OPNsense MCP server

Provides Infrastructure as Code capabilities for OPNsense firewalls with declarative management of VLANs, firewall rules, DHCP configurations, DNS blocking, HAProxy load balancing, and network topology discovery through plan/apply workflows, automatic backups, and rollback capabilities.
Back to servers
Setup instructions
Provider
VinSpo
Release date
Jun 12, 2025
Stats
6 stars

The OPNSense MCP Server is a powerful tool that enables managing OPNsense firewalls using Infrastructure as Code (IaC) capabilities through the Model Context Protocol (MCP). This server allows you to programmatically control firewall rules, network configurations, and more with clear declarative definitions.

Prerequisites

Before installing the OPNSense MCP Server, ensure you have:

  • Node.js 18 or newer
  • An OPNsense firewall with API access enabled
  • Optional: Redis for caching
  • Optional: PostgreSQL for persistent cache

Installation

To install the OPNSense MCP Server:

# Clone the repository
git clone https://github.com/vespo92/OPNSenseMCP
cd opnsense-mcp

# Install dependencies
npm install

# Build the project
npm run build

# Copy and configure environment
cp .env.example .env
# Edit .env with your OPNsense credentials

Configuration

The server can be configured using environment variables or manual configuration.

Environment Variables

Create a .env file in the project root:

# Required
OPNSENSE_HOST=https://192.168.1.1  # or just 192.168.1.1:55443
OPNSENSE_API_KEY=your_api_key
OPNSENSE_API_SECRET=your_api_secret

# Optional
IAC_ENABLED=true
ENABLE_CACHE=false
REDIS_HOST=localhost
POSTGRES_HOST=localhost

Manual Configuration

If environment variables don't work for you, use the configure tool:

// Configure connection manually
await configure({
  host: "https://192.168.1.1",
  apiKey: "your_api_key",
  apiSecret: "your_api_secret",
  verifySsl: true
});

Transport Modes

The server supports two transport modes:

STDIO Mode (Default)

For direct integration with Claude Desktop:

npm start                  # or npm run start:stdio

SSE Mode

For HTTP-based integration with agents and containers:

npm run start:sse          # Starts on port 3000
npm run start:sse -- --port 8080  # Custom port

SSE Endpoints:

  • GET /sse - SSE connection endpoint
  • POST /messages - Message handling
  • GET /health - Health check

Quick Start

Start the MCP server:

npm start

Integration with Claude Desktop

Add to your Claude Desktop configuration file (claude_desktop_config.json):

{
  "mcpServers": {
    "opnsense": {
      "command": "node",
      "args": ["dist/index.js"],
      "cwd": "/path/to/opnsense-mcp",
      "env": {
        "OPNSENSE_HOST": "https://192.168.1.1:55443",
        "OPNSENSE_API_KEY": "your_api_key",
        "OPNSENSE_API_SECRET": "your_api_secret",
        "OPNSENSE_VERIFY_SSL": "true"
      }
    }
  }
}

Usage Examples

Managing VLANs

// Create a new VLAN for IoT devices
const vlan = {
  type: "opnsense:network:vlan",
  properties: {
    interface: "igc3",
    tag: 20,
    description: "IoT Network - Isolated"
  }
};

Firewall Rules

// Block all traffic from guest network to main LAN
const rule = {
  type: "opnsense:firewall:rule",
  properties: {
    action: "block",
    interface: "guest_vlan",
    source: "guest_vlan_subnet",
    destination: "lan_subnet",
    description: "Block guest to LAN"
  }
};

DNS Blocking

// Block social media sites
const blocklist = {
  type: "opnsense:dns:blocklist",
  properties: {
    domains: ["facebook.com", "twitter.com", "tiktok.com"],
    description: "Social media block",
    enabled: true
  }
};

Complete Network Setup Example

// Deploy a complete guest network with isolation
const guestNetwork = {
  name: "guest-network-setup",
  resources: [
    {
      type: "opnsense:network:vlan",
      id: "guest-vlan",
      properties: {
        interface: "igc3",
        tag: 10,
        description: "Guest WiFi Network"
      }
    },
    {
      type: "opnsense:firewall:rule",
      id: "guest-internet",
      properties: {
        action: "pass",
        interface: "guest_vlan",
        source: "guest_vlan_subnet",
        destination: "any",
        description: "Allow guest internet"
      }
    },
    {
      type: "opnsense:firewall:rule",
      id: "block-guest-lan",
      properties: {
        action: "block",
        interface: "guest_vlan",
        source: "guest_vlan_subnet",
        destination: "lan_subnet",
        description: "Isolate guest from LAN"
      }
    }
  ]
};

Using with Claude Desktop

Once configured in Claude Desktop, you can ask Claude to:

  • "Create a new VLAN for my smart home devices"
  • "Show me all devices on my guest network"
  • "Block pornhub.com on my network"
  • "Set up a Minecraft server VLAN with proper firewall rules"
  • "Find Kyle's laptop on the network"
  • "Create a backup of my firewall configuration"

Troubleshooting

Common Issues

Connection refused errors

  • Ensure OPNsense API is enabled (System > Settings > Administration > API)
  • Check firewall rules allow API access from your host
  • Verify SSL settings match your configuration

Authentication failures

  • API key and secret must be base64 encoded in OPNsense
  • Ensure no trailing spaces in credentials
  • Check user has appropriate permissions

VLAN creation fails

  • Verify the physical interface exists and is not in use
  • Check VLAN tag is within valid range (1-4094)
  • Ensure interface supports VLAN tagging

Build errors

  • Run npm ci for clean dependency installation
  • Ensure Node.js 18+ is installed
  • Check TypeScript version matches requirements

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "opnsense" '{"command":"node","args":["dist/index.js"],"cwd":"/path/to/opnsense-mcp"}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "opnsense": {
            "command": "node",
            "args": [
                "dist/index.js"
            ],
            "cwd": "/path/to/opnsense-mcp"
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "opnsense": {
            "command": "node",
            "args": [
                "dist/index.js"
            ],
            "cwd": "/path/to/opnsense-mcp"
        }
    }
}

3. Restart Claude Desktop for the changes to take effect

Want to 10x your AI skills?

Get a free account and learn to code + market your apps using AI (with or without vibes!).

Nah, maybe later