecting traffic:

  1. Reboot the camera.
  2. Check the timestamp on recordings to ensure it's accurate.
  3. If needed, use tcpdump on your router to verify NTP traffic:

tcpdump -i any port 123

If the camera is correctly querying the local NTP server, the setup is successful.


Conclusion

This setup ensures that cameras without internet access maintain correct time using a local NTP server running in Docker. The method applies to pfSense and other firewall solutions, making it adaptable to various network setups. If your cameras do not allow manual NTP configuration, firewall redirection is the best approach.

By following this guide, you ensure that security cameras remain time-synchronized without exposing them to the internet.