permitting "production routes" for prod group?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
yodakramer
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 09, 2020 4:48 pm

permitting "production routes" for prod group?

Post by yodakramer » Thu Jul 09, 2020 4:54 pm

What's the right way to permit only some users in a group access to some routes? Or is the way I'm thinking of it correct?

In VPN Settings | Routing I have all 10 routes.

In User Management | Group Permissions, I have two groups - a "Default" and "Production" group.
  • Production | Access Control: lists all 10 routes.
  • Default | Access Control: only lists 4 routes.

User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: permitting "production routes" for prod group?

Post by novaflash » Thu Jul 16, 2020 7:54 pm

Hello yodakramer,

Routes assigned in VPN Settings are for everyone. So for all users and all groups. That is not what you want. It may be best to set the routing option in VPN Settings to simply "no", so you start out with a situation where nobody has access to anything.

Then in Group Permissions or in User Permissions, or both, you can define subnets that certain groups and users have access to.

Your example of having all 10 subnets in the Production group, and only 4 subnets in the Default group, is fine. That's how it works. Then based on what group membership a user has, they inherit access to those subnets.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

Post Reply