
O-X-L/opnsense-control-center


OPNSense Control Center

Solution to centrally manage OPNSense firewalls.

The idea is to create a hub that communicates with multiple firewalls and lets you manage them using their REST HTTP APIs.

The API interaction will mainly be done using Ansible.

Status updates may be fetched using plain Python3.


Development

Feel free to..

Web Development

PLEASE: The project currently is lacking Web-Frontend experience.

If you are interested in contributing some of your time, reach out to contact+opnsense@oxl.at

DEVELOPMENT IN PROGRESS!

This project is currently still in its planning phase.

It might be stale until our Linux Server-Manager is in a usable state.


Main parts


Services

Services use docker-compose to manage docker containers.

.
├── nginx.service  # web proxy, handles authentication
└── docker.service
    ├── opn-cc-ansible.service
    │   └── semaphoreui/semaphore
    ├── opn-cc-ide.service  # Web-IDE/Editor
    │   └── codercom/code-server
    ├── opn-cc-log.service  # log server
    │   ├── graylog/graylog
    │   ├── mongo
    │   └── opensearchproject/opensearch
    └── opn-cc-vcs.service  # version control system
        └── gogs/gogs

Thoughts

  • CC WebUI routing should allow easy switching between components

    • maybe use iframe for sub-components with small component-navigation on-top
  • Connection to CC

    • active - target has static IP that can be reached by CC
    • passive - target needs to start a VPN tunnel (WireGuard) for the management connection; CC needs to have a static IP
      • a VPN would also be good to have, since it lets us use 'unencrypted' data transfers like out-of-the-box syslog log forwarding
    • optional: CC should have a client network that allows proxied access to the firewall web UI, SSH and so on (useful if the passive connection is used)
  • Switches for..

    • Centralized logging
      • insert syslog forwarding
  • Dashboard/Box overview

    • have history settings for those stats/infos
    • switches for different types
    • like opnsense widgets
      • firmware version
      • response time/latency
      • hardware
      • online status (ping, TCP check on the web UI and optionally any custom port)
      • service status
      • resources (cpu, ram, disk, ...)
      • diagnostics api results
      • gateway status
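
One way the "online status" and "response time/latency" items could be collected in plain Python 3, shown as an added example that is not code from this project. The names `PortStatus`, `tcp_check` and `check_firewall`, the default web UI port 443 and the sample addresses are assumptions made for illustration.

```python
import socket
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortStatus:  # hypothetical record type, one row per check
    host: str
    port: int
    online: bool
    latency_ms: Optional[float]  # None when the connect failed
    error: Optional[str]         # exception class name, for the dashboard
    checked_at: float            # epoch seconds, so results can be kept as history


def tcp_check(host: str, port: int, timeout: float = 2.0) -> PortStatus:
    """Time one TCP handshake to host:port; never raises on network errors."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            latency = (time.monotonic() - started) * 1000.0
        return PortStatus(host, port, True, round(latency, 2), None, time.time())
    except OSError as exc:  # refused, timed out, unreachable, DNS failure
        return PortStatus(host, port, False, None, type(exc).__name__, time.time())


def check_firewall(host, webui_port=443, custom_ports=(), timeout=2.0):
    """Check the web UI port plus any optional custom ports of one firewall."""
    results = [tcp_check(host, p, timeout) for p in (webui_port, *custom_ports)]
    return {
        "host": host,
        "online": results[0].online,  # web UI reachability decides overall status
        "ports": results,
    }


if __name__ == "__main__":
    # Constructed inventory; 192.0.2.0/24 is a documentation range (RFC 5737).
    for fw in ["192.0.2.10", "192.0.2.11"]:
        status = check_firewall(fw, custom_ports=(22,), timeout=1.0)
        print(status["host"], "online" if status["online"] else "offline")
```

A timeout and a refused connection are both reported as offline, but the `error` field keeps them apart, which helps distinguish a filtered management path from a stopped service.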
