Automating OPNsense Configuration with opnsense-confgen

Blake Bradford

If you’re a network administrator or a security professional using OPNsense as your firewall and router solution, you know how important it is to have a well-configured system. Manually setting up the configuration can be time-consuming and error-prone. That’s where opnsense-confgen comes in. This Python package simplifies the process of generating OPNsense configuration files by leveraging Python’s ConfigParser library.

Scope and System Architecture

Opnsense-confgen takes a Python ConfigParser formatted INI file as input and generates a ready-to-use config.xml file for OPNsense. The generated configuration file can be used during the installation process by the OPNsense Importer. The package provides both a command-line interface and a class that can be imported into Python scripts and other applications. The output files can include the OPNsense configuration XML, a WireGuard client configuration file, a web console shortcut, and an ISO image containing the configuration.

Technology Stack

Opnsense-confgen is built using Python and relies on several libraries. The project uses the ConfigParser library for parsing the INI file and generating the OPNsense configuration. It also utilizes PyNaCl, the Python binding to the libsodium library, for generating and handling WireGuard keys. Additionally, it depends on pycdlib for creating the ISO image containing the configuration.

Generating a Minimal Working Configuration

With opnsense-confgen, you can easily generate a minimal working configuration with fully-configured interfaces. The INI file can include basic information like the hostname, domain, DNS server, WAN interface details, LAN interface details, and optional interfaces with or without DHCP configurations. Simply define the necessary sections and fields in the INI file, and opnsense-confgen will generate the corresponding OPNsense configuration XML.

Optional Features: WireGuard Bootstrap and API Key Bootstrap

Opnsense-confgen offers two optional features to enhance your configuration. The WireGuard bootstrap feature enables the automatic generation of a working WireGuard VPN interface. You can specify the WireGuard server port, server private key, server IP address, client IP address, and client public key in the INI file. Opnsense-confgen will generate the necessary configuration files for the server and client, making it easy to set up a secure VPN connection.

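Another optional feature is the API key bootstrap. If the INI file has an API section containing an API key and secret, opnsense-confgen appends that API key to the root user in the generated configuration. This allows you to use the API key immediately to make further configuration changes to the OPNsense instance. Because the key belongs to the root user and the secret sits in the INI file next to the WireGuard server private key, treat the INI file as a credential in its own right.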
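A pre-flight check for an INI file that carries the WireGuard and API bootstrap values described above. This is an added example, not code from opnsense-confgen. The section names (`WGB`, `API`) and field names are assumptions, so take the real ones from the example INI that the CLI writes; the sample values are constructed.

```python
import base64
import binascii
import configparser
import ipaddress
import stat

# Hypothetical section and field names; use the ones from the project's example INI.
WG, API = "WGB", "API"
ZERO_KEY = "A" * 43 + "="  # constructed: base64 of 32 zero bytes, never a usable key
SAMPLE_INI = f"""
[{WG}]
port = 51820
server_privkey = {ZERO_KEY}
client_pubkey = not-a-key
server_ip = 10.2.2.1/24
client_ip = 10.2.2.2/24
[{API}]
key = CONSTRUCTED-KEY
secret = CONSTRUCTED-SECRET
"""

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    return cfg

def is_wg_key(value):
    """WireGuard keys are 32 raw bytes in standard base64 (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def preflight(cfg, mode=None):
    """Return findings for a parsed INI; mode is the file's st_mode when known."""
    found = []
    holds_secrets = cfg.has_section(WG) or cfg.has_section(API)
    if holds_secrets and mode is not None and stat.S_IMODE(mode) & 0o077:
        found.append("file holds secrets but is accessible to group/other")
    if cfg.has_section(WG):
        for field in ("server_privkey", "client_pubkey"):
            if not is_wg_key(cfg[WG].get(field, "")):
                found.append(f"{field}: not a base64 32-byte key")
        for field in ("server_ip", "client_ip"):
            try:
                ipaddress.ip_interface(cfg[WG].get(field, ""))
            except ValueError:
                found.append(f"{field}: not an IP address")
    return found
```

For a file on disk, pass `os.stat(path).st_mode` as `mode` so the permission check runs before the file is fed to the generator.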

Command Line Usage and Class Usage

Opnsense-confgen provides a command-line interface (CLI) that offers various options for generating the configuration. You can choose to write the example INI file, generate the XML OPNsense configuration file, create an ISO image containing the configuration, write a macOS shortcut file, delete existing output files, print the OPNsense console URL, or print the XML config for debugging.

The package also provides a class, oscg.core.GenerateConfigs, which can be used in Python scripts and applications. You can instantiate the class with a ConfigParser instance or a dictionary object that mimics the structure of the INI file. From there, you can access the generated OPNsense configuration XML, WireGuard configuration, and macOS shortcut.

Dependencies and Known Issues

Opnsense-confgen relies on two external libraries: PyNaCl and pycdlib. PyNaCl is a Python binding to the libsodium library, which is used for generating and handling WireGuard keys. Pycdlib is used for creating the ISO image containing the OPNsense configuration.

There is a known issue regarding the automatically created “WireGuard (Group)” interface that is normally part of the WireGuard plugin. During the OPNsense installation process, this interface gets removed. However, there is a simple workaround. After the installation is complete, log in to the OPNsense console, navigate to the Interfaces menu, select Assignments, and click Save. This will recreate the “WireGuard (Group)” interface.

Conclusion

Opnsense-confgen is a powerful tool that simplifies the process of generating OPNsense configurations. It offers a convenient way to automate the configuration process, saving time and reducing the chance of errors. With its optional features like WireGuard bootstrap and API key bootstrap, opnsense-confgen allows for even greater flexibility in configuring your OPNsense instance. Give it a try and enhance your OPNsense configuration workflow today.

References:
– opnsense-confgen GitHub repository: https://github.com/malwarology/opnsense-confgen
– OPNsense Documentation: https://docs.opnsense.org/manual/install.html#opnsense-importer

Tags: OPNsense, Configuration Generator, Python, ConfigParser, WireGuard, API Key, Automation
