Applying Subnet Access - Making Sense of Global/Group/Individual ACLs

Posted: Mon Jan 09, 2017 7:02 pm
by tex_wrex
So I have an instance of OpenVPN 2.1.4 running, and everything works from an authentication standpoint.

I have several groups of users that need to have different network ranges applied to them. Some are to single hosts, some to the entire network range.

My basic question: Is this a least permissive system?

Scenario:
I go into VPN Settings and apply the range 10.8.0.0/16 as the default accessible subnet.

I then go to a User Group and apply a subset of that network range. Say 10.8.8.8/32. When I connect as a user in that group, they get the route 10.8.0.0/16 applied, meaning the group restrictions do not work.

Is this by design, or am I missing something?

Thanks in advance!!