I have a fairly simple network setup as seen in the attached image. The network is spread across two more or less similar data centers which are connected via a static OpenVPN tunnel. Both the VPN servers and the gateways are running BIRD OSPF, configured as the backbone area 0.
Each "client" consists of an OpenVPN client and a number of hosts behind it that all belong to a common /64 block. The OpenVPN client opens two connections (primary and backup) to one of the DCs. What I need is that all the client hosts can talk to any application server in either DC and vice versa, but no "client" should have any knowledge of any other "clients". My initial thought was to put OSPF running also on the OpenVPN clients and have them advertise their /64 blocks that way, but that would mean all the clients would see all the other clients.
What I want to do is prevent the "inter-client" communications preferably at the routing level, both from a security standpoint and also to prevent any excess network traffic since some of the clients may be behind very slow links. So essentially the clients only see the DC networks and the DCs can see all of the client networks. Can this somehow be done with BIRD's filtering capabilities (and if so, how?), or should I perhaps be looking into some other routing protocols?
Note: I asked this question on Network Engineering where they directed me to ask this question here, and also told me to look into BGP as a possible solution. However I have zero experience with BGP and briefly looking into it, it seems rather complex to set up.
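As an added illustration (not part of the original question, and not a configuration from the poster's setup), the fragment below shows how BIRD's per-neighbor filters can express the isolation described above. Within an OSPF area every router floods the same link-state database, so a client that speaks OSPF in area 0 will always learn the other clients' /64s; per-neighbor hiding is what BGP sessions give you, which is why it was suggested. In this constructed BIRD 2 configuration for one DC gateway, each OpenVPN client gets its own BGP session whose export filter only passes the two DC aggregates and whose import filter only accepts that client's own /64. All prefixes (documentation range 2001:db8::/32), the tunnel address, the AS numbers and the interface names are assumptions.

```bird
# Constructed example for a DC gateway; values are placeholders, not from the post.
router id 192.0.2.1;

protocol device { }

# Install learned routes into the kernel table.
protocol kernel {
  ipv6 { export all; };
}

# What every client is allowed to see: only the two DC aggregates.
# The trailing '+' also matches more-specific subnets of each aggregate.
filter to_clients {
  if net ~ [ 2001:db8:a::/48+, 2001:db8:b::/48+ ] then accept;
  reject;
}

# What one client may announce: exactly its own /64, nothing else.
# A per-client import filter stops a misconfigured or compromised client
# from injecting routes for other clients or for the DC networks.
filter from_client_1 {
  if net = 2001:db8:c001::/64 then accept;
  reject;
}

# One BGP session per client over its OpenVPN tunnel (private AS numbers assumed).
protocol bgp client_1 {
  local as 64512;
  neighbor fd00:1::2 as 64513;
  ipv6 {
    import filter from_client_1;
    export filter to_clients;
  };
}

# The DC-to-DC tunnel and the internal gateways stay on OSPF area 0.
# Client /64s learned over BGP are redistributed into OSPF so both DCs reach
# every client, while the client BGP sessions above never receive them.
protocol ospf v3 backbone {
  ipv6 {
    import all;
    export where source = RTS_BGP;
  };
  area 0 {
    interface "tun0";
    interface "eth0";
  };
}
```

Two caveats a practitioner would check: route filtering only controls what clients learn, not what the gateway forwards, since the gateway itself still holds a route to every client /64, so a packet-filter rule on the gateway denying traffic between client tunnels is needed to enforce the isolation rather than merely hide it; and the second (backup) tunnel to the other DC needs an identical session with the same filters, with BGP preference or local preference used to make the primary win.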