Avoid some hosts/networks to see each other

Alessandro Briosi tsdogs at briosix.org
Mon Feb 3 11:58:37 CET 2014


Hi all,
I need a suggestion or just to know if it's even possible to achieve the 
following.

There is a "central" vpn server which is my main network.
I have a few other gateways (customers) which should connect to this 
central server (there's a firewall on this machine too) and which have 
the customer network behind them.

Then I have a few single servers which still connect to my centralized 
VPN, with no network behind.

And then I have some road-warriors which connect mainly to the central 
VPN, but could also connect to other gateways as well if necessary.
Communication should go through direct link if possible.

What I want to achieve is:
1. road-warriors should be able to access all the VPN connected 
hosts/networks.
2. Central network should be able to access all VPN connected 
hosts/networks
3. Gateways/hosts/networks outside this should not see each other.

Basically I'd like to decide who sees who in the VPN.
Mainly the requirement is on the networks, the single hosts/gateways are 
mainly in my control, so there should not be any security issue there.

At the beginning I thought that not telling the hosts about the remote 
hosts (not copying the remote hosts' information onto them) would limit 
their access to that network, but that's not the case (routes are given 
to all hosts in the VPN).
Also the firewall is a no-go, as it filters only traffic which passes 
through the "central" server, and I would like to avoid making all 
traffic go through this server.

What I'd like to achieve is to activate a VPN on the road-warriors and 
be able to work as if I were in the central network (but avoid traffic 
going through the central network).

I know I could probably set up multiple VPNs and configure each host to 
access the ones it wants, but then road-warriors would either have to 
activate each VPN or activate only the "central" one, which would make 
all traffic pass through this node.

Let me know if it's not clear enough.

Thank you.
Alessandro


More information about the tinc mailing list