Skip to main content

MCP server for the OPNsense REST API

Project description

OPNsense MCP Server

CI PyPI License: MIT Built with SpecKit

GitHub: https://github.com/tazendor/opnsense-mcp-server

A Python Model Context Protocol server that exposes the OPNsense REST API to AI clients such as Claude Desktop and Claude Code.

What it does

The server proxies 43 OPNsense API endpoints across eight domains as MCP tools, letting AI clients query and mutate firewall state through natural language.

Domain Tools Capabilities
System 3 Status, firmware check, config backup
Firewall 17 Rule and alias CRUD, NAT port forwards, apply
Interfaces 4 Interface list, config, ARP/NDP tables
DHCP 3 Lease list, settings, static mappings
Routes 5 Static route CRUD and apply
DNS 6 Unbound settings and host override CRUD
IDS 1 Ruleset list
Services 4 Start/stop/restart/status for core modules

Mutating operations follow OPNsense's staged-then-apply model: changes are staged by _add/_update/_delete tools and committed by the corresponding _apply tool.

Requirements

  • Python 3.12+
  • uv
  • OPNsense 26.1+ with API access enabled

Compatibility: Tested against OPNsense 26.1.10. The 26.x release series made breaking REST API changes — Kea replaced ISC DHCPv4 (kea/* paths), port-forward NAT moved to Destination NAT (firewall/d_nat/*), and the system status endpoint changed. Older releases are not supported.

Installation

pip install tazendor-opnsense-mcp

Or from source:

git clone https://github.com/tazendor/opnsense-mcp-server.git
cd opnsense-mcp-server
uv sync

Configuration

Environment variables

export OPNSENSE_URL="https://192.168.1.1"       # required; must be https://
export OPNSENSE_API_KEY="your-api-key"           # required
export OPNSENSE_API_SECRET="your-api-secret"     # required
export OPNSENSE_VERIFY_TLS="false"               # only for self-signed certs
export OPNSENSE_TRANSPORT="stdio"                # or "http"

Config file

Create ~/.config/opnsense-mcp/config.toml:

url = "https://192.168.1.1"
api_key = "your-api-key"
api_secret = "your-api-secret"
verify_tls = false   # omit or set true for valid certificates
transport = "stdio"  # or "http"

Environment variables override config file values.

Running

stdio (Claude Desktop / Claude Code)

uv run opnsense-mcp

Claude Desktop claude_desktop_config.json:

{
  "mcpServers": {
    "opnsense": {
      "command": "uv",
      "args": ["run", "--project", "/path/to/opnsense-mcp-server", "opnsense-mcp"],
      "env": {
        "OPNSENSE_URL": "https://192.168.1.1",
        "OPNSENSE_API_KEY": "...",
        "OPNSENSE_API_SECRET": "..."
      }
    }
  }
}

HTTP (remote clients)

OPNSENSE_TRANSPORT=http OPNSENSE_HTTP_PORT=8000 uv run opnsense-mcp

The server validates credentials against OPNsense on startup and exits with a non-zero status if it cannot connect or authenticate, so bad configuration is caught before any client connects.

Development

# Run unit and contract tests (no OPNsense instance needed)
uv run pytest -m "not integration"

# Run integration tests against a live instance
OPNSENSE_URL=https://... OPNSENSE_API_KEY=... OPNSENSE_API_SECRET=... \
  uv run pytest -m integration -v

# Quality gates
uv run ruff check src/ tests/
uv run ruff format --check src/ tests/
uv run mypy --strict src/

All unit and contract tests pass without a live OPNsense instance (pytest -m "not integration").

Security notes

  • HTTPS is enforced; the server refuses to start with an http:// URL.
  • Credentials are read from environment or config file and never logged.
  • Every API call is logged to stderr with method, path, status code, and outcome for auditability.
  • When OPNSENSE_VERIFY_TLS=false, a warning is printed at startup.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tazendor_opnsense_mcp-0.2.1.tar.gz (134.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tazendor_opnsense_mcp-0.2.1-py3-none-any.whl (15.7 kB view details)

Uploaded Python 3

File details

Details for the file tazendor_opnsense_mcp-0.2.1.tar.gz.

File metadata

  • Download URL: tazendor_opnsense_mcp-0.2.1.tar.gz
  • Upload date:
  • Size: 134.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.24 {"installer":{"name":"uv","version":"0.11.24","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for tazendor_opnsense_mcp-0.2.1.tar.gz
Algorithm Hash digest
SHA256 3529ad229a14983157b7274e3d03545237f41e6582a05e935ff39bf0457b2fe8
MD5 870f4f3a640f54bf8885dbede07cc8b9
BLAKE2b-256 42e4e6fa2784db4ee6e55f95c669889045153a916861d3b48c80ece43504b9e3

See more details on using hashes here.

File details

Details for the file tazendor_opnsense_mcp-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: tazendor_opnsense_mcp-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 15.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.24 {"installer":{"name":"uv","version":"0.11.24","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for tazendor_opnsense_mcp-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d65f7dcdb0fd962e4b921ae17a4a3a5a7b22f4aac8695385a7de553198165c16
MD5 a67542e10243a4d0b009306e59413da8
BLAKE2b-256 65889d650a13a7ad2f8e85b10d531307e6a539f9868bfd8358e40b78a87a5ba8

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page