Hi there, I have a question about the Firewall / OpenVPN connectivity and restricting users:

TL;DR - Is there a way to use the OpenVPN Group as a Firewall Rule trigger so I do not have to set up identical rules for several dozen VPN users?

Long Version:

We are in the process of replacing our older Untangle box (v9.4.2) with a new box running the latest stable Untangle (v11.2). As we go through our rack configuration and set things up, we noticed a big difference in the OpenVPN capabilities on v11 and it has an impact on our access control. We have three Address Pools configured that we use with the Firewall to restrict access to resources, so if I create a VPN user in the "Full Access" pool, they get the entire internal network, but if I create a VPN user and assign them to the "Restricted Access" pool, the firewall rules will prevent them from accessing anything outside of the resources we have granted in those rules.

In v11, you can no longer create multiple address pools for OpenVPN, and the suggested method of restricting access is to have firewall rules that use the "Username" field of the VPN user to restrict access. This changes the number of rules I have to set up from 3-6 rules per Address Pool to 3-6 per VPN User, multiplied by 50 or so VPN users. It also makes managing those rules down the line more cumbersome as they must be toggled for each user, etc. instead of being able to toggle it on an entire group. We have external contractors to whom we frequently grant VPN access to some internal resources, and I feel like this will become a nightmare to manage over time.

The v11 OpenVPN settings do have the concept of Groups, but that is only to establish DNS override and full/split tunnel configs for a group of VPN users. I am not seeing a way to use that Group in the Firewall settings to filter based on that instead of each individual user. I am not sure if I am just missing that option or if it does not exist, so I wanted to ask around and see if anyone else has found any way to manage VPN user access in groups instead of the extremely granular individual user method (which is still useful for overrides, but maintaining that as the ONLY way is painful).