In reply to gav:
> You can't really route all traffic from bob to 8.2.1.1 via the VPN as that would break the VPN connection itself. You could try and just change the routing table metric with something like
> route add -net 8.2.1.0 netmask 255.255.255.0 metric 0 dev vpn0
Did try that, but might have made a mistake so will revisit.
> This will make it preferable to go through vpn0 for 8.2.1.X addresses, so it should try that first. You might already have a similar route in the table anyway configured by the VPN though - check with "route" (no arguments).
> This assumes that bob is a Linux PC - is it Linux, Mac or Windows?
Linux servers, OpenVPN on Macs generally at end user.
> Other options include tunnelling SSH via "dave", or configuring a second IP address for "john" that's only accessible via the VPN. You could use iptables on bob to drop all packets going to 8.2.1.1 on port 23 via eth0 and see if that forces it to go over vpn0.
Port 23 is dropping already so that doesn't work unfortunately.
Thanks for your help!