VPN tunnel IP is 172.16.4.2, how can I reverse shell to my local machine, from a box on an attached subnet?
A tunnel has two ends not just 172.16.4.2. If that's your IP on that net interface/link and you want to connect to it from the other side, then you can just connect to it as long as this interface is routed to on the other end and is not blocked by some firewalls etc. Of course, you need an SSH listening on this interface.
Answers to questions in the comment below:
-
The arrow shows a p2p connection with two ends. The first one is local. It looks like a loop to itself, but may still work despite this misconfiguration (or lack of configuration), as it's a p2p and the destination IP is not so important. (See What is the “destination address” for a TAP/TUN device? on SO.)
-
An interface is not a connection. Interfaces can be connected and then there's a connection. A tunnel is somewhat abstract. It suggests going through something (like another pair of interfaces). So the base (VPN) connection carries the second.
-
Ethernet connection is not an interface. You can have an ethernet interface and connect two ethernet interfaces.
-
To squeeze your mind a little more, a VPN can also emulate a switch not a router. See Should I use tap or tun for openvpn?.