Syncing Users and WebGUI with OPNcentral breaks OPNcentral's own access

Started by amuckart, June 05, 2025, 05:08:58 AM

I'm testing OPNcentral to manage office firewalls.

So far it has promise but is missing some really critical features to be usable across an enterprise fleet.

One thing I cannot get to work at all is syncing WebGUI config and user config without breaking OPNcentral's access to the firewall it is configuring. I'm not sure if I'm doing something wrong, or if OPNcentral just isn't intended to be used to sync those things.

The situation I have is that the managed firewalls have a hostname that is in our internal DNS and not resolvable over the Internet. They have Caddy set up to reverse proxy the management interface (with appropriate ACLs) and handle TLS certificates. There is a publicly resolvable domain set up in Caddy, and that is the URL set up for the firewall in OPNcentral.

Because OPNcentral connects to the managed firewalls on this public URL, which is different (by policy) from the hostname of the device, they need to have 'Alternate Hostnames' configured under System -> Settings -> Administration. Disabling the DNS Rebind Check is not an option.

The problem is that whenever the OPNcentral machine configures WebGUI it overwrites the Alternate Hostnames, which immediately breaks its ability to manage the firewall.

The only way around this seems to be to either not sync WebGUI settings at all, and risk having them drift; or to set every Alternate Hostname in OPNcentral and have it set all of them on all of the managed firewalls.

Neither option is great. Technically I could get around this by getting rid of Caddy and setting up a VPN between the OPNcentral instance and the managed firewalls, but that gets me into exactly the same situation where VPN configuration is one of the big things I want to be able to manage centrally. Given the issues I'm having here, I doubt that is actually possible.


The other issue I'm having is that every time I sync users and groups, OPNcentral deletes the API key for the user it is using to access the device, which immediately breaks the rest of the sync.

I don't know what I'm missing here, but I can't see a way to sync users and groups to my managed firewalls (which is one of our key requirements) without having the API key generated on the OPNcentral box and therefore be the same across all of the managed firewalls, which is not an option for us.

Am I missing something here, or is OPNcentral really just for making exact clones of itself and not for actually managing firewalls that may have configuration differences?

This seems to come back to a couple of critical missing capabilities in OPNcentral - namely the ability to selectively apply things to different firewalls so you can e.g. sync users except the user bound to the API key OPNcentral is using; and the ability to have some kind of macro or variable expansion configured per managed device so you can do things like push different Alternate Hostnames, or have different domains in Caddy configuration, etc.

Are these things solvable, or am I expecting too much out of OPNcentral?
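The two lockout modes described in this post (the synced WebGUI section dropping the Alternate Hostname the manager connects through, and the user sync deleting the manager's API key) can be caught before a synced config is applied. Below is an added pre-apply check, not code from the post or from OPNcentral; it assumes the config.xml layout `system/webgui/althostnames` (space-separated) and `system/user/apikeys/item/key`, and the sample configs, hostnames and key value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs shaped like the relevant parts of an OPNsense
# config.xml (assumed layout; hostnames and the key value are placeholders).
LIVE_CFG = """<opnsense>
  <system>
    <webgui><althostnames>fw1.example.net fw1.public.example.com</althostnames></webgui>
    <user><name>opncentral</name>
      <apikeys><item><key>KEY-PLACEHOLDER</key></item></apikeys>
    </user>
  </system>
</opnsense>"""

# What a centrally synced config might look like after an unconditional push:
# template hostnames only, and the manager user without its API key.
SYNCED_CFG = """<opnsense>
  <system>
    <webgui><althostnames>fw-template.example.net</althostnames></webgui>
    <user><name>opncentral</name></user>
  </system>
</opnsense>"""


def alt_hostnames(xml_text):
    """Return the set of Alternate Hostnames (assumed space-separated)."""
    node = ET.fromstring(xml_text).find("system/webgui/althostnames")
    return set((node.text or "").split()) if node is not None else set()


def api_keys_for(xml_text, username):
    """Return the API key ids configured for one local user."""
    keys = set()
    for user in ET.fromstring(xml_text).findall("system/user"):
        if user.findtext("name") == username:
            keys.update(k.text for k in user.findall("apikeys/item/key") if k.text)
    return keys


def lockout_risks(live_xml, synced_xml, mgmt_host, api_user):
    """List the reasons applying synced_xml would cut off the manager's access."""
    problems = []
    live_hosts, new_hosts = alt_hostnames(live_xml), alt_hostnames(synced_xml)
    if mgmt_host in live_hosts and mgmt_host not in new_hosts:
        problems.append(f"alternate hostname {mgmt_host} would be dropped")
    if api_keys_for(live_xml, api_user) - api_keys_for(synced_xml, api_user):
        problems.append(f"API key(s) for {api_user} would be deleted")
    return problems
```

An empty list means the push keeps the manager's hostname and key intact; anything else is a reason to hold the sync or merge the per-device values back in first.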

Hi,

We have thought about macro expansions at one time, but haven't managed to come up with something functional yet.
The flexibility of OPNsense also makes it difficult to come up with a pattern that "just works", but you never know, maybe in a future release.

The issue around the central API key not sticking around does sound like a bug from our end, an omission caused by the major redesign of the user manager. If you drop us an email at support@opnsense.com and refer to this post, I'll see if I can send you a version to test before a new minor release is out.

Best regards,

Ad