Using Chromebook to connect to an OpenVPN server

There are two ways that I know of which would allow Chromebook to connect to an OpenVPN server. One method is using developer mode of Chromebook, and the other is using the UI. I am explaining the method which uses the UI below. This is based on certificate authentication, and not a username/password combination.

Using the Chromebook web based user interface method:

– Collect your OpenVPN CA certificate (ca.crt), your private keys (client.keys) and your client certificate (client.crt).
If you are not sure on how to get these files, you should ask your OpenVPN server administrator.
I will explain in a soon to follow blog on how to setup an OpenVPN sevrer.
You will also need an ONC file, instructions are below for this file.

– Export your client.crt into pkcs12 format
You need to do this since Chromebook OS understand pkcs12 format, which stores your private keys with the client certificate.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name MyClient

– Upload your ca.crt to Chromebook authority repository
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Authorities’
* Click on Import
* Click on Google Drive and then the ca.crt file
– Upload your client.crt to Chromebook certificates repo and bind to an interface

– Upload your client.crt to Chromebook certificates repo and bind to an interface
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Your Certificates’
* Click on ‘Import and Bind to Device’
* Click on Google Drive and then the client.p12 file

– Create an OpenVPN ONC file and upload to Chromebook
* In your Chromebook, for the URL type in chrome://net-internals/#chromeos
* Click on Choose File
* Click on Google Drive and then the openvpn.onc file (see below for ONC)

– Try to connect as follows
* In your Chromebook, for the URL type in chrome://settings
* Under Private network, click on MyVPNServer
* If you get asked for a username/password, enter whatever random characters, they don’t matter since we are using certificate based authentication

ONC FIle

A sample of this file can be found here https://github.com/syedaali/configs/blob/master/openvpn-sample.onc. Replace the UUID with a random UUID. You can generate one from http://uuidgenerator.net/ if you like. Replace the name of MyOpenVPN with whatever name you want. For the host, type in your OpenVPN server hostname or IP address. The cacert and the clientcert sections are the important ones. For the CA cert copy your CA cert and paste it in the lines as shown. For the client certificate, copy just the PEM format, or the one that starts with —-BEGIN CERTIFICATE—-.

That’s about it. It’s not very easy, but it’s not too hard either. Perhaps in the future the developers of Chromebook OS will make it a bit easier to connect via VPN.

21 thoughts on “Using Chromebook to connect to an OpenVPN server

  1. Mark

    Im confused on the onc file. How many places am i supposed to adjust? just the top guid? do i replace the {} with just the generated uuid or do i keep the curly brackets? Do i just do the certs after that or do i need to enter the guid in the other places as well?

    Reply
  2. Mark

    oh, i thought it failed to import because of that error. So each GUID should look like that? or just the first one and dont do anything with the others? I havent been able to get it work yet. =(

    Is there a log i can tail to see what might be happening wrong in the background when it tries to connect?

    Reply
  3. Joe

    Regarding the ONC:

    For the “PKCS12” key, the comments in the template onc suggest to the contents of one’s client.crt. When importing into the chromebook, this resulted in an “ONC file parse failed”.

    To get the ONC to import, for the value of the “PKCS12”, I had to instead use the base64 encoding of the client.pk12 created in the steps outlined above.

    openssl base64 -in client.pk12

    After removing the line feeds, and pasting that base64 string into the “pkcs12” value, the ONC file parsed!

    I’m still not able to connect to my VPN server… but I feel one step closer. Thanks for your blog post!

    Reply
  4. Antonin

    Hi,
    many thanks for your post… Very interesting.
    Just 1 question regarding certificate: do I need to paste it on 1 line with \n or just paste as it is?

    Reply
    1. Tom

      Hi 🙂 the 1st line of the instructions shows a command-line instruction to convert the .crt to pkcx12. You might need to change the file-names of the .crt, either in the command or in the file-browser. Regards from Tom 🙂

      Reply
  5. Mike Edwards

    The Chromebook VPN is very frustrating. L2TP used to work for me with our company’s WatchGuard VPN server, but ChromeOS changed somehow and now it’s broken. So I’m stuck trying to get the OpenVPN to work, but am getting errors when I try to import the client.p12 file: “import Error. Unknown error.” How helpful.
    Thank you for posting this, though. WatchGuard exports an *.ovpn file and I would not known about converting to the *.p12 file without it.

    Reply
  6. Tom

    Hi 🙂 I got stuck with the “Upload your ca.crt to Chromebook authority repository”. The Authorities tab didn’t seem to accept either of my .crt or .p12 files. Regards from Tom 🙂

    Reply
    1. Tom

      Hi 🙂 Err, my client.p12 did seem to be accepted in the “Your Certificates” tab but that doesn’t seem to be the right place according to the way i understood the instructions. My understanding could easily be at fault tho! Regards from Tom 🙂

      Reply
  7. chris

    I just found that the PKCS12 line can be blanked, just like
    “GUID”: “{clientcert}”,
    “Type”: “Client”,
    “PKCS12”: “”
    }

    “ONC file parse failed: Some certificates couldn’t be imported.” can be safely ignored.

    Reply
  8. Peter

    Hey i try to connect Chrome OS with a Synology VPN Server.
    I have just a ca.cart and the ovpn File, but i don’t have a client cert oder key. It works on Ubuntu, Android, Win and iOS.

    Can you help me with a ONC File for Chrome OS.

    THAT IS MY OVPN FILE:
    ———————————————————————————
    dev tun
    tls-client

    remote YOUR_SERVER_IP 20000

    # The “float” tells OpenVPN to accept authenticated packets from any address,
    # not only the address which was specified in the –remote option.
    # This is useful when you are connecting to a peer which holds a dynamic address
    # such as a dial-in user or DHCP client.
    # (Please refer to the manual of OpenVPN for more information.)

    #float

    # If redirect-gateway is enabled, the client will redirect it’s
    # default network gateway through the VPN.
    # It means the VPN connection will firstly connect to the VPN Server
    # and then to the internet.
    # (Please refer to the manual of OpenVPN for more information.)

    redirect-gateway def1

    # dhcp-option DNS: To set primary domain name server address.
    # Repeat this option to set secondary DNS server addresses.

    #dhcp-option DNS DNS_IP_ADDRESS

    pull

    # If you want to connect by Server’s IPv6 address, you should use
    # “proto udp6” in UDP mode or “proto tcp6-client” in TCP mode
    proto udp

    script-security 2

    ca ca.crt

    comp-lzo

    reneg-sec 0

    auth-user-pass
    ———————————————————————————

    Thank you very much.

    Peter

    Reply
  9. Peter

    Hi,

    i write you, because i had a Problem with the Connection between Chrome OS and Synology VPN Server.

    I have a ca.cert and a .ovpn Configuration, but not a Client Cert oder Key. I can’t connect my Chrome OS to the OpenVPn (Synology).

    The Connection work on Ubuntu, Win, Andoird, iOS, but not from Chrome.

    Here is the .ovpn File
    dev tun
    tls-client
    remote YOUR_SERVER_IP 20000
    redirect-gateway
    pull
    proto udp
    script-security 2
    ca ca.crt
    comp-lzo
    reneg-sec 0
    auth-user-pass

    Do you have any idea how i can connect my Chrome OS to the VPN?
    Thank you very much.

    Reply
  10. Peter

    Hi,

    i write you, because i had a Problem with the Connection between Chrome OS and Synology VPN Server.

    I have a ca.cert and a .ovpn Configuration, but not a Client Cert oder Key. I can’t connect my Chrome OS to the OpenVPn (Synology).

    The Connection work on Ubuntu, Win, Andoird, iOS, but not from Chrome.

    Here is the .ovpn File
    dev tun
    tls-client
    remote YOUR_SERVER_IP 20000
    redirect-gateway
    pull
    proto udp
    script-security 2
    ca ca.crt
    comp-lzo
    reneg-sec 0
    auth-user-pass

    Do you have any idea how i can connect my Chrome OS to the VPN?
    Thank you very much.

    Reply
  11. rosted

    Thank you, this guide finally got me on VPN. Only change I struggled a bit with is that in the ONC file the protocol needed to be changed from tcp to udp.

    Reply
  12. Ardje

    The first guide that made me get a working connection.
    Now the biggest problem I have is that the chromebook openvpn does not configure IPv6. Running it inside an lxc using real openvpn I get a 100% succes. But running it from chromeos… Just V4 :-(.
    Thanks for the working example

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s