Right, after a fair amount of examination, it appears as if there is something strange going on with DNS through the tunnel.
Imagine the following scenario:
Server A:
  www.srva.com = 192.168.3.0/24 - 192.168.3.222
Server B:
  www.srvb.com = 192.168.5.0/24 - 192.168.5.222
If a client 192.168.3.15 on the server A side pings the IP address 192.168.5.220 on the server B side:
ServerA-eth0 shows request going from 192.168.3.15 to 192.168.5.220
ServerA-tun0 shows request going from 192.168.3.15 to 192.168.5.220
ServerB-tun0 shows request going from 192.168.3.15 to pc-00220.srvb.com
ServerB-eth0 shows nothing because there is no pc-00220.srvb.com
If a client 192.168.5.220 on the server B side pings the IP address 192.168.3.15 on the server A side:
ServerB-eth0 shows request going from 192.168.5.220 to 192.168.3.15
ServerB-tun0 shows request going from 192.168.5.220 to 192.168.3.15
ServerA-tun0 shows request going from 192.168.5.220 to pc-00015.srva.com
ServerA-eth0 shows nothing because there is no pc-00015.srva.com
It appears to be a DNS problem from tunneling. I don't really know where to look from here; any pointers would be appreciated.
My server.conf file is:
###########server.conf##################
# server.conf, see http://openvpn.net/howto.html
# either use remote, or use mode server
## remote
remote XX.XX.XX.XXX
ifconfig 192.168.0.1 192.168.0.2
proto udp
port 1194
#optional what address to listen to
#local 213.4.3.1
dev tun
tls-server
# 1024-bit DH parameters are weak by current standards; use 2048-bit or larger when regenerating
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key #should be kept secret
#secret static.key #you could do without certificates, please don't
comp-lzo # Enable compression on the VPN link.
# note: compressing traffic that mixes secrets with attacker-chosen data leaks information (VORACLE); leave it off unless needed
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 5
#client-to-client
#########################################
My server openvpn.up script is:
###########################
#!/bin/sh
#on server route the remote network to the other side's tun-ip
#(the gateway is the peer endpoint from the ifconfig line, 192.168.0.2, not this side's own 192.168.0.1)
#you should add this route in sme7 server-manager or it will disappear
route add -net 192.168.60.0 netmask 255.255.255.0 gw 192.168.0.2
#let openvpn traffic in and out (not needed on sme due to service)
#iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
#iptables -A OUTPUT -p udp -s 2.3.4.5 --sport 1194 -j ACCEPT
#traffic over the tunnel to the server itself (only icmp for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
#(forwarding also needs net.ipv4.ip_forward=1; this rule covers tun->lan, the reply path lan->tun is handled by the default policy)
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################
My client.conf file is:
###########client.conf##################
#client.conf
#remote 58.6.124.108 1194
##either use "ifconfig" or use "client". When remote uses "server",
#client should use "client"
##only use ifconfig if server also uses "remote".
ifconfig 192.168.0.2 192.168.0.1
#client
proto udp
dev tun
tls-client
#with both of the following commented out, the client accepts any certificate signed by ca.crt as the server,
#including another client's; enable one of them once the server cert carries the right attribute
#ns-cert-type server #todo in cert make step
#remote-cert-tls server
#dh is only used by a tls-server and is ignored here
dh dh1024.pem
ca ca.crt
cert client.crt
key client.key
comp-lzo
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 6
#########################################
My client openvpn.up script is:
###########################
#!/bin/sh
#on client route the remote network to the other side's tun-ip
#(the gateway is the peer endpoint from the ifconfig line, 192.168.0.1, not this side's own 192.168.0.2)
#you should add this route in server-manager as well or it will disappear on sme7
route add -net 192.168.59.0 netmask 255.255.255.0 gw 192.168.0.1
#let openvpn traffic in and out
#(matching only on port 1194 accepts any UDP from that source port; add -s/-d with the peer address to tighten it)
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
#traffic over the tunnel to the server itself (only icmp for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################
I am really starting to pull my hair out over this one, and starting to think about investing some time with IPsec.... or at the pub.... or both!!
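Two checks worth running before treating this as a DNS fault through the tunnel, added here as an example and not part of the original post. First, tcpdump replaces addresses with names by default by doing a reverse lookup on the host running the capture; run it with `-n` (`tcpdump -n -i tun0 icmp`) and the hostname disappears, because the packet itself carries only 32-bit addresses. The constructed Python below builds the echo request from the scenario, decodes it, and labels it both ways; the reverse-name table is an assumption standing in for whatever PTR record the resolver on ServerB returned. Second, "seen on tun0, nothing on eth0" is a forwarding question rather than a name one: check `/proc/sys/net/ipv4/ip_forward` and `iptables -L FORWARD -v -n` on that box, and confirm the routes the up scripts install (192.168.59.0/24 and 192.168.60.0/24 above) actually match the LANs in the scenario (192.168.3.0/24 and 192.168.5.0/24).

```python
import socket
import struct

# Constructed sample, not a real capture: the two hosts from the scenario.
SRC = "192.168.3.15"
DST = "192.168.5.220"
# Assumption: stands in for the PTR record the capturing host's resolver returns.
PTR_TABLE = {DST: "pc-00220.srvb.com"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int = 0x1234, seq: int = 1,
                       payload: bytes = b"hello") -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request, i.e. what `ping` emits."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    # version 4 / IHL 5, TOS 0, length, id 0, no fragmentation, TTL 64, protocol 1 (ICMP), checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header. Note there is no hostname field to decode."""
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        # summing the header including its checksum field yields 0 when intact
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def display_endpoint(addr: str, resolve: bool, ptr_table: dict = PTR_TABLE) -> str:
    """How a capture tool labels an address: numeric with -n, otherwise via a reverse lookup.
    The lookup here is against the constructed table so the example runs offline;
    tcpdump asks the capturing host's resolver instead."""
    if not resolve:
        return addr
    return ptr_table.get(addr, addr)


def summarize(pkt: bytes, resolve: bool) -> str:
    """One tcpdump-style line for the packet, with or without name resolution."""
    h = parse_ipv4(pkt)
    return "IP %s > %s: ICMP echo request" % (
        display_endpoint(h["src"], resolve), display_endpoint(h["dst"], resolve))


if __name__ == "__main__":
    pkt = build_echo_request(SRC, DST)
    print(summarize(pkt, resolve=True))   # what tcpdump shows by default
    print(summarize(pkt, resolve=False))  # what tcpdump -n shows
    print(parse_ipv4(pkt))
```

The same bytes produce both lines; only the label changes, which is why the hostname in the ServerB capture says nothing about what the tunnel did to the packet.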