satopenpli

Member Since 9 Feb 2022
Offline Last Active 22 Jun 2023 21:51
-----

Topics I've Started

IPv6 and 403.6 IP address rejected

22 June 2023 - 12:21

I've got multiple network sites at different physical locations, each using a separate /44 public IPv6, announced over BGP. Each site is P2P connected over WireGuard tunnels and dynamically routed using BIRD.
As it stands, OpenWebif on the OpenPLI boxes running at these sites is only accessible from the same network; trying to access it from another site gives a "403.6 IP address rejected" error, even though the actual connection is allowed in the site firewall, trusted and VPN-encrypted.

Anyway, I see OpenWebif is trying to play a poor man's firewall role, limiting connections from the same subnet, or using some silly algorithm when "Enable access from VPNs" is checked.

But it's not something an end-user device should do; OpenWebif has no idea of the underlying network topology to police incoming connections. Any attempt to run such heuristics on an end-user box is a feel-good band-aid; it can't work reliably and only gives a false sense of security.

Any way to disable this check?


STB with mainline kernel?

30 June 2022 - 08:30

Looking for an STB running OpenPLI with a mainline kernel. Does such a beast exist?

No vendor board-support-package junk with ancient kernels and millions of patches slapped on, but a 100% Linux mainline supported box.

Or am I dreaming?