Is the OpenVPN server the same as your router?
If this isn't the case, you have to set static routes to use the OpenVPN server to get to the VPN clients.
So, if the OpenVPN server has IP 192.168.1.100, and the OpenVPN clients are 192.168.50.0/24, then your router will need something like:
route add -net 192.168.50.0 netmask 255.255.255.0 gw 192.168.1.100
or whatever is the appropriate syntax.
Answering this completely is difficult without knowing the network topology you're trying to describe. Though I think I can say that in general it is possible to do what you're asking.
Consider the scenario below:
C1 -- R1 --(NAT)-- Internet --(NAT)-- R2 -- C2
Here, if there's a (properly configured) OpenVPN tunnel created between R1 and R2, then C1 can talk to C2 and vice-versa.
This scenario is more difficult to get correct:
C2 -- R1 --(NAT)-- Internet --(NAT)-- R2 -- C3
C1 / \ C4
Where C2 and C3 are the OpenVPN endpoints and C1 should use the VPN to get to C4. The first hurdle is to get the OpenVPN tunnel established between C2 and C3, probably using port forwawding from R1 & R2 of UDP 1190 to C2 & C3 respectively.
The next is to get C1 to use C2 as the way to get packets to C4. That involves configuring the routing table on C1 and C4. C1 sets the route to C4's network going VIA C2, and C4 sets the route to C1's network going VIA C3. Both of those routes should take precedence over the default. So perhaps on C1:
{route add 192.168.3.0 gw 192.168.2.2} and on C4: {route add 192.168.1.0 gw 192.168.3.2}. This is assuming that C2 and C3's addresses are 192.168.2.2 and 192.168.3.2 respectively, and that C1 and C4 are on the same network as C2 and C3 respectively.
Hopefully this is enough to answer your question and demonstrate that it's a lot easier to configure the VPN on the default gateway than it is to configure the VPN on a client, but there are use cases for both.
Edit: With this topology, and description of the problem, I believe there are routing issues on C1 and C2... C1's default route should point to the VPN address of C2 as the router. That will force C1 to use the VPN to get packets to C2, then C2 decides what to do with them.
In the case that C2 uses its own connection to the Internet, as you've shown, C2's default route should be to its own Internet connection.
If instead C2 doesn't really have its own path to the Internet and instead it goes through S, then S should be C2's default router.
Best Answer
it is possible to route a subnet that is accessible only via another openVPN client using ccd scripts
For example in your case, you would have to add on your AWS server configuration resembling this
Let's assume that 10.80.0.1 is the IP of your AWS VPN Gateway (The VPN address, not external IP), and 10.0.2.0/24 is the subnet that you wish to route via MacOS server
in file
/etc/openvpn/ccd/macos_vpn_commonnameiroute 10.0.2.0 255.255.255.0 push "route 10.0.2.0 255.255.255.0 10.80.0.1" route 10.0.2.0 255.255.255.0 10.80.0.1"You also need a line In your OpenVPN server main config file on the AWS server
client-config-dir /etc/openvpn/ccdWhat it does it tells OpenVPN server upon the
macos_vpn_commonnameclient connection, that the subnet 10.0.2.0 /24 is reachable via that client and enables routing via that tunnel. As far as I was testing there is no other way to do it, even manually routing the traffic via previously created tunnel will not work.That would cover routing the subnet through a MacOS server. If you need to redirect ALL traffic through it then let me know and I will try to help you further using iprule / iproute on the AWS OpenVPN server and
redirect-gatewaydirective, as I'm not sure if OpenVPN is prepared for such scenario with internal mechanisms.