
How does transitive routing work with VPN hub-and-spoke architecture?

I'm trying to set up a hub-and-spoke network architecture for my organization. The hub project has been successfully connected to our on-prem network via HA VPN, but the spoke project connection is tripping me up. From Google's documentation (https://cloud.google.com/architecture/deploy-hub-spoke-vpc-network-topology) we have two options: VPC peering or VPN tunnels. Our projects are deployed using the same local 10. subnets for VMs, which means VPC peering won't work due to overlap. I ultimately want spoke traffic bound for our on-prem networks to pass through the hub only, but allow all other traffic out to the internet.

I successfully set up VPN tunnels from the hub to two test spokes, but when I look at the advertised routes on the spoke, I'm not seeing the routes from our on-prem network (which I do see on the hub). Am I missing something to allow transfer of these routes or is there another way to do this?

on-prem <----HA VPN (w/ BGP)----> hub project <-----HA VPN (w/BGP)----> spoke project
   ^                                   ^                                     ^
advertising routes               receiving routes                only receiving hub routes 

The on-prem network and the spoke project will not communicate via transitive routing. You would need to remove one of the VPNs connected to the hub and substitute VPC Network Peering for it, either hub > on-prem or hub > spoke project.

You can check the example in this documentation, as it is somewhat similar to your network setup.
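The following is an added example, not code from the original thread or from Google. It is a simplified Python model of what the question observes: a Cloud Router in its default advertisement mode announces only its own VPC subnet routes to a BGP peer and does not re-advertise prefixes it learned from another session, so the spoke never sees the on-prem ranges. The model also shows the per-peer custom route advertisement that Cloud Router offers (the `--advertisement-mode=CUSTOM --set-advertisement-ranges=...` flags on `gcloud compute routers update-bgp-peer`) applied on the hub's spoke-facing session, and the rule that a learned route equal to or inside one of the VPC's own subnet ranges is ignored, which is what the overlapping 10.x ranges in the question run into. All prefixes, router names and the exact precedence behaviour are constructed assumptions for illustration; confirm the details against the Cloud Router documentation before relying on them.

```python
from ipaddress import ip_network


class Router:
    """One BGP speaker (a Cloud Router, or the on-prem router) plus the prefixes
    it owns locally. 'subnets' are VPC subnet ranges (or on-prem LAN ranges)."""

    def __init__(self, name, subnets):
        self.name = name
        self.subnets = [ip_network(s) for s in subnets]
        self.peers = {}    # peer name -> advertisement policy for that BGP session
        self.learned = {}  # peer name -> prefixes accepted from that session

    def add_peer(self, peer, mode="DEFAULT", ranges=()):
        # Per-session choice between the default policy and custom advertised
        # ranges. Modelled assumption: CUSTOM still announces the local subnets
        # in addition to the listed ranges.
        self.peers[peer] = {"mode": mode, "ranges": [ip_network(r) for r in ranges]}

    def advertise_to(self, peer):
        cfg = self.peers[peer]
        if cfg["mode"] == "DEFAULT":
            # Only locally owned subnets. Prefixes learned from other sessions
            # are deliberately NOT included: no transitive routing.
            return list(self.subnets)
        return list(self.subnets) + list(cfg["ranges"])

    def accept_from(self, peer, prefixes):
        # Subnet routes win: a learned route equal to, or inside, one of the
        # local subnet ranges is dropped. This is what bites overlapping 10.x.
        self.learned[peer] = [p for p in prefixes if not self.shadowed(p)]
        return self.learned[peer]

    def shadowed(self, prefix):
        return any(prefix.subnet_of(s) for s in self.subnets)

    def dynamic_routes(self):
        return sorted({str(p) for ps in self.learned.values() for p in ps})


def bgp_session(a, b):
    """Exchange advertisements over one VPN tunnel between routers a and b."""
    a.accept_from(b.name, b.advertise_to(a.name))
    b.accept_from(a.name, a.advertise_to(b.name))


def build_topology(custom_advertisement):
    # Constructed sample prefixes. Hub and spoke deliberately reuse the same
    # 10.10.0.0/16 subnet, as described in the question.
    onprem = Router("onprem", ["192.168.0.0/16", "172.16.0.0/12"])
    hub = Router("hub", ["10.10.0.0/16"])
    spoke = Router("spoke", ["10.10.0.0/16"])

    onprem.add_peer("hub")
    hub.add_peer("onprem")
    spoke.add_peer("hub")
    if custom_advertisement:
        # On the hub's spoke-facing session, explicitly announce the on-prem
        # ranges so the spoke gets a next hop for them through the hub.
        hub.add_peer("spoke", mode="CUSTOM",
                     ranges=["192.168.0.0/16", "172.16.0.0/12"])
    else:
        hub.add_peer("spoke")

    bgp_session(onprem, hub)   # on-prem <-> hub tunnel
    bgp_session(hub, spoke)    # hub <-> spoke tunnel
    return onprem, hub, spoke


def spoke_routes(custom_advertisement):
    """Dynamic routes the spoke VPC ends up with for the given hub policy."""
    return build_topology(custom_advertisement)[2].dynamic_routes()


def hub_routes(custom_advertisement):
    """Dynamic routes the hub VPC ends up with for the given hub policy."""
    return build_topology(custom_advertisement)[1].dynamic_routes()


if __name__ == "__main__":
    print("spoke, default policy:", spoke_routes(False))  # nothing transitive
    print("spoke, custom ranges :", spoke_routes(True))   # on-prem ranges via hub
    print("hub                  :", hub_routes(True))     # spoke 10.10/16 shadowed
```

Two caveats the model makes visible: the return path needs the matching custom advertisement on the hub's on-prem-facing session, and no advertisement can fix the spoke's 10.10.0.0/16 being dropped by the hub (and vice versa) while both VPCs own the same range, so the overlapping subnets have to be re-addressed or NAT'd regardless of whether VPN or peering is used. Because only the on-prem ranges are advertised, the spoke's default internet route is untouched, which matches the stated goal of hairpinning only on-prem traffic through the hub.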