GL-MT3000 openVPN with p12 file

Hello,

I am trying to connect to my home openVPN Server with the internal openVPN client in the GL-MT3000.
But when I look at the logs it doesn’t find the p12 file that is in the zip file I uploaded to configure the connection.

The config file looks like this (Hostname is fake for security reasons.)

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1492
remote 123domain.com 1194
pkcs12 vps.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name 123domain.com name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

And here is the OpenVPN log from the GL-MT3000

Sat Sep  9 18:29:33 2023 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Sep  9 18:29:33 2023 daemon.warn ovpnclient[26196]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sat Sep  9 18:29:33 2023 daemon.notice ovpnclient[26196]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Sep  9 18:29:33 2023 daemon.notice ovpnclient[26196]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Sat Sep  9 18:29:33 2023 daemon.warn ovpnclient[26196]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Sep  9 18:29:33 2023 daemon.err ovpnclient[26196]: Error opening file vpn.p12
Sat Sep  9 18:29:33 2023 daemon.notice ovpnclient[26196]: Exiting due to fatal error
Sat Sep  9 18:29:33 2023 daemon.notice netifd: ovpnclient (26199): cat: can't open '/tmp/run/ovpn_resolved_ip': No such file or directory

What’s the OpenVPN server? pkcs12 is not supported yet. Can you pm me a config zip file for a try?

Hi
I know, old thread, but are there any changes about pkcs12?
I am trying to make an OpenVPN connection with a client package containing an .ovpn conf and a .p12 certificate, with no luck...

Can you try extracting the configuration for now?

openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt

openssl pkcs12 -in client.p12 -clcerts -nokeys -out client.crt

openssl pkcs12 -in client.p12 -nocerts -out client.key

Then zip the extracted files and the .conf file, and upload the zip to the admin panel.
We will re-evaluate this requirement as we develop.
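
The extraction steps suggested above, wrapped into one script that also rewrites the config so it no longer references the .p12 file. This is an added example, not part of any post in this thread; the file names client.p12 and client.conf and the variable P12_PASS are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. client.p12, client.conf and P12_PASS are assumed names.

# Split a PKCS#12 bundle into the three PEM files OpenVPN can load separately.
# The import passphrase comes from the P12_PASS environment variable, so it
# never appears on a command line or in shell history.
extract_p12() (
    set -e
    umask 077                       # new files are readable by the owner only
    p12=$1; out=$2
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys -out "$out/ca.crt"
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys -out "$out/client.crt"
    # -nodes writes the key unencrypted so the router can start the tunnel
    # unattended; the 0600 mode from umask is then its only protection.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes -out "$out/client.key"
)

# Print the config with its "pkcs12 <file>" line replaced by ca/cert/key lines.
rewrite_conf() {
    awk '
        { sub(/\r$/, "") }          # tolerate CRLF files written on Windows
        $1 == "pkcs12" {
            print "ca ca.crt"; print "cert client.crt"; print "key client.key"
            next
        }
        { print }
    ' "$1"
}

# Usage: convert_profile <bundle.p12> <original.conf> <output-dir>
convert_profile() (
    set -e
    umask 077
    extract_p12 "$1" "$3"
    rewrite_conf "$2" > "$3/client.conf"
)

if [ "$#" -eq 3 ]; then convert_profile "$1" "$2" "$3"; fi
```

The output directory then holds ca.crt, client.crt, client.key and client.conf, ready to be zipped and uploaded.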

Thanks for your response. I found a solution for me, so if anybody else with the same question finds this thread, here it is.

Import the ovpn.conf in your web UI.
After this, you can log in to your router with FileZilla for Linux or WinSCP for Windows.
For WinSCP, you first have to install openssh-sftp-server in LuCI.
In /etc/openvpn/profiles you'll find a folder with your openvpn.conf.
Put your openvpn.p12 file inside this folder.
Make a text file openvpn.auth with your password inside.
Then open your openvpn.conf file and adjust it as follows:

pkcs12 /etc/openvpn/profiles/?????/openvpn.p12
askpass /etc/openvpn/profiles/?????/openvpn.auth

Save.

This works for me; I hope it helps you.

Stephan

1 Like