Define servers for synchronization in /etc/ntp.conf:

server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server time.nist.gov
server 127.127.1.0     # local clock
fudge 127.127.1.0 stratum 10

NTP clients reject servers with high stratum values:

$ ntpdate -q ntp.domain.com
server x.x.x.x, stratum 16, offset 0.0035, delay 0.042
ntpdate[2]: no server suitable for synchronization found

After a restart, the NTP server reports the maximum stratum of 16. After a while, it sets its stratum to that of the local clock plus one, so we can improve the reported stratum by assigning a lower value, say 5, in the fudge statement above. After a long while, once synchronization has settled, the server sets its stratum to that of the best synchronization source plus one. Since we use time.nist.gov, the stratum will be 2, and clients should finally accept us.
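
The stratum check described above can be scripted so that clients are pointed at the server only once it reports a usable stratum. This is an added example, not part of the original notes; the function names and the sample output (including the 192.0.2.10 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ntpdate -q` result lines by stratum.
# Stratum 1-15 is usable by clients; 0 or 16 means unsynchronized.

# classify_ntpdate: reads `ntpdate -q` output on stdin and prints
# "<server> <stratum> usable|unsynchronized" for each server line.
classify_ntpdate() {
    awk '
        $1 == "server" && $3 == "stratum" {
            srv = $2; sub(/,$/, "", srv)
            st  = $4; sub(/,$/, "", st)
            if (st !~ /^[0-9]+$/) next      # skip malformed lines
            n = st + 0                      # force numeric comparison
            verdict = (n >= 1 && n <= 15) ? "usable" : "unsynchronized"
            print srv, n, verdict
        }'
}

# ntp_ready: exit status 0 if at least one queried server is usable.
ntp_ready() {
    classify_ntpdate | grep -q ' usable$'
}

# Constructed sample: right after the server restart (stratum 16).
SAMPLE_BOOT='server 192.0.2.10, stratum 16, offset 0.0035, delay 0.042
ntpdate[2]: no server suitable for synchronization found'

# Constructed sample: after synchronization with a stratum 1 source.
SAMPLE_SETTLED='server 192.0.2.10, stratum 2, offset 0.0012, delay 0.041'

printf '%s\n' "$SAMPLE_BOOT"    | classify_ntpdate
printf '%s\n' "$SAMPLE_SETTLED" | classify_ntpdate

# Live use (hostname from the example above):
#   ntpdate -q ntp.domain.com | ntp_ready && echo "server is usable"
```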

Allow access from our internal network:

restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap

Run on boot:

chkconfig ntpd on
service ntpd restart

Check synchronization:

ntpq -p
ntpq -c rv
ntpdc -c sysstats

Set clients to synchronize to our server via /etc/ntp.conf:

server 172.16.162.57

Using a VPN address for the NTP server has the drawback that clients cannot start synchronizing until OpenVPN comes up. We can safely use the external address instead.