Managing OPNsense upgrades with a stateful SSH script + Claude MCP server

Started by builderall, March 07, 2026, 09:54:52 PM

I've been working on tools to make OPNsense upgrades more reliable and recently wrote up the experience:

I gave Claude access to my OPNsense firewall — here's what happened

Two tools in one project:

A stateful Python upgrade script that runs over SSH — handles the pkg ABI mismatch after base/kernel upgrades and auto-resumes after reboots
A Claude MCP server that connects Claude Code to the OPNsense REST API for conversational firewall management

Tested on a live 26.1.2 → 26.1.3 upgrade this week, with two bugs found and fixed mid-session.

Code: https://github.com/builderall/opnsense-upgrade

Happy to answer questions or take feedback.


Well, I am nearly lost for words...

Quote from: builderall on March 07, 2026, 09:54:52 PM
conversational firewall management

I mean, really? I can imagine my future self referring you back to this when things will have gone awry and saying "Entirely avoidable."

Not to insult you, but you must be one of the guys who turn on the AI auto-pilot in your car and then read a book during the ride.

P.S.: I never saw that purported upgrade problem happening since starting to use OPNsense back in 2023 (and counting).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Fair skepticism — giving an AI write access to a firewall does sound alarming on the surface.

A few clarifications:

The MCP server connects via a restricted API key scoped only to firmware and diagnostics endpoints. It cannot touch firewall rules, VPN, DHCP, or any other config.
Write tools require explicit confirmation — Claude asks before running any update, upgrade, or reboot. It's more like a structured CLI than an autopilot.
OPNSENSE_READ_ONLY=true disables all write tools entirely if you only want monitoring.
Every API call is logged under System > Log Files > Audit.

As for the upgrade problem — glad you haven't hit it. It typically surfaces during major version upgrades (branch changes), not minor updates. The pkg ABI mismatch after a base/kernel upgrade is a known issue, just not one everyone encounters.

The SSH script exists precisely for people who want zero AI involvement and full control — it's a standalone Python script with no external dependencies.

Thank you for your comments.
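The controls described in the reply above (endpoint-scoped key, confirmation before writes, OPNSENSE_READ_ONLY, an audit trail) as a small gated tool registry. This is an added illustration, not code from the opnsense-upgrade project; the tool names, endpoint list and fake_send transport are assumptions made so it runs offline.

```python
import os
import time

# Hypothetical tool catalogue: tool name -> (API endpoint, is_write).
# Illustrative only; not the project's real tool list.
TOOLS = {
    "firmware_status": ("core/firmware/status", False),
    "firmware_update": ("core/firmware/update", True),
    "firmware_upgrade": ("core/firmware/upgrade", True),
    "reboot": ("core/firmware/reboot", True),
}
# Endpoint families the restricted key is meant to reach. Anything else is refused
# locally before a request is sent, on top of whatever scope the key itself enforces.
ALLOWED_PREFIXES = ("core/firmware/", "diagnostics/")


class ToolDenied(Exception):
    """Raised when a tool call is blocked by policy."""


class ToolGateway:
    def __init__(self, send, env=None):
        env = os.environ if env is None else env
        # OPNSENSE_READ_ONLY=true hides every write tool from the model entirely.
        self.read_only = env.get("OPNSENSE_READ_ONLY", "false").lower() == "true"
        self.send = send    # callable(method, endpoint) -> response, injected for offline use
        self.audit = []     # local call log; the firewall keeps its own under Audit

    def available_tools(self):
        return sorted(n for n, (_, w) in TOOLS.items() if not (self.read_only and w))

    def call(self, tool, confirmed=False):
        if tool not in TOOLS:
            raise ToolDenied(f"unknown tool {tool!r}")
        endpoint, is_write = TOOLS[tool]
        if not endpoint.startswith(ALLOWED_PREFIXES):
            raise ToolDenied(f"{endpoint} is outside the key's scope")
        if is_write and self.read_only:
            raise ToolDenied(f"{tool} is a write tool and OPNSENSE_READ_ONLY=true")
        if is_write and not confirmed:
            # The model must show the action to the human and re-call with confirmed=True.
            raise ToolDenied(f"{tool} needs explicit confirmation before it runs")
        method = "POST" if is_write else "GET"
        self.audit.append({"ts": time.time(), "tool": tool, "endpoint": endpoint})
        return self.send(method, endpoint)


def is_denied(gw, tool, **kw):
    """True if policy blocks the call, False if it went through."""
    try:
        gw.call(tool, **kw)
    except ToolDenied:
        return True
    return False


def fake_send(method, endpoint):
    # Constructed stand-in for the REST call so the example runs without a firewall.
    return {"method": method, "endpoint": endpoint, "status": "ok"}
```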

Quote from: meyergru on March 07, 2026, 10:15:56 PM
I can imagine my future self referring you back to this when things will have gone awry and saying "Entirely avoidable."

I'll be the one telling everyone "I told you so" when we finally run out of hydrocarbons that we can economically extract, if something else doesn't happen first. ☢️
N5105 | 8/250GB | 4xi226-V | Community

Quote from: builderall on March 07, 2026, 09:54:52 PM
A stateful Python upgrade script
As someone who hopes that the world will be 'Python Free' at some point (...and I don't mean the snake...) I will kindly pass and even more so because a 'Machine Learning Chatbot' influenced the whole thing!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)