Given your current configuration, a connected host is on the 10.4.0.0/24 network. If you use an IP in the 10.4.0.0/24 range to communicate between the hosts, then it should cross the tunnel. Your server will most likely have the address 10.4.0.1. From a client you should be able to ping 10.4.0.1 while running a capture on the tun interface and see the ICMP cross the tunnel.
If you want all the communication between the hosts to cross the tunnel, then you probably need to use the private IPs in the VPN subnet to communicate between the hosts.
To make this easier you may want to adjust your VPN configuration to assign static IPs.
To push static addresses you would modify your server config like this.
OpenVPN server config.
# the 'server' helper directive is disabled in favour of the explicit directives below
#server 10.4.0.0 255.255.255.0
mode server
tls-server
push "topology net30"
# the server's own /30: 10.4.0.1 local, 10.4.0.2 remote endpoint
ifconfig 10.4.0.1 10.4.0.2
# dynamic /30s handed to clients that have no file in the client-config-dir
ifconfig-pool 10.4.0.192 10.4.0.251
route 10.4.0.0 255.255.255.0
push "route 10.4.0.1"
# setup a per client config. Clients are defined by the CN value in the cert.
client-config-dir /etc/openvpn/ccd
/etc/openvpn/ccd/client1.example.org
# net30: each client owns a /30; ifconfig-push names its two usable addresses (1,2  5,6  9,10 ...)
ifconfig-push 10.4.0.5 10.4.0.6
push "route 10.4.0.0 255.255.255.0"
/etc/openvpn/ccd/client2.example.org
ifconfig-push 10.4.0.9 10.4.0.10
push "route 10.4.0.0 255.255.255.0"
/etc/openvpn/ccd/client3.example.org
ifconfig-push 10.4.0.13 10.4.0.14
push "route 10.4.0.0 255.255.255.0"
I am not very familiar with EC2. How are they addressed? Specifically, is each host on a different subnet, or are they all on the same subnet? If they are on different subnets like this:
Web server 192.168.25.5/30
Mysql server 192.168.25.17/30
Then you could easily push a route from your OpenVPN server so that all traffic destined for one of those networks will use the VPN.
# route takes a network and a dotted netmask; this form works on every OpenVPN 2.x release
push "route 192.168.25.4 255.255.255.252"
push "route 192.168.25.16 255.255.255.252"
If the non-VPN interfaces of your hosts are all on the same subnet this won't work though, since they will be directly connected.
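The static-address scheme above has one gotcha that is easy to get wrong by hand: in topology net30 every client owns a /30, so the pair given to ifconfig-push must be that block's two usable addresses (1,2 / 5,6 / 9,10 / ...), and no static /30 may collide with the server's own /30 or with the ifconfig-pool range. The script below is an added example, not part of the answer: it generates the client-config-dir files from a CN-to-address mapping and refuses invalid or overlapping pairs. VPN_NET, SERVER_PAIR, POOL and the three CNs are taken from the answer's configuration; the CLIENTS mapping and every function name are this example's own.

```python
"""Generate OpenVPN client-config-dir (ccd) files for a net30 server.
Added example, not part of the answer above. VPN_NET, SERVER_PAIR, POOL and the
client CNs come from the answer's configuration; CLIENTS and all helper names
are this example's own."""
import ipaddress
import sys
from pathlib import Path

VPN_NET = ipaddress.ip_network("10.4.0.0/24")
SERVER_PAIR = ("10.4.0.1", "10.4.0.2")   # 'ifconfig 10.4.0.1 10.4.0.2' on the server
POOL = ("10.4.0.192", "10.4.0.251")      # 'ifconfig-pool' for clients without a ccd file
PUSHED_ROUTE = 'push "route 10.4.0.0 255.255.255.0"'
# Certificate CN -> client-side address of its /30 (constructed mapping).
CLIENTS = {
    "client1.example.org": "10.4.0.5",
    "client2.example.org": "10.4.0.9",
    "client3.example.org": "10.4.0.13",
}

def net30_error(client_ip):
    """None if client_ip is a usable net30 client address, else the reason.
    In topology net30 each client owns a /30 and 'ifconfig-push LOCAL REMOTE'
    must name its two usable addresses: LOCAL % 4 == 1 (last octet 1, 5, 9, ...)
    and REMOTE == LOCAL + 1."""
    ip = ipaddress.ip_address(client_ip)
    if ip not in VPN_NET:
        return f"{ip} is outside {VPN_NET}"
    if int(ip) % 4 != 1:
        return f"{ip} is not the first usable address of a /30 (last octet 1, 5, 9, ...)"
    return None

def net30_pair(client_ip):
    """(LOCAL, REMOTE) for ifconfig-push, e.g. 10.4.0.5 -> ('10.4.0.5', '10.4.0.6')."""
    err = net30_error(client_ip)
    if err:
        raise ValueError(err)
    ip = ipaddress.ip_address(client_ip)
    return str(ip), str(ip + 1)

def block_of(local):
    return ipaddress.ip_network(f"{local}/30", strict=False)

def overlap_problems(clients):
    """Static /30s must not collide with each other, the server's /30 or the pool."""
    problems, used = [], {block_of(SERVER_PAIR[0]): "the server"}
    pool_lo, pool_hi = (int(ipaddress.ip_address(a)) for a in POOL)
    for cn, ip in clients.items():
        err = net30_error(ip)
        if err:
            problems.append(f"{cn}: {err}")
            continue
        blk = block_of(ip)
        if blk in used:
            problems.append(f"{cn}: {blk} is already used by {used[blk]}")
        used[blk] = cn
        if int(blk[0]) <= pool_hi and int(blk[-1]) >= pool_lo:   # interval intersection
            problems.append(f"{cn}: {blk} lies inside the ifconfig-pool range {POOL[0]}-{POOL[1]}")
    return problems

def render_ccd(client_ip):
    """Contents of one ccd file: the client's /30 plus the route back to the VPN subnet."""
    local, remote = net30_pair(client_ip)
    return f"ifconfig-push {local} {remote}\n{PUSHED_ROUTE}\n"

def write_ccd_dir(clients, ccd_dir):
    """Write one file per CN (file name == certificate CN) into ccd_dir; returns the paths."""
    problems = overlap_problems(clients)
    if problems:
        raise ValueError("; ".join(problems))
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for cn, ip in clients.items():
        if "/" in cn or cn in (".", ".."):      # a CN is untrusted input; keep it inside ccd_dir
            raise ValueError(f"refusing CN {cn!r} as a file name")
        path = ccd_dir / cn
        path.write_text(render_ccd(ip))
        written.append(path)
    return written

if __name__ == "__main__":
    # usage: python <this script> [ccd_dir]   (default ./ccd; /etc/openvpn/ccd on the server)
    for path in write_ccd_dir(CLIENTS, sys.argv[1] if len(sys.argv) > 1 else "ccd"):
        print(f"--- {path}\n{path.read_text()}", end="")
```

Run it with the target directory as the first argument and then ping 10.4.0.1 from a client while capturing on tun0, as the answer describes, to confirm the pushed /30 and route took effect.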
First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.
The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.
This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.
Best Answer
Assuming the following network settings:
Your public IP: 192.168.1.1
Your private network: 192.168.50.0/24
Remote public IP: 192.168.2.1
Remote private network: 192.168.51.0/24
1) Install StrongSwan using "sudo apt-get install strongswan"
2) Set up a secret key using "sudo vim /etc/ipsec.secrets":
192.168.1.1 192.168.2.1 : PSK "secret_password"
3) Configure the routes using "sudo vim /etc/ipsec.conf":
conn partner
    # shared IKE/ESP settings, inherited by the two conns below through also=partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    # legacy proposals (3DES, SHA-1, 1024-bit DH); prefer e.g. aes256-sha256-modp2048 where the peer allows it
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    auto=start
conn local_to_partner
    # this gateway itself <-> the remote private network
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner
conn partner_to_local
    # the local private network <-> the remote gateway itself
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.2.1/32
    also=partner
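Before loading an ipsec.conf like the one above it is worth checking what each conn actually selects once the also= references are flattened, because a packet whose source/destination pair matches no conn's traffic selectors is forwarded outside the tunnel without any error. The following is an added example, not part of the answer: a small parser for the ipsec.conf section format that resolves also= (and conn %default), reports overlapping selectors and legacy proposal components, and answers "which conn would carry this src -> dst packet?". SAMPLE_CONF reproduces the answer's configuration as constructed input; the function names and the LEGACY_TOKENS list are this example's own, and only literal addresses are handled (no %any, %defaultroute or hostnames).

```python
"""Parse a strongSwan ipsec.conf, flatten also=, and report what each conn selects.
Added example (not from the answer). SAMPLE_CONF is the answer's ipsec.conf as
constructed input; function names and LEGACY_TOKENS are this example's own.
Only literal addresses are handled (no %any, %defaultroute or hostnames)."""
import ipaddress

SAMPLE_CONF = """\
conn partner
    left=192.168.1.1
    right=192.168.2.1
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    auto=start
conn local_to_partner
    leftsubnet=192.168.1.1/32
    rightsubnet=192.168.51.0/24
    also=partner
conn partner_to_local
    leftsubnet=192.168.50.0/24
    rightsubnet=192.168.2.1/32
    also=partner
"""
# Deprecated ciphers/hashes and DH groups below 2048 bits, as judged by this example.
LEGACY_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def parse_ipsec_conf(text):
    """{name: {key: value}} per 'conn' section. ipsec.conf is indentation-sensitive:
    an unindented 'conn NAME' opens a section; indented key=value lines belong to it."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header
            kind, name = (line.split(None, 1) + [""])[:2]
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue                                  # 'config setup' and 'ca' are ignored
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {raw!r}")
        current[key.strip()] = value.strip()
    return conns

def resolve_also(conns, name):
    """Flatten a conn: follow the also= chain, put 'conn %default' underneath,
    let the most specific section win and drop the also key itself."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        if cur not in conns:
            raise ValueError(f"{name}: also={cur} is not defined")
        if cur in seen:
            raise ValueError(f"{name}: also= cycle through {cur}")
        seen.add(cur)
        chain.append(conns[cur])
        cur = conns[cur].get("also")
    merged = dict(conns.get("%default", {}))
    for params in reversed(chain):
        merged.update(params)
    merged.pop("also", None)
    return merged

def _nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def selectors(conn):
    """Traffic selectors; without leftsubnet/rightsubnet the gateway address
    itself is selected, i.e. a host-to-host SA."""
    return _nets(conn.get("leftsubnet", conn["left"])), _nets(conn.get("rightsubnet", conn["right"]))

def check_conn(name, conn):
    """Findings for a flattened conn; an empty list means nothing to report."""
    findings = [f"{name}: missing {side}=" for side in ("left", "right") if side not in conn]
    if findings:
        return findings
    lefts, rights = selectors(conn)
    findings += [f"{name}: selectors {l} and {r} overlap" for l in lefts for r in rights if l.overlaps(r)]
    for key in ("ike", "esp"):
        for proposal in conn.get(key, "").rstrip("!").split(","):   # absent key: strongSwan defaults
            weak = [t for t in proposal.split("-") if t in LEGACY_TOKENS]
            if weak:
                findings.append(f"{name}: {key}={proposal} uses legacy algorithm(s) {', '.join(weak)}")
    return findings

def covered(conns, src, dst):
    """Names of conns whose selectors match a packet src -> dst; an empty list
    means the gateway would forward that packet outside the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name in conns:
        conn = resolve_also(conns, name) if name != "%default" else {}
        if "left" in conn and "right" in conn:
            lefts, rights = selectors(conn)
            if any(s in l for l in lefts) and any(d in r for r in rights):
                hits.append(name)
    return hits

if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    print(*(f for n in parsed for f in check_conn(n, resolve_also(parsed, n))), sep="\n")
```

On the sample, covered(parsed, "192.168.1.1", "192.168.51.7") returns ["local_to_partner"] while covered(parsed, "192.168.50.10", "192.168.51.7") returns [], which makes visible that the posted selectors carry gateway-to-subnet traffic in each direction but not subnet-to-subnet traffic; add a conn with both private networks as leftsubnet/rightsubnet if that is what you need. The legacy-proposal findings are a reminder that 3des-sha1-modp1024 only belongs in a config when the peer cannot negotiate anything stronger.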