Being able to properly filter wasn't really possible until 2.0. You can do it in 1.2.3 but it's not ideal.

It's not missing. Assign users a static IP using Client-Specific Overrides (CSC). Setup firewall rules to block them from reaching things you don't want.

I doubt their program is compatible with FreeBSD/pf anyhow, and wouldn't be worth the trouble.

Thanks @jimp! I thought it was impossible to filter incoming VPN traffic natively. In fact, I'm still running on 1.2-RELEASE and this feature was added to 1.2.3-RC1. I'm planning an upgrade to 2.0-RC3 really soon. What's the upgrade path to 1.2 -> 2.0? I also heard 2.0-RELEASE was coming really soon!

I doubt their program is compatible with FreeBSD/pf anyhow, and wouldn't be worth the trouble.

First I've heard of it, but I'm not sure what it really offers that would be beneficial. We can already do user auth, tls, etc. Would probably be easier to extend our login code to blacklist repeated failed logins than add some other plugin.

One thing that is missing in OpenVPN is the user-based network accces. I would like some external users (ex. consultants) to log into the VPN and have access to some systems (not the whole LAN).

eurephia supports dynamic firewall updates per connection/session on Linux based router/firewall running OpenVPN. This means that each user account may have their own restricted access profile to the network, and you can control the network access with great granularity. This is achieved by using predefined iptables chains, which is activated after the user is authenticated

I cannot see a need to implement this, there are no differenes to the functionality now in 2.0 !?