From 8bc1616baf3aa5b7ba676175fcfa49e6e75f2f69 Mon Sep 17 00:00:00 2001 
From: Tobias <5389669+botboe@users.noreply.github.com> Date: Wed, 14 Apr 2021 11:44:03 +0200 Subject: [PATCH] New Plugin "RadSecProxy" (#1894) --- net/radsecproxy/Makefile | 8 + net/radsecproxy/pkg-descr | 5 + .../src/etc/inc/plugins.inc.d/radsecproxy.inc | 73 +++ net/radsecproxy/src/etc/rc.d/os-radsecproxy | 46 ++ .../RadSecProxy/Api/ClientsController.php | 67 +++ .../RadSecProxy/Api/GeneralController.php | 33 ++ .../RadSecProxy/Api/RealmsController.php | 63 +++ .../RadSecProxy/Api/RewritesController.php | 67 +++ .../RadSecProxy/Api/ServersController.php | 67 +++ .../RadSecProxy/Api/ServiceController.php | 40 ++ .../RadSecProxy/Api/TlsController.php | 67 +++ .../RadSecProxy/ClientsController.php | 36 ++ .../RadSecProxy/GeneralController.php | 34 ++ .../OPNsense/RadSecProxy/IndexController.php | 34 ++ .../OPNsense/RadSecProxy/RealmsController.php | 34 ++ .../RadSecProxy/RewritesController.php | 36 ++ .../RadSecProxy/ServersController.php | 34 ++ .../OPNsense/RadSecProxy/TlsController.php | 34 ++ .../RadSecProxy/forms/dialogClient.xml | 96 ++++ .../RadSecProxy/forms/dialogRealm.xml | 71 +++ .../RadSecProxy/forms/dialogRewrite.xml | 101 ++++ .../RadSecProxy/forms/dialogServer.xml | 102 ++++ .../OPNsense/RadSecProxy/forms/dialogTls.xml | 68 +++ .../OPNsense/RadSecProxy/forms/general.xml | 121 +++++ .../models/OPNsense/RadSecProxy/Menu/Menu.xml | 12 + .../OPNsense/RadSecProxy/RadSecProxy.php | 31 ++ .../OPNsense/RadSecProxy/RadSecProxy.xml | 514 ++++++++++++++++++ .../views/OPNsense/RadSecProxy/clients.volt | 56 ++ .../views/OPNsense/RadSecProxy/general.volt | 31 ++ .../views/OPNsense/RadSecProxy/realms.volt | 54 ++ .../views/OPNsense/RadSecProxy/rewrites.volt | 54 ++ .../views/OPNsense/RadSecProxy/servers.volt | 56 ++ .../app/views/OPNsense/RadSecProxy/tls.volt | 55 ++ .../OPNsense/RadSecProxy/generate_certs.php | 105 ++++ .../scripts/OPNsense/RadSecProxy/setup.sh | 18 + .../conf/actions.d/actions_radsecproxy.conf | 35 ++ .../templates/OPNsense/RadSecProxy/+TARGETS | 
2 + .../OPNsense/RadSecProxy/radsecproxy.conf | 240 ++++++++ .../templates/OPNsense/RadSecProxy/rc.conf.d | 7 + 39 files changed, 2607 insertions(+) create mode 100644 net/radsecproxy/Makefile create mode 100644 net/radsecproxy/pkg-descr create mode 100644 net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc create mode 100755 net/radsecproxy/src/etc/rc.d/os-radsecproxy create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RealmsController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/TlsController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php create mode 100644 
net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt create mode 100755 net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php create mode 100755 net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh create mode 100644 net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf create 
mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile new file mode 100644
index 000000000..c27c40120
--- /dev/null
+++ b/net/radsecproxy/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME= radsecproxy
+PLUGIN_VERSION= 0.1
+PLUGIN_COMMENT= RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
+PLUGIN_DEPENDS= radsecproxy
+PLUGIN_MAINTAINER= tobias@boehnert.dev
+PLUGIN_DEVEL= yes
+
+.include "../../Mk/plugins.mk"
diff --git a/net/radsecproxy/pkg-descr b/net/radsecproxy/pkg-descr new file mode 100644
index 000000000..ef872b8a7
--- /dev/null
+++ b/net/radsecproxy/pkg-descr
@@ -0,0 +1,5 @@
+A generic RADIUS proxy that in addition to usual RADIUS UDP
+transport, also supports TLS (RadSec), as well as RADIUS
+over TCP and DTLS. The aim is for the proxy to have
+sufficient features to be flexible, while at the same time
+to be small, efficient and easy to configure.
diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc new file mode 100644
index 000000000..57e873477
--- /dev/null
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -0,0 +1,73 @@
+general->enabled == '1') {
+ return true;
+ }
+
+ return false;
+}
+
+function radsecproxy_syslog()
+{
+ // $syslogconf = array();
+
+ // $syslogconf['radsecproxy'] = array(
+ // 'local' => '/var/log/radsecproxy.log',
+ // 'facility' => array('radsecproxy'),
+ // 'remote' => 'relayd',
+ // );
+
+ // return $syslogconf;
+
+ $logfacilities = array();
+ $logfacilities['radsecproxy'] = array(
+ 'facility' => array('LOG_DAEMON'),
+ );
+ return $logfacilities;
+
+}
+
+
+function radsecproxy_services()
+{
+ $services = array();
+
+ if (radsecproxy_enabled()) {
+ $services[] = array(
+ 'description' => gettext('Radius Secure Proxy'),
+ 'configd' => array(
+ 'restart' => array('radsecproxy restart'),
+ 'start' => array('radsecproxy start'),
+ 'stop' => array('radsecproxy stop'),
+ ),
+ 'name' => 'radsecproxy',
+ 'pidfile' => '/var/run/radsecproxy/radsecproxy.pid'
+ );
+ }
+ return $services;
+}
diff --git a/net/radsecproxy/src/etc/rc.d/os-radsecproxy b/net/radsecproxy/src/etc/rc.d/os-radsecproxy new file mode 100755
index 000000000..4faca1f6b
--- /dev/null
+++ b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
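Review bot: The pidfile that `radsecproxy_services()` registers, `/var/run/radsecproxy/radsecproxy.pid`, is not the path the new rc script defaults to (`/var/run/radsecproxy.pid`), so the service status shown in the UI would be read from a file the daemon never writes unless the rc.conf.d template, which is not visible here, overrides `radsecproxy_pidfile`; both sides should agree on one path, and keeping it inside its own `/var/run/radsecproxy/` directory is the safer of the two. `radsecproxy_syslog()` still carries a commented-out alternative implementation and a blank line before its closing brace; the dead code should be deleted rather than shipped. The license header and the opening lines of `radsecproxy_enabled()` are not legible in this rendering of the hunk.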
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: radsecproxy
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following line to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# radsecproxy_enable (bool): Set to NO by default.
+# Set it to YES to enable radsecproxy.
+
+. /etc/rc.subr
+
+name="radsecproxy"
+rcvar=radsecproxy_enable
+
+: ${radsecproxy_enable:="NO"}
+: ${radsecproxy_user:="root"}
+: ${radsecproxy_group:="wheel"}
+: ${radsecproxy_pidfile:="/var/run/radsecproxy.pid"}
+
+user=${radsecproxy_user}
+group=${radsecproxy_group}
+pidfile=${radsecproxy_pidfile}
+required_files=/usr/local/etc/radsecproxy.conf
+
+command="/usr/local/sbin/${name}"
+command_args="-c /usr/local/etc/radsecproxy.conf -i ${pidfile}"
+
+start_precmd="radsecproxy_prestart"
+stop_postcmd="radsecproxy_poststop"
+
+radsecproxy_prestart()
+{
+ mkdir -p $(dirname $pidfile)
+ chown ${user}:${group} $(dirname $pidfile)
+}
+
+radsecproxy_poststop()
+{
+ rm -f ${pidfile}
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php new file mode 100644
index 000000000..a256a8765
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php
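Review bot: `radsecproxy_prestart` runs `chown ${user}:${group} $(dirname $pidfile)` on whatever directory holds the pidfile, and with the default `radsecproxy_pidfile="/var/run/radsecproxy.pid"` that directory is `/var/run` itself; while user and group stay at root:wheel this is a no-op, but as soon as an operator points `radsecproxy_user` at an unprivileged account the script hands that account ownership of all of `/var/run`. Defaulting the pidfile into a dedicated directory, `: ${radsecproxy_pidfile:="/var/run/radsecproxy/radsecproxy.pid"}`, confines the chown to that directory and also matches the path the plugin's services registration in radsecproxy.inc expects. Because the daemon accepts RADIUS and RadSec traffic from the network, an unprivileged default user and group would be the least-privilege choice; that presupposes the config file and certificate material are readable by that account, which this patch does not show. `$pidfile` should also be quoted in both `$(dirname "$pidfile")` calls.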
@@ -0,0 +1,67 @@ +searchBase( + "clients.client", + array('enabled', 'description', 'host', 'identifier', 'type'), + "name" + ); + } + + public function setItemAction($uuid) + { + return $this->setBase("client", "clients.client", $uuid); + } + + public function addItemAction() + { + return $this->addBase("client", "clients.client"); + } + + public function getItemAction($uuid = null) + { + return $this->getBase("client", "clients.client", $uuid); + } + + public function delItemAction($uuid) + { + return $this->delBase("clients.client", $uuid); + } + + public function toggleItemAction($uuid, $enabled = null) + { + return $this->toggleBase("clients.client", $uuid, $enabled); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php new file mode 100644 index 000000000..786df74eb --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php @@ -0,0 +1,33 @@ +searchBase("realms.realm", array('enabled', 'description', 'realm'), "description"); + } + + public function setItemAction($uuid) + { + return $this->setBase("realm", "realms.realm", $uuid); + } + + public function addItemAction() + { + return $this->addBase("realm", "realms.realm"); + } + + public function getItemAction($uuid = null) + { + return $this->getBase("realm", "realms.realm", $uuid); + } + + public function delItemAction($uuid) + { + return $this->delBase("realms.realm", $uuid); + } + + public function toggleItemAction($uuid, $enabled = null) + { + return $this->toggleBase("realms.realm", $uuid, $enabled); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php new file mode 100644 index 000000000..c1fb95d92 --- /dev/null 
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php
@@ -0,0 +1,67 @@
+searchBase(
+ "rewrites.rewrite",
+ array('enabled', 'name', 'description'),
+ "name"
+ );
+ }
+
+ public function setItemAction($uuid)
+ {
+ return $this->setBase("rewrite", "rewrites.rewrite", $uuid);
+ }
+
+ public function addItemAction()
+ {
+ return $this->addBase("rewrite", "rewrites.rewrite");
+ }
+
+ public function getItemAction($uuid = null)
+ {
+ return $this->getBase("rewrite", "rewrites.rewrite", $uuid);
+ }
+
+ public function delItemAction($uuid)
+ {
+ return $this->delBase("rewrites.rewrite", $uuid);
+ }
+
+ public function toggleItemAction($uuid, $enabled = null)
+ {
+ return $this->toggleBase("rewrites.rewrite", $uuid, $enabled);
+ }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php new file mode 100644
index 000000000..55394aa5e
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php
@@ -0,0 +1,67 @@
+searchBase(
+ "servers.server",
+ array('description', 'host', 'type', 'identifier', 'tlsConfig'),
+ "name"
+ );
+ }
+
+ public function setItemAction($uuid)
+ {
+ return $this->setBase("server", "servers.server", $uuid);
+ }
+
+ public function addItemAction()
+ {
+ return $this->addBase("server", "servers.server");
+ }
+
+ public function getItemAction($uuid = null)
+ {
+ return $this->getBase("server", "servers.server", $uuid);
+ }
+
+ public function delItemAction($uuid)
+ {
+ return $this->delBase("servers.server", $uuid);
+ }
+
+ public function toggleItemAction($uuid, $enabled = null)
+ {
+ return $this->toggleBase("servers.server", $uuid, $enabled);
+ }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php new file mode 100644 index 000000000..2aebebd84 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php @@ -0,0 +1,40 @@ +searchBase( + "tlsConfigs.tlsConfig", + array('description', 'name', 'caCertificateRefId', 'proxyCertificateRefId'), + "name" + ); + } + + public function setItemAction($uuid) + { + return $this->setBase("tlsConfig", "tlsConfigs.tlsConfig", $uuid); + } + + public function addItemAction() + { + return $this->addBase("tlsConfig", "tlsConfigs.tlsConfig"); + } + + public function getItemAction($uuid = null) + { + return $this->getBase("tlsConfig", "tlsConfigs.tlsConfig", $uuid); + } + + public function delItemAction($uuid) + { + return $this->delBase("tlsConfigs.tlsConfig", $uuid); + } + + public function toggleItemAction($uuid, $enabled = null) + { + return $this->toggleBase("tlsConfigs.tlsConfig", $uuid, $enabled); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php new file mode 100644 index 000000000..91e92ce29 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php @@ -0,0 +1,36 @@ +view->generalForm = $this->getForm("clients"); + // pick the template to serve to our users. + $this->view->pick('OPNsense/RadSecProxy/clients'); + $this->view->formDialogClient = $this->getForm("dialogClient"); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php new file mode 100644 index 000000000..5c17d3cd8 --- /dev/null 
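Review bot: `ClientsController::indexAction` calls `$this->getForm("clients")`, but the patch adds no `forms/clients.xml` (the diffstat lists only dialogClient, dialogRealm, dialogRewrite, dialogServer, dialogTls and general), and the `$this->view->generalForm` it assigns is not needed by a grid-plus-dialog page; if `getForm` raises on a missing form file, as I believe the core IndexController does, the clients page will not render at all. `RewritesController` repeats the same `getForm("clients")` call, and `IndexController` asks for `getForm("basic")` and picks `OPNsense/RadSecProxy/index`, neither of which this patch provides either. Dropping the `generalForm` line from the two list controllers and either adding the missing form and view or pointing `IndexController` at the general page resolves all three. The class header lines of these hunks are not legible in this rendering.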
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php @@ -0,0 +1,34 @@ +view->generalForm = $this->getForm("general"); + $this->view->pick('OPNsense/RadSecProxy/general'); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php new file mode 100644 index 000000000..3596535ac --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php @@ -0,0 +1,34 @@ +view->basicForm = $this->getForm("basic"); + $this->view->pick('OPNsense/RadSecProxy/index'); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php new file mode 100644 index 000000000..d227bbac1 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php @@ -0,0 +1,34 @@ +view->pick('OPNsense/RadSecProxy/realms'); + $this->view->formDialogRealm = $this->getForm("dialogRealm"); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php new file mode 100644 index 000000000..92869405e --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php @@ -0,0 +1,36 @@ +view->generalForm = $this->getForm("clients"); + // pick the template to serve to our users. + $this->view->pick('OPNsense/RadSecProxy/rewrites'); + $this->view->formDialogRewrite = $this->getForm("dialogRewrite"); + } +} 
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php new file mode 100644 index 000000000..98186c101 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php @@ -0,0 +1,34 @@ +view->pick('OPNsense/RadSecProxy/servers'); + $this->view->formDialogServer = $this->getForm("dialogServer"); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php new file mode 100644 index 000000000..146157e55 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php @@ -0,0 +1,34 @@ +view->pick('OPNsense/RadSecProxy/tls'); + $this->view->formDialogTls = $this->getForm("dialogTls"); + } +} diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml new file mode 100644 index 000000000..127ff5768 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml @@ -0,0 +1,96 @@ +
+ + + section_title + + + + + client.enabled + + checkbox + Allow connections from this client + + + + client.identifier + + text + Unique identifier for this client + + + + client.description + + text + Short description of this client + + + + client.host + + text + The client's IP or net + + + + client.type + + dropdown + Choose the type of client. Default Radius-clients use UDP. + + + + client.secret + + text + The shared RADIUS key with this client. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".) + + + + section_title + + true + + + + client.tlsConfig + + true + dropdown + For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + + + client.certificateNameCheck + + true + dropdown + For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. + + + + client.matchCertificateAttribute + + true + text + Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported. + + + + client.rewriteIn + + true + dropdown + RewriteIn is not configured, the rewrite blocks defaultClient or default will be applied if defined. No default blocks are applied for RewriteOut.]]> + + + + client.rewriteOut + + true + dropdown + RewriteIn is not configured, the rewrite blocks defaultClient or default will be applied if defined. 
No default blocks are applied for RewriteOut.]]> + + +
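Review bot: The help text for `client.certificateNameCheck` reads `For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.` although this is the client dialog; it was copied from the server option and should begin `For a TLS/DTLS client, ...` so the operator knows whose certificate is being matched. The `client.rewriteOut` help repeats the RewriteIn sentence; a shorter text such as `Rewrite block applied to messages sent to this client. No default block is applied for RewriteOut.` avoids the duplication. `client.secret` is a plain `text` input for a shared secret; the form layer's `password` field type keeps it masked in the browser and out of screen captures.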
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml new file mode 100644 index 000000000..6c270fed7 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml @@ -0,0 +1,71 @@ +
+ + + section_title + + + + + realm.enabled + + checkbox + Enable this realm + + + + realm.realm + + text + * | realm | /regex/ + + + + realm.description + + text + Short description to identify this realm and its target + + + + section_title + + + + + realm.server + + select_multiple + true + + If not configured, the proxy will deny all Access-Requests for this realm. + + + + realm.replyMessage + + text + server is configured.]]> + + + + section_title + + + + + realm.accountingServer + + select_multiple + true + + If not configured, the proxy will silently ignore all Accounting-Requests for this realm. + + + + realm.accountingResponse + + dropdown + accoutingServer is configured.]]> + + +
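Review bot: The help text for `realm.accountingResponse` refers to `accoutingServer`, but the option in the same dialog is `accountingServer`; the help should use the real field name, `Only applies when accountingServer is configured.`, since that is what an operator will search the form for. The element names of this hunk are not legible in this rendering, so only the visible help text is reviewed here.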
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml new file mode 100644 index 000000000..ca8ef6092 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml @@ -0,0 +1,101 @@ +
+ + + rewrite.enabled + + checkbox + Use this rule + + + + rewrite.name + + text + Unique name for this rule + + + + rewrite.description + + text + Short description of this rule + + + + rewrite.addAttributes + + textbox + attribute:value, one per line
Add an attribute to the radius message and set it to value. The attribute must be specified using the numerical attribute id. The value can either be numerical, a string, or a hex value. If the value starts with a number, it is interpreted as a 32bit unsigned integer. Use the ’ character at the start of the value to force string interpretation. When using hex value, it is recommended to also lead with ’ to avoid unintended numeric interpretation. See the CONFIGURATION SYNTAX section for further details.]]>
+
+ + + rewrite.addVendorAttributes + + textbox + vendor:subattribute:value, one per line
Add a vendor attribute to the radius message, specified by vendor and subattribute. Both vendor and subattribute must be specified as numerical values. The format of value is the same as for addAttribute above.]]>
+
+ + + rewrite.supplementAttributes + + textbox + attribute:value, one per line
Add an attribute to the radius message and set it to value, only if the attribute is not yet present on the message. The format of value is the same as for addAttribute above.]]>
+
+ + + rewrite.supplementVendorAttributes + + textbox + vendor:subattribute:value, one per line
Add a vendor attribute to the radius message only if the subattribute of this vendor is not yet present on the message. The format of is the same as for addVendorAttribute above.]]>
+
+ + + rewrite.modifyAttributes + + textbox + attribute:/regex/replace/, one per line
Modify the given attribute using the regex replace pattern. As above, attribute must be specified by a numerical value. Example usage: modifyAttribute 1:/^(.*)@local$/\1@example.com/]]>
+
+ + + rewrite.modifyVendorAttributes + + textbox + vendor:subattribute:/regex/replace/, one per line
Modify the given subattribute of given vendor using the regex replace pattern. Other than the added vendor, the same syntax as for ModifyAttribute applies.]]>
+
+ + + rewrite.removeAttributes + + textbox + attribute, one per line
Remove all attributes with the given id.]]>
+
+ + + rewrite.removeVendorAttributes + + textbox + vendor[:subattribute], one per line
Remove all vendor attributes that match the given vendor and subattribute. If the subattribute is omitted, all attributes with the given vendor id are removed.]]>
+
+ + + rewrite.whitelistMode + + dropdown + WhitelistAttribute or WhitelistVendorAttribute will be removed. While whitelist mode is active, RemoveAttribute and RemoveVendorAttribute statements are ignored.]]> + + + + rewrite.whitelistAttributes + + textbox + attribute, one per line
Do not remove attributes with the given id when WhitelistMode is on. Ignored otherwise.]]>
+
+ + + rewrite.whitelistVendorAttributes + + textbox + vendor[:subattribute], one per line
Do not remove vendor attributes that match the given vendor and subattribute when WhitelistMode is on. Ignored otherwise. If the subattribute is omitted, the complete vendor attribute is whitelisted. Otherwise only the specified subattribute is kept but all other subattributes are removed.]]>
+
+ +
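Review bot: The help text for `rewrite.supplementVendorAttributes` reads `The format of is the same as for addVendorAttribute above.` and is missing a word; it should be `The format of value is the same as for addVendorAttribute above.`. The `rewrite.addAttributes` help points the operator at `the CONFIGURATION SYNTAX section`, a heading from the upstream manual that this dialog does not contain; naming `radsecproxy.conf(5)` instead tells the reader where that section lives.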
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml new file mode 100644 index 000000000..ce44adcb9 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml @@ -0,0 +1,102 @@ +
+ + + section_title + + + + + server.identifier + + text + Unique identifier for this server + + + + server.description + + text + Short description to identify this server + + + + server.host + + text + The server's IP or hostname to connect to + + + + server.port + + text + The port (UDP/TCP) to connect to. If omitted, UDP and TCP will default to 1812 while TLS and DTLS will default to 2083. + + + + server.statusServer + + dropdown + off). If statusserver is enabled (on), the proxy will send regular status-server messages to the server to verify that it is alive. Status tracking of the server will solely depend on status-server message and ignore lost requests. This should only be enabled if the server supports it. With the option minimal status-server messages are only sent when regular requests have been lost and no other replies have been received.]]> + + + + server.type + + dropdown + Choose the type of server. Default Radius-clients use UDP. + + + + server.secret + + text + The shared RADIUS key with this server. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".) + + + + server.tlsConfig + + dropdown + For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + + + section_title + + true + + + + server.certificateNameCheck + + true + dropdown + For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. 
+ + + + server.matchCertificateAttribute + + true + text + Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this option can only be specified once in a client block. + + + + server.rewriteIn + + true + dropdown + RewriteIn is not configured, the rewrite blocks defaultClient or default will be applied if defined. No default blocks are applied for RewriteOut.]]> + + + + server.rewriteOut + + true + dropdown + RewriteIn is not configured, the rewrite blocks defaultClient or default will be applied if defined. No default blocks are applied for RewriteOut.]]> + + +
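Review bot: Several help texts in the server dialog were copied from the client dialog and now describe the wrong side: `server.tlsConfig` says `For a TLS/DTLS client you may also specify the tls option` and names `defaultClient` as the fallback block, `server.matchCertificateAttribute` says the option `can only be specified once in a client block`, and `server.rewriteIn`/`server.rewriteOut` again name `defaultClient`. radsecproxy's configuration reference uses `defaultServer` (then `default`) as the fallback for server blocks, so these texts should say `server` and `defaultServer`. The `server.type` help likewise says `Default Radius-clients use UDP.` in a dialog about servers. `server.secret` is a plain `text` input for a shared secret; the `password` field type keeps it masked.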
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml new file mode 100644 index 000000000..240d91266 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml @@ -0,0 +1,68 @@ +
+ + + section_title + + + + + tlsConfig.name + + text + This TLS-config's unique name + + + + tlsConfig.description + + text + Short description to identify this TLS-config + + + + tlsConfig.caCertificateRefId + + dropdown + The CA certificate file used to verify the peers certificate. + + + + tlsConfig.proxyCertificateRefId + + dropdown + The server certificate this proxy will use. The file may also contain a certificate chain. + + + + section_title + + true + + + + tlsConfig.policyOids + + true + select_multiple + + true + Require the peers certificate to adhere to the policy specified by this oid / these oids. + + + + tlsConfig.crlCheck + + true + dropdown + fetch-crl.]]> + + + + tlsConfig.cacheExpiry + + true + text + Specify how many seconds the CA and CRL information should be cached. By default, the CA and CRL are loaded at startup and cached indefinetely. This option may be set to zero to disable caching. + + +
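Review bot: The `tlsConfig.cacheExpiry` help text misspells `indefinetely` (`indefinitely`), and the `tlsConfig.caCertificateRefId` help should read `the peer's certificate`. If `crlCheck` defaults to off, as the model in this patch appears to set it, the `tlsConfig.crlCheck` help should state plainly that revoked peer certificates are accepted until CRL checking is enabled and a CRL source is provided, since that is the security consequence an operator needs to weigh.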
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml new file mode 100644 index 000000000..eaf9611ed --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml @@ -0,0 +1,121 @@ +
+ + + radsecproxy.general.enabled + + checkbox + + + + radsecproxy.general.logLevel + + dropdown + This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages. + + + + radsecproxy.general.logFullUsername + + dropdown + This can be set to off to only log the realm in Access-Accept/Reject log messages (for privacy). + + + + radsecproxy.general.logMac + + dropdown + Static, Original, VendorHashed, VendorKeyHashed, FullyHashed or FullyKeyHashed. The default value for LogMAC is Original.]]> + + + + radsecproxy.general.loopPrevention + + dropdown + When this is enabled (on), a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting. + + + + section_title + + true + + + + section_title + + true + Listen for the address and port for the respective protocol. Normally the proxy will listen to the standard ports if configured to handle clients with the respective protocol. The default ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On most systems it will do this for all of the system’s IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one. Note that you must use brackets around the IPv6 address. These options may be specified multiple times to listen to multiple addresses and/or ports for each protocol. 
+ + + + radsecproxy.general.listenUdp + + text + true + + + + + radsecproxy.general.listenTcp + + text + true + + + + + radsecproxy.general.listenTls + + text + true + + + + + radsecproxy.general.listenDtls + + text + true + + + + + section_title + + true + This can be used to specify source address and/or source port that the proxy will use for connecting to clients to send messages (e.g. Access Request). The same syntax as for Listen... applies. + + + + radsecproxy.general.sourceUdp + + text + true + + + + + radsecproxy.general.sourceTcp + + text + true + + + + + radsecproxy.general.sourceTls + + text + true + + + + + radsecproxy.general.sourceDtls + + text + true + + + +
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml new file mode 100644 index 000000000..65b18340f --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php new file mode 100644 index 000000000..31e1b506e --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php 
@@ -0,0 +1,31 @@ + + //OPNsense/radsecproxy + + RadSecProxy-Management + + 0.0.1 + + + + + 0 + Y + + + + Y + 2 + + 1 (only serious errors) + 2 (default) + 3 + 4 + 5 (log everything) + + + + + Y + off + + On + Off + + + + + Y + Original + + Static + Original + VendorHashed + VendorKeyHashed + FullyHashed + FullyKeyHashed + + + + + Y + on + + On + Off + + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + + + + + + 1 + Y + + + + Y + /^([0-9a-zA-Z_\-]){1,25}$/u + Should be a string between 1 and 25 characters whithout special characters. + + + UniqueConstraint + Identifier already in use + + + + + + N + + + + Y + Y + + + UniqueConstraint + + + + + + Y + udp + + UDP + TCP + TLS + DTLS + + + + + N + + + Must be set for UDP-clients. + SetIfConstraint + type + udp + + + Must be set for TCP-clients. + SetIfConstraint + type + tcp + + + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + tlsConfigs.tlsConfig + name + + + + + + Y + off + + On + Off + + + + + N + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + rewrites.rewrite + name + + + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + rewrites.rewrite + name + + + + + + + + + + + + Y + /^([0-9a-zA-Z_\-]){1,25}$/u + Should be a string between 1 and 25 characters whithout special characters. + + + UniqueConstraint + Identifier already in use + + + + + + N + + + + Y + Y + + + + N + + + + Y + off + + On + Off + Minimal + Auto + + + + + Y + udp + + UDP + TCP + TLS + DTLS + + + + + N + + + Must be set for UDP-servers. + SetIfConstraint + type + udp + + + Must be set for TCP-servers. 
+ SetIfConstraint + type + tcp + + + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + tlsConfigs.tlsConfig + name + + + + + + Y + off + + On + Off + + + + + N + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + rewrites.rewrite + name + + + + + + N + + + OPNsense.RadSecProxy.RadSecProxy + rewrites.rewrite + name + + + + + + + + + + + + Y + /^([0-9a-zA-Z_\-]){1,25}$/u + Should be a string between 1 and 25 characters whithout special characters. + default + + + UniqueConstraint + Name already in use + + + + + + N + + + + Y + Field is required + ca + + + + Y + Field is required + cert + + + + N + Y + + + + Y + off + + On + Off + + + + + N + + + + + + + + + + 1 + Y + + + + N + + + + Y + Must not be empty + + + UniqueConstraint + Must be unique + + + + + + Y + N + Y + + + OPNsense.RadSecProxy.RadSecProxy + servers.server + identifier + + + Related server not found + + + + Y + N + Y + + + OPNsense.RadSecProxy.RadSecProxy + servers.server + identifier + + + Related server not found + + + + Y + off + + On + Off + + + + + N + + + + + + + + + + 1 + Y + + + + Y + /^([0-9a-zA-Z_\-]){1,25}$/u + Should be a string between 1 and 25 characters whithout special characters. + default + + + UniqueConstraint + Name already in use + + + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + N + + + + Y + off + + On + Off + + + + + N + + + + N + + + + + + diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt new file mode 100644 index 000000000..33e7413f2 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt @@ -0,0 +1,56 @@ + + + + + + + + + + + + + + + + + + + + + + +
{{ lang._('ID') }}{{ lang._('Enabled') }}{{ lang._('Type') }}{{ lang._('Host') }}{{ lang._('Identifier') }}{{ lang._('Description') }}{{ lang._('Commands') }}
+ + +
+ +
+ +
+ +{{ partial("layout_partials/base_dialog",['fields':formDialogClient,'id':'DialogClient','label':lang._('Edit client')])}} diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt new file mode 100644 index 000000000..1508a57b5 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt @@ -0,0 +1,31 @@ + +
+ {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}} + +
+
+ +
+
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt new file mode 100644 index 000000000..974842f40 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + +
{{ lang._('ID') }}{{ lang._('Enabled') }}{{ lang._('Realm') }}{{ lang._('Description') }}{{ lang._('Commands') }}
+ + +
+ +
+ +
+ +{{ partial("layout_partials/base_dialog",['fields':formDialogRealm,'id':'DialogRealm','label':lang._('Edit realm')])}} diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt new file mode 100644 index 000000000..ded628966 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + +
{{ lang._('ID') }}{{ lang._('Enabled') }}{{ lang._('Type') }}{{ lang._('Description') }}{{ lang._('Commands') }}
+ + +
+ +
+ +
+ +{{ partial("layout_partials/base_dialog",['fields':formDialogRewrite,'id':'DialogRewrite','label':lang._('Edit rewrite-rule')])}} diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt new file mode 100644 index 000000000..058186999 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt @@ -0,0 +1,56 @@ + + + + + + + + + + + + + + + + + + + + + + +
{{ lang._('ID') }}{{ lang._('Host') }}{{ lang._('Identifier') }}{{ lang._('Description') }}{{ lang._('Type') }}{{ lang._('TLS-Config') }}{{ lang._('Commands') }}
+ + +
+ +
+ +
+ +{{ partial("layout_partials/base_dialog",['fields':formDialogServer,'id':'DialogServer','label':lang._('Edit server')])}} diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt new file mode 100644 index 000000000..353348605 --- /dev/null +++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + + + +
{{ lang._('ID') }}{{ lang._('Name') }}{{ lang._('Description') }}{{ lang._('CA-certificate') }}{{ lang._('Proxy-certificate') }}{{ lang._('Commands') }}
+ + +
+ +
+ +
+ +{{ partial("layout_partials/base_dialog",['fields':formDialogTls,'id':'DialogTls','label':lang._('Edit TLS-config')])}} diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php new file mode 100755 index 000000000..9414db161 --- /dev/null +++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php @@ -0,0 +1,105 @@ +#!/usr/local/bin/php +object(); + +deleteFilesInFolder($outputFolder); +if (isset($configObj->OPNsense->radsecproxy->tlsConfigs)) { + foreach ($configObj->OPNsense->radsecproxy->tlsConfigs->children() as $tlsConfig) { + echo "parsing TLS-config \"" . $tlsConfig->name . "\"\n"; + + $caCertRefId = (string)$tlsConfig->caCertificateRefId; + $proxyCertRefId = (string)$tlsConfig->proxyCertificateRefId; + + if ($caCertRefId != "") { + echo "looking for CA-cert-file\n"; + foreach ($configObj->ca as $ca) { + if ($caCertRefId == (string)$ca->refid) { + echo "creating CA-cert-files from \"" . $ca->descr . "\"\n"; + writeCertFile($outputFolder . $tlsConfig->name . "_ca-cert.pem", $ca->crt); + } + } + } + + if ($proxyCertRefId != "") { + foreach ($configObj->cert as $cert) { + if ($proxyCertRefId == (string)$cert->refid) { + echo "creating proxy-cert-files from \"" . $cert->descr . "\"\n"; + writeCertFile($outputFolder . $tlsConfig->name . "_proxy-cert.pem", $cert->crt); + writeCertFile($outputFolder . $tlsConfig->name . "_proxy-key.pem", $cert->prv); + } + } + } + } +} else { + echo "no TLS-configs found\n"; +} diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh new file mode 100755 index 000000000..cd09c51f9 --- /dev/null +++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh 
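Review bot: The proxy private key written by `writeCertFile($outputFolder . $tlsConfig->name . "_proxy-key.pem", $cert->prv);` lands in the same directory as the public certificates, and the mode it is created with cannot be seen here because the `writeCertFile` and `deleteFilesInFolder` definitions are not visible in this rendering of the hunk; the key file should get an explicit `chmod($path, 0600);` (or a restrictive `umask()` set before the writes) rather than the process default, since `setup.sh` in this commit only adjusts the directories and does so before this script runs. The refid lookups use loose comparison, `if ($caCertRefId == (string)$ca->refid)` and `if ($proxyCertRefId == (string)$cert->refid)`; `===` avoids PHP's numeric-string coercion at no cost. The `name` used in both file paths is only path-safe because the model constrains it to `/^([0-9a-zA-Z_\-]){1,25}$/u`; as this script reads config.xml directly, a defensive re-check such as `if (!preg_match('/^[0-9a-zA-Z_\-]{1,25}$/', (string)$tlsConfig->name)) { continue; }` would keep it robust when the config is edited outside the model.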
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+RADSECPROXY_DIRS="/usr/local/etc/radsecproxy.d /usr/local/etc/radsecproxy.d/certs"
+
+for directory in ${RADSECPROXY_DIRS}; do
+ mkdir -p ${directory}
+ chown -R www:www ${directory}
+ chmod -R 750 ${directory}
+done
+
+
+# export required certs to filesystem
+/usr/local/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php > /dev/null 2>&1
+
+# remove logfile - sometimes it will stop radsecproxy from starting
+#rm /var/log/radsecproxy.log
+
+exit 0
diff --git a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
new file mode 100644
index 000000000..42dfe2296
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
@@ -0,0 +1,35 @@
+[setup]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;
+parameters:
+type:script
+message:setup radsecproxy service requirements
+
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy start;
+parameters:
+type:script
+message:starting radsecproxy
+
+[stop]
+command:/usr/local/etc/rc.d/radsecproxy stop;
+parameters:
+type:script
+message:stopping radsecproxy
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:restarting radsecproxy
+
+[reload]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:reloading radsecproxy
+
+[status]
+command:/usr/local/etc/rc.d/radsecproxy status;exit 0;
+parameters:
+type:script_output
+message:radsecproxy status
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
new file mode 100644
index 000000000..294d4f30d
--- /dev/null
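Review bot: `chown -R www:www ${directory}` followed by `chmod -R 750 ${directory}` hands the whole tree, including `/usr/local/etc/radsecproxy.d/certs` where `generate_certs.php` writes the proxy private key, to the web-server user, while the `rc.conf.d` template in this same commit starts the daemon as root; a root-owned directory with read access only for the daemon's account is the least-privilege layout, and because the recursive chmod runs before the export, the mode of the freshly written `*_proxy-key.pem` files is not governed by it anyway. The export runs as `generate_certs.php > /dev/null 2>&1`, so a failed certificate export leaves stale or missing PEM files with no trace in any log; `... > /dev/null 2>&1 || logger -t radsecproxy "certificate export failed"` would surface it, assuming the script exits non-zero on failure, which the hunk does not show. With no `set -e` the trailing `exit 0` also reports success even when `mkdir` or `chown` failed.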
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
@@ -0,0 +1,2 @@
+radsecproxy.conf:/usr/local/etc/radsecproxy.conf
+rc.conf.d:/etc/rc.conf.d/radsecproxy
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
new file mode 100644
index 000000000..b0563b335
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
@@ -0,0 +1,240 @@ +{% if helpers.exists('OPNsense.radsecproxy.general') and OPNsense.radsecproxy.general.enabled|default("0") == "1" %} +{% set certDir = '/usr/local/etc/radsecproxy.d/certs/' %} +# auto-generated config-file for radsecproxy +########################################### +# GENERAL +########################################### + +#PidFile /var/run/radsecproxy.pid +#LogDestination file:///var/log/radsecproxy.log +LogDestination x-syslog:///LOG_DAEMON + +{% if OPNsense.radsecproxy.general.logLevel is defined and OPNsense.radsecproxy.general.logLevel != "" %} +LogLevel {{ OPNsense.radsecproxy.general.logLevel }} +{% endif %} +{% if OPNsense.radsecproxy.general.logFullUsername is defined and OPNsense.radsecproxy.general.logFullUsername != "" %} +LogFullUsername {{ OPNsense.radsecproxy.general.logFullUsername }} +{% endif %} +{% if OPNsense.radsecproxy.general.logMac is defined and OPNsense.radsecproxy.general.logMac != "" %} +LogMac {{ OPNsense.radsecproxy.general.logMac }} +{% endif %} +{% if OPNsense.radsecproxy.general.loopPrevention is defined and OPNsense.radsecproxy.general.loopPrevention != "" %} +LoopPrevention {{ OPNsense.radsecproxy.general.loopPrevention }} +{% endif %} +{% if OPNsense.radsecproxy.general.listenUdp is defined and OPNsense.radsecproxy.general.listenUdp != "" %} +ListenUDP {{ OPNsense.radsecproxy.general.listenUdp }} +{% endif %} +{% if OPNsense.radsecproxy.general.listenTcp is defined and OPNsense.radsecproxy.general.listenTcp != "" %} +ListenTCP {{ OPNsense.radsecproxy.general.listenTcp }} +{% endif %} +{% if OPNsense.radsecproxy.general.listenTls is defined and OPNsense.radsecproxy.general.listenTls != "" %} +ListenTLS {{ OPNsense.radsecproxy.general.listenTls }} +{% endif %} +{% if OPNsense.radsecproxy.general.listenDtls is defined and OPNsense.radsecproxy.general.listenDtls != "" %} +ListenDTLS {{ OPNsense.radsecproxy.general.listenDtls }} +{% endif %} +{% if OPNsense.radsecproxy.general.sourceUdp is defined and 
OPNsense.radsecproxy.general.sourceUdp != "" %} +SourceUDP {{ OPNsense.radsecproxy.general.sourceUdp }} +{% endif %} +{% if OPNsense.radsecproxy.general.sourceTcp is defined and OPNsense.radsecproxy.general.sourceTcp != "" %} +SourceTCP {{ OPNsense.radsecproxy.general.sourceTcp }} +{% endif %} +{% if OPNsense.radsecproxy.general.sourceTls is defined and OPNsense.radsecproxy.general.sourceTls != "" %} +SourceTLS {{ OPNsense.radsecproxy.general.sourceTls }} +{% endif %} +{% if OPNsense.radsecproxy.general.sourceDtls is defined and OPNsense.radsecproxy.general.sourceDtls != "" %} +SourceDTLS {{ OPNsense.radsecproxy.general.sourceDtls }} +{% endif %} + +########################################### +# TLS-CONFIGS +########################################### + +{% for tlsConfig in helpers.toList('OPNsense.radsecproxy.tlsConfigs.tlsConfig') %} +# config for TLS-Config "{{ tlsConfig.description }}" +tls {{ tlsConfig.name }} { +{% if tlsConfig.caCertificateRefId is defined and tlsConfig.caCertificateRefId != "" %} + CACertificateFile {{ certDir}}{{ tlsConfig.name }}_ca-cert.pem +{% endif %} +{% if tlsConfig.proxyCertificateRefId is defined and tlsConfig.proxyCertificateRefId != "" %} + CertificateFile {{ certDir}}{{ tlsConfig.name }}_proxy-cert.pem + CertificateKeyFile {{ certDir}}{{ tlsConfig.name }}_proxy-key.pem +{% endif %} +{% if tlsConfig.policyOids is defined and tlsConfig.policyOids != "" %} +{% for policyOid in tlsConfig.policyOids.split(',') %} + PolicyOID {{ policyOid }} +{% endfor %} +{% endif %} + CRLCheck {{ tlsConfig.crlCheck }} +{% if tlsConfig.cacheExpiry is defined and tlsConfig.cacheExpiry != "" %} + CacheExpiry {{ tlsConfig.cacheExpiry }} +{% endif %} +} + +{% endfor %} + +########################################### +# REWRITE-RULES +########################################### + +{% for rewriteRule in helpers.toList('OPNsense.radsecproxy.rewrites.rewrite') %} +{% if rewriteRule.enabled is defined and rewriteRule.enabled == "1" %} + +rewrite {{ 
rewriteRule.name }} { +{% if rewriteRule.addAttributes is defined and rewriteRule.addAttributes != "" %} +{% for addAttribute in rewriteRule.addAttributes.split("\n") %} + AddAttribute {{ addAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.addVendorAttributes is defined and rewriteRule.addVendorAttributes != "" %} +{% for addVendorAttribute in rewriteRule.addVendorAttributes.split("\n") %} + AddVendorAttribute {{ addVendorAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.supplementAttributes is defined and rewriteRule.supplementAttributes != "" %} +{% for supplementAttribute in rewriteRule.supplementAttributes.split("\n") %} + SupplementAttribute {{ supplementAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.supplementVendorAttributes is defined and rewriteRule.supplementVendorAttributes != "" %} +{% for supplementVendorAttribute in rewriteRule.supplementVendorAttributes.split("\n") %} + SupplementVendorAttribute {{ supplementVendorAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.modifyAttributes is defined and rewriteRule.modifyAttributes != "" %} +{% for modifyAttribute in rewriteRule.modifyAttributes.split("\n") %} + ModifyAttribute {{ modifyAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.modifyVendorAttributes is defined and rewriteRule.modifyVendorAttributes != "" %} +{% for modifyVendorAttribute in rewriteRule.modifyVendorAttributes.split("\n") %} + ModifyVendorAttribute {{ modifyVendorAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.removeAttributes is defined and rewriteRule.removeAttributes != "" %} +{% for removeAttribute in rewriteRule.removeAttributes.split("\n") %} + RemoveAttribute {{ removeAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.removeVendorAttributes is defined and rewriteRule.removeVendorAttributes != "" %} +{% for removeVendorAttribute in rewriteRule.removeVendorAttributes.split("\n") %} + RemoveVendorAttribute {{ removeVendorAttribute }} +{% endfor %} +{% endif %} + 
WhitelistMode {{ rewriteRule.whitelistMode }} +{% if rewriteRule.whitelistAttributes is defined and rewriteRule.whitelistAttributes != "" %} +{% for whitelistAttribute in rewriteRule.whitelistAttributes.split("\n") %} + WhitelistAttribute {{ whitelistAttribute }} +{% endfor %} +{% endif %} +{% if rewriteRule.whitelistVendorAttributes is defined and rewriteRule.whitelistVendorAttributes != "" %} +{% for whitelistVendorAttribute in rewriteRule.whitelistVendorAttributes.split("\n") %} + WhitelistVendorAttribute {{ whitelistVendorAttribute }} +{% endfor %} +{% endif %} +} +{% endif %} +{% endfor %} + +########################################### +# CLIENTS +########################################### + +{% for client in helpers.toList('OPNsense.radsecproxy.clients.client') %} +{% if client.enabled is defined and client.enabled == "1" %} +# config for client "{{ client.description }}" +client {{ client.identifier }} { + Host {{ client.host }} + Type {{ client.type }} +{% if client.secret is defined and client.secret != "" %} + Secret {{ client.secret }} +{% endif %} +{% if client.tlsConfig is defined and client.tlsConfig != "" %} +{% set tlsConfig = helpers.getUUID(client.tlsConfig) %} + Tls {{ tlsConfig.name }} +{% endif %} + CertificateNameCheck {{ client.certificateNameCheck }} +{% if client.matchCertificateAttribute is defined and client.matchCertificateAttribute != "" %} + matchCertificateAttribute {{ client.matchCertificateAttribute }} +{% endif %} +{% if client.rewriteIn is defined and client.rewriteIn != "" %} +{% set rewriteInRule = helpers.getUUID(client.rewriteIn) %} + RewriteIn {{ rewriteInRule.name }} +{% endif %} +{% if client.rewriteOut is defined and client.rewriteOut != "" %} +{% set rewriteOutRule = helpers.getUUID(client.rewriteOut) %} + RewriteOut {{ rewriteOutRule.name }} +{% endif %} +} + +{% else %} +# config for client "{{ client.description }}" not enabled, skipping!" 
+ +{% endif %} +{% endfor %} + +########################################### +# SERVERS +########################################### + +{% for server in helpers.toList('OPNsense.radsecproxy.servers.server') %} +# config for server "{{ server.description }}" +server {{ server.identifier }} { + Host {{ server.host }} +{% if server.port is defined and server.port != "" %} + Port {{ server.port }} +{% endif %} + Type {{ server.type }} +{% if server.secret is defined and server.secret != "" %} + Secret {{ server.secret }} +{% endif %} +{% if server.tlsConfig is defined and server.tlsConfig != "" %} +{% set tlsConfig = helpers.getUUID(server.tlsConfig) %} + Tls {{ tlsConfig.name }} +{% endif %} + StatusServer {{ server.statusServer }} + CertificateNameCheck {{ server.certificateNameCheck }} +{% if server.matchCertificateAttribute is defined and server.matchCertificateAttribute != "" %} + matchCertificateAttribute {{ server.matchCertificateAttribute }} +{% endif %} +{% if server.rewriteIn is defined and server.rewriteIn != "" %} +{% set rewriteInRule = helpers.getUUID(server.rewriteIn) %} + RewriteIn {{ rewriteInRule.name }} +{% endif %} +{% if server.rewriteOut is defined and server.rewriteOut != "" %} +{% set rewriteOutRule = helpers.getUUID(server.rewriteOut) %} + RewriteOut {{ rewriteOutRule.name }} +{% endif %} +} + +{% endfor %} + +########################################### +# REALMS +########################################### + +{% for realm in helpers.toList('OPNsense.radsecproxy.realms.realm') %} +{% if realm.enabled is defined and realm.enabled == "1" %} +# config for realm "{{ realm.realm }}" +realm {{ realm.realm }} { +{% if realm.server is defined and realm.server != "" %} +{% for serverUuid in realm.server.split(',') %} +{% set server = helpers.getUUID(serverUuid) %} + Server {{ server.identifier }} +{% endfor %} +{% endif %} +{% if realm.replyMessage is defined and realm.replyMessage != "" %} + ReplyMessage "{{ realm.replyMessage }}" +{% endif %} +{% if 
realm.accountingResponse is defined and realm.accountingResponse != "" %} + AccountingResponse {{ realm.accountingResponse }} +{% endif %} +} + +{% else %} +# config for realm "{{ realm.realm }}" not enabled, skipping!" + +{% endif %} +{% endfor %} +{# END OF TEMPLATE #} +{% endif %} diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d new file mode 100644 index 000000000..03409f3a7 --- /dev/null +++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d @@ -0,0 +1,7 @@ +{% if helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1' %} +radsecproxy_enable="YES" +{% else %} +radsecproxy_enable="NO" +{% endif %} +radsecproxy_user="root" +radsecproxy_group="wheel"
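Review bot: Free-text model values are interpolated into the generated configuration without quoting or escaping — `Secret {{ client.secret }}`, `Secret {{ server.secret }}`, `matchCertificateAttribute {{ client.matchCertificateAttribute }}` and the comment lines `# config for client "{{ client.description }}"`; radsecproxy treats whitespace as a token separator and `#` as a comment start, so a shared secret containing a space or a description containing a newline silently changes the structure of the file instead of failing validation. The template already uses the quoted form for `ReplyMessage "{{ realm.replyMessage }}"`; using `Secret "{{ client.secret }}"` for both secret lines and `{{ client.description|replace("\n", " ") }}` in the comments would make the output independent of the field contents, unless the model validators for these fields, which are not legible in this rendering, already forbid those characters. Separately, rewrite blocks are emitted only when `rewriteRule.enabled == "1"`, but the `RewriteIn {{ rewriteInRule.name }}` and `RewriteOut {{ rewriteOutRule.name }}` lines on clients and servers do not check the referenced rule's `enabled` flag, so disabling a rule that is still referenced yields a config naming an undefined rewrite block, which radsecproxy will, as far as I know, reject at startup; guarding those lines with `and rewriteInRule.enabled == "1"` (and the same for `rewriteOutRule`) avoids that.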
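Review bot: `radsecproxy_user="root"` and `radsecproxy_group="wheel"` run a network-facing RADIUS/RadSec proxy with full privileges; presumably the rc script honours these variables, in which case a dedicated unprivileged account, with the directories that `setup.sh` creates made readable by that account, would confine the effect of a parser fault in the daemon — whether something like log-file ownership currently forces root is not visible from this hunk. As a point of consistency, this file tests `helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1'` while `radsecproxy.conf` uses `OPNsense.radsecproxy.general.enabled|default("0") == "1"` for the same decision; the two are equivalent today, but one form in both templates is easier to keep that way.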