Yes, another OpenVPN newbie. I've set up a CentOS 6 server with OpenVPN 2.1.1. It's set up as a tunnel to allow clients access to the host machine, and a network that the host machine is also a head-node for (a cluster). There are a few other devices on the network as well. The head-node with OpenVPN has eth0 / eth1:
eth0 - to network - 10.10.10.10 (network is 10.10.10.0 / 255.255.255.0)
eth1 - to internet - 192.168.1.220 (network is 192.168.1.0 / 255.255.255.0), this is then forwarded through my home router to the internet where I can attach to it via a different IP address
In a nutshell, I can ping all systems EXCEPT the gateway in the network. I can ssh to all CentOS systems, but no appliances (even if I can ping the appliances). I can open web browsers to some appliances but not all.
I'm curious if this is a simple gateway configuration issue. Does my OpenVPN server also have to be a gateway for devices that require a gateway in order to have a valid configuration? Or, can my gateway (that is not the VPN server) set up routes to handle this? I sort of assume this is because those particular devices can't find a valid route back and I can't go in and modify the routes as they are appliances?
A few more details:
I am using Tunnelblick from my Mac to reach 192.168.1.220. I can connect and talk to the head node via its eth1 interface:
ssh x@10.10.10.10 connects
I can also talk to any of my CentOS systems on the network
ssh x@10.10.10.20 connects
I can ping "just about" anything on the network, here is a pdu:
Paul-Mondays-iMac:~ pmonday$ ping 10.10.10.105
PING 10.10.10.105 (10.10.10.105): 56 data bytes
64 bytes from 10.10.10.105: icmp_seq=0 ttl=254 time=9.534 ms
64 bytes from 10.10.10.105: icmp_seq=1 ttl=254 time=5.998 ms
I can also ping other infrastructure, but curiously, not the gateway at 10.10.10.251. This is an older CentOS machine, perhaps I have an issue with its setup:
Paul-Mondays-iMac:~ pmonday$ ping 10.10.10.251
PING 10.10.10.251 (10.10.10.251): 56 data bytes
Request timeout for icmp_seq 0
Back to 10.10.10.105 though, I cannot ssh into the PDU nor hit the Web interface, or several other "appliances" on the network, like one of our switch management ports.
Here are the server routing entries:
[root@pg73-v0 openvpn]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
...
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
...
And ifconfig:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1784 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1261 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:121487 (118.6 KiB)  TX bytes:633767 (618.9 KiB)
When I look at a log from a node, if my Mac's VPN address is 10.8.0.6, the secure log gives it as the address:
Accepted publickey for x from 10.8.0.6 port 55488 ssh2
So far so good.
Here is the server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/pg73-v0.crt
key /etc/openvpn/easy-rsa/2.0/keys/pg73-v0.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route 10.10.10.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Some hosts accessible, others, not so much
Posted by OpenVpn Newbie (Posts: 1, Joined: Wed May 02, 2012 9:04 pm)
Reply by maikcat, Forum Team (Posts: 4200, Joined: Wed Jan 12, 2011 9:23 am, Location: Athens, Greece)
Re: Some hosts accessible, others, not so much
hi there,
cluster?... just curious, what components are you using? drbd/heartbeat?
how many NICs does your server have? only 2?
please post the output of:
ifconfig
netstat -nr
iptables -L -t nat -v
iptables -L -v
sestatus
and yes you MUST configure routing on your network accordingly so that
you can access the vpn subnet..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
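The routing requirement in maikcat's reply, worked through as an added example (this is not code from the thread or from the OpenVPN project). It assumes the addresses the original post gives: VPN subnet 10.8.0.0/24 behind the OpenVPN server at 10.10.10.10, LAN 10.10.10.0/24, LAN gateway 10.10.10.251. The two routing tables below are constructed samples in the shape of `netstat -nr` / `route` output, not captured from the poster's gateway; the checker reports whether a table carries a return route for the VPN subnet, and `return_route_cmds` prints the static route on the LAN gateway (plus IP forwarding on the server) that such a table is missing. Appliances that cannot hold their own routes send replies for 10.8.0.0/24 to their default gateway, so the gateway is where the return route has to live.

```shell
#!/bin/sh
# Added example: check a routing table for the return route to the VPN subnet.
# Addresses are the ones from the thread; everything else is an assumption.
VPN_NET=10.8.0.0
VPN_MASK=255.255.255.0
VPN_SERVER_LAN_IP=10.10.10.10
LAN_GATEWAY=10.10.10.251

# Constructed sample: LAN gateway table WITHOUT a route back to 10.8.0.0/24.
# 203.0.113.1 is a documentation-range placeholder for the upstream next hop.
GATEWAY_ROUTES_BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth1'

# Constructed sample: the same table after the static route has been added.
GATEWAY_ROUTES_FIXED='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.0        10.10.10.10     255.255.255.0   UG        0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth1'

# has_route TABLE DESTINATION GENMASK: prints the next hop of the matching
# entry (empty output when no entry matches).
has_route() {
  printf '%s\n' "$1" | awk -v d="$2" -v m="$3" '$1 == d && $3 == m { print $2 }'
}

# diagnose TABLE: "missing" when the VPN subnet has no return route,
# otherwise "ok via <next hop>".
diagnose() {
  hop=$(has_route "$1" "$VPN_NET" "$VPN_MASK")
  if [ -z "$hop" ]; then
    echo missing
  else
    echo "ok via $hop"
  fi
}

# return_route_cmds: the configuration the reply calls for, printed rather
# than executed so this runs unprivileged. Run the first line on the OpenVPN
# server (it must forward between tun0 and eth0) and the second on the LAN
# gateway, using the same route(8) syntax the poster's CentOS 6 box uses.
return_route_cmds() {
  printf 'sysctl -w net.ipv4.ip_forward=1   # on the OpenVPN server %s\n' "$VPN_SERVER_LAN_IP"
  printf 'route add -net %s netmask %s gw %s   # on the LAN gateway %s\n' \
    "$VPN_NET" "$VPN_MASK" "$VPN_SERVER_LAN_IP" "$LAN_GATEWAY"
}

# Stand-alone run: show the diagnosis for both sample tables.
echo "before: $(diagnose "$GATEWAY_ROUTES_BROKEN")"
echo "after:  $(diagnose "$GATEWAY_ROUTES_FIXED")"
return_route_cmds
```

Because the server's own table already has 10.8.0.0/24 via tun0 (shown in the post), the check is only meaningful when run against the gateway's table and against any host that has its own routing table; the appliances inherit whatever the gateway does. A `netstat -nr` from 10.10.10.251, which the reply asks for, is the input this script is meant to take.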