Access Server Admin Guide: User Permissions

About the Page

The User Management: User Permissions page is where you adjust all user configurations: you can modify users' local passwords, assign users to groups, grant or remove admin access, ban users from the server, and assign users to different authentication methods.

User Permissions

User Permissions provides you with a table to configure user permissions. To finalize any changes, click Save Settings and Update Running Server.


To add a user, enter their username into the New Username text field on the last row in the table. Whenever you add a new user, click Save Settings and Update Running Server.


All configured groups from User Management: Group Permissions display in the drop-down menu. Assign each user to a group or leave them without a default group. Users in a group inherit the group’s configuration, which includes admin access, auto-login, assigned IP addresses, access control, and client scripting.


Check Admin to grant login access to the Access Server Admin Web UI.

Allow Auto-login

Check Allow Auto-login to enable auto-login profiles. An auto-login profile lets the client connect to the VPN without authenticating with a password. This is useful for connecting Gateway Clients or machines that should always have a VPN connection.

Deny Access

Check Deny Access to revoke a user's privileges.


Check Delete to delete a user record. You can’t delete the unique admin user, openvpn.

More Settings

You can configure additional settings by clicking More Settings. Many of these settings are user-specific; therefore, these settings will take precedence over any global settings.

Configure user authentication method

You can assign users and groups to different authentication methods. You must configure and enable the LDAP, RADIUS, SAML, or PAS-only method before you can select it as the authentication method. Methods that are not configured are disabled for users.

For more information, refer to OpenVPN Access Server’s User Authentication System.

TOTP-based Multi-Factor Authentication

You can control TOTP-based MFA at the user level by enabling or disabling it here.

For more information, refer to TOTP Multi-factor Authentication.

Local Password

You can manage password options for each user set to local authentication. Enter the user's local password in the Password field; the user authenticates with this password when connecting to the Access Server or signing in to the Client Web UI.

You can choose to allow password changes and enable password strength checking in the Client Web Server (CWS).

Allow password change from CWS:

  • Default = Inherit the group or global setting (defined in group permissions or CWS settings).
  • Yes = User can change their password after signing in to the CWS.
  • No = User can’t change their password, and an administrator must manage passwords.

Enable password strength checking in CWS:

  • Default = Inherit the group or global setting (defined in group permissions or CWS settings).
  • Yes = User passwords must meet these rules: must be at least eight characters and must contain a digit, an uppercase letter, and a symbol from !@#$%&'()+,-/[\]^_{|}~<>.
  • No = User can create any password of any length that they choose.
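The following is an added example, not code from Access Server or from this guide: it resolves the Default/Yes/No setting and then applies the strength rules listed above. The function names are hypothetical, the user-then-group-then-global order is an assumption, and the symbol set is copied from this page with the apostrophe taken to be ASCII.

```python
import string

# Symbol set as listed on this page (apostrophe assumed to be ASCII ').
SYMBOLS = set("!@#$%&'()+,-/[\\]^_{|}~<>")

def effective(user_value, group_value, global_value):
    """Resolve a Default/Yes/No setting.

    Assumed order: the user's own value wins, then the group's, then the
    global CWS setting. global_value must be "Yes" or "No"; a user without
    a group passes group_value=None.
    """
    for value in (user_value, group_value):
        if value in ("Yes", "No"):
            return value
    return global_value

def strength_failures(password):
    """Return the rules from this page that the password does not meet."""
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if not any(c in string.digits for c in password):
        failures.append("a digit")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("an uppercase letter")
    if not any(c in SYMBOLS for c in password):
        failures.append("a symbol")
    return failures

def password_accepted(password, user_value, group_value=None, global_value="No"):
    """Apply the strength rules only when the effective setting is Yes."""
    if effective(user_value, group_value, global_value) == "No":
        return True, []
    failures = strength_failures(password)
    return not failures, failures

if __name__ == "__main__":
    # Constructed sample passwords; the user inherits "Yes" from the group.
    for pw in ("Winter2024!", "correct horse battery staple", "A1!"):
        print(repr(pw), password_accepted(pw, "Default", "Yes", "No"))
```

Under these rules a long lowercase passphrase is rejected while a short mixed-class password passes, which is worth knowing before setting the option to Yes for users who rely on passphrases.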

Select IP Addressing

You have two options for IP addressing: Static or Dynamic.

  1. Dynamic: Access Server dynamically assigns the user’s IP address from the subnets configured in VPN Settings.
  2. Static: Access Server assigns the static IP address you define in the VPN Static IP Address field that displays when you select Use Static. Ensure the IP address is within the subnet defined in VPN Settings. For more details on properly defining static IP addresses for your users, refer to the guide Assigning a static VPN client IP address to a user.
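As an added example (not part of Access Server or this guide), the script below pre-checks a list of planned static addresses before you type them into the VPN Static IP Address field. Beyond the in-subnet requirement stated above, it also flags network/broadcast addresses and duplicates, which goes past what this page says; the function name, usernames, and subnet are constructed placeholders.

```python
import ipaddress

def check_static_ips(assignments, vpn_subnets):
    """Return {username: problem} for static IPs that should be corrected.

    assignments: {username: address string} as planned for the
    VPN Static IP Address field. vpn_subnets: CIDR strings from VPN Settings.
    """
    networks = [ipaddress.ip_network(s) for s in vpn_subnets]
    problems, seen = {}, {}
    for user, raw in assignments.items():
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            problems[user] = f"{raw!r} is not an IP address"
            continue
        # First configured subnet that contains the address, if any.
        home = next((n for n in networks if ip in n), None)
        if home is None:
            problems[user] = f"{ip} is outside the VPN subnets"
        elif ip in (home.network_address, home.broadcast_address):
            problems[user] = f"{ip} is the network or broadcast address of {home}"
        elif ip in seen:
            problems[user] = f"{ip} is already assigned to {seen[ip]}"
        else:
            seen[ip] = user
    return problems

# Constructed sample data; usernames and subnet are placeholders.
SAMPLE_SUBNETS = ["10.8.0.0/24"]
SAMPLE_USERS = {
    "alice": "10.8.0.10",   # valid
    "bob": "10.8.1.5",      # outside the subnet
    "carol": "10.8.0.10",   # duplicate of alice
    "dave": "10.8.0.255",   # broadcast address
    "erin": "10.8.0",       # malformed
}

if __name__ == "__main__":
    for user, problem in check_static_ips(SAMPLE_USERS, SAMPLE_SUBNETS).items():
        print(f"{user}: {problem}")
```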

Access Control

  • Select addressing method: Set either network-address translation (NAT) or routing. 
  • Allow Access To these Networks: You can define the routing for a specific user's client and grant access to specific subnets. Doing so at the user level takes precedence over global settings.
  • Allow Access From: You can configure user access from server-side subnets and other VPN clients by checking the appropriate boxes.

VPN Gateway

You can configure a user account to act as a gateway for the VPN server, allowing VPN users to access local machines and services on the LAN of the VPN Gateway. Click Yes and enter the subnets the client serves as a gateway for in the Allow client to act as VPN gateway for these client-side subnets text field.

DMZ Settings

With DMZ settings, you can permit traffic from the Access Server to the client on a specific port using a specific service. Click Yes and enter the ports in the DMZ IP Address text field.


User Management: User Permissions allows you to configure user-specific settings easily. It gives you control over which users have access to the web server, the types of routing the individual clients use, user authentication, and much more.