First, the OpenVPN client should somehow “know” how to reach the BLUE subnet (custom route) or should not know how to reach it, but all traffic is managed from the routing part of NethServer (Route all traffic through VPN). Both options are viable but might not be suitable for your case. Before taking any of these options, take note of the routing table OpenVPN is providing to the client.
Then NethServer should know if it’s allowed to let OpenVPN clients communicate with BLUE zone. And things here become a bit trickier.
Source: Firewall — NethServer 7 Final
Firewall policies allow inter-zone traffic accordingly to this schema:
GREEN -> BLUE -> ORANGE -> RED
Traffic is allowed from left to right, blocked from right to left.
OpenVPN clients and subnets are… “another zone”.
Source: VPN — NethServer 7 Final
By default, the network traffic between VPNs is blocked by the firewall.
And there’s some reasoning behind this. Therefore, prior to allowing communication “blind” between both subnets… take some time to tinker with some rules and keep them tight.
Also remember that an OpenVPN user can be bound to a specific OpenVPN subnet address.
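
To check which of the two options a client is actually using, the routing table it received can be classified with a longest-prefix match. This is an added example, not part of the original post or of NethServer; it assumes a Linux client, a VPN interface named `tun0`, and a hypothetical BLUE subnet of `192.168.10.0/24`, with all sample addresses constructed.

```python
import ipaddress

# Constructed sample: `ip -4 route` output on a Linux OpenVPN client.
# All addresses and interface names are made up for illustration.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
192.168.10.0/24 via 10.8.0.1 dev tun0
"""

def parse_routes(text):
    """Return a list of (network, device) from `ip -4 route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip entries whose first field is not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def path_to(subnet, routes, vpn_dev="tun0"):
    """Classify how the client reaches `subnet` by longest-prefix match."""
    target = ipaddress.ip_network(subnet)
    covering = [(n, d) for n, d in routes if target.subnet_of(n)]
    if not covering:
        return "unreachable"
    net, dev = max(covering, key=lambda r: r[0].prefixlen)
    if dev != vpn_dev:
        return "outside-vpn"  # e.g. BLUE overlaps the client's own LAN
    # /0 and the 0.0.0.0/1 + 128.0.0.0/1 pair indicate a redirected gateway
    return "vpn-all-traffic" if net.prefixlen <= 1 else "vpn-custom-route"

if __name__ == "__main__":
    print(path_to("192.168.10.0/24", parse_routes(SAMPLE_ROUTES)))
```

An `outside-vpn` result for the BLUE subnet means the client never sends that traffic into the tunnel, so no firewall rule on the server side will make the connection work.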