diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index 549f82b33..1e68dadb1 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -694,7 +694,24 @@ function unbound_acls_subnets()
 global $config;
 if (!empty($config['unbound']['active_interface'])) {
- $active_interfaces = array_flip(explode(",", $config['unbound']['active_interface']));
+ $active_interfaces = array_flip(explode(',', $config['unbound']['active_interface']));
+
+ /* in case of OpenVPN interface we need to correct the subnet */
+ foreach (array('server', 'client') as $mode) {
+ foreach (config_read_array('openvpn', "openvpn-{$mode}") as $id => $setting) {
+ $ovpn = 'ovpn' . substr($mode, 0, 1) . $setting['vpnid'];
+ if (!array_key_exists($ovpn, $active_interfaces)) {
+ continue;
+ }
+ $active_interfaces[$ovpn] = [];
+ if (!empty($setting['tunnel_network'])) {
+ $active_interfaces[$ovpn]['net4'] = explode('/', $setting['tunnel_network'])[1];
+ }
+ if (!empty($setting['tunnel_networkv6'])) {
+ $active_interfaces[$ovpn]['net6'] = explode('/', $setting['tunnel_networkv6'])[1];
+ }
+ }
+ }
 } else {
 $active_interfaces = get_configured_interface_with_descr();
 }
@@ -702,8 +719,13 @@ function unbound_acls_subnets()
 /* add our networks for active interfaces including localhost */
 $subnets = array('127.0.0.1/8', '::1/64');
- foreach (array_keys($active_interfaces) as $ubif) {
+ foreach ($active_interfaces as $ubif => $ubextra) {
 foreach (legacy_getall_interface_addresses(get_real_interface($ubif)) as $subnet) {
+ if (!empty($ubextra['net4']) && is_subnetv4($subnet)) {
+ $subnet = explode('/', $subnet)[0] . $ubextra['net4'];
+ } elseif (!empty($ubextra['net6']) && is_subnetv6($subnet)) {
+ $subnet = explode('/', $subnet)[0] . $ubextra['net6'];
+ }
 $subnets[] = $subnet;
 }
 }
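Review bot: The prefix length is read with `explode('/', $setting['tunnel_network'])[1]` (and the same for `tunnel_networkv6`) without checking that the stored value has a `/` part or that the part is numeric. A malformed entry would therefore yield an undefined offset, or an arbitrary string that is later glued onto an address destined for the subnet list. I would split once and keep the value only when it is a plain number, e.g. `$parts = explode('/', $setting['tunnel_network']);` followed by `if (isset($parts[1]) && ctype_digit($parts[1])) { $active_interfaces[$ovpn]['net4'] = $parts[1]; }`. The loop variable `$id` is unused and can be dropped. The body of `unbound_acls_subnets()` starts before and continues after this hunk.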
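Review bot: The rebuilt subnet in the inner `foreach` is missing the `/` separator, because `explode('/', $subnet)[0] . $ubextra['net4']` appends the prefix length directly to the address. With constructed sample values, `10.8.0.1` and `24` become `10.8.0.124`, so the entry names a different host and no longer covers the tunnel network. Judging by the function name, this list feeds the resolver's access control, in which case VPN clients would be refused and an unrelated address admitted. Both branches should read `$subnet = explode('/', $subnet)[0] . '/' . $ubextra['net4'];` and `$subnet = explode('/', $subnet)[0] . '/' . $ubextra['net6'];`. The function continues past the end of this hunk.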