Nested groups with access rules

Posted: Wed May 11, 2022 10:54 pm
by chort1
Hi,

What's the purpose of the "Allow Access To groups" config setting? I imagined it was to be able to subdivide client access lists, but it doesn't seem to work like that, at least not for me.

So I have

group1:

    "access_to.0": "+ROUTE:10.0.0.0/24"

group2:

    "access_to.0": "+ROUTE:10.0.1.0/24"

group3:

    "access_to.0": "+GROUP:group1"
    "access_to.1": "+GROUP:group2"

which I would expect to mean that clients in group3 will have access to both 10.0.0.0/24 and 10.0.1.0/24 over the VPN.

Is this not how it's supposed to work?

Re: Nested groups with access rules

Posted: Fri May 13, 2022 4:16 pm
by openvpn_inc
Hi chort,

"Allow Access To groups" means access to that group's VPN IP netblock. The group must have an assigned pool. It does not mean that that group's access rules are added to these access rules.

Did I understand your question correctly? If not please let us know.

regards, rob0

Re: Nested groups with access rules

Posted: Mon May 16, 2022 8:06 am
by chort1
Hi rob0, thanks for your reply

Ok, so it's to let clients in different groups communicate with each other...?

I have an issue where I'm using Puppet to automate building the groups, but since all the access rules are numbered, the only safe way to make sure the groups are consistent after you make a change to one of them is to remove them altogether and build them from scratch every time. And it's starting to take a long time, since there are multiple groups with repeating subnets.

Is there any other way to structure the groups in a way so that you can re-use access rules without explicitly assigning them to each group?

Re: Nested groups with access rules

Posted: Tue May 31, 2022 10:51 am
by openvpn_inc
Hello chort1,

Sorry, no, you can't reuse access rules. You can't nest groups.

You might be able to get away with something silly. Access Server should automatically repair any 'broken' numbered lists. For example, if you have a list of rules numbered 0, 1, 2, 3 and you then remove 2, the next reload of the Access Server configuration will repair this list automatically and turn it into 0, 1, 2 (3 became 2). Using this, you could remove items from the numbered list and Access Server will repair it. Similarly, you can add a new one with a number like 999 and Access Server should repair it automatically at the next reload. Although I have not personally tested this with the number 999, I believe it should work.

Kind regards,
Johan
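The thread leaves the poster's real problem, keeping numbered `access_to.N` lists consistent from automation without rebuilding every group, answered only by the renumbering behaviour Johan describes. The following is an added example, not code from this thread or from OpenVPN Inc., showing how that can be handled on the automation side: reusable rule sets are expanded into per-group lists before the numbered keys are emitted (since the server itself does not nest groups), the list is compared by rule content rather than by index so that a server-side renumbering is not treated as drift, and the gap-closing repair is modelled so the expected post-reload key layout can be predicted. Only the key format (`access_to.N`) and the `+ROUTE:` value form come from the thread; the group names, netblocks, rule-set names and the `renumber` model of the repair are assumptions.

```python
"""Idempotent generation of Access Server access_to.N rule lists (added example).

Assumptions (labelled): rules live under numbered keys "access_to.0", "access_to.1", ...
with values such as "+ROUTE:10.0.0.0/24" (from the thread), and a list with gaps is
renumbered to 0..n-1 on reload (Johan's description, modelled by renumber()).
The rule sets, groups and netblocks below are constructed for illustration.
"""
from typing import Dict, List

# Reusable rule sets held by the automation, not by the server (constructed data).
RULE_SETS: Dict[str, List[str]] = {
    "net-a": ["+ROUTE:10.0.0.0/24"],
    "net-b": ["+ROUTE:10.0.1.0/24"],
}

# Group -> rule sets it is composed from; group3 is what "+GROUP:" was hoped to do.
GROUPS: Dict[str, List[str]] = {
    "group1": ["net-a"],
    "group2": ["net-b"],
    "group3": ["net-a", "net-b"],
}


def expand(group: str) -> List[str]:
    """Flatten a group's rule sets into one ordered list with duplicates removed."""
    rules: List[str] = []
    for rule_set in GROUPS[group]:
        for rule in RULE_SETS[rule_set]:
            if rule not in rules:
                rules.append(rule)
    return rules


def desired_keys(group: str) -> Dict[str, str]:
    """The numbered key/value pairs the automation wants the group to end up with."""
    return {f"access_to.{i}": rule for i, rule in enumerate(expand(group))}


def renumber(current: Dict[str, str]) -> Dict[str, str]:
    """Model of the repair Johan describes: keep index order, close gaps, start at 0.

    This is an assumption about server behaviour, used only to predict the layout
    after a reload so that a removed or appended (e.g. '.999') rule is not re-applied.
    """
    ordered = sorted(current.items(), key=lambda kv: int(kv[0].rsplit(".", 1)[1]))
    return {f"access_to.{i}": value for i, (_, value) in enumerate(ordered)}


def diff(current: Dict[str, str], group: str) -> Dict[str, List[str]]:
    """Compare by rule content, not key index, so renumbering alone is not drift.

    Returns the rule values to add and to remove to bring `current` in line with
    the group's desired rules. An empty result means no change is needed.
    """
    have = set(current.values())
    want = set(expand(group))
    return {"add": sorted(want - have), "remove": sorted(have - want)}


if __name__ == "__main__":
    # Constructed "as found on the server" state for group3 with a stale rule and a gap.
    current_group3 = {
        "access_to.0": "+ROUTE:10.0.0.0/24",
        "access_to.2": "+ROUTE:192.0.2.0/24",   # stale, no longer wanted
    }
    print("desired :", desired_keys("group3"))
    print("change  :", diff(current_group3, "group3"))
    print("repaired:", renumber(current_group3))
```

Run stand-alone, the script prints the desired two-rule layout for group3, a change set that adds 10.0.1.0/24 and removes the stale 192.0.2.0/24 entry, and the gap-free key layout the server would be expected to produce from the current state. Because `diff` ignores indices, a second run after the server has renumbered reports no change, which is the property the Puppet workflow in the thread was missing.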