Access Controls

The Access Controls section allows you to define how users and groups interact with network resources, each other, and the internet. This includes access rules, subnet routing, DNS configuration, and client-to-client communication.

The section is divided into five tabs:

  1. Group and User Access Rules

  2. Global Access Rules

  3. Intergroup Connectivity

  4. Internet Access and DNS

  5. InterClient Communication

📋 Group and User Access Rules

This tab provides fine-grained control over what resources specific users or groups can access.

You'll see an Access Rules table whose columns depend on your Access Server version:

Access Server 3.0:

  • IP address or subnet: the destination address(es)

  • Attached to: user or group

  • Protocol: TCP, UDP, ICMP, etc.

  • Port: specified as needed

  • Reachable via: NAT or Route

  • Edit: edit button

  • Delete: delete button

Access Server 3.1:

  • Destination: the IP address, CIDR block, or domain name

  • Source: user or group

  • Protocol: TCP, UDP, ICMP, etc.

  • Port: specified as needed

  • Reachable via: NAT or Route

  • Edit: edit button

  • Delete: delete button

You can:

  • Filter by user or group rules, protocol, and type.

  • Search the table.

  • Reorder or hide table columns.

➕ New Access Rule

Click New Access Rule to create a new rule. You'll be prompted to:

  1. Choose whether the rule applies to a User or a Group.

  2. Select from existing users or groups.

  3. Enter the IP address, CIDR block, or domain name (domain names are supported as of Access Server 3.1).

  4. Select the Protocol and Port.

  5. Choose NAT or Route as the reachability method.

  6. Save the rule.

    Tip

    NAT is typically used for simplified routing and firewall traversal, while Route allows for more transparent access when routing is properly configured.

🌐 Global Access Rules

Use this tab to define subnets that are reachable by all VPN users, regardless of group or user-specific access rules. Global access rules apply uniformly across your deployment and support both NAT and Route access methods.

Domains

Define domain-based access rules that apply to all users.

You can specify fully qualified domain names or use wildcards (for example, *.openvpn.com) and choose whether traffic to those domains is reached via NAT or Route. Click Add new domain to include additional entries.

Domain rules are evaluated globally and are especially useful for controlling access to services that may resolve to changing IP addresses.

IP Addresses and Subnets

Define IP addresses or subnet ranges that are reachable by all users.

Here, you can add individual IP addresses or CIDR subnets and choose whether access is provided by NAT or Route. These rules are grouped separately from domain-based rules for clarity.

Global Subnet Routing Overrides

Define subnet exceptions that are always routed, regardless of other access rules.

This section allows you to force specific subnets to use routing instead of NAT, even if NAT is selected elsewhere. These overrides take precedence over global, group, and user-level access rules.
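To make the evaluation described in the New Access Rule steps and in the three Global Access Rules subsections concrete, here is an added Python model. It is constructed for this page and is not Access Server's own code, nor does it use its configuration interface. It treats user, group, and global rules uniformly as destination/source/protocol/port/reachable-via entries, matches IP and CIDR destinations with the standard `ipaddress` module, matches domain destinations as case-insensitive wildcards (so `*.openvpn.com` covers subdomains but not the bare `openvpn.com`), and applies Global Subnet Routing Overrides by forcing Route for any granted destination that falls inside an override subnet. The evaluation order (user rules before group rules before global rules), the `resolve_access` and `destination_matches` names, and the sample users, groups and addresses are assumptions made for the example, not behaviour the page specifies.

```python
"""Model of Access Server-style access-rule evaluation.

Constructed example for illustration; not Access Server's own code. The
precedence between user, group and global rules is an assumption here.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    destination: str            # IP address, CIDR block, or domain (wildcards allowed)
    source: str                 # "user:<name>", "group:<name>", or "global"
    protocol: str = "any"       # "tcp", "udp", "icmp", or "any"
    port: str = "any"           # port number as a string, or "any"
    reachable_via: str = "nat"  # "nat" or "route"


def _as_network(text):
    """Return an ip_network for an IP/CIDR string, or None for a domain."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def destination_matches(rule_dest, target):
    """True if target (an IP address or a hostname) falls under rule_dest."""
    net = _as_network(rule_dest)
    if net is not None:
        try:
            return ipaddress.ip_address(target) in net
        except ValueError:
            return False  # a hostname never matches an IP/CIDR rule here
    # Domain rule: case-insensitive glob, so "*.openvpn.com" matches
    # "vpn.openvpn.com" but not the bare "openvpn.com".
    return fnmatchcase(target.lower(), rule_dest.lower())


# Assumed evaluation order: user-specific, then group, then global rules.
_PRIORITY = {"user": 0, "group": 1, "global": 2}


def resolve_access(rules, overrides, user, groups, target, protocol, port):
    """Return "nat", "route", or None when no rule grants access to target.

    overrides lists Global Subnet Routing Override subnets; a destination
    inside one is always reached via Route, whichever method the rule chose.
    """
    applicable = {f"user:{user}", "global", *(f"group:{g}" for g in groups)}
    candidates = sorted(
        (r for r in rules if r.source in applicable),
        key=lambda r: _PRIORITY[r.source.split(":", 1)[0]],
    )
    for rule in candidates:
        if not destination_matches(rule.destination, target):
            continue
        if rule.protocol != "any" and rule.protocol != protocol:
            continue
        if rule.port != "any" and rule.port != str(port):
            continue
        if any(destination_matches(o, target) for o in overrides):
            return "route"
        return rule.reachable_via
    return None


# Constructed sample policy (hypothetical users, groups and addresses).
RULES = [
    Rule("10.1.2.3/32", "user:alice", "tcp", "22", "nat"),
    Rule("10.1.0.0/16", "group:engineering", "any", "any", "route"),
    Rule("*.openvpn.com", "global", "tcp", "443", "nat"),
    Rule("192.168.50.0/24", "global", "any", "any", "nat"),
]
OVERRIDES = ["192.168.50.0/24"]

if __name__ == "__main__":
    checks = [
        ("alice", ["engineering"], "10.1.2.3", "tcp", 22),
        ("alice", ["engineering"], "10.1.2.3", "udp", 53),
        ("bob", [], "192.168.50.7", "icmp", 0),
        ("bob", [], "vpn.openvpn.com", "tcp", 443),
        ("bob", [], "openvpn.com", "tcp", 443),
    ]
    for user, groups, target, proto, port in checks:
        via = resolve_access(RULES, OVERRIDES, user, groups, target, proto, port)
        print(f"{user:6} -> {target:18} {proto}/{port}: {via or 'denied'}")
```

Running the script prints one line per check; the useful thing to observe is that the override subnet turns a global NAT rule into Route without granting anything on its own, and that a user rule restricted to one protocol and port does not block a broader group rule for the same host.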

🔁 Intergroup Connectivity

This tab displays and manages all intergroup communication rules.

The Intergroup Connectivity table includes:

  • Group

  • Has access to (group or user)

  • Direction (one-way or two-way)

  • Edit and Delete buttons

You can:

  • Filter by direction.

  • Search the table.

  • Reorder or hide table columns.

➕ New Intergroup Rule

Click New Intergroup Rule to define communication between groups or a group and a user:

  1. Initiate a connection from group: Select the source group.

  2. To group/user: Choose the destination.

  3. Optionally select Two-way connectivity.

  4. Save the rule.

🌍 Internet Access and DNS

Configure how users connect to the internet and how DNS resolution is handled.

Internet Access

Control how client traffic is routed when connected to the VPN.

  • Internet Gateway: Choose between:

    • Full-Tunnel: All traffic goes through the VPN.

    • Split-Tunnel: Only specified traffic goes through the VPN.

DNS

Configure how DNS queries from VPN clients are resolved and routed.

  • DNS Server Proxy (Access Server 3.1 and newer): Control whether Access Server acts as an intermediary for DNS requests from clients. Choose between:

    • Auto: Access Server automatically determines whether it needs to proxy DNS requests. When domain-based access rules are in use, Access Server acts as a DNS proxy; otherwise, DNS queries are sent directly to the DNS servers specified below.

    • Always Proxy: Access Server always acts as a DNS proxy for all clients and forwards DNS queries to the DNS servers specified below.

      Important

      In Full-Tunnel mode, DNS servers are always pushed to clients to ensure secure DNS resolution and prevent DNS leaks.

  • Push DNS (Access Server 3.0): Toggle DNS pushing to clients (recommended for full tunnel setups).

  • DNS Servers: Specify the DNS servers used to resolve client queries. By default, Access Server 3.1 and newer detects and displays the DNS servers from the host system. Access Server 3.0 lets you choose between autodetected and custom DNS servers.

  • Default Domain Suffix (optional): Specify a domain suffix to allow Windows clients to resolve short hostnames into fully qualified domain names (FQDNs).

  • DNS Resolution Zones (optional): Define split DNS behavior by routing specific domains through specified DNS servers.

    Note

    Some operating systems (like Windows) may only honor the first domain listed in split DNS configurations.

🧩 InterClient Communication

Control how connected VPN clients can interact with one another.

  • Global InterClient Communication: Choose one of the following policies:

    • Isolate all users: Blocks all client-to-client communication.

    • Allow user-to-user connections: Enables peer-to-peer communication.

    • Admins can access all users: Allows only admin users to initiate connections to other users.

  • Access to the internal gateway address: Toggle Allow client access to services on the VPN network to let clients access internal services hosted by the Access Server itself.