Messages - ews

#2
Hi,

we're using OPNsense Business with OPNcentral and would like to centrally push Remote Logging / Syslog settings to multiple firewalls.

I can't find any provisioning option for this.
Is this currently possible or planned?

Thanks!
#3
It's already included in update 25.10_2.
It can be found under Administration - Host - Configuration - General Settings - uncheck the Auto Login box.
#5
Hello,
It's currently not possible. But it's coming soon.

https://github.com/opnsense/core/issues/9305#issuecomment-3430605677

Best regards

Christian
#7
Hello everyone,

we are using OPNsense Business 25.10 with the OPNcentral module enabled and would like to adjust the current login behavior when accessing managed hosts.

At the moment, when clicking on a host in OPNcentral, an automatic WebGUI login is performed using the API user credentials stored in OPNcentral.
We would like to disable this automatic login, so that instead the regular login dialog (OpenID Connect / Keycloak) appears.
The goal is to ensure that all administrative access is authenticated through our central Identity Provider and properly logged for auditing purposes.

OpenID integration already works reliably on the individual firewalls.
However, within OPNcentral we cannot find any option to disable the automatic login or switch to OpenID-based authentication.

So our questions are:

Is there any way (e.g. via a configctl opncentral.* parameter or configuration setting) to disable automatic WebGUI login via OPNcentral?

Alternatively, can OPNcentral be configured to always show the regular OpenID login when accessing a managed host?

Thanks in advance for any advice or workaround!
Christian
#8
In Keycloak

Create a new client of type OpenID Connect

Enable Client authentication and Standard flow

Redirect URI:
https://<fw-fqdn>[:<port>]/api/oidc/rp/finalize/<application-code>
(specify the port only if it differs from the default 443)

Post-logout redirect URI:
https://<fw-fqdn>[:<port>]/*

Web origins:
https://<fw-fqdn>[:<port>]

For multiple firewalls, simply add further redirect URIs in the same client

Scopes: openid profile email

Create mappers:

preferred_username → User Property username

email → User Property email

name → Full Name (or firstName + lastName)

groups → Group Membership mapper (Full path off, Add to ID/Access/Userinfo on)

Note down the client ID and client secret

In OPNsense 25.10 BE

Menu: System → Access → OpenID Connect → "+" to create a new provider

Application code: freely selectable (e.g. opnsense-gui-admin)

Service: WebGui / Admin

Provider URL: https://<keycloak-host>/realms/<realm>

Client ID / client secret: from Keycloak

Authentication method: Use offered

User identification field: preferred_username or email

Create user: enable

With this, the OPNsense web interface authenticates centrally via Keycloak (OpenID Connect).
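The redirect URI, post-logout URI and web-origin rules in the post above are easy to get subtly wrong when one Keycloak client serves several firewalls (a missing non-default port, or a wildcard redirect that is broader than the exact finalize URL). The script below is an added example, not OPNsense or Keycloak code: it derives the expected URL sets for a list of firewalls and audits a Keycloak client export against them; the export, firewall names and application code are constructed for illustration, and the Keycloak field names (`redirectUris`, `webOrigins`, the `post.logout.redirect.uris` attribute, `protocolMappers`) are those of Keycloak's client representation.

```python
"""Audit a Keycloak OIDC client export against the OPNsense WebGUI URL rules
given in the post above.  Added example, not OPNsense or Keycloak code; the
client export below is constructed for illustration."""
import json
def fw_base(fqdn: str, port: int = 443) -> str:
    # The port is written only when it differs from the HTTPS default 443.
    return f"https://{fqdn}" if port == 443 else f"https://{fqdn}:{port}"

def expected_urls(firewalls, app_code):
    """URL sets one shared Keycloak client must carry for all managed firewalls."""
    bases = [fw_base(*fw) for fw in firewalls]
    return {
        "redirectUris": {f"{b}/api/oidc/rp/finalize/{app_code}" for b in bases},
        "postLogoutRedirectUris": {f"{b}/*" for b in bases},
        "webOrigins": set(bases),
    }

def audit_client(client: dict, firewalls, app_code) -> list:
    """Return findings (empty list = client matches the guide)."""
    want, findings = expected_urls(firewalls, app_code), []
    if client.get("publicClient", False):
        findings.append("client authentication is disabled (publicClient=true)")
    if not client.get("standardFlowEnabled", False):
        findings.append("standard (authorization code) flow is disabled")
    # Keycloak exports post-logout URIs as one '##'-joined attribute string.
    logout = client.get("attributes", {}).get("post.logout.redirect.uris", "")
    have = {"redirectUris": set(client.get("redirectUris", [])),
            "postLogoutRedirectUris": set(filter(None, logout.split("##"))),
            "webOrigins": set(client.get("webOrigins", []))}
    for key, urls in want.items():
        findings += [f"{key}: missing {u}" for u in sorted(urls - have[key])]
    # Any redirect URI beyond the exact finalize URLs (e.g. a wildcard) widens trust.
    findings += [f"redirectUris: unexpected {u}" for u in sorted(have["redirectUris"] - want["redirectUris"])]
    claims = {m.get("config", {}).get("claim.name") for m in client.get("protocolMappers", [])}
    findings += [f"protocolMappers: no mapper emits claim '{c}'" for c in ("preferred_username", "email", "groups") if c not in claims]
    return findings

# Constructed export: two firewalls, the second on a non-default port, one URI wrong.
FIREWALLS = [("fw1.example.net", 443), ("fw2.example.net", 8443)]
APP_CODE = "opnsense-gui-admin"
CLIENT = json.loads("""{"clientId": "opnsense", "protocol": "openid-connect",
 "publicClient": false, "standardFlowEnabled": true,
 "redirectUris": ["https://fw1.example.net/api/oidc/rp/finalize/opnsense-gui-admin", "https://fw2.example.net/*"],
 "webOrigins": ["https://fw1.example.net", "https://fw2.example.net:8443"],
 "attributes": {"post.logout.redirect.uris": "https://fw1.example.net/*##https://fw2.example.net:8443/*"},
 "protocolMappers": [{"name": "username", "protocolMapper": "oidc-usermodel-property-mapper", "config": {"claim.name": "preferred_username", "user.attribute": "username"}},
  {"name": "groups", "protocolMapper": "oidc-group-membership-mapper", "config": {"claim.name": "groups", "full.path": "false"}}]}""")
if __name__ == "__main__":
    print("\n".join(audit_client(CLIENT, FIREWALLS, APP_CODE)) or "client matches the guide")
```

Run against the constructed export it reports the missing finalize URL for the port-8443 firewall, the over-broad wildcard redirect, and the absent email mapper; an export downloaded from the Keycloak admin console can be passed to `audit_client` in the same way.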
#9
Everything runs through Keycloak for us.

I'll open a new post later where I briefly describe what my configuration contains.

I've created a new thread for this. - Quick guide: Keycloak integration with OPNsense (OpenID Connect)
#10
Hello everyone,

we are using OPNsense Business Edition 25.10 with the OPNCentral module enabled.
When opening a managed host, an automatic WebGUI login is currently performed via the stored API user.

We would like to disable this behaviour and use the OpenID login instead, so that all access is traceable and logged via our central identity provider (Keycloak).

The OpenID integration already works very reliably on the individual firewalls.
However, in OPNCentral I cannot find any option to disable the automatic login or switch to OpenID.

Is there a setting or a configctl parameter for this, to control the behaviour centrally?

Christian
#11
I can confirm that. It's working again.
#12
I've found the root cause of the issue.

Both packages — os-sunnyvalley and os-sensei — contain a hardcoded repository configuration under
/usr/local/etc/pkg/repos/SunnyValley.conf

In that file, the repository URL still points to:

.../25.7/

After manually changing this to:

.../25.10/

everything works perfectly again.

The package manager loads correctly, all extensions are displayed, and Zenarmor can be installed and updated without any issues.

So the problem is simply that the Sunny Valley repository URL in these packages still references version 25.7 instead of 25.10.

I also reported this in my ticket to Sunny Valley.
#13
Alright, then I'll open a ticket with Sunny Valley about this — after all, they're getting quite a bit of money every year for the Business subscriptions.
#14
Thanks Franco, that makes sense.
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?

I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.

Thanks again for clarifying!
#15
Removing os-sunnyvalley immediately resolves the issue — all extensions are shown again.
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?