There's no "internal networks to internal networks" in the firewall, and if there was, it better be more specific to each specific internal network and how that network interacts with the others. Probably would be good to use some sort of template or profile system as well so you can port over firewall rules much more easily.
VPN systems are a whole 'nother cat. There are absolutely no firewall rules in eBox as of 1.4.3 to apply to VPN. There are very many missing features for VPN in eBox so it's surprising it works. To get clients from the VPN to talk to clients on the advertised networks, I didn't have to do anything but add those networks to the Advertised Networks area in VPN. You should 100% be able to access the eBox and should have near to no trouble accessing advertised networks.
The problem comes up when you're on the inside accessing VPN'd machines. VPN'd machines can do client-to-client connections, but internal-to-client connections require putting this information in your usr/share/ebox/stubs/openvpn/openvpn.conf.mas file.
</%args>
% foreach my $net (@nets) {
% my ($net, $netmask) = @{ $net };
push "route <% $net %> <% $netmask %>"
push "dhcp-option GATEWAY 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option NBT 2"
push "dhcp-option DOMAIN WORKGROUP"
%}
</%def>
I dunno about the GATEWAY one. I just added it today to see if it might work because it allows you to ping the machine from the inside I believe. Also note that for Windows machines, if they're on the VPN, you have to explicitly configure firewall rules for that network.
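An added example, not part of the original post and not eBox code: a small audit of the `push` lines a rendered OpenVPN server config sends to clients, reporting pushed routes, directives repeated because they sit inside the per-network loop, and `dhcp-option` types outside a known set. The known set is taken from the OpenVPN 2.x manual and is an assumption about the deployed version; `render_sample`, `audit_pushes` and the second network `10.0.5.0` are constructed for illustration.

```python
import re
from collections import Counter

# dhcp-option types from the OpenVPN 2.x manual (assumption: the deployed
# OpenVPN build documents the same set).
KNOWN_DHCP_OPTIONS = {"DOMAIN", "DNS", "WINS", "NBDD", "NTP", "NBT", "NBS",
                      "DISABLE-NBT"}
PUSH_RE = re.compile(r'^\s*push\s+"([^"]+)"\s*$')


def render_sample(nets):
    """Constructed stand-in for the template: one block of pushes per network."""
    lines = []
    for net, netmask in nets:
        lines.append(f'push "route {net} {netmask}"')
        lines.append('push "dhcp-option GATEWAY 192.168.0.1"')
        lines.append('push "dhcp-option DNS 192.168.0.1"')
        lines.append('push "dhcp-option WINS 192.168.0.1"')
        lines.append('push "dhcp-option NBT 2"')
        lines.append('push "dhcp-option DOMAIN WORKGROUP"')
    return "\n".join(lines)


def audit_pushes(config_text):
    """Return (routes, duplicate_pushes, unknown_dhcp_option_types)."""
    pushes = [m.group(1).split()
              for m in map(PUSH_RE.match, config_text.splitlines()) if m]
    routes = [(p[1], p[2]) for p in pushes
              if p[0] == "route" and len(p) >= 3]
    counts = Counter(" ".join(p) for p in pushes)
    duplicates = sorted(d for d, n in counts.items() if n > 1)
    unknown = sorted({p[1] for p in pushes
                      if p[0] == "dhcp-option" and len(p) >= 2
                      and p[1].upper() not in KNOWN_DHCP_OPTIONS})
    return routes, duplicates, unknown


# Constructed sample: two advertised networks (the second one is made up).
SAMPLE = render_sample([("192.168.0.0", "255.255.255.0"),
                        ("10.0.5.0", "255.255.255.0")])

if __name__ == "__main__":
    routes, duplicates, unknown = audit_pushes(SAMPLE)
    print("routes pushed to clients:", routes)
    print("pushed more than once:", duplicates)
    print("dhcp-option types not in the known set:", unknown)
```

Run it against the generated server config rather than the `.mas` template, since the template only expands to concrete `push` lines once eBox renders it.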