Backing up OPNsense to Nextcloud

Configure OPNsense to back up to a Nextcloud server on the LAN

I came across OPNsense last year while trying to find a more robust replacement for my ASUS RT-AC68U running Merlin’s modified firmware. I wanted to learn new things, specifically how to set up and configure VLANs, and decided to throw OPNsense on an older ThinkCentre and play around with it. One thing I discovered is the ability to back up your configuration to a Nextcloud server and I was sold! I’ve been running my own Nextcloud server now for a few months and really appreciated the ability to easily back up my configuration to my local server.

Configuring OPNsense to back up to Nextcloud is fairly straightforward. Head on over to System > Configuration > Backups and you’ll see an option to configure Nextcloud at the bottom:

However, this is when things came to a screeching halt. I kept running into an issue where the settings would save but for some reason the remote backup would fail:

I made sure to create a new app password in Nextcloud for this purpose and verified that the directory name was already created in case this was causing the issue (this doesn’t matter as OPNsense will create the directory if needed). I jumped over to the system logs and found this rather unhelpful entry:

config[58594] Cannot get real username

Since my Nextcloud server is on the LAN behind an Nginx reverse proxy and I was using my FQDN to access it, I remembered that DNS reflection had to be enabled. I was pretty confident this wasn’t the issue because I had no problems accessing my Nextcloud server from my LAN using my domain. Sure enough, I had reflection already enabled:

Overrides with Unbound DNS

As it turns out, OPNsense was trying to reach my Nextcloud server but since the domain was pointed back at my WAN IP, OPNsense could not find the server. I’m not quite sure why that is. I assumed that when DNS resolved it would’ve gone back through my firewall rules and port forwards and found its way to the local machine. This is not the case though. What needs to be done instead is to create an override in the DNS server to resolve to a local IP rather than my public WAN IP:

After saving my changes, I went back over to the Backup page and tried it again. Success!
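
To confirm the override from a shell on the firewall itself, the check below resolves the Nextcloud hostname and reports whether the answer is a LAN address or still a public one. It is an added example, not part of the original post or of OPNsense; `cloud.example.com` is a placeholder, and it assumes the `host` utility is installed and that the LAN uses RFC 1918 IPv4 addressing.

```sh
#!/bin/sh
# Added diagnostic: how does this machine resolve the Nextcloud hostname?
# Hostname and addresses in the usage line are constructed placeholders.

# Succeeds if $1 is an IPv4 address in an RFC 1918 private range.
is_rfc1918() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;      # not digits and dots: not an IPv4 address
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ -n "$second" ] && [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Prints "override-ok" for a LAN address, "points-at-wan" for a public
# address (the failure described above), "no-answer" if nothing resolved.
classify_answer() {
    if [ -z "$1" ]; then echo "no-answer"
    elif is_rfc1918 "$1"; then echo "override-ok"
    else echo "points-at-wan"
    fi
}

# First A record for $1 from the system resolver (assumes `host` exists).
resolve_v4() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# Resolve the backup target and report the verdict; succeeds only when
# the name resolves to a LAN address.
check_backup_target() {
    fqdn=$1
    ip=$(resolve_v4 "$fqdn")
    verdict=$(classify_answer "$ip")
    echo "$fqdn -> ${ip:-<none>} ($verdict)"
    [ "$verdict" = "override-ok" ]
}

# Runs only when a hostname is given, e.g.: sh check.sh cloud.example.com
if [ "$#" -ge 1 ]; then
    check_backup_target "$1"
fi
```

A `points-at-wan` result after adding the override usually means the firewall is not using its own Unbound instance as resolver, which is worth checking before retrying the backup.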