Messages

Ist im Update 25.10_2 schon enthalten.
Zu finden unter Verwaltung- Host- Konfiguration - Allgemeine Einstellung - Den Haken bei Auto Login rausnehmen.

https://github.com/opnsense/core/issues/9305#issuecomment-3430605677

Hallo,
Es ist derzeit nicht möglich. Kommt aber demnächst.

https://github.com/opnsense/core/issues/9305#issuecomment-3430605677

LG

Christian

Okay.

https://github.com/opnsense/core/issues/9305

Hello everyone,

we are using OPNsense Business 25.10 with the OPNcentral module enabled and would like to adjust the current login behavior when accessing managed hosts.

At the moment, when clicking on a host in OPNcentral, an automatic WebGUI login is performed using the API user credentials stored in OPNcentral.
We would like to disable this automatic login, so that instead the regular login dialog (OpenID Connect / Keycloak) appears.
The goal is to ensure that all administrative access is authenticated through our central Identity Provider and properly logged for auditing purposes.

OpenID integration already works reliably on the individual firewalls.
However, within OPNcentral we cannot find any option to disable the automatic login or switch to OpenID-based authentication.

So our questions are:

Is there any way (e.g. via a configctl opncentral.* parameter or configuration setting) to disable automatic WebGUI login via OPNcentral?

Alternatively, can OPNcentral be configured to always show the regular OpenID login when accessing a managed host?

Thanks in advance for any advice or workaround!
Christian

In Keycloak

Neuen Client vom Typ OpenID Connect anlegen

Client-Authentifizierung und Standard Flow aktivieren

Redirect-URI:
https://<fw-fqdn>[:<port>]/api/oidc/rp/finalize/<application-code>
(Port nur angeben, wenn er vom Standard 443 abweicht)

Post-Logout-Redirect-URI:
https://<fw-fqdn>[:<port>]/*

Web Origins:
https://<fw-fqdn>[:<port>]

Für mehrere Firewalls einfach weitere Redirect-URIs im selben Client ergänzen

Scopes: openid profile email

Mapper anlegen:

preferred_username → User Property username

email → User Property email

name → Full Name (oder firstName + lastName)

groups → Group Membership Mapper (Full path aus, Add to ID/Access/Userinfo an)

Client-ID und Client-Secret notieren

In OPNsense 25.10 BE

Menü: System → Zugriff → OpenID Connect → ,,+" neuen Provider anlegen

Application code: frei wählbar (z. B. opnsense-gui-admin)

Dienst: WebGui / Admin

Provider URL: https://<keycloak-host>/realms/<realm>

Client-ID / Client-Geheimnis: aus Keycloak

Authentifizierungsmethode: Use offered

User identification field: preferred_username oder email

Create user: aktivieren

Damit authentifiziert sich die OPNsense-Weboberfläche zentral über Keycloak (OpenID Connect).

Bei uns läuft alles über keycloak.

Ich mache später einen neuen Post auf wo ich kurz beschreibe was bei mir drinnen steht.

Habe ein neuen Thread dafür angelegt. - Kurzanleitung: Keycloak-Integration mit OPNsense (OpenID Connect)

Hallo zusammen,

wir setzen die OPNsense Business Edition 25.10 mit aktivem OPNCentral-Modul ein.
Beim Öffnen eines verwalteten Hosts erfolgt derzeit ein automatisches WebGUI-Login über den hinterlegten API-User.

Wir möchten dieses Verhalten abschalten und stattdessen die OpenID-Anmeldung verwenden, damit alle Zugriffe nachvollziehbar und über unseren zentralen Identity-Provider (Keycloak) protokolliert werden.

Die OpenID-Anbindung funktioniert auf den einzelnen Firewalls bereits sehr zuverlässig.
In OPNCentral finde ich jedoch keine Option, das automatische Login zu deaktivieren oder auf OpenID umzuschalten.

Gibt es hierfür eine Einstellung oder einen configctl-Parameter, um das Verhalten zentral zu steuern?

Christian

I can confirm that. It's working again.

I've found the root cause of the issue.

Both packages — os-sunnyvalley and os-sensei — contain a hardcoded repository configuration under
/usr/local/etc/pkg/repos/SunnyValley.conf

In that file, the repository URL still points to:

.../25.7/


After manually changing this to:

.../25.10/


everything works perfectly again.

The package manager loads correctly, all extensions are displayed, and Zenarmor can be installed and updated without any issues.

So the problem is simply that the Sunny Valley repository URL in these packages still references version 25.7 instead of 25.10.

I also reported this in my ticket to Sun Valley.

Alright, then I'll open a ticket with Sunny Valley about this — after all, they're getting quite a bit of money every year for the Business subscriptions.

Thanks Franco, that makes sense.
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?

I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.

Thanks again for clarifying!

Removing os-sunnyvalley immediately resolves the issue — all extensions are shown again.
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?

I ran a full Health Audit — it completed successfully and no errors or inconsistencies were found.

However, the issue remains:
All extensions are still marked as "orphaned", and no additional packages are listed besides the ones already installed.

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.10 (amd64) at Thu Oct 16 09:30:15 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.6
os-OPNcentral 1.11_2
os-acme-client 4.10
os-apcupsd 1.2_3
os-cpu-microcode-intel 1.1
os-ddclient 1.27_4
os-dmidecode 1.2
os-hw-probe 1.0_1
os-netbird 1.1
os-nginx 1.35_2
os-sensei 2.1
os-sensei-agent 2.1
os-sensei-updater 1.18
os-smart 2.4
os-sunnyvalley 1.5
os-tftp 1.0
os-zabbix7-agent 1.17
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 25.10 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***

After updating my OPNsense Business Edition from version 25.4 to 25.10, no packages are available anymore under
System → Firmware → Extensions.
The following error is shown:

The release type "opnsense-business" is not available in this repository.


Additionally, all installed extensions show up as "orphaned", even though they were updated successfully.
Running the usual update commands via shell shows that the repositories themselves are reachable, but the business release type seems to be missing:

root@fw:~ # pkg update
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
Fetching packagesite.pkg: 100%  256 KiB 262.0kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.

root@fw:~ # opnsense-update
Nothing to do.

Environment:

OPNsense Business Edition 25.10

Previous version: 25.4

Default Business repository enabled
No manual changes to repository or mirror configuration

Expected behavior:

Business repository should be automatically recognized after the update
Installed extensions should not appear as "orphaned"
Package and plugin management should continue to function normally

Actual behavior:

Error: "The release type 'opnsense-business' is not available in this repository."
All extensions appear as orphaned
No new plugins or packages can be loaded