diff --git a/doc/sample.config b/doc/sample.config
index 9a67787f..d3f7a39e 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -466,6 +466,13 @@ route = 192.168.0.0/255.255.0.0
 
 no-route = 192.168.5.0/255.255.255.0
 
+# If set, the script /usr/bin/ocserv-fw will be called to restrict
+# the user to its allowed routes and prevent him from accessing
+# any other routes. All the routes applied by ocserv can be reverted
+# using /usr/bin/ocserv-fw --removeall. This option can be set globally
+# or in the per-user configuration.
+#restrict-user-to-routes = true
+
 # When set to true, all client's iroutes are made visible to all
 # connecting clients except for the ones offering them. This option
 # only makes sense if config-per-user is set.