Some notes on getting OpenVPN LAN2LAN VPN working from a GL.iNET GL-SFT1200 AC1200 Travel Router to a pfSense that is behind a Fritz!Box 7490
Posted by jpluimers on 2025/12/19
TL;DR: it failed
Since GL.iNET does not support site-to-site “Peer to Peer” OpenVPN (only “Remote Access” is supported), which is needed to route to/from the networks on both sides of the connection, the below did fail.
Original idea
Below is what I had hoped would work.
Some links that should get me started (though my situation is a tad more difficult, see below):
- [Wayback/Archive] Connecting an GL.iNet GL-MT300N-V2 to pfSense® OpenVPN® – Pf store (requires a fixed IPv4 on one side, solution is based on certificates, but not pfSense behind a perimeter firewall with port forwarding). Too bad this question is not yet answered:
One question, what would you need to do to allow the LAN traffic traverse the other way? i.e. for devices on the pfsense LAN to connect to the gl device LAN?
- [Wayback/Archive] MT300N-V2 using openvpn to PFsense router – Product Discussion – GL.iNet
I am on the latest firmware and was using Firefox. I did finally get it to work by removing my “Additional configuration options” in PF Sense under the Client Export and using the Inline Configurations: Most Clients.
- [Wayback/Archive] Pfsense OpenVPN and MT300N-V2 (SOLVED) – Product Discussion – GL.iNet describes how to incorporate the required certificates in the .ovpn file itself:
actually embed the certificate and key into the ovpn file. You can convert your p12 like so:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
or if you need to enter a password too:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys -passin 'pass:P@s5w0rD'
Then you paste the contents of the cert and key like so into the ovpn file:
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
</key>
You can see my full ovpn file here:
- [Wayback/Archive] Site to Site OpenVPN Firewall Settings – Technical Support – GL.iNet has a good description on how to get this going when pfSense is the outer firewall on the OpenVPN server side.
- [Wayback/Archive] Connecting AR-150 OpenVPN to home pfSense OpenVPN server – Product Discussion – GL.iNet fixes some EBCAK problems, and suggests routing all traffic over the VPN (which can be useful for privacy reasons, for instance when traveling).
- [Wayback/Archive] OpenVPN Site to Site Issue – Technical Support – GL.iNet
…
I finally fixed this today and hopefully this resolves the issue for other threads about site to site with pf/OPNSense as the VPN server.
Turns out you need to create a Client Specific Override:
A client specific override is added to the pfSense OpenVPN configuration, this is matched based on the certificate name the client is using, it’s best practice to use unique names/certificates for each client during implementation which identify the site/client clearly.
Because the OpenVPN client should be connected you can use the pfSense OpenVPN status page to copy and paste the exact certificate name of the connected OpenVPN client. Important settings are as follows:
- Common Name is set to the client certificate name.
- iroute for each remote network of that client is added in the Advanced field.
The OpenVPN server is restarted to force the OpenVPN client to reconnect and apply the changes, the network routes will now appear in the OpenVPN routing table in the status page.
…
[Wayback/Archive] pfSense Mikrotik OpenVPN Site-to-Site | by Graeme Noble | Medium
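The Client Specific Override from the "OpenVPN Site to Site Issue" thread quoted above, written out as the plain OpenVPN server directives it corresponds to. This is an added example, not configuration from this post or from the linked threads; the file paths, subnets and the certificate name `site-b-router` are assumptions chosen for illustration.

```conf
# ---- server side: /etc/openvpn/server.conf (excerpt, assumed path) ----
# Constructed addressing (all assumptions):
#   server LAN  192.168.1.0/24   behind the OpenVPN server
#   client LAN  192.168.8.0/24   behind the OpenVPN client router
#   tunnel      10.8.0.0/24
#   client certificate Common Name: site-b-router

server 10.8.0.0 255.255.255.0
topology subnet

# Tell the connecting client how to reach the server-side LAN.
push "route 192.168.1.0 255.255.255.0"

# Kernel route on the server: packets for the client LAN are handed
# to the OpenVPN process instead of the default gateway.
route 192.168.8.0 255.255.255.0

# Per-client files in this directory are selected by the Common Name
# of the certificate the client presents.
client-config-dir /etc/openvpn/ccd

# Leave duplicate-cn disabled: the Common Name is what binds a LAN
# route to one client, so every site needs its own certificate.
;duplicate-cn

# ---- server side: /etc/openvpn/ccd/site-b-router (assumed path) ----
# The file name must match the client certificate Common Name exactly.
# iroute is OpenVPN's internal route: it records which connected client
# owns 192.168.8.0/24. Without it the server process has no client to
# forward that LAN's traffic to, so hosts on the server LAN cannot
# reach the client LAN even though the kernel route above exists.
iroute 192.168.8.0 255.255.255.0
```

Both halves are needed for traffic from the server LAN to the client LAN: `route` gets the packet into OpenVPN, `iroute` tells OpenVPN which client receives it. On pfSense these directives are entered through the GUI; the quoted post places the `iroute` line in the override's Advanced field.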
Situation is a tad complex:
Queries
- [Wayback/Archive] Connecting an GL.iNet GL-MT300N-V2 to pfSense® OpenVPN® – Google Search
- [Wayback/Archive] pfSense GL.iNET site to site OpenVPN – Google Search
–jeroen





