OPNsense
Deciso / OPNsensenetwork4 credentials1 default credential
Default root Login
opnsense / default-root
OPNsense default console/web credentials for fresh installations are used to complete initial setup and should be changed immediately.
Default credentials
root:opnsenseLocation
OPNsense web GUI, console, SSH, and API-capable plugins/conf/config.xmlsystem users and hashed passwords
configuration backups and diagnostics bundles
Local User Password Hash
opnsense / local-user-password
OPNsense local users authenticate to the web GUI, console/SSH, captive portal, VPN, and package/plugin services.
Looks like
pattern<user>.*?<name>[^<]+</name>.*?<password>[^<]+</password>Location
/conf/config.xmluser manager entries, groups, privileges, and password hashes
web GUI, SSH/console, VPN, captive portal, and pluginspassword managers and firewall backup vaults
system, auth, web GUI, VPN, and captive portal logs
API Key and Secret
opnsense / api-key-secret
OPNsense supports API keys/secrets for automation and plugin APIs. The key and secret together authorize API operations for the associated user privileges.
Location
AuthorizationBasic authentication using API key and secret
/conf/config.xmlAPI key metadata and user association
OPNSENSE_API_KEY, OPNSENSE_API_SECRETCI/CD variables and network automation vaults
Terraform/Ansible scripts and monitoring configs
API and web GUI access logs
VPN, SNMP, LDAP, RADIUS, and Certificate Secrets
opnsense / vpn-snmp-ldap-radius-secrets
OPNsense config backups include VPN keys/PSKs, SNMP communities, LDAP bind passwords, RADIUS shared secrets, certificates/private keys, PPP credentials, and plugin secrets.
Looks like
pattern-----BEGIN (RSA |EC |OPENVPN |ENCRYPTED |)PRIVATE KEY-----Location
/conf/config.xmlVPN, certificate, SNMP, auth server, gateway, package, and plugin secrets
configuration backup vaults and certificate stores
configuration backups, diagnostics, and VPN client exports
firewall automation repositories
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.