Page MenuHomeVyOS Platform

Extend ocserv support to allow for per-group configs
Open, Requires assessmentPublicFEATURE REQUEST


We have adapted our Vyos to extend ocserv to look for group membership in RADIUS authentication, and then apply a group specific ocserv config (mainly around only allowing certain subnet access on a per group/user basis)

This was done by editing the base template files in our Vyos install.

We would like to make this a normal function, by submitting code to make this a configure command.

Essentially extend the supported commands, contribute the python scripts to implement the changes, and adapt the base files to support this.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

@SquirePug Can you share more details, which templates and parameters did you edit?

@SquirePug Can you share more details, which templates and parameters did you edit?


I am the dev working on behalf of the @SquirePug. For our particular installation the template that was edited was located at


And the addition I made was the following two lines hardcoded into the template.

config-per-group = /etc/ocserv/config-per-group
default-group-config = /etc/ocserv/defaults/group.conf

I wasn't able to configure this directory via the cli using any of the

set vpn openconnect ...

commands so I browsed the source in order to see how it was generating the open connect configuration file and found the various config functions in and the template functions said file referenced which lead me to searching for the ocserv_config.tmpl file. This config allows us to pass groups in our RADIUS response to ocserv and forward routes on a per group level.

I am interested in contributing new commands listed below to optionally enable/disable group based configs and configure the directory for the per group configs, and the default group file:

set vpn openconnect config-per-group-mode <enabled|disabled> (default disabled)
set vpn openconnect config-per-group-directory <directory>
set vpn openconnect default-group-config <file>

If I could get some feedback as to whether this would be a welcome addition I can start working on a PR sometime soon, and I'll post an overview on how I plan to implement said commands.


For this we create text files as the group-config includes (they contain route and other per group config directives, generally around security).

Should we default the location of these files to somewhere in /config/ocserv/group-configs ?

Is there a preference on how to handle these additional end admin user created text files?

From memory, only files in /config persist after an update/upgrade?