As I’ve posted about in other blogs, I use OPNsense as the firewall for my home network. It has an inbuilt method of backing up its configuration to the cloud, but I’d like to avoid that and back up locally. Unfortunately, there isn’t a plugin in the repository to have the firewall push a backup to a samba share, so I need to run code somewhere to pull the configuration from the firewall and store it on the storage server (where the backup policies will take care of it). I use Node-red for this, since I already have a lot of flows to pull data out of OPNsense to log in InfluxDB.

OPNsense Configuration

It has a fairly robust method of storing configuration in an XML file, so backing up the XML file alone is usually sufficient to restore the configuration in a disaster recovery scenario or after a bad update and total reinstall. In fact, you can migrate between hardware without too much trouble as well, although some of the interface configuration is specific to which Ethernet drivers are in use. It’s technically possible to have configuration outside of the XML file if you write custom options for Unbound or some other services, so if you use those custom config files, beware.

I quickly found a shell script which can do the backup on the OPNsense Forum, and it relies on the os-api-backup plugin (which exposes an API endpoint to download the whole configuration). See Here for the Shell Script. I will use the same os-api-backup plugin, but do the backup through Node Red instead.

Node-Red Samba File Access

To access the filesystem via Samba, I’m using the node-red-contrib-smb plugin. It seems to work adequately, although there are a lot of caveats to this (you must do \server\share with no subsequent paths, for example). It also doesn’t always work correctly without Windows-style paths, which must be escaped of course. So, beware of the frustration.

The Flow

Anyway, here’s my node-red flow to pull the backup from OPNsense’s API, write it to a file, read the contents of the directory it’s in for autobackup files, and trim the autobackups to keep the most recent only. It won’t touch other files in the folder.

As always, I recommend creating a new samba user on your NAS for this client, and give it permissions to only its backup folder. How you do that is up to you.

As always, my work is licensed CC-BY-SA unless otherwise specified. Link to the flow