OPN001 - OPNsense Authorization Failed

Agent error code #207001#OPN001 indicates that the agent authenticated with OPNsense successfully, but the API user lacks the privileges required to manage aliases. OPNsense returned HTTP 403 (Forbidden).

This error is distinct from authentication failures (#207000#OPN000), which occur when the API key/secret pair is not accepted. Error #207001#OPN001 means the credentials are valid but cannot perform the operation.

Common causes include:

  • The API user is not a member of a group with alias management privileges
  • The group's privileges do not include both Firewall: Alias: Edit and Firewall: Aliases
  • The privilege required to apply alias changes (named Firewall: Alias: Apply or similar depending on the OPNsense version) is missing
  • OPNsense has been upgraded and the privilege names have changed but the group was not updated

Steps to Resolve

Verify Group Membership

  1. Log into the OPNsense web UI
  2. Navigate to System > Access > Users and open the API user
  3. Confirm the user is a member of a group dedicated to API access (rather than the default admins group, which is fine but broad)

Verify Group Privileges

  1. Navigate to System > Access > Groups and open the group the API user belongs to
  2. Confirm the group has at least these privileges assigned:
    • Firewall: Alias: Edit
    • Firewall: Aliases
    • the privilege that controls applying alias changes (the Firewall: Alias: Apply entry, or the equivalent entry for your OPNsense version)
  3. Save any changes

For the full list of privileges and the setup steps, see the OPNsense setup guide.

Retry the Operation

  1. Trigger a fresh grant by logging in as a test user via the Knocknoc user portal
  2. Confirm the user's IP now appears in the alias under Firewall > Diagnostics > Aliases
  3. If the error persists, double-check that you saved the privilege changes and that the user is still in the modified group
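
To check a key/secret pair from the agent host without triggering a grant, the script below sends one read-only alias request and reports which error the response corresponds to. It is an added example, not Knocknoc or OPNsense code. It assumes the OPNsense alias search endpoint /api/firewall/alias/searchItem, that a rejected key returns HTTP 401, and uses hypothetical OPNSENSE_* environment variable names.

```python
import base64
import os
import ssl
import sys
import urllib.error
import urllib.request

# Read-only alias search endpoint from the OPNsense API reference. Which of the
# privileges listed on this page gates it is an assumption of this example.
PROBE_PATH = "/api/firewall/alias/searchItem"


def classify(status):
    """Map the probe's HTTP status to the agent error it corresponds to."""
    if status == 401:  # assumption: a rejected key/secret pair yields 401
        return "OPN000", "key/secret not accepted: fix the credentials first"
    if status == 403:  # stated on this page for OPN001
        return "OPN001", "key accepted but the group lacks alias privileges"
    if 200 <= status < 300:
        return "OK", "alias read allowed; edit/apply privileges are not exercised"
    return "UNKNOWN", f"unexpected HTTP {status}: check the URL and any proxy"


def probe(base_url, key, secret, cafile=None, timeout=10):
    """Send one authenticated GET and return the HTTP status code."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    request = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={"Authorization": f"Basic {token}"},
    )
    # Keep certificate verification on; pass the firewall's CA for a private PKI.
    context = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 401/403; the code is what we want


if __name__ == "__main__":
    # Hypothetical variable names; read from the environment so the secret
    # does not appear in the process list or shell history.
    env = os.environ
    status = probe(env["OPNSENSE_URL"], env["OPNSENSE_KEY"],
                   env["OPNSENSE_SECRET"], env.get("OPNSENSE_CA"))
    code, advice = classify(status)
    print(f"{code} (HTTP {status}): {advice}")
    sys.exit(0 if code == "OK" else 1)
```

An OK result only shows that the key can read aliases. A missing edit or apply privilege still surfaces as #207001#OPN001 on the next real grant.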

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.