Supports Cloudflare integration for DNS-01 ACME challenges to facilitate automated certificate validation and renewal within the OPNsense environment.
Manages Let's Encrypt ACME accounts and certificates through the OPNsense ACME client, providing tools for registration, automated renewal, and status tracking.
Enables comprehensive management of OPNsense firewall infrastructure via its REST API, including tools for firewall rules, DNS overrides, DHCP mappings, system diagnostics, configuration backups, and service control.
mcp-opnsense
Slim OPNsense MCP Server for managing firewall infrastructure via the OPNsense REST API.
No SSH. No shell execution. API-only. 3 runtime dependencies.
Features
62 tools across 8 domains:
- DNS/Unbound (12) — Host overrides, forwards, blocklist, cache management
- Firewall (8) — Rules, aliases, NAT, apply changes
- Diagnostics (8) — ARP, routes, ping, traceroute, DNS lookup, firewall states/logs
- Interfaces (3) — List, configuration, statistics (read-only)
- DHCP (5) — Leases, static mappings (ISC DHCPv4 + Kea dual support)
- System (7) — Info, backup (list/download/revert), certificate listing, service control
- ACME/Let's Encrypt (14) — Accounts, challenges, certificates, renewal, settings
- Firmware/Plugins (5) — Version info, plugin management
Quick Start
```bash
npm install
cp .env.example .env   # Edit with your OPNsense API credentials
npm run build
node dist/index.js     # stdio transport for MCP
```
Claude Code Integration
Add to .mcp.json in your project root:
```json
{
  "mcpServers": {
    "opnsense": {
      "command": "node",
      "args": ["/path/to/mcp-opnsense/dist/index.js"],
      "env": {
        "OPNSENSE_URL": "https://your-opnsense.example.com",
        "OPNSENSE_API_KEY": "your-api-key",
        "OPNSENSE_API_SECRET": "your-api-secret",
        "OPNSENSE_VERIFY_SSL": "true"
      }
    }
  }
}
```
Environment Variables
Variable | Required | Default | Description
--- | --- | --- | ---
`OPNSENSE_URL` | Yes | — | OPNsense base URL (e.g. `https://your-opnsense.example.com`)
`OPNSENSE_API_KEY` | Yes | — | API key for authentication
`OPNSENSE_API_SECRET` | Yes | — | API secret for authentication
`OPNSENSE_VERIFY_SSL` | No | `true` | Set to `false` to accept self-signed certificates
(see `.env.example`) | No | | Request timeout in milliseconds
Available Tools (62)
DNS/Unbound (12 tools)
- List host overrides (A/AAAA/CNAME)
- Add a host override record
- Delete a host override by UUID
- List DNS-over-TLS forwarding servers
- Add a DNS forwarding server
- Delete a DNS forward by UUID
- List domain overrides (blocked domains)
- Block a domain
- Unblock a domain by UUID
- Flush DNS cache and DNSBL data
- Dump DNS cache for diagnostics
- Apply DNS changes (reconfigure Unbound)
Firewall (8 tools)
- List all firewall filter rules
- Create a firewall rule
- Update a firewall rule by UUID
- Delete a firewall rule by UUID
- Enable/disable a firewall rule
- List firewall aliases (host, network, port, URL)
- Create/update/delete aliases
- Apply pending firewall changes
Diagnostics (8 tools)
- Show ARP table (IP-to-MAC mappings)
- Show routing table
- Ping a host from OPNsense
- Traceroute to a destination
- Perform DNS lookup from OPNsense
- List active firewall connection states
- Retrieve recent firewall log entries
- Get system status (CPU, memory, uptime, disk)
Interfaces (3 tools, read-only)
- List all network interfaces with device mappings
- Get detailed interface configuration
- Get traffic statistics for all interfaces
DHCP (5 tools)
- List all current DHCPv4 leases
- Search leases by IP, MAC, or hostname
- List static DHCP mappings (reservations)
- Add a static DHCP mapping
- Delete a static mapping by UUID
System (7 tools)
- Get system status (hostname, versions, CPU, memory, uptime, disk)
- List all configuration backups with timestamps and descriptions
- Download configuration backup as XML (current or specific)
- `opnsense_sys_backup_revert`: Revert to a previous configuration backup (destructive)
- List all certificates in the trust store
- List all services and their running status
- Start, stop, or restart a service by name
ACME/Let's Encrypt (14 tools)
- List ACME accounts (Let's Encrypt, ZeroSSL, etc.)
- Register a new ACME account with a CA
- Delete an ACME account by UUID
- Trigger registration of an ACME account with its CA
- List all challenge/validation methods
- Add a DNS-01 challenge (Cloudflare, AWS, etc.)
- Update an existing challenge configuration
- Delete a challenge by UUID
- List all ACME certificates and their status
- Create a new certificate request
- Delete an ACME certificate by UUID
- Trigger immediate certificate renewal
- Get or update ACME service settings
- Apply pending ACME configuration changes
Firmware/Plugins (5 tools)
- Get firmware version, architecture, update status
- Check for available firmware upgrades
- List all available and installed plugins
- Install an OPNsense plugin package
- Remove a plugin package (requires confirmation)
Skills
Claude Code skills compose MCP tools into higher-level workflows. See .claude/skills/README.md for detailed documentation.
Skill | Slash Command | Description
--- | --- | ---
opnsense-service-health | yes | Health dashboard — system status, services, firmware, interfaces
opnsense-acme-renew | yes | ACME certificate status check and renewal
opnsense-backup | yes | Configuration backup management — list, download, revert
opnsense-live-test | yes | Live integration test — read + safe writes with cleanup
opnsense-diagnostics | — | Network connectivity diagnostics — ping, traceroute, DNS, ARP
opnsense-dns-management | — | DNS record management — add, delete, apply, verify resolution
opnsense-firewall-audit | — | Firewall security audit — permissive rules, disabled rules, patterns
Known Limitations
Some OPNsense operations are not available via the REST API and require manual GUI access:
- Web GUI SSL certificate assignment — `ssl-certref` can only be changed via System > Settings > Administration in the web UI. See docs/manual-operations.md.
- Configuration upload/import — OPNsense has no API to upload configuration XML files. Use `opnsense_sys_backup_revert` to revert to local backups, or upload via the web GUI.
- User/group management — Not exposed via REST API.
- VPN configuration — Limited API coverage; most settings require the web UI.
Security
- Transport: stdio only — no HTTP endpoints exposed
- Authentication: OPNsense API key/secret via environment variables
- SSL: Enabled by default, configurable for self-signed certs
- No SSH: All operations use the OPNsense REST API exclusively
- Input validation: Strict Zod schemas for all tool parameters
- Destructive operations: Require explicit `confirm: true` parameter

See SECURITY.md for the full security policy.
Development
```bash
npm test             # Run unit tests (vitest)
npm run build        # Compile TypeScript
npx tsc --noEmit     # Type check only
```
See CONTRIBUTING.md for contribution guidelines.
License
This project is dual-licensed:
- Open Source: GNU Affero General Public License v3.0 (AGPL-3.0) — free for open-source and non-commercial use
- Commercial: Available for proprietary integrations — see COMMERCIAL_LICENSE.md
If you use mcp-opnsense in a proprietary product or SaaS offering, a commercial license is required. Support development by sponsoring us on GitHub.