Today I learned again, that sometimes the devil is in the details. We are running OpenVPN since years. We are running it in a way, that we differ between “normal users” and “power users”. While normal users are restricted to perform only the least needed within the VPN, power users (like NetOps) are granted a couple of more things. We are using the “client-config-dir” option for this. Basically a power user will have a special config file in that client-config-dir that assigns the different options to the user, once he connects.