"This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
#2
25.7, 25.10 Series / OPNcentral – Disable automatic WebGUI login via API user / enforce OpenID login
October 21, 2025, 08:28:27 PM
Hello everyone,
we are using OPNsense Business 25.10 with the OPNcentral module enabled and would like to adjust the current login behavior when accessing managed hosts.
At the moment, when clicking on a host in OPNcentral, an automatic WebGUI login is performed using the API user credentials stored in OPNcentral.
We would like to disable this automatic login, so that instead the regular login dialog (OpenID Connect / Keycloak) appears.
The goal is to ensure that all administrative access is authenticated through our central Identity Provider and properly logged for auditing purposes.
OpenID integration already works reliably on the individual firewalls.
However, within OPNcentral we cannot find any option to disable the automatic login or switch to OpenID-based authentication.
So our questions are:
Is there any way (e.g. via a configctl opncentral.* parameter or configuration setting) to disable automatic WebGUI login via OPNcentral?
Alternatively, can OPNcentral be configured to always show the regular OpenID login when accessing a managed host?
Thanks in advance for any advice or workaround!
Christian
we are using OPNsense Business 25.10 with the OPNcentral module enabled and would like to adjust the current login behavior when accessing managed hosts.
At the moment, when clicking on a host in OPNcentral, an automatic WebGUI login is performed using the API user credentials stored in OPNcentral.
We would like to disable this automatic login, so that instead the regular login dialog (OpenID Connect / Keycloak) appears.
The goal is to ensure that all administrative access is authenticated through our central Identity Provider and properly logged for auditing purposes.
OpenID integration already works reliably on the individual firewalls.
However, within OPNcentral we cannot find any option to disable the automatic login or switch to OpenID-based authentication.
So our questions are:
Is there any way (e.g. via a configctl opncentral.* parameter or configuration setting) to disable automatic WebGUI login via OPNcentral?
Alternatively, can OPNcentral be configured to always show the regular OpenID login when accessing a managed host?
Thanks in advance for any advice or workaround!
Christian
#3
German - Deutsch / Kurzanleitung: Keycloak-Integration mit OPNsense (OpenID Connect)
October 19, 2025, 02:25:21 PM
In Keycloak
Neuen Client vom Typ OpenID Connect anlegen
Client-Authentifizierung und Standard Flow aktivieren
Redirect-URI:
https://<fw-fqdn>[:<port>]/api/oidc/rp/finalize/<application-code>
(Port nur angeben, wenn er vom Standard 443 abweicht)
Post-Logout-Redirect-URI:
https://<fw-fqdn>[:<port>]/*
Web Origins:
https://<fw-fqdn>[:<port>]
Für mehrere Firewalls einfach weitere Redirect-URIs im selben Client ergänzen
Scopes: openid profile email
Mapper anlegen:
preferred_username → User Property username
email → User Property email
name → Full Name (oder firstName + lastName)
groups → Group Membership Mapper (Full path aus, Add to ID/Access/Userinfo an)
Client-ID und Client-Secret notieren
In OPNsense 25.10 BE
Menü: System → Zugriff → OpenID Connect → ,,+" neuen Provider anlegen
Application code: frei wählbar (z. B. opnsense-gui-admin)
Dienst: WebGui / Admin
Provider URL: https://<keycloak-host>/realms/<realm>
Client-ID / Client-Geheimnis: aus Keycloak
Authentifizierungsmethode: Use offered
User identification field: preferred_username oder email
Create user: aktivieren
Damit authentifiziert sich die OPNsense-Weboberfläche zentral über Keycloak (OpenID Connect).
Neuen Client vom Typ OpenID Connect anlegen
Client-Authentifizierung und Standard Flow aktivieren
Redirect-URI:
https://<fw-fqdn>[:<port>]/api/oidc/rp/finalize/<application-code>
(Port nur angeben, wenn er vom Standard 443 abweicht)
Post-Logout-Redirect-URI:
https://<fw-fqdn>[:<port>]/*
Web Origins:
https://<fw-fqdn>[:<port>]
Für mehrere Firewalls einfach weitere Redirect-URIs im selben Client ergänzen
Scopes: openid profile email
Mapper anlegen:
preferred_username → User Property username
email → User Property email
name → Full Name (oder firstName + lastName)
groups → Group Membership Mapper (Full path aus, Add to ID/Access/Userinfo an)
Client-ID und Client-Secret notieren
In OPNsense 25.10 BE
Menü: System → Zugriff → OpenID Connect → ,,+" neuen Provider anlegen
Application code: frei wählbar (z. B. opnsense-gui-admin)
Dienst: WebGui / Admin
Provider URL: https://<keycloak-host>/realms/<realm>
Client-ID / Client-Geheimnis: aus Keycloak
Authentifizierungsmethode: Use offered
User identification field: preferred_username oder email
Create user: aktivieren
Damit authentifiziert sich die OPNsense-Weboberfläche zentral über Keycloak (OpenID Connect).
#4
German - Deutsch / Re: OPNCentral 25.10 BE – automatisches WebGUI-Login deaktivieren bzw. durch OpenID
October 19, 2025, 01:43:18 PM
Bei uns läuft alles über keycloak.
Ich mache später einen neuen Post auf wo ich kurz beschreibe was bei mir drinnen steht.
Habe ein neuen Thread dafür angelegt. - Kurzanleitung: Keycloak-Integration mit OPNsense (OpenID Connect)
Ich mache später einen neuen Post auf wo ich kurz beschreibe was bei mir drinnen steht.
Habe ein neuen Thread dafür angelegt. - Kurzanleitung: Keycloak-Integration mit OPNsense (OpenID Connect)
#5
German - Deutsch / OPNCentral 25.10 BE – automatisches WebGUI-Login deaktivieren bzw. durch OpenID
October 19, 2025, 01:21:58 PM
Hallo zusammen,
wir setzen die OPNsense Business Edition 25.10 mit aktivem OPNCentral-Modul ein.
Beim Öffnen eines verwalteten Hosts erfolgt derzeit ein automatisches WebGUI-Login über den hinterlegten API-User.
Wir möchten dieses Verhalten abschalten und stattdessen die OpenID-Anmeldung verwenden, damit alle Zugriffe nachvollziehbar und über unseren zentralen Identity-Provider (Keycloak) protokolliert werden.
Die OpenID-Anbindung funktioniert auf den einzelnen Firewalls bereits sehr zuverlässig.
In OPNCentral finde ich jedoch keine Option, das automatische Login zu deaktivieren oder auf OpenID umzuschalten.
Gibt es hierfür eine Einstellung oder einen configctl-Parameter, um das Verhalten zentral zu steuern?
Christian
wir setzen die OPNsense Business Edition 25.10 mit aktivem OPNCentral-Modul ein.
Beim Öffnen eines verwalteten Hosts erfolgt derzeit ein automatisches WebGUI-Login über den hinterlegten API-User.
Wir möchten dieses Verhalten abschalten und stattdessen die OpenID-Anmeldung verwenden, damit alle Zugriffe nachvollziehbar und über unseren zentralen Identity-Provider (Keycloak) protokolliert werden.
Die OpenID-Anbindung funktioniert auf den einzelnen Firewalls bereits sehr zuverlässig.
In OPNCentral finde ich jedoch keine Option, das automatische Login zu deaktivieren oder auf OpenID umzuschalten.
Gibt es hierfür eine Einstellung oder einen configctl-Parameter, um das Verhalten zentral zu steuern?
Christian
#6
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 17, 2025, 03:08:58 PM
I can confirm that. It's working again.
#7
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 17, 2025, 07:26:18 AM
I've found the root cause of the issue.
Both packages — os-sunnyvalley and os-sensei — contain a hardcoded repository configuration under
/usr/local/etc/pkg/repos/SunnyValley.conf
In that file, the repository URL still points to:
.../25.7/
After manually changing this to:
.../25.10/
everything works perfectly again.
The package manager loads correctly, all extensions are displayed, and Zenarmor can be installed and updated without any issues.
So the problem is simply that the Sunny Valley repository URL in these packages still references version 25.7 instead of 25.10.
I also reported this in my ticket to Sun Valley.
Both packages — os-sunnyvalley and os-sensei — contain a hardcoded repository configuration under
/usr/local/etc/pkg/repos/SunnyValley.conf
In that file, the repository URL still points to:
.../25.7/
After manually changing this to:
.../25.10/
everything works perfectly again.
The package manager loads correctly, all extensions are displayed, and Zenarmor can be installed and updated without any issues.
So the problem is simply that the Sunny Valley repository URL in these packages still references version 25.7 instead of 25.10.
I also reported this in my ticket to Sun Valley.
#8
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 16, 2025, 06:10:02 PM
Alright, then I'll open a ticket with Sunny Valley about this — after all, they're getting quite a bit of money every year for the Business subscriptions.
#9
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 16, 2025, 01:31:25 PM
Thanks Franco, that makes sense.
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?
I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.
Thanks again for clarifying!
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?
I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.
Thanks again for clarifying!
#10
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 16, 2025, 10:45:46 AM
Removing os-sunnyvalley immediately resolves the issue — all extensions are shown again.
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?
#11
25.7, 25.10 Series / Re: After update to 25.10: “opnsense-business” release type not available
October 16, 2025, 09:37:40 AM
I ran a full Health Audit — it completed successfully and no errors or inconsistencies were found.
However, the issue remains:
All extensions are still marked as "orphaned", and no additional packages are listed besides the ones already installed.
However, the issue remains:
All extensions are still marked as "orphaned", and no additional packages are listed besides the ones already installed.
Code Select
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.10 (amd64) at Thu Oct 16 09:30:15 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.6
os-OPNcentral 1.11_2
os-acme-client 4.10
os-apcupsd 1.2_3
os-cpu-microcode-intel 1.1
os-ddclient 1.27_4
os-dmidecode 1.2
os-hw-probe 1.0_1
os-netbird 1.1
os-nginx 1.35_2
os-sensei 2.1
os-sensei-agent 2.1
os-sensei-updater 1.18
os-smart 2.4
os-sunnyvalley 1.5
os-tftp 1.0
os-zabbix7-agent 1.17
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 25.10 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
#12
25.7, 25.10 Series / After update to 25.10: “opnsense-business” release type not available
October 16, 2025, 07:38:03 AM
After updating my OPNsense Business Edition from version 25.4 to 25.10, no packages are available anymore under
System → Firmware → Extensions.
The following error is shown:
The release type "opnsense-business" is not available in this repository.
Additionally, all installed extensions show up as "orphaned", even though they were updated successfully.
Running the usual update commands via shell shows that the repositories themselves are reachable, but the business release type seems to be missing:
root@fw:~ # pkg update
Updating OPNsense repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 256 KiB 262.0kB/s 00:01
Processing entries: 100%
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
root@fw:~ # opnsense-update
Nothing to do.
Environment:
OPNsense Business Edition 25.10
Previous version: 25.4
Default Business repository enabled
No manual changes to repository or mirror configuration
Expected behavior:
Business repository should be automatically recognized after the update
Installed extensions should not appear as "orphaned"
Package and plugin management should continue to function normally
Actual behavior:
Error: "The release type 'opnsense-business' is not available in this repository."
All extensions appear as orphaned
No new plugins or packages can be loaded
System → Firmware → Extensions.
The following error is shown:
The release type "opnsense-business" is not available in this repository.
Additionally, all installed extensions show up as "orphaned", even though they were updated successfully.
Running the usual update commands via shell shows that the repositories themselves are reachable, but the business release type seems to be missing:
root@fw:~ # pkg update
Updating OPNsense repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 256 KiB 262.0kB/s 00:01
Processing entries: 100%
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
root@fw:~ # opnsense-update
Nothing to do.
Environment:
OPNsense Business Edition 25.10
Previous version: 25.4
Default Business repository enabled
No manual changes to repository or mirror configuration
Expected behavior:
Business repository should be automatically recognized after the update
Installed extensions should not appear as "orphaned"
Package and plugin management should continue to function normally
Actual behavior:
Error: "The release type 'opnsense-business' is not available in this repository."
All extensions appear as orphaned
No new plugins or packages can be loaded
#13
Virtual private networks / Re: OpenVPN Site to Site - Client MultiWAN no gateway group selection possible
February 12, 2021, 10:46:21 AM
Hello,
Interesting. I have the same configuration. I would be interested in the answer as well. Every now and then the policy routing is referred to. But so far I have not found any instructions or the decisive tip on the Internet or here in the forum. What definitely does not work is to use a gateway group as interface. This used to work with IPSEC but was abandoned in favor of policy based routing. Unfortunately, there is also very little information on how this should work now. As already written in the German forum, even the floating rules do not seem to work anymore. I.e. the tunnel is built up one level lower. Since also the binding to Localhost with a floating rule does not help.
regards
Christian
The scenario we are talking about here:
VPN LAN Outlet
| _________|________
| WAN1| | WAN2
| Internet
V |
| WAN1
Datacenter
|
LAN
Interesting. I have the same configuration. I would be interested in the answer as well. Every now and then the policy routing is referred to. But so far I have not found any instructions or the decisive tip on the Internet or here in the forum. What definitely does not work is to use a gateway group as interface. This used to work with IPSEC but was abandoned in favor of policy based routing. Unfortunately, there is also very little information on how this should work now. As already written in the German forum, even the floating rules do not seem to work anymore. I.e. the tunnel is built up one level lower. Since also the binding to Localhost with a floating rule does not help.
regards
Christian
The scenario we are talking about here:
VPN LAN Outlet
| _________|________
| WAN1| | WAN2
| Internet
V |
| WAN1
Datacenter
|
LAN
#14
German - Deutsch / Multiwan-Gatewaygruppe-Openvpn
February 11, 2021, 08:10:36 PM
Hallo Zusammen,
Folgendes einfaches Szenario:
VPN LAN Aussenstelle
| _________|________
| WAN1| | WAN2
| Internet
V |
| WAN1
RZ
LAN
WAN1 ist z.B. das Defaultgateway . Der VPN soll als Client (peer-to-peer) von der Aussenstelle das RZ/WAN1 ansprechen.
Dies soll er aber nicht über das Defaultgateway sondern über eine Gatewaygruppe tun. In dieser Gatewaygruppe ist WAN2-Tier 1 und WAN1-Tier2
Jetzt habe ich gelesen, das man dazu den OpenVPN Client an den localhost binden soll. Das funktioniert auch vom Grundsatz her.
all udp WAN1:62389 (127.0.0.1:11120) -> RZ/WAN1:11120
Natürlich geht er dann erst einmal über das Defaulgateway. Wie bekomme ich nun den Tunnel dazu, das er über die Gatewaygruppe geht? Eine schwebende Regel mit dem Interface Localhost sowie dem Port oder auch der Zieladresse funktioniert nicht. Scheinbar ist die Ausführung der Regel zu spät und der Tunnel steht zu diesen Zeitpunkt schon. Wie kann ich das Problem nun lösen?
lg
Christian
Folgendes einfaches Szenario:
VPN LAN Aussenstelle
| _________|________
| WAN1| | WAN2
| Internet
V |
| WAN1
RZ
LAN
WAN1 ist z.B. das Defaultgateway . Der VPN soll als Client (peer-to-peer) von der Aussenstelle das RZ/WAN1 ansprechen.
Dies soll er aber nicht über das Defaultgateway sondern über eine Gatewaygruppe tun. In dieser Gatewaygruppe ist WAN2-Tier 1 und WAN1-Tier2
Jetzt habe ich gelesen, das man dazu den OpenVPN Client an den localhost binden soll. Das funktioniert auch vom Grundsatz her.
all udp WAN1:62389 (127.0.0.1:11120) -> RZ/WAN1:11120
Natürlich geht er dann erst einmal über das Defaulgateway. Wie bekomme ich nun den Tunnel dazu, das er über die Gatewaygruppe geht? Eine schwebende Regel mit dem Interface Localhost sowie dem Port oder auch der Zieladresse funktioniert nicht. Scheinbar ist die Ausführung der Regel zu spät und der Tunnel steht zu diesen Zeitpunkt schon. Wie kann ich das Problem nun lösen?
lg
Christian
#15
17.7 Legacy Series / Re: [SOLVED] [Suricata] Suricata dropping traffic with IPS.
November 08, 2017, 04:11:17 PM
Same thing with us, I'm afraid. No problem without ips. With ips massive problems. No matter which driver. (tested virtio and e1000). I'm at a loss, too. It works in front of all with pfsense. Been wanting to replace our big pfsense for a long time. Doesn't make any real sense without ips.
Regards
Christian
Gesendet von meinem Redmi Note 4 mit Tapatalk
Regards
Christian
Gesendet von meinem Redmi Note 4 mit Tapatalk
