[Unbound] OpenVPN-Interface not adding OpenVPN-Subnet to Internal Access List

[alpha197]

When adding an OpenVPN-Interface as "Listen Interface" for Unbound the (automatically generated) Internal Access List restricts to the interface adress with 32-metrics (e.g. 10.0.8.1/32). OpenVPN-Clients won´t get access to Unbound unless adding the OpenVPN subnet as a manual access list (eg. 10.0.8.1/24).

See screenshots from here:
https://forum.opnsense.org/index.php?topic=5764.0

[fichtner]

@alpha197 thank you, please ping me again when I'm being lazy 👍

[tokred]

@fichtner ping :)

Just stumbled over the same problem. VPN network is 10.99.0.0/24, but auto ACL was set for 10.0.0.0/24 (wrong, see below)

Best regards

[fichtner]

This thing has a couple of flaws... what are your access-control entries in /var/unbound/unbound.conf?

[tokred]

Just checked, my ACL entries in /var/unbound/access_lists.conf:

access-control: 127.0.0.1/32 allow
access-control: ::1 allow
access-control: 10.0.0.0/24 allow           ## = VLAN interface
access-control: 192.168.1.0/24 allow        ## = VLAN interface
access-control: 192.168.20.0/24 allow       ## = VLAN interface
access-control: 2xx.1xx.xx3.xx/30 allow     ## = WAN interface
# ovpn manual entry
access-control: 10.99.0.0/24 allow          ## had to be added manually

In my previous post, I falsely claimed an auto ACL for 10.0.0.0/24, but forgot that I have a VLAN interface on 10.0.0.1/24. Therefore, in my case the OpenVPN subnet was simply not covered by an automatism which should have added it to the ACL.

Best regards

[fichtner]

I'm not sure if we can derive this for OpenVPN clients at all, what does @mimugmail think?

[fichtner]

The feature was reworked, we will need to find a better way for OpenVPN if requested, but making it fully manual like IPsec is better for now. See #2472