fix: allow private access to vhost targets on public gateways

core/src/net/vhost.rs

@@ -734,19 +734,11 @@ where
         };
 
         let src = tcp.peer_addr.ip();
-        // Private: source is in a known subnet or is a private IP (e.g. VPN on a different VLAN)
+        let dst = tcp.local_addr.ip();
-        let is_public =
-            !ip_info.subnets.iter().any(|s| s.contains(&src)) && !is_private_ip(src);
 
-        if is_public {
         self.public.contains(&gw.id)
-        } else {
+            || (self.private.contains(&dst)
-            // Private: accept if connection arrived on an interface with a matching IP
+                && (ip_info.subnets.iter().any(|s| s.contains(&src)) || is_private_ip(src)))
-            ip_info
-                .subnets
-                .iter()
-                .any(|s| self.private.contains(&s.addr()))
-        }
     }
     fn acme(&self) -> Option<&AcmeProvider> {
         self.acme.as_ref()