MCP server for OPNsense firewall management — system, services, DHCP, DNS, firewall, NAT
mcp-opnsense
MCP server for OPNsense firewall management. Exposes 16 tools for system status, services, DHCP, DNS overrides, firewall rules, and NAT port forwards via the OPNsense REST API.
Quick Start
With uvx (recommended):
OPNSENSE_HOST=https://192.168.1.1 \
OPNSENSE_API_KEY=yourkey \
OPNSENSE_API_SECRET=yoursecret \
uvx mcp-opnsense
With Docker:
docker run -i \
-e OPNSENSE_HOST=https://10.0.0.1 \
-e OPNSENSE_API_KEY=yourkey \
-e OPNSENSE_API_SECRET=yoursecret \
ghcr.io/aaronckj/mcp-opnsense:latest
Add to Claude Code:
claude mcp add opnsense -s user \
-e OPNSENSE_HOST=https://10.0.0.1 \
-e OPNSENSE_API_KEY=yourkey \
-- uvx mcp-opnsense
Then set OPNSENSE_API_SECRET in your Claude Code MCP settings.
Creating API Credentials
In OPNsense: System → User Manager → Users → edit a user → API keys → Add key. Copy the key and secret (the secret is only shown once).
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| OPNSENSE_API_KEY | Yes | — | API key from OPNsense user manager |
| OPNSENSE_API_SECRET | Yes | — | API secret from OPNsense user manager |
| OPNSENSE_HOST | No | https://192.168.1.1 | OPNsense host URL |
| OPNSENSE_TIMEOUT | No | 30 | HTTP timeout in seconds |
| OPNSENSE_VERIFY_SSL | No | false | Set to true if using a trusted certificate |
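OPNSENSE_VERIFY_SSL defaults to false, and the Quick Start commands pass the API key and secret inline. The shell function below is an added example, not part of mcp-opnsense, that checks those settings before the server is launched. The function name `opnsense_preflight` and the optional KEY=VALUE credentials file are assumptions made for illustration; variable names and defaults are taken from the table.

```shell
#!/usr/bin/env bash
# Added example, not part of mcp-opnsense. opnsense_preflight and the optional
# KEY=VALUE credentials file are hypothetical; variable names and defaults
# come from the Configuration table.
#
# Usage: opnsense_preflight [ENV_FILE]   (checks only, exports nothing to the caller)
# Prints one finding per line; exit status 0 when clean, 1 otherwise.
opnsense_preflight() (
    rc=0
    file="${1:-}"
    if [ -n "$file" ]; then
        [ -r "$file" ] || { echo "FAIL cannot read $file"; exit 1; }
        # Characters 5-10 of the mode string are the group/other bits.
        perms=$(ls -ld -- "$file" | cut -c5-10)
        [ "$perms" = "------" ] ||
            { echo "FAIL $file is accessible to group/other ($perms)"; rc=1; }
        # Parse KEY=VALUE lines instead of sourcing, so the file cannot run code.
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                OPNSENSE_HOST=*|OPNSENSE_API_KEY=*|OPNSENSE_API_SECRET=*|OPNSENSE_VERIFY_SSL=*)
                    export "$line" ;;
            esac
        done < "$file"
    fi

    [ -n "${OPNSENSE_API_KEY:-}" ] ||
        { echo "FAIL OPNSENSE_API_KEY is not set"; rc=1; }
    [ -n "${OPNSENSE_API_SECRET:-}" ] ||
        { echo "FAIL OPNSENSE_API_SECRET is not set"; rc=1; }

    host="${OPNSENSE_HOST:-https://192.168.1.1}"    # documented default
    case "$host" in
        https://*) ;;
        *) echo "FAIL OPNSENSE_HOST is not an https:// URL: $host"; rc=1 ;;
    esac

    # Documented default is false; only the documented value "true" passes,
    # since how the server parses other spellings is not stated on the page.
    verify="${OPNSENSE_VERIFY_SSL:-false}"
    [ "$verify" = "true" ] ||
        { echo "FAIL OPNSENSE_VERIFY_SSL=$verify, TLS certificate is not verified"; rc=1; }

    exit "$rc"
)
```

Because the function body runs in a subshell, values read from the credentials file never reach the calling shell; pass them to the server separately once the check is clean.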
Tools
| Tool | Description |
|---|---|
| system_status | CPU, memory, uptime, firmware version |
| get_gateways | WAN gateway status and packet loss |
| list_interfaces | All interfaces with IPs and link state |
| list_services | All services and running status |
| restart_service | Restart a named service |
| apply_changes | Apply pending firewall changes |
| list_dhcp_leases | Active and static DHCP leases |
| add_static_lease | Add a static DHCP mapping |
| list_dns_overrides | Unbound host overrides |
| add_dns_override | Add a host override (auto-reconfigures) |
| delete_dns_override | Remove a host override by UUID (auto-reconfigures) |
| list_firewall_rules | All firewall filter rules |
| add_firewall_rule | Add a rule (auto-applies) |
| delete_firewall_rule | Delete a rule by UUID (auto-applies) |
| list_port_forwards | NAT port forward rules |
| add_port_forward | Add a port forward (auto-applies) |
Development
git clone https://github.com/aaronckj/mcp-opnsense
cd mcp-opnsense
uv sync --extra dev
uv run pytest -v
File details
Details for the file mcp_opnsense-0.1.0.tar.gz.
File metadata
- Download URL: mcp_opnsense-0.1.0.tar.gz
- Upload date:
- Size: 7.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fa743a840f8b24ac59919bb9181b8481e3d9b29eb30357bee92d923a5caf9410 |
| MD5 | 55e303305a32a18b83f53152118cbaae |
| BLAKE2b-256 | 1463a9752ad6b5b70c48de8b8a81ec81a0c041e9a59e36035c33e46d8c31fde9 |
Provenance
The following attestation bundles were made for mcp_opnsense-0.1.0.tar.gz:
Publisher: publish.yml on aaronckj/mcp-opnsense
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: mcp_opnsense-0.1.0.tar.gz
- Subject digest: fa743a840f8b24ac59919bb9181b8481e3d9b29eb30357bee92d923a5caf9410
- Sigstore transparency entry: 1462524781
- Sigstore integration time:
- Permalink: aaronckj/mcp-opnsense@6e1aeb27eb29998611366aca436dde5a185cd73a
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/aaronckj
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@6e1aeb27eb29998611366aca436dde5a185cd73a
- Trigger Event: push
File details
Details for the file mcp_opnsense-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mcp_opnsense-0.1.0-py3-none-any.whl
- Upload date:
- Size: 4.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2af058a1a4ca3b4eeac0266a132cbda6870cc4c85bbf562d756d0017396c2569 |
| MD5 | 977b166073e1f24525c62219f56ce8ec |
| BLAKE2b-256 | d293986cea11aba0f30756f2a88f17b65312d680e852f97c5c8925d9da5dfa3a |
Provenance
The following attestation bundles were made for mcp_opnsense-0.1.0-py3-none-any.whl:
Publisher: publish.yml on aaronckj/mcp-opnsense
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: mcp_opnsense-0.1.0-py3-none-any.whl
- Subject digest: 2af058a1a4ca3b4eeac0266a132cbda6870cc4c85bbf562d756d0017396c2569
- Sigstore transparency entry: 1462524953
- Sigstore integration time:
- Permalink: aaronckj/mcp-opnsense@6e1aeb27eb29998611366aca436dde5a185cd73a
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/aaronckj
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@6e1aeb27eb29998611366aca436dde5a185cd73a
- Trigger Event: push