Now I have more hosts on the same L2 network but in a different IP range, let's say 10.128.0.0/16. They cannot be reached by the VPN client; there is no routing. Could a client 'hack' his config so he talks to a 10.128.0.0/16 subnet address while being connected to the 10.10.0.4 OpenVPN server?
Yes, I am the admin and I can change all configs, but this is more of a theoretical question, because if I create VPN accounts for my tenants I don't want them to reach the 10.128.0.0/16 network.
Cheers,
FYI, this is my OpenVPN client config (confidential data removed):
client
proto tcp-client
remote *.*.*.* *public port*
route-nopull
route 10.10.0.0 255.255.0.0
dhcp-option DNS 10.10.10.10
dhcp-option DOMAIN mgmt.lab
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_coUWOVLqgrOqJrPm name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
*****
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*****
-----END OpenVPN Static key V1-----
</tls-crypt>
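As an added example (not part of the original post or of OpenVPN itself): the `route` and `route-nopull` lines in the client config only decide which packets the client sends into the tunnel, so a client can edit them freely and the server's kernel will forward whatever arrives on its tun interface if a route exists. The reachability limit therefore has to be enforced on the server; the script below generates an nftables forward policy for that, and `tun0`, the allowed subnet and the blocked subnet are assumptions taken from the question.

```bash
#!/bin/sh
# Server-side enforcement for an OpenVPN server whose clients may only
# reach the management network. Values are assumptions for this example.

TUN_IF="${TUN_IF:-tun0}"                    # assumed OpenVPN server tun interface
ALLOWED_NET="${ALLOWED_NET:-10.10.0.0/16}"  # the only subnet clients may reach
BLOCKED_NET="${BLOCKED_NET:-10.128.0.0/16}" # tenant range, logged when attempted

# Emit an nftables ruleset that only forwards tunnel traffic to ALLOWED_NET.
gen_ruleset() {
    cat <<EOF
table inet vpn_filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to flows that were already permitted
        ct state established,related accept
        # client -> management network: allowed
        iifname "$TUN_IF" ip daddr $ALLOWED_NET accept
        # client -> tenant range: counted and logged so attempts are visible
        iifname "$TUN_IF" ip daddr $BLOCKED_NET counter log prefix "vpn-escape " drop
        # everything else leaving the tunnel is dropped
        iifname "$TUN_IF" counter drop
    }
}
EOF
}

# Load the ruleset with nft (needs root); with DRY_RUN=1 (the default here)
# the ruleset is only printed so it can be reviewed first.
apply_ruleset() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        gen_ruleset
    else
        gen_ruleset | nft -f -
    fi
}

# Check helper: does the generated ruleset drop traffic to the given prefix?
ruleset_drops() {
    gen_ruleset | grep -q "daddr $1 .* drop\$"
}
```

Run with `DRY_RUN=0 sh script.sh` (as root) after adding `apply_ruleset` as the last line, and watch the kernel log for the `vpn-escape` prefix to see any client that has tampered with its routes.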