Nested groups with access rules

Business solution to host your own OpenVPN server with web management interface and bundled clients.
chort1
OpenVPN User
Posts: 27
Joined: Tue Mar 01, 2022 12:24 pm

Nested groups with access rules

Post by chort1 » Wed May 11, 2022 10:54 pm

Hi,

What's the purpose of the "Allow Access To groups" config setting? I imagined it was to be able to subdivide client access lists, but it doesn't seem to work like that, at least not for me.

So I have
group1:

"access_to.0": "+ROUTE:10.0.0.0/24"
group2:

"access_to.0": "+ROUTE:10.0.1.0/24"
group3:

"access_to.0": "+GROUP:group1"
"access_to.1": "+GROUP:group2"
I would expect this to mean that clients in group3 have access to both 10.0.0.0/24 and 10.0.1.0/24 over the VPN.

Is this not how it's supposed to work?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Nested groups with access rules

Post by openvpn_inc » Fri May 13, 2022 4:16 pm

Hi chort,

"Allow Access To groups" means access to that group's VPN IP netblock. The group must have an assigned pool. It does not mean that that group's access rules are added to these access rules.

Did I understand your question correctly? If not please let us know.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chort1
OpenVPN User
Posts: 27
Joined: Tue Mar 01, 2022 12:24 pm

Re: Nested groups with access rules

Post by chort1 » Mon May 16, 2022 8:06 am

Hi rob0, thanks for your reply

OK, so it's to let clients in different groups communicate with each other...?

I have an issue where I'm using Puppet to automate building the groups, but since all the access rules are numbered, the only safe way to make sure the groups are consistent after you make a change to one of them is to remove them altogether and build them from scratch every time. And it's starting to take a long time, since there are multiple groups with repeating subnets.

Is there any other way to structure the groups in a way so that you can re-use access rules without explicitly assigning them to each group?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Nested groups with access rules

Post by openvpn_inc » Tue May 31, 2022 10:51 am

Hello chort1,

Sorry, no, you can't reuse access rules. You can't nest groups.

You might be able to get away with something silly. Access Server should automatically repair any 'broken' numbered lists. For example, if you have a list of rules numbered 0, 1, 2, 3 and you then remove 2, the next reload of the Access Server configuration will repair this list automatically and turn it into 0, 1, 2 (3 became 2). Using this, you could remove items from the numbered list and Access Server will repair it. Similarly, you can add a new one with a number like 999 and Access Server should repair it automatically at the next reload. Although I have not personally tested this with the number 999, I believe it should work.

Kind regards,
Johan
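The two points made in the replies above, that "+GROUP:name" grants a group's assigned VPN pool rather than its rules, and that sparse access_to.N keys are renumbered on reload, can be modelled so that an automation tool (Puppet in chort1's case) computes per-key edits instead of rebuilding every group. The following is an added example written for this thread, not Access Server's code or its actual implementation: the renumbering and +GROUP behaviour follow Johan's and rob0's descriptions, the pool addresses are constructed, and the function names (compact_access_to, resolve_routes, plan_changes, apply_plan) are hypothetical helpers for illustration.

```python
"""Model of Access Server group access_to.N lists as described in this
thread.  Added example, not Access Server's own code: the renumbering and
+GROUP semantics follow the replies above; pools and names are constructed."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

ACCESS_KEY = re.compile(r"^access_to\.(\d+)$")


def compact_access_to(props: Dict[str, str]) -> Dict[str, str]:
    """Model the reload-time repair Johan describes (assumed behaviour):
    access_to.N entries are ordered by N and renumbered 0..n-1, so a gap
    left by a removed access_to.2 or an out-of-range access_to.999 is folded
    in.  Keys that are not access_to.N are passed through unchanged."""
    rules = []
    out: Dict[str, str] = {}
    for key, value in props.items():
        m = ACCESS_KEY.match(key)
        if m:
            rules.append((int(m.group(1)), value))
        else:
            out[key] = value
    for i, (_, value) in enumerate(sorted(rules, key=lambda r: r[0])):
        out[f"access_to.{i}"] = value
    return out


def access_rules(props: Dict[str, str]) -> List[str]:
    """The group's rules in the order they would have after a reload."""
    compact = compact_access_to(props)
    rules, i = [], 0
    while f"access_to.{i}" in compact:
        rules.append(compact[f"access_to.{i}"])
        i += 1
    return rules


def resolve_routes(groups: Dict[str, Dict[str, str]], pools: Dict[str, str],
                   name: str) -> Tuple[Set[str], List[str]]:
    """Expand one group's rules into the subnets its clients may reach.
    +ROUTE:cidr grants that subnet; +GROUP:other grants the VPN IP pool
    assigned to 'other' (rob0's reply), not other's own rules, so nothing is
    inherited and there is no recursion.  A +GROUP naming a group with no
    assigned pool, or an unrecognised rule, is reported in the second element
    rather than silently dropped, since a silently missing grant is the kind
    of thing that gets 'fixed' with an overly broad route."""
    reachable: Set[str] = set()
    unresolved: List[str] = []
    for rule in access_rules(groups[name]):
        kind, _, arg = rule.partition(":")
        if kind == "+ROUTE":
            reachable.add(str(ipaddress.ip_network(arg, strict=False)))
        elif kind == "+GROUP" and arg in pools:
            reachable.add(str(ipaddress.ip_network(pools[arg], strict=False)))
        else:
            unresolved.append(rule)
    return reachable, unresolved


def plan_changes(current: Dict[str, str],
                 desired: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Minimal per-key edits that turn a group's current (possibly sparse)
    access_to list into `desired`, leaning on the renumbering instead of
    deleting and rebuilding the group.  Returns (keys to delete, keys to put).
    Idempotent: running it again on the result yields no changes."""
    wanted = {f"access_to.{i}": v for i, v in enumerate(desired)}
    existing = {k: v for k, v in current.items() if ACCESS_KEY.match(k)}
    puts = {k: v for k, v in wanted.items() if existing.get(k) != v}
    dels = [k for k in existing if k not in wanted]
    return dels, puts


def apply_plan(current: Dict[str, str], dels: List[str],
               puts: Dict[str, str]) -> Dict[str, str]:
    """Apply a plan to an in-memory copy of the group's properties."""
    out = {k: v for k, v in current.items() if k not in dels}
    out.update(puts)
    return out


# Constructed sample: the three groups from the first post plus assumed pools.
POOLS = {"group1": "172.27.224.0/24", "group2": "172.27.225.0/24"}
GROUPS = {
    "group1": {"access_to.0": "+ROUTE:10.0.0.0/24"},
    "group2": {"access_to.0": "+ROUTE:10.0.1.0/24"},
    "group3": {"access_to.0": "+GROUP:group1", "access_to.1": "+GROUP:group2"},
}

if __name__ == "__main__":
    # group3 reaches the two pools, not 10.0.0.0/24 or 10.0.1.0/24
    print(resolve_routes(GROUPS, POOLS, "group3"))
    sparse = {"access_to.0": "a", "access_to.1": "b", "access_to.3": "d", "access_to.999": "z"}
    print(compact_access_to(sparse))
    print(plan_changes(GROUPS["group3"], ["+GROUP:group1", "+ROUTE:10.0.1.0/24"]))
```

The plan step is the part worth carrying over to Puppet: because keys are positional, writing access_to.i only where the value differs and deleting every key at or beyond len(desired) leaves exactly the desired list after the reload-time repair, with no full teardown.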
