I’m releasing two small perl scripts I wrote which provide the client-connect and client-disconnect scripts for OpenVPN such that you can dynamically create IPtables firewall rules based on LDAP group memberships. You push out routes to all your internal networks to the user then using IPtables only allow traffic to specific destinations and ports. This allows you to give out customized and limited VPN access, or VPN access based on roles.
Rules are looked up in an LDAP database using the common name of the certificate as the unqiueMember to a groupOfUniqeMembers. Details of how to install it are in the zip.
Currently it only supports TCP protocol. It could easily be extended to support other protocols.