Using Chromebook to connect to an OpenVPN server

There are two ways that I know of to connect a Chromebook to an OpenVPN server: one uses the Chromebook's developer mode, and the other uses the UI. I explain the UI method below. It is based on certificate authentication, not a username/password combination.

Using the Chromebook web based user interface method:

– Collect your OpenVPN CA certificate (ca.crt), your private key (client.key) and your client certificate (client.crt).
If you are not sure how to get these files, ask your OpenVPN server administrator.
I will explain how to set up an OpenVPN server in a blog post to follow soon.
You will also need an ONC file; instructions for this file are below.

– Export your client.crt into PKCS12 format
You need to do this because Chromebook OS understands the PKCS12 format, which stores your private key with the client certificate.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name MyClient

– Upload your ca.crt to Chromebook authority repository
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Authorities’
* Click on Import
* Click on Google Drive and then the ca.crt file

– Upload your client.crt to Chromebook certificates repo and bind to an interface
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Your Certificates’
* Click on ‘Import and Bind to Device’
* Click on Google Drive and then the client.p12 file

– Create an OpenVPN ONC file and upload to Chromebook
* In your Chromebook, for the URL type in chrome://net-internals/#chromeos
* Click on Choose File
* Click on Google Drive and then the openvpn.onc file (see below for ONC)

– Try to connect as follows
* In your Chromebook, for the URL type in chrome://settings
* Under Private network, click on MyVPNServer
* If you are asked for a username/password, enter any random characters; they don’t matter since we are using certificate-based authentication

ONC File

A sample of this file can be found at https://github.com/syedaali/configs/blob/master/openvpn-sample.onc. Replace the UUID with a random UUID; you can generate one at http://uuidgenerator.net/ if you like. Replace the name MyOpenVPN with whatever name you want. For the host, type in your OpenVPN server hostname or IP address. The cacert and clientcert sections are the important ones. For the CA cert, copy your CA cert and paste it in the lines as shown. For the client certificate, copy just the PEM-format part, the one that starts with -----BEGIN CERTIFICATE-----.
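The assembly described above, as an added Python example (not the linked sample file and not the author's code): it generates fresh GUIDs, strips the PEM armor from the CA certificate, and base64-encodes client.p12 without line feeds, which is what comment 3 below reports was needed for the file to parse. The ONC field names are assumed from the Open Network Configuration format rather than taken from this page, and the certificate and PKCS#12 inputs are constructed placeholders.

```python
import base64
import json
import re
import uuid

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-ins, not real certificate or key material.
_RAW_CA = b"constructed CA bytes, not a real certificate"
_B64 = base64.b64encode(_RAW_CA).decode("ascii")
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n" + _B64[:24] + "\n"
                 + _B64[24:] + "\n-----END CERTIFICATE-----\n")
SAMPLE_P12 = b"constructed PKCS#12 bytes, stands in for client.p12"

def pem_body(pem_text):
    """Return the first certificate's base64 body as one line, no armor."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # reject a damaged paste early
    return body

def new_guid():
    # Assumption: ONC treats a GUID as an opaque unique string.
    return "{%s}" % uuid.uuid4()

def build_onc(name, host, ca_pem, p12_bytes):
    """Build the ONC dict; field names are assumed from the ONC format."""
    if not p12_bytes:
        raise ValueError("empty PKCS#12 input")
    ca_guid, client_guid = new_guid(), new_guid()
    openvpn = {"ServerCARef": ca_guid, "ClientCertType": "Ref",
               "ClientCertRef": client_guid}
    return {
        "Type": "UnencryptedConfiguration",
        "Certificates": [
            {"GUID": ca_guid, "Type": "Authority", "X509": pem_body(ca_pem)},
            {"GUID": client_guid, "Type": "Client",
             "PKCS12": base64.b64encode(p12_bytes).decode("ascii")}],
        "NetworkConfigurations": [
            {"GUID": new_guid(), "Name": name, "Type": "VPN",
             "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": openvpn}}],
    }

if __name__ == "__main__":
    onc = build_onc("MyOpenVPN", "vpn.example.com", SAMPLE_CA_PEM, SAMPLE_P12)
    print(json.dumps(onc, indent=2))
```

The output embeds client.p12, which carries the private key, so handle openvpn.onc as key material.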

That’s about it. It’s not very easy, but it’s not too hard either. Perhaps in the future the developers of Chromebook OS will make it a bit easier to connect via VPN.

11 thoughts on “Using Chromebook to connect to an OpenVPN server”

  1. I'm confused on the onc file. How many places am I supposed to adjust? Just the top guid? Do I replace the {} with just the generated uuid or do I keep the curly brackets? Do I just do the certs after that or do I need to enter the guid in the other places as well?

  2. Oh, I thought it failed to import because of that error. So each GUID should look like that? Or just the first one and don't do anything with the others? I haven't been able to get it to work yet. =(

    Is there a log I can tail to see what might be happening wrong in the background when it tries to connect?

  3. Regarding the ONC:

    For the “PKCS12” key, the comments in the template onc suggest to use the contents of one’s client.crt. When importing into the chromebook, this resulted in an “ONC file parse failed”.

    To get the ONC to import, for the value of the “PKCS12”, I had to instead use the base64 encoding of the client.pk12 created in the steps outlined above.

    openssl base64 -in client.pk12

    After removing the line feeds, and pasting that base64 string into the “pkcs12” value, the ONC file parsed!

    I’m still not able to connect to my VPN server… but I feel one step closer. Thanks for your blog post!

  4. Hi,
    many thanks for your post… Very interesting.
    Just 1 question regarding certificate: do I need to paste it on 1 line with \n or just paste as it is?

  5. The Chromebook VPN is very frustrating. L2TP used to work for me with our company’s WatchGuard VPN server, but ChromeOS changed somehow and now it’s broken. So I’m stuck trying to get the OpenVPN to work, but am getting errors when I try to import the client.p12 file: “import Error. Unknown error.” How helpful.
    Thank you for posting this, though. WatchGuard exports an *.ovpn file and I would not have known about converting to the *.p12 file without it.
