Manual Config Backup
The configuration file for opnSense is stored in /conf/config.xml. To back up this file, simply use scp to copy it. The directory /conf/backup contains all of the configurations back to the first one you did, so if you want that, grab that entire directory (plus /conf/config.xml).
On our servers, we have nightly backup runs, so we created a special ssh key and put it in the .ssh/authorized_keys file on the firewall, then our process can rsync the configuration (I just grab the whole /conf directory). This is inherently insecure as anyone with cli access to the server “owns” the router, so I create a special user for only this purpose, then create an ssh key for them. You could be a bit more secure by using the “allow root login for command only” but I'm not going to cover that here.
NOTE: you must manually install rsync if you want to do this. The full procedure is:
su specialuser # on client machine, as special user ssh-keygen -t rsa -b 4096 # leave password blank (just press enter) cat ~/.ssh/id_rsa.pub # ssh to router ssh root@router vi ~/.ssh/authorized_keys # copy/paste the key you cat'd earlier, then save the file chmod 700 ~/.ssh/authorized_keys exit # following should log in without asking for password ssh root@router # install rsync pkg install rsync exit
Now, you can simply create a script on your server which will grab the config. It only has one line
rsync -av --delete router:/conf /home/routerbackups/router/
Setting a cron job to run occasionally means you'll always have a copy of your router configuration someplace else!