In VPN Settings | Routing I have all 10 routes.
In User Management | Group Permissions, I have two groups - a "Default" and "Production" group.
- Production | Access Control: lists all 10 routes.
- Default | Access Control: only lists 4 routes.
permitting "production routes" for prod group?
-
yodakramer
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Jul 09, 2020 4:48 pm
permitting "production routes" for prod group?
What's the right way to permit only some users in a group access to some routes? Or is the way I'm thinking of it correct?
In VPN Settings | Routing I have all 10 routes.
In User Management | Group Permissions, I have two groups - a "Default" and "Production" group.
In VPN Settings | Routing I have all 10 routes.
In User Management | Group Permissions, I have two groups - a "Default" and "Production" group.
-
novaflash
- OpenVPN Inc.
- Posts: 1055
- Joined: Fri Apr 13, 2012 8:43 pm
Re: permitting "production routes" for prod group?
Hello yodakramer,
Routes assigned in VPN Settings are for everyone. So for all users and all groups. That is not what you want. It may be best to set the routing option in VPN Settings to simply "no", so you start out with a situation where nobody has access to anything.
Then in Group Permissions or in User Permissions, or both, you can define subnets that certain groups and users have access to.
Your example of having all 10 subnets in the Production group, and only 4 subnets in the Default group, is fine. That's how it works. Then based on what group membership a user has, they inherit access to those subnets.
Routes assigned in VPN Settings are for everyone. So for all users and all groups. That is not what you want. It may be best to set the routing option in VPN Settings to simply "no", so you start out with a situation where nobody has access to anything.
Then in Group Permissions or in User Permissions, or both, you can define subnets that certain groups and users have access to.
Your example of having all 10 subnets in the Production group, and only 4 subnets in the Default group, is fine. That's how it works. Then based on what group membership a user has, they inherit access to those subnets.