Group Permissions not working as expected

el_tigro
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 05, 2016 3:22 pm

Group Permissions not working as expected

Post by el_tigro » Fri Aug 05, 2016 3:41 pm

I'm using the OpenVPN Access Server appliance (version 2.1.3) on AWS.

I set "Should VPN clients have access to private subnets" to "No".

I created a group called "admin" and added the following to the Access Control section:
10.0.0.15/32
10.0.0.159/32
10.0.0.163/32
10.0.0.236/32

I then created a user "user" and set its group to "admin".
I have not added anything to access controls for this user.

After connecting to the VPN I expected the routing table to contain entries based on the group ACL, but there were none (only the default gateway route is created).

I then added "10.0.0.0/32" to the ACL of "user" and updated the running server, and "user" automatically reconnects to the VPN with the routing table containing all the entries from the group ACL.

Note: It seems that any entry added to the "user" ACL (could have used any IP instead of 10.0.0.0/32) triggers the group ACL to be applied.

On a related note, switching a user's group and updating the server doesn't always trigger a reconnect for the user (even though the ACL for each group is different).

Is this a bug?

akinnard
OpenVpn Newbie
Posts: 2
Joined: Tue Oct 04, 2016 11:05 pm

Re: Group Permissions not working as expected

Post by akinnard » Tue Oct 04, 2016 11:09 pm

I am seeing the same issue. Any updates on this?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Group Permissions not working as expected

Post by novaflash » Wed Oct 05, 2016 6:19 am

I assume the group 'admin' has the admin flag set on it. Does the user assigned to the group admin have the admin flag set as well? I am guessing it does not. Try adding it and test again.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

akinnard
OpenVpn Newbie
Posts: 2
Joined: Tue Oct 04, 2016 11:05 pm

Re: Group Permissions not working as expected

Post by akinnard » Wed Oct 05, 2016 9:06 pm

I did that and it did not work. The user is able to log in to the admin site just fine, but can't access any of the servers.

tex_wrex
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 09, 2017 6:47 pm

Re: Group Permissions not working as expected

Post by tex_wrex » Mon Jan 09, 2017 9:21 pm

Did you ever find a solution?

I am facing a similar issue where the networks set at the group permissions level are not overriding the defaults...

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Group Permissions not working as expected

Post by novaflash » Mon Jan 09, 2017 9:25 pm

> I am facing a similar issue where the networks set at the group permissions level are not overriding the defaults...

It's not supposed to. Access is additive. Subnet access set under VPN Settings will be accessible to all users and all groups. Subnet access set under group permissions will be accessible to all users in those groups, and includes access to the global setting under VPN Settings. Subnet access set in user permissions will be accessible to those users, and if they are in a group the group subnets will be accessible too, and if a global setting is set under VPN settings, access to those subnets is possible as well.

Putting an admin user in a non-admin group can mess things up a bit though, so don't do that.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
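
The additive rule described in the reply above, as an added example that is not part of the original thread and not Access Server code: it computes the subnets a user should inherit (global + group + user) and lists users whose admin flag differs from their group's. The dictionaries, the "staff" group, the "ops" and "dev" users and all function names are hypothetical; the "admin" group's subnets are the ones from the first post, and its admin flag is assumed to be set.

```python
import ipaddress

# Constructed sample data modelled on the thread; not exported from Access Server.
GLOBAL_SUBNETS = []  # "Should VPN clients have access to private subnets" = No
GROUPS = {
    "admin": {"admin": True,  # assumption: the group has the admin flag set
              "subnets": ["10.0.0.15/32", "10.0.0.159/32",
                          "10.0.0.163/32", "10.0.0.236/32"]},
    "staff": {"admin": False, "subnets": ["10.0.1.0/24"]},
}
USERS = {
    "user": {"group": "admin", "admin": False, "subnets": []},
    "ops": {"group": "staff", "admin": True, "subnets": ["10.0.1.0/25"]},
    "dev": {"group": "staff", "admin": False, "subnets": []},
}


def effective_subnets(username):
    """Union of global, group and user subnets, collapsed to minimal CIDRs."""
    user = USERS[username]
    group = GROUPS.get(user["group"], {"subnets": []})
    cidrs = GLOBAL_SUBNETS + group["subnets"] + user["subnets"]
    # strict=True rejects entries with host bits set, e.g. 10.0.0.15/24
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def may_reach(username, address):
    """True if the address falls inside any subnet the user inherits."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in effective_subnets(username))


def admin_flag_mismatches():
    """Users whose admin flag differs from their group's admin flag."""
    return sorted(name for name, u in USERS.items()
                  if u["group"] in GROUPS
                  and u["admin"] != GROUPS[u["group"]]["admin"])


if __name__ == "__main__":
    for name in USERS:
        print(name, [str(n) for n in effective_subnets(name)])
    print("admin flag mismatches:", admin_flag_mismatches())
```

Comparing this expected list with the routes a connected client actually receives shows whether the group ACL was applied, which is the discrepancy the first post reports.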

MCDefense
OpenVpn Newbie
Posts: 1
Joined: Sun Nov 19, 2017 3:04 am

Re: Group Permissions not working as expected

Post by MCDefense » Sun Nov 19, 2017 3:06 am

Hello All,

I ran into this issue as well. I fixed it by adding the subnet I want that user to be able to access in the user 'Access Control' section and putting the subnet in the field 'Allow Access To' these networks.
