Thursday 5 March 2009

OpenVPN: Hooked!

Authorization.

OpenVPN 2.x provides a number of script hooks. Which of them are useful for authorization, i.e. for deciding whether an already authenticated client may hold the virtual address and routes it is about to get?

--up, --down ... run when the tun/tap device is opened or closed, and on a server that is one device shared by all clients, so there is no per-client information. Mostly used on the client side, for example to restore network settings in a --down hook after a VPN disconnect. Not suitable.

--route-up ... runs once the routes have been added; on the server that happens at startup, and we don't have a client common_name at this point. Not suitable.

--ipchange ... runs when the remote peer's IP address is first authenticated or changes. Meant for point-to-point and client use; discouraged in server mode.

--auth-user-pass-verify ... authentication, not authorization. Too early: the client is not trusted yet and doesn't have an assigned IP address.

--tls-verify ... runs for each certificate in the chain while the TLS handshake is still being verified, i.e. pre-authentication. Too early.

--client-connect, --client-disconnect ... run straight after the client has been authenticated, with common_name and the virtual address chosen for the client (ifconfig_pool_remote_ip) in the environment, and a non-zero exit status from --client-connect drops the client. Good enough, if we're a bit careful: the address the script sees has to be the one the client ends up with, so don't reassign addresses (ifconfig-push) in client-specific config files behind its back. Easy to understand triggering conditions, and it has all the parameters we need.

--learn-address ... perhaps the architecturally correct place to put it: it is run with the operation (add, update or delete), the address or network and (for add and update) the common name whenever OpenVPN learns a client's virtual address, an iroute or, in tap mode, a MAC address, and a non-zero exit status rejects that address. Somewhat harder to understand the triggering condition, though. Documented as "Run script or shell command cmd to validate client virtual addresses or routes."
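As an added example (not code from the post, and in sh rather than the promised Perl), here is one script that can be installed as both --client-connect and --learn-address, so the same allow list answers "may this client hold this address?" whichever hook fires. It assumes an OpenVPN 2.1+ server config containing `script-security 2`, `client-connect /etc/openvpn/authz.sh` and `learn-address /etc/openvpn/authz.sh` (path is hypothetical), and a constructed allow list AUTHZ_TABLE embedded inline; it relies on the documented environment variables script_type, common_name and ifconfig_pool_remote_ip for --client-connect and on the documented positional arguments of --learn-address.

```shell
#!/bin/sh
# Added example, not from the post: one authorization script serving both
# --client-connect and --learn-address. Assumed server configuration:
#   script-security 2
#   client-connect /etc/openvpn/authz.sh     (hypothetical path)
#   learn-address  /etc/openvpn/authz.sh
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip for
# --client-connect, and runs --learn-address as:
#   authz.sh <add|update|delete> <address-or-network> [common_name]

# Constructed allow list of "common_name address" pairs, one line per address
# or network a client may hold (iroute networks as "cn 10.9.0.0/24"). A real
# deployment would read this from a file or a directory service.
AUTHZ_TABLE='
alice 10.8.0.6
bob 10.8.0.10
bob 10.9.0.0/24
carol 10.8.0.14
'

log() {
    printf 'openvpn-authz: %s\n' "$*" >&2
}

# authorized CN ADDRESS: succeed only if that exact pair is in AUTHZ_TABLE.
authorized() {
    # Refuse anything outside a conservative character set before matching.
    # A common name is whatever the CA signed; one containing a newline would
    # otherwise let grep -F match a table line belonging to someone else.
    case "$1" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    case "$2" in ''|*[!0-9a-fA-F:./]*) return 1 ;; esac
    printf '%s\n' "$AUTHZ_TABLE" | grep -qxF -- "$1 $2"
}

# --client-connect: CN and the address chosen for the client come from the
# environment. A non-zero exit status makes OpenVPN drop the client.
client_connect() {
    if authorized "$1" "$2"; then
        log "client-connect: allow $1 at $2"
        return 0
    fi
    log "client-connect: deny $1 at $2"
    return 1
}

# --learn-address: $1 operation, $2 address or network, $3 common name
# (absent on delete). A non-zero exit on add/update makes OpenVPN reject the
# address, so a client can neither take over another client's IP nor bring
# up an iroute it is not entitled to.
learn_address() {
    case "$1" in
        delete)
            return 0 ;;                 # teardown needs no decision
        add|update)
            if authorized "${3:-}" "$2"; then
                log "learn-address: $1 $2 for ${3:-}"
                return 0
            fi
            log "learn-address: reject $2 for ${3:-}"
            return 1 ;;
        *)
            log "learn-address: unknown operation '$1'"
            return 1 ;;
    esac
}

# Dispatch on the hook OpenVPN is running us as. The chosen function's status
# becomes the script's exit status; with script_type unset nothing runs.
case "${script_type:-}" in
    client-connect) client_connect "${common_name:-}" "${ifconfig_pool_remote_ip:-}" ;;
    learn-address)  learn_address "$@" ;;
esac
```

Keeping the decision in one function (`authorized`) is the point: --client-connect gives an early, easy to read yes/no per session, while --learn-address re-checks every address and route as OpenVPN actually learns it, which is where an address takeover would otherwise slip through.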

I know, I know, I promised Perl hacking here... next time.
