I have a requirement where I need a number of clients to connect to a VPN. The clients should only be able to connect to other clients on the VPN - no other traffic should pass over the VPN. In particular, no traffic should pass through the server to non-VPN endpoints.
Can I set up OpenVPN this way?
Even better would be to have two classes of clients (Actresses and Bishops, say). Only Actresses should be able to connect to Bishops. Bishops can't connect to Actresses or other Bishops, and Actresses shouldn't be able to connect to other Actresses.
Is this possible too?
Sure - give out addresses to each "class" of client from two separate DHCP ranges, and then create iptables rules to restrict traffic however you need.
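A worked version of the iptables half of this answer (an added example, not from the original poster): it assumes the OpenVPN server routes client traffic itself on `tun0` (no `client-to-client` directive, so peer traffic hits the kernel FORWARD chain), that Actresses receive addresses from 10.8.1.0/24 and Bishops from 10.8.2.0/24 (constructed subnets), and that no MASQUERADE/NAT rule exists that would let VPN traffic leave the server.

```shell
#!/bin/sh
# Added example, not the original answer's code.
# Assumptions (constructed): OpenVPN on tun0, Actresses in 10.8.1.0/24,
# Bishops in 10.8.2.0/24, ip_forward enabled, "client-to-client" NOT set
# in the OpenVPN server config (otherwise peer traffic bypasses netfilter).
TUN=tun0
ACTRESS=10.8.1.0/24
BISHOP=10.8.2.0/24

# Emit the FORWARD rule set as text so it can be reviewed before use.
# Policy: default-deny forwarding, which also blocks tun0 -> eth0 traffic
# to non-VPN endpoints; only Actress-initiated flows to Bishops are
# allowed, with replies permitted via connection tracking. Bishop->Bishop,
# Actress->Actress and Bishop-initiated flows fall through to the DROP.
vpn_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN -o $TUN -s $ACTRESS -d $BISHOP -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $TUN -j LOG --log-prefix "vpn-fwd-drop: "
iptables -A FORWARD -i $TUN -j DROP
EOF
}

# Apply the rules (requires root and iptables on the OpenVPN server).
vpn_apply() {
    vpn_rules | sh
}
```

Run `vpn_rules` to inspect the rule set and `vpn_apply` as root to install it; the LOG rule gives you a kernel-log trail of every denied cross-class attempt.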