core: Unbound is not bound to OpenVPN interface

Describe the bug

Unbound is not bound to the OpenVPN interface. Therefore OpenVPN clients are not able to resolve DNS names.

To Reproduce

Steps to reproduce the behavior:

  1. Set up at least one OpenVPN server
  2. Add IP of OpenVPN interface (10.0.11.1) as DNS resolver for VPN clients in the settings
  3. Set up Unbound to listen on OpenVPN interface
  4. Connect with client and try to resolve any internal or external DNS name

Expected behavior

The VPN client should be able to resolve internal and external DNS names with Unbound. This worked with OPNsense 18.7.1_3-amd64.

Relevant log files

/var/unbound/access_lists.conf

access-control: 127.0.0.1/8 allow
access-control: ::1/64 allow
access-control: 10.0.15.1/24 allow #Guest VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.1.1/24 allow #Management VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.10.1/24 allow #Client VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.11.1/24 allow #OpenVPN
access-control: fe80::feaa:14ff:fee2:bff3/64 allow
#IPsec
access-control: 192.168.0.200/32 allow

/var/unbound/unbound.conf

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /root.hints
use-syslog: yes
port: 53
verbosity: 2
hide-identity: yes
hide-version: yes
harden-referral-path: no
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 512
outgoing-range: 1024
infra-host-ttl: 900
infra-cache-numhosts: 10000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8

auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: yes

# Interface IP(s) to bind to
interface: 10.0.15.1
interface: fe80::feaa:14ff:fee2:bff1%re1_vlan15
interface: 10.0.1.1
interface: fe80::feaa:14ff:fee2:bff1%re1
interface: 10.0.10.1
interface: fe80::feaa:14ff:fee2:bff1%hn1_vlan10
interface: 127.0.0.1
interface: ::1
interface: fe80::1%lo0

# Outgoing interfaces to be used
outgoing-interface: 10.0.224.2


# DNS Rebinding
# For DNS Rebinding prevention
#
# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
#
# IPv4 Addresses
#
private-address: 0.0.0.0/8       # Broadcast address
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     # Loopback Localhost
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24    # IANA IPv4 special purpose net
private-address: 192.0.2.0/24    # Documentation network TEST-NET
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15   # Used for testing inter-network communications
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
#
# IPv6 Addresses
#
private-address: ::1/128         # Loopback Localhost
private-address: 2001:db8::/32   # Documentation network IPv6
private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10       # Link-local address (LLA)
# Set private domains in case authoritative name server returns a Private IP address
private-domain: "rncdn7.com"
domain-insecure: "rncdn7.com"


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf



# Forwarding
forward-zone:
    name: "."
        forward-addr: 9.9.9.9
        forward-addr: 149.112.112.112


remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

Additional context

As you can see, access_lists.conf contains the VPN interface 10.0.11.0/24, but unbound.conf does not list it under the bound interfaces. The sockets list shows the same (no socket for 10.0.11.1:53). I've added a second VPN server to verify that it's not a problem with my main OpenVPN server. I've also reproduced the issue in a VM with OPNsense 19.1.4.

Environment

OPNsense 19.1.4-amd64, Intel® Celeron® CPU J1900 @ 1.99GHz (4 cores), OnBoard Realtek: 2 x Realtek GbE OnBoard LAN chips (10/100/1000 Mbit)
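A check for the mismatch the report describes, added here as an example; it is not part of the issue and not OPNsense code. It parses the `interface:` lines of unbound.conf and the `access-control:` lines of access_lists.conf and reports every allowed network in which Unbound has no bound address, which is exactly the 10.0.11.0/24 gap above. The two configuration strings are constructed from the files posted in the report (unbound.conf trimmed to its bind section); the function names are my own.

```python
import ipaddress
import re
import sys

# Constructed sample input: the bind section of the unbound.conf posted in the
# report and the posted access_lists.conf (duplicate IPv6 link-local lines
# collapsed). Both are assumptions for the demonstration, not live files.
SAMPLE_UNBOUND_CONF = """\
server:
interface: 10.0.15.1
interface: fe80::feaa:14ff:fee2:bff1%re1_vlan15
interface: 10.0.1.1
interface: fe80::feaa:14ff:fee2:bff1%re1
interface: 10.0.10.1
interface: fe80::feaa:14ff:fee2:bff1%hn1_vlan10
interface: 127.0.0.1
interface: ::1
interface: fe80::1%lo0
outgoing-interface: 10.0.224.2
include: /var/unbound/access_lists.conf
"""

SAMPLE_ACCESS_LISTS = """\
access-control: 127.0.0.1/8 allow
access-control: ::1/64 allow
access-control: 10.0.15.1/24 allow #Guest VLAN
access-control: fe80::feaa:14ff:fee2:bff1/64 allow
access-control: 10.0.1.1/24 allow #Management VLAN
access-control: 10.0.10.1/24 allow #Client VLAN
access-control: 10.0.11.1/24 allow #OpenVPN
access-control: fe80::feaa:14ff:fee2:bff3/64 allow
#IPsec
access-control: 192.168.0.200/32 allow
"""

# 'interface:' only; this does not match 'outgoing-interface:' or
# 'control-interface:' because those do not start with the keyword.
INTERFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")
ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


def listen_addresses(unbound_conf):
    """Addresses Unbound binds, taken from its 'interface:' lines.

    Link-local IPv6 entries carry a %scope suffix (fe80::1%lo0) and any
    entry may carry an @port suffix; ipaddress accepts neither, so both
    are cut off before parsing.
    """
    addrs = []
    for line in unbound_conf.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            token = m.group(1).split("%", 1)[0].split("@", 1)[0]
            addrs.append(ipaddress.ip_address(token))
    return addrs


def allowed_networks(access_lists_conf):
    """(network, action) pairs from 'access-control:' lines.

    OPNsense writes the interface address with its prefix (10.0.11.1/24),
    i.e. with host bits set, so strict=False is needed to parse it.
    """
    nets = []
    for line in access_lists_conf.splitlines():
        m = ACL_RE.match(line)
        if m:
            nets.append((ipaddress.ip_network(m.group(1), strict=False),
                         m.group(2)))
    return nets


def allowed_but_not_listening(unbound_conf, access_lists_conf):
    """Allowed networks in which Unbound has no listening address.

    Single-host entries (/32, /128) are skipped: they describe remote
    clients such as the IPsec peer, which reach Unbound over whichever
    interface routes them, not over an interface with that address.
    A wildcard bind (0.0.0.0 or ::) satisfies every network of its family.
    """
    listeners = listen_addresses(unbound_conf)
    missing = []
    for net, action in allowed_networks(access_lists_conf):
        if not action.startswith("allow"):
            continue
        if net.prefixlen == net.max_prefixlen:
            continue
        if any(a.version == net.version and (a.is_unspecified or a in net)
               for a in listeners):
            continue
        missing.append(str(net))
    return missing


if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to unbound.conf and access_lists.conf
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            conf, acl = f1.read(), f2.read()
    else:
        conf, acl = SAMPLE_UNBOUND_CONF, SAMPLE_ACCESS_LISTS
    for net in allowed_but_not_listening(conf, acl):
        print("allowed in access list but no listener bound in", net)
```

Run without arguments it checks the embedded sample and reports 10.0.11.0/24; with the two paths `/var/unbound/unbound.conf /var/unbound/access_lists.conf` it checks the live files on the firewall. `sockstat -l -p 53` on FreeBSD shows the sockets Unbound actually opened, which is the same view the report's "sockets list" refers to. Since OPNsense regenerates /var/unbound/unbound.conf when the service is reconfigured, the missing `interface:` line has to come from the generated configuration, not from a manual edit of that file.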

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 31 (18 by maintainers)

Most upvoted comments

Yes, I have seen it and I rejoiced 😃