Trouble setting up OpenVPN TLS connection between office and home workstations
Do I need to install any OpenVPN software in the routers or stations to make it work?
No, only the devices which terminate the OpenVPN tunnel (routers 2&4) need to care about it.
Do I need to open any ports to connect between these two devices?
OpenVPN uses standard UDP with the default port 1194 on the server side (though you can choose any other), so the server must be reachable on that port – allowed through firewalls, "port-forwarded", etc.
Clients, on the other hand, don't need any ports being explicitly "open" – they will just rely on firewalls remembering the connection state and allowing response packets back in (like they do for all other UDP-based protocols). The client-side OpenVPN configuration will most likely need to have keepalive enabled, as idle UDP streams tend to be forgotten by firewalls very quickly.
Do I need both routers or could I create a VPN using only one router as a server and the workstations themselves as clients?
Yes, the workstations could be VPN clients; this is probably the most common way of using OpenVPN (with individual user accounts).
The server-side configuration would actually be slightly simpler. With a site-to-site VPN, the OpenVPN server needs an iroute telling it that a specific client has a whole 192.168.2.0/24 network behind it. With host-based VPN, each client only handles traffic for itself, and the server knows that without being told.
Is there a way that station 6 could be in domain (DNS server connected to router 3) if it's connected to router 4?
If you mean an Active Directory domain, your stations will remain "in domain" as long as they have IP connectivity to a domain controller, regardless of how far away it is. The often repeated "Line of sight" doesn't mean that the DC has to be on the same subnet (that was only needed for NetBIOS-based WinNT4 domains), it only means the DC has to remain reachable via TCP and UDP, and that's what your VPN is for.
Similarly, you can use literally any DNS servers that you have IP connectivity to – the router only offers some "standard" servers as part of the DHCP lease (often, itself), but doesn't enforce that only those servers must be used.
(Also, being "in a domain" doesn't strictly require hosts to always use that domain's DNS servers... it's fine if requests go through a proxy resolver such as Unbound or dnsmasq, as long as it knows where to forward queries for that specific domain. So it's perfectly possible to have a DNS resolver that can handle requests for all internal domains, whether AD or non-AD.)
If I finally can create this VPN, will station 5 be able to see any traffic from router 3? And in the same way, would station 6 be able to see any traffic or data from router 1?
No, at least not easily. Those routers don't have the correct route towards the VPN, and although one could be manually added, it is likely that the firewall of routers 2/4 will discard the packets as coming "from WAN" by default.
(And even if routes were added, due to IP address conflicts the stations might also have trouble responding and the replies would stay in the "local" 192.168.1.x network instead of travelling back to the "remote" 192.168.1.x, unless some fancy NAT was done to disambiguate the two.)
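The following configuration is an added example, not part of the answer above and not taken from the OpenVPN project's documentation. It shows in one place what the answers about the server port and client keepalive and about the site-to-site iroute amount to in practice. Everything not mentioned on the page is an assumption: the tunnel address pool 10.8.0.0/24, the office LAN 192.168.1.0/24 behind router 2 (the server), the home LAN 192.168.2.0/24 behind router 4 (the client), the client certificate CN "home-router", and the placeholder hostname vpn.example.invalid.

```conf
# --- server.conf on router 2 (OpenVPN server) ---
# Router 2's WAN firewall must accept (or port-forward) UDP 1194 to this process.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0        # assumed tunnel address pool
# Kernel route on the server: traffic for the home LAN goes into the tunnel device
route 192.168.2.0 255.255.255.0
# Per-client option files; each file is named after the client's certificate CN
client-config-dir ccd
# Tell connecting clients how to reach the office LAN (assumed 192.168.1.0/24)
push "route 192.168.1.0 255.255.255.0"
# Server-side keepalive: also pushed to clients as ping / ping-restart
keepalive 10 60
persist-key
persist-tun

# --- ccd/home-router on router 2 (assumed CN "home-router") ---
# Internal OpenVPN route: this particular client has a whole network behind it.
# Without this line the server has the kernel route above but does not know
# which client session the 192.168.2.0/24 packets belong to.
iroute 192.168.2.0 255.255.255.0

# --- client.conf on router 4 (OpenVPN client) ---
client
dev tun
proto udp
remote vpn.example.invalid 1194      # placeholder: the server's public address
nobind                               # no fixed local port; the firewall tracks the reply flow
ca ca.crt
cert home-router.crt
key home-router.key
# Send a ping every 10 s and restart the session after 60 s of silence, so the
# firewall's state entry for this UDP flow is refreshed before it expires.
keepalive 10 60
persist-key
persist-tun
```

For the host-based variant described in the answer (workstations as clients, no router 4 in the tunnel), drop the `route`, `client-config-dir` and `iroute` lines: each client then only carries traffic for its own tunnel address, which the server assigned itself. The `push "route ..."` line stays so the workstations learn the path to the office LAN.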