ClearFoundation

I have searched for months trying to find enough info to get this working but I am now as far as I can go without help.

The scenario is simple 2 ClearOS boxes connected to each other with OpenVPN.

On both servers I can successfully fire up "openvpn -config /blah/blah/blah.ovpn" they connect and I know it's up because I can ping from "putty / the console" to the corresponding lans on the far end and if I check "netstat -rn" I see the routes that OpenVpn is pushing.

The Problem--
Computers on the respective lans cannot ping IPs on the corresponding far end. I have tried adding routes to eth1 (my lan) telling it "192.168.x.0/24 via 10.8.x.5 via tun1" and I don't understand why that doesn't fix it or why the route pushed by OpenVPN isn't enough. I have also tried other variations (changing the via and dev) of the route on all interfaces to no avail.


Much obliged to any and all who help!!

Where is 10.8.x.5? Is it the furthest OpenVPN point that your local LAN knows about - i.e. effectively the ClearOS box at the other end?

What is the route command you are using. I think it should be something like:I don't think you need to specify the interface (e.g. "dev tun1" or "dev tun0")

What is the output to "route -n"?

The 10.8.x.5 is the OpenVPN address for the "client" box as assigned by the other box.

As far as route command I was just adding routes manually in "/etc/sysconfig/networking-scripts/" and then cycling the interfaces.

I just tried adding the route as you suggested and got an affirmative "File exists" but unfortunately I still couldn't ping the far end from pc's in the "client" box's local lan. The strange part to me is that the "client" box itself can ping IPs on the the far end.

From ClearOS can you give the result of a "traceroute" to a far LAN IP?

192.168.36.24 = a device on the far end lan
10.36.0.1 = OpenVPN server on far end box


traceroute 192.168.36.24
traceroute to 192.168.36.24 (192.168.36.24), 30 hops max, 40 byte packets
1 10.36.0.1 (10.36.0.1) 11.761 ms 12.034 ms 12.967 ms
2 192.168.36.24 (192.168.36.24) 13.723 ms 2.447 ms 1.585 ms

If you're adding a route I believe it should have a gateway of 10.36.0.1 so something like:
What is the output of "route -n"?

Also you may want to check a "tracert 192.168.36.24" from one of your LAN PC's.

I get "SIOCADDRT: Network is unreachable"

I forgot to mention that I am also unable to hit IPs in the 10.36.0.0/24 (OpenVPN) range from the client box's lan either but I can from the client box's console.

... and the output to "route -n" and the LAN tracert?

Are you remembering that any for any addition you make to the local routing table you'll probably have to make something similar at the remote end?

Here is the route -n I forgot.

This one is with the tunnel down

Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
98.x.x.0 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.22.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 98.x.x.x 0.0.0.0 UG 0 0 0 eth0

This one is with the tunnel up

Destination Gateway Genmask Flags Metric Ref Use Iface
10.36.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
98.x.x.x 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.22.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.36.0 10.36.0.9 255.255.255.0 UG 0 0 0 tun1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.36.0.0 10.36.0.9 255.255.255.0 UG 0 0 0 tun1
0.0.0.0 98.x.x.x 0.0.0.0 UG 0 0 0 eth0


Here is the tracert from a pc in the lan. It stops at the lan gateway

Tracing route to 192.168.36.24 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 98.X.X.X [192.168.22.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.

I haven't tried to add routes to the far end b/c I didn't think they would be neeeded since it doesn't need routes for standalone OpenVPN clients and ultimately the far site is going to see everything as coming from the clients boxes IP and from what I can see the problem is getting out of the client's lan first. If it was timing out after hitting the OpenVPN gateway then I would think routes on the far end need added.

That said I clearly don't know how to accomplish my goal so let's throw out what I think and go with what you think

I'm puzzled. It looks like you already have a route to 192.168.36.0/24 via 10.36.0.9. I don't know the OpenVPN site-to-site set up and I can't fathom what it is not doing. Other people e.g. here have got it going successfully. You may want to post a help request into his thread.

The other thing I am wondering about is firewall rules. Do you have a default allow all out or block all out rule? Can you also give me the output of:Please put the output between [ code ] and [ /code ] tags (removing the spaces between the [ and ]).