routing over a vpn network (tinc)

 
 
Clark Rawlins
08-30-2003, 12:27 PM
I've got two networks using private ip blocks
192.168.1.0/24 and 192.168.0.0/24.

The nat is on network 192.168.254.0/24
From router a I can ping 192.168.254.1 and from router b I can ping
192.168.254.2. But from router a I can't ping 192.168.0.1 or any other
address in the 192.168.0.0/24 network. And the same from b, I can't
ping 192.168.1.1 or anything in the 192.168.1.0/24 network.

I've gone over the routing tables over and over and can't see any
problems there. I don't think I need any of the advanced routing stuff
(I may be wrong). It doesn't seem that my iptables configuration
prevents packets from getting where they need to be, so I think I am
missing something simple.

Any ideas?
Is there more information to consider?

Clark

The two routers are set up like this:
Router A (192.168.1.0/24)

# ifconfig
vpn Link encap:Ethernet HWaddr 00:FF:D0:1B:1C:66
inet addr:192.168.254.2 Bcast:192.168.254.255 Mask:255.255.255.0
inet6 addr: fe80::2ff:d0ff:fe1b:1c66/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6432 errors:0 dropped:0 overruns:0 frame:0
TX packets:6201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2514291 (2.3 MiB) TX bytes:1165183 (1.1 MiB)

eth0 Link encap:Ethernet HWaddr 00:40:33:D2:B1:16
inet addr:xx.xxx.xx.144 Bcast:255.255.255.255 Mask:255.255.248.0
inet6 addr: fe80::240:33ff:fed2:b116/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1840566 errors:0 dropped:48 overruns:0 frame:0
TX packets:137261 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:260679719 (248.6 MiB) TX bytes:12666278 (12.0 MiB)
Interrupt:3 Base address:0x7f00

eth1 Link encap:Ethernet HWaddr 00:07:95:FF:8B:2C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::207:95ff:feff:8b2c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2686000 errors:0 dropped:0 overruns:0 frame:0
TX packets:2350171 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1749459536 (1.6 GiB) TX bytes:951750009 (907.6 MiB)
Interrupt:5 Base address:0xd000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:67579 errors:0 dropped:0 overruns:0 frame:0
TX packets:67579 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14012214 (13.3 MiB) TX bytes:14012214 (13.3 MiB)

# iptables-save
# Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
*nat
:PREROUTING ACCEPT [29828:10374173]
:POSTROUTING ACCEPT [2056:213995]
:OUTPUT ACCEPT [3757:337440]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Aug 30 07:06:39 2003
# Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
*mangle
:PREROUTING ACCEPT [479813:295971745]
:INPUT ACCEPT [2140284:1747050100]
:FORWARD ACCEPT [169734:129748097]
:OUTPUT ACCEPT [360371:180304635]
:POSTROUTING ACCEPT [2304498:942555051]
COMMIT
# Completed on Sat Aug 30 07:06:39 2003
# Generated by iptables-save v1.2.8 on Sat Aug 30 07:06:39 2003
*filter
:INPUT ACCEPT [360209:192411181]
:FORWARD ACCEPT [91277:93385353]
:OUTPUT ACCEPT [360380:180305791]
-A INPUT -i eth0 -p tcp -m tcp --dport 79 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 705 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 32769 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 901 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 37 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 840 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 9 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 843 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 843 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 13 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 79 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 850 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 627 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 2809 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 953 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 666 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 32768 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 9 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 699 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 702 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 960 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 836 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 68 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 69 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 838 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 841 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 847 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 624 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 847 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/255.255.255.0 -j LOG
-A FORWARD -s 192.168.0.0/255.255.255.0 -j LOG
COMMIT
# Completed on Sat Aug 30 07:06:39 2003


Router B
# ifconfig
vpn Link encap:Ethernet HWaddr 00:FF:E4:FC:DB:08
inet addr:192.168.254.1 Bcast:192.168.254.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6362 errors:0 dropped:0 overruns:0 frame:0
TX packets:6711 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1159840 (1.1 MiB) TX bytes:2539153 (2.4 MiB)

eth0 Link encap:Ethernet HWaddr 00:05:5D:CF:1C:6D
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13498396 errors:0 dropped:0 overruns:0 frame:0
TX packets:11723006 errors:3 dropped:0 overruns:0 carrier:6
collisions:5742144 txqueuelen:100
RX bytes:2401637781 (2.2 GiB) TX bytes:3190561402 (2.9 GiB)
Interrupt:10 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
inet addr:yyy.yy.yyy.254 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8792069 errors:0 dropped:0 overruns:0 frame:0
TX packets:4438177 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2216349584 (2.0 GiB) TX bytes:808343263 (770.8 MiB)
Interrupt:11 Base address:0x4000

eth1:225 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
inet addr:yyy.yy.yyy.225 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x4000

eth1:253 Link encap:Ethernet HWaddr 00:05:5D:CF:20:3E
inet addr:yyy.yy.yyy.253 Bcast:yyy.yy.yyy.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:15290709 errors:0 dropped:0 overruns:0 frame:0
TX packets:15290709 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1363158918 (1.2 GiB) TX bytes:1363158918 (1.2 GiB)

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.191.191.0 192.168.0.220 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 192.168.254.2 255.255.255.0 UG 0 0 0 vpn
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
yyy.yy.yyy.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn
0.0.0.0 yyy.yy.yyy.1 0.0.0.0 UG 0 0 0 eth1

# iptables-save
# Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
*mangle
:PREROUTING ACCEPT [26525:3817063]
:INPUT ACCEPT [18181752:1854615422]
:FORWARD ACCEPT [13077333:7771031160]
:OUTPUT ACCEPT [12826:1870928]
:POSTROUTING ACCEPT [30857308:9429427029]
COMMIT
# Completed on Sat Aug 30 06:27:48 2003
# Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
*filter
:INPUT ACCEPT [17632:2252725]
:FORWARD ACCEPT [8895:1564442]
:OUTPUT ACCEPT [12598:1840741]
-A INPUT -s yyy.yy.yyy.69 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 209.25.210.70 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
COMMIT
# Completed on Sat Aug 30 06:27:48 2003
# Generated by iptables-save v1.2.6a on Sat Aug 30 06:27:48 2003
*nat
:PREROUTING ACCEPT [9655:1116649]
:POSTROUTING ACCEPT [925:82046]
:OUTPUT ACCEPT [635:66834]
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 42 -j DNAT --to-destination 192.168.0.2:42
-A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 42 -j DNAT --to-destination 192.168.0.2:42
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 43 -j DNAT --to-destination 192.168.0.2:43
-A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 43 -j DNAT --to-destination 192.168.0.2:43
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.2:53
-A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.2:53
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.2:110
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5631 -j DNAT --to-destination 192.168.0.49:5631
-A PREROUTING -d yyy.yy.yyy.254 -p udp -m udp --dport 5632 -j DNAT --to-destination 192.168.0.49:5632
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.15:5900
-A PREROUTING -d yyy.yy.yyy.254 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 192.168.0.17:5432
-A PREROUTING -d yyy.yy.yyy.253 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.17:80
-A PREROUTING -d yyy.yy.yyy.225 -p tcp -j DNAT --to-destination 192.168.254.2
-A PREROUTING -d yyy.yy.yyy.225 -p udp -j DNAT --to-destination 192.168.254.2
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 42 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 42 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 43 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 43 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 53 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p udp -m udp --dport 53 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.2 -p tcp -m tcp --dport 110 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.49 -p tcp -m tcp --dport 5631 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.49 -p udp -m udp --dport 5632 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.15 -p tcp -m tcp --dport 5900 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.17 -p tcp -m tcp --dport 5432 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.17 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -d 192.168.254.2 -p tcp -j SNAT --to-source 192.168.254.1
-A POSTROUTING -d 192.168.254.2 -p udp -j SNAT --to-source 192.168.254.1
COMMIT
# Completed on Sat Aug 30 06:27:48 2003
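
A way to check which entry Router B's posted `route -n` table selects for a given destination, using longest-prefix match. This is an added example, not part of the original post; the function names `parse_routes` and `lookup` are hypothetical, and rows whose addresses the poster masked (`yyy.yy.yyy.*`) are skipped when they cannot be parsed as a network.

```python
import ipaddress

# Router B's `route -n` output, copied from the post. The poster masked the
# public addresses as yyy.yy.yyy.*, so those values are kept as plain strings.
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.191.191.0 192.168.0.220 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 192.168.254.2 255.255.255.0 UG 0 0 0 vpn
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
yyy.yy.yyy.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 vpn
0.0.0.0 yyy.yy.yyy.1 0.0.0.0 UG 0 0 0 eth1
"""

def parse_routes(text):
    """Return (routes, skipped): routes are (network, gateway, iface) tuples."""
    routes, skipped = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # header or unrelated line
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        try:
            net = ipaddress.ip_network(f"{dest}/{genmask}")
        except ValueError:
            skipped.append(line)  # masked destination, cannot be evaluated
            continue
        routes.append((net, gateway, iface))
    return routes, skipped

def lookup(routes, dest):
    """Pick the matching route with the longest prefix, as the kernel does."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return str(net), gateway, iface

if __name__ == "__main__":
    routes, skipped = parse_routes(ROUTE_N)
    for target in ("192.168.1.1", "192.168.254.2", "192.168.0.2"):
        print(target, "->", lookup(routes, target))
    print("skipped (masked) rows:", len(skipped))
```

A gateway of `0.0.0.0` in the result means the destination is on a directly connected network for that interface.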



 