
zhura
Nick Howitt wrote:

By default OpenVPN runs on both udp:1194 and tcp:1194 in ClearOS. This is a bit of an odd concept. When you download your OpenVPN config file it is for UDP only. Longer term it is probably the intention to remove the tcp configuration but it is not really safe to do mid-release. You may as well close the firewall to tcp:1194

Can you please explain how to enable BOTH TCP and UDP connections to one ClearOS OpenVPN server? I have a ClearOS OpenVPN network working on UDP and am trying to connect from RouterOS 6.48, which can only use TCP, and upon connection I receive an RST from ClearOS. See screenshot.
In OpenVPN
Monday, February 08 2021, 06:06 AM
Responses (16)
  • zhura
    Friday, February 12 2021, 12:31 PM
    Nick Howitt wrote: Do an "iptables -nvL"

    I got it. Thanks.
  • Friday, February 12 2021, 11:39 AM
    You need more info to see what is going on. Do an "iptables -nvL". Copy the results from the terminal and paste between "code" tags (the piece of paper icon with a <> on it).
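    As an added illustration (not part of the thread, and not ClearOS code): an `iptables -nvL` listing is evaluated top to bottom, the first terminating rule (ACCEPT, DROP, REJECT) decides, and the chain policy only applies when nothing matched. That is why a set of "allow all" rules further down can coexist with a lost SSH session: an earlier rule already dropped the packet. The script below parses a constructed listing in the shape of `iptables -nvL` output (the sample, its counters, the `ovpn-in` chain and the `eth0` interface name are all made up) and reports the verdict for a new inbound connection to a given protocol and port.

```python
"""Walk an `iptables -nvL` listing the way the kernel does (first matching
terminating rule wins, jumps into user chains are followed, the chain policy
applies when nothing matched) and report the verdict for a new inbound
connection.  Added example for this thread, not ClearOS code; the sample
listing, its counters, chain and interface names are constructed."""
import re

# Constructed sample in the column layout of `iptables -nvL`: the
# "ACCEPT tcp dpt:1194" in the user chain never fires for new connections
# because the SYN-only DROP in INPUT wins first.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5000  300K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   12   720 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   40  2400 ovpn-in    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ovpn-in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Newer iptables builds print protocol numbers with -n; normalise them.
PROTO_NAMES = {"0": "all", "6": "tcp", "17": "udp"}
SYN = 0x02


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [...]}} from -nvL output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match text]
        chains[current]["rules"].append({
            "target": f[2],
            "prot": PROTO_NAMES.get(f[3], f[3]),
            "in": f[5],
            "extra": f[9] if len(f) > 9 else "",
        })
    return chains


def rule_matches(rule, proto, dport, iface):
    """Would a fresh connection (a lone SYN for tcp) hit this rule?"""
    if rule["prot"] not in ("all", proto) or rule["in"] not in ("*", iface):
        return False
    extra = rule["extra"]
    m = re.search(r"dpt:(\d+)", extra)
    if m and int(m.group(1)) != dport:
        return False
    m = re.search(r"dports (\S+)", extra)              # multiport match
    if m and str(dport) not in m.group(1).split(","):
        return False
    m = re.search(r"(?:ct)?state (\S+)", extra)        # conntrack state match
    if m and "NEW" not in m.group(1).split(","):
        return False
    m = re.search(r"flags:0x([0-9a-f]+)/0x([0-9a-f]+)", extra, re.I)
    if m:                                              # tcp flag mask/compare
        mask, want = int(m.group(1), 16), int(m.group(2), 16)
        if proto != "tcp" or (SYN & mask) != want:
            return False
    return True


def _walk(chains, name, proto, dport, iface):
    for idx, rule in enumerate(chains[name]["rules"], 1):
        if not rule_matches(rule, proto, dport, iface):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], f"{name}#{idx}"
        if rule["target"] == "RETURN":
            return None
        if rule["target"] in chains:                   # follow a jump into a user chain
            hit = _walk(chains, rule["target"], proto, dport, iface)
            if hit:
                return hit
        # LOG and other non-terminating targets: keep walking
    return None


def verdict(listing, proto, dport, iface="eth0", chain="INPUT"):
    """(verdict, 'chain#rule') for a new connection, or (policy, None)."""
    chains = parse_listing(listing)
    return _walk(chains, chain, proto, dport, iface) or (chains[chain]["policy"], None)


if __name__ == "__main__":
    for proto, port in (("udp", 1194), ("tcp", 1194), ("tcp", 22)):
        print(proto, port, "->", verdict(SAMPLE, proto, port))
```

    To use it on a real box, capture `iptables -nvL > rules.txt` and pass the file contents to `verdict()`; the returned `chain#rule` tells you which line to read. It only models a brand-new connection, so a rule that drops SYN-only packets shows up as the deciding rule even when an ACCEPT for the same port sits below it, which is exactly the situation worth spotting before blaming OpenVPN.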
  • zhura
    Friday, February 12 2021, 11:07 AM
    When I disable SSH port 22 I cannot access ClearOS by SSH, but in iptables I saw 4 "allow all" rules. How does it work???
  • Friday, February 12 2021, 10:54 AM
    You see that from time to time with different networking operations. I've no idea how normal it is and cannot investigate on any 5.x system.
  • zhura
    Friday, February 12 2021, 10:51 AM
    When I restart OpenVPN on ClearOS I see this...
    Is it normal? What does it mean?
  • Wednesday, February 10 2021, 10:14 AM
    Have a look at the OpenVPN parameter "client-to-client" but I don't know if it works between different instances of OpenVPN. Also note for routing, you need routes in both directions. You are showing the routes in the Mikrotik, but do the devices in the 10.10.x.0/24 subnets have routes back to 10.9.0.0/24?
  • zhura
    Wednesday, February 10 2021, 10:00 AM
    Nick Howitt wrote:
    I guess what you now need is lots of routes in the Mikrotik config to force traffic to 10.10.x.0/24 via 10.9.0.1. Similarly in the other tunnels you may need a route to force traffic to 10.9.0.0/24 via 10.8.0.1. You could "push" these routes from the server or hardcode them into the clients.
    RouterOS received routes from ClearOS when connecting to OpenVPN (on the screenshot).

    I'm having difficulties understanding how to route traffic between the 10.8.0.0 and 10.9.0.0 subnets :(

    Can different protocols (TCP & UDP) be the troubling point? Maybe ClearOS cannot route packets from UDP to TCP and back? Or OpenVPN itself...
  • Wednesday, February 10 2021, 09:41 AM
    Different instances of OpenVPN must have different subnets or OpenVPN will not know which interface to route the traffic out to.

    I guess what you now need is lots of routes in the Mikrotik config to force traffic to 10.10.x.0/24 via 10.9.0.1. Similarly in the other tunnels you may need a route to force traffic to 10.9.0.0/24 via 10.8.0.1. You could "push" these routes from the server or hardcode them into the clients.
  • zhura
    Wednesday, February 10 2021, 05:41 AM
    Nick Howitt wrote:
    Note that the ifconfig-pool-persist and status parameters should be different with each conf file. Also note that your OpenVPN is old and I don't know how compatible it is with current clients.

    Yes, they are different, but something is still wrong. See screenshots: why aren't there routes for the 10.9.0.0 subnet? Shouldn't those settings form them, just like the similar settings form routes for the 10.8.0.0 subnet?

    Do I really need to set up a different subnet on different OpenVPN instances (TCP & UDP)? Because routing to both subnets gives me some headache.
  • Monday, February 08 2021, 02:54 PM
    Note that the ifconfig-pool-persist and status parameters should be different with each conf file. Also note that your OpenVPN is old and I don't know how compatible it is with current clients.
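    An added check (not from the thread, and not ClearOS's or OpenVPN's own code) that encodes the constraints Nick raises across these replies for two server instances on one box: each instance must own its own tunnel subnet, its own ifconfig-pool-persist file and its own status file, and, for clients on one tunnel to reach the other, each instance should push the other's subnet. The two configs are constructed to match the thread's udp 10.8.0.0/24 and tcp 10.9.0.0/24 split; the file names, the `client-to-client` lines and the third, deliberately broken, config are made up for the demonstration.

```python
"""Sanity-check OpenVPN server configs that are meant to run as separate
instances on one box (here: one udp, one tcp).  Added example for this thread,
not ClearOS code; the three configs and their file names are constructed."""
import ipaddress
import itertools
import shlex

# Constructed udp instance on the thread's 10.8.0.0/24; it pushes the tcp
# instance's subnet so its clients send 10.9.0.x traffic into the tunnel.
UDP_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp-udp.txt
status openvpn-status-udp.log
client-to-client
push "route 10.9.0.0 255.255.255.0"
"""

# Constructed tcp instance on 10.9.0.0/24 with its own pool and status files.
TCP_CONF = """
port 1194
proto tcp
dev tun
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp-tcp.txt
status openvpn-status-tcp.log
client-to-client
push "route 10.8.0.0 255.255.255.0"
"""

# Constructed broken variant: reuses the udp instance's subnet and status file.
BAD_TCP_CONF = """
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp-tcp.txt
status openvpn-status-udp.log
push "route 10.8.0.0 255.255.255.0"
"""


def parse_conf(text):
    """{directive: [args, ...]}; repeated directives such as push accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)
        conf.setdefault(words[0], []).append(words[1:])
    return conf


def first(conf, key, default):
    """Single-valued directive, falling back to OpenVPN's own default."""
    return conf[key][0][0] if key in conf else default


def server_net(conf):
    net, mask = conf["server"][0][:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def pushed_routes(conf):
    """Subnets this instance tells its clients to send through the tunnel."""
    routes = set()
    for args in conf.get("push", []):
        words = " ".join(args).split()
        if words[:1] == ["route"] and len(words) >= 3:
            routes.add(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return routes


def check_instances(texts):
    """Return human-readable problems for a set of server configs; [] is clean."""
    confs = [parse_conf(t) for t in texts]
    problems = []
    for (i, a), (j, b) in itertools.combinations(enumerate(confs, 1), 2):
        listen_a = (first(a, "proto", "udp"), first(a, "port", "1194"))
        listen_b = (first(b, "proto", "udp"), first(b, "port", "1194"))
        if listen_a == listen_b:
            problems.append(f"instances {i} and {j} both listen on {listen_a[0]}:{listen_a[1]}")
        na, nb = server_net(a), server_net(b)
        if na.overlaps(nb):
            problems.append(f"instances {i} and {j} share tunnel subnet space ({na} vs {nb})")
        for key in ("ifconfig-pool-persist", "status"):
            if key in a and key in b and first(a, key, None) == first(b, key, None):
                problems.append(f"instances {i} and {j} share the same {key} file {first(a, key, None)}")
        if nb not in pushed_routes(a):
            problems.append(f"instance {i} does not push a route for {nb}")
        if na not in pushed_routes(b):
            problems.append(f"instance {j} does not push a route for {na}")
    return problems


if __name__ == "__main__":
    print("udp+tcp:", check_instances([UDP_CONF, TCP_CONF]) or "ok")
    print("udp+bad:", check_instances([UDP_CONF, BAD_TCP_CONF]))
```

    Run it against real files with `check_instances([open(p).read() for p in paths])`. It covers only what the server configs themselves can show: whether traffic actually crosses from one tunnel to the other still depends on the ClearOS box forwarding between the two tun interfaces and on the return routes Nick mentions on the devices behind each client.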
  • zhura
    Monday, February 08 2021, 02:30 PM
    Nick Howitt wrote:
    Have you opened the incoming firewall to tcp:1194?
    Of course. But I did it through the web interface, then suddenly found many more rules in iptables, some of which were causing trouble, like dropping all incoming TCP SYN packets... epic default settings, I think ))

    Please note that ClearOS 5.2 is antique and should not be used in production. It has not had any updates for years and should be considered as insecure. It certainly has not been patched for Spectre or the recent SSH vulnerability.
    Maybe that is actually the case...

    Now I have successfully established a TCP OpenVPN tunnel, but I still cannot ping any host behind it :( Continuing to dig through RTFM and other log-smoking procedures :)
  • Monday, February 08 2021, 11:57 AM
    Have you opened the incoming firewall to tcp:1194?

    Please note that ClearOS 5.2 is antique and should not be used in production. It has not had any updates for years and should be considered as insecure. It certainly has not been patched for Spectre or the recent SSH vulnerability.
  • Monday, February 08 2021, 11:54 AM
    Messages aren't disappearing. As a new user they are automatically moderated for the first few posts. Your posts should now appear immediately.
  • zhura
    Monday, February 08 2021, 11:38 AM
    My messages here are strangely disappearing...
  • zhura
    Monday, February 08 2021, 10:24 AM
    Nick Howitt wrote:
    I've deleted your posts to the other thread.
    Yes, thanks. I was a bit lost in this forum at first.
    AFAIK the OpenVPN tcp config should be running automatically. What version of ClearOS are you running? What does "ls /etc/openvpn/*.conf" show?

    ClearOS Enterprise 5.2
    /etc/openvpn/clients.conf /etc/openvpn/server.conf
    I've only just added server.conf. In it I've changed "proto udp" to "proto tcp" and 10.8.0.0 to 10.9.0.0.
    When I manually start OpenVPN with server.conf I see the correct SYN ACK on RouterOS, but the tunnel doesn't form. Now going to dig through the logs for some clues.

    Thanks for the answer. I may be in need of further help anytime soon...
  • Monday, February 08 2021, 09:46 AM
    I've deleted your posts to the other thread.

    AFAIK the OpenVPN tcp config should be running automatically. What version of ClearOS are you running? What does "ls /etc/openvpn/*.conf" show?