Using Chromebook to connect to an OpenVPN server

There are two ways that I know of which would allow Chromebook to connect to an OpenVPN server. One method is using developer mode of Chromebook, and the other is using the UI. I am explaining the method which uses the UI below. This is based on certificate authentication, and not a username/password combination.

Using the Chromebook web based user interface method:

– Collect your OpenVPN CA certificate (ca.crt), your private keys (client.keys) and your client certificate (client.crt).
If you are not sure on how to get these files, you should ask your OpenVPN server administrator.
I will explain in a soon to follow blog on how to setup an OpenVPN sevrer.
You will also need an ONC file, instructions are below for this file.

– Export your client.crt into pkcs12 format
You need to do this since Chromebook OS understand pkcs12 format, which stores your private keys with the client certificate.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name MyClient

– Upload your ca.crt to Chromebook authority repository
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Authorities’
* Click on Import
* Click on Google Drive and then the ca.crt file
– Upload your client.crt to Chromebook certificates repo and bind to an interface

– Upload your client.crt to Chromebook certificates repo and bind to an interface
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Your Certificates’
* Click on ‘Import and Bind to Device’
* Click on Google Drive and then the client.p12 file

– Create an OpenVPN ONC file and upload to Chromebook
* In your Chromebook, for the URL type in chrome://net-internals/#chromeos
* Click on Choose File
* Click on Google Drive and then the openvpn.onc file (see below for ONC)

– Try to connect as follows
* In your Chromebook, for the URL type in chrome://settings
* Under Private network, click on MyVPNServer
* If you get asked for a username/password, enter whatever random characters, they don’t matter since we are using certificate based authentication


A sample of this file can be found here Replace the UUID with a random UUID. You can generate one from if you like. Replace the name of MyOpenVPN with whatever name you want. For the host, type in your OpenVPN server hostname or IP address. The cacert and the clientcert sections are the important ones. For the CA cert copy your CA cert and paste it in the lines as shown. For the client certificate, copy just the PEM format, or the one that starts with —-BEGIN CERTIFICATE—-.

That’s about it. It’s not very easy, but it’s not too hard either. Perhaps in the future the developers of Chromebook OS will make it a bit easier to connect via VPN.

12 Comments on “Using Chromebook to connect to an OpenVPN server

  1. Im confused on the onc file. How many places am i supposed to adjust? just the top guid? do i replace the {} with just the generated uuid or do i keep the curly brackets? Do i just do the certs after that or do i need to enter the guid in the other places as well?

  2. The reason why i asked is i keep getting parse errors when i try to import the onc and im not sure what i did wrong.

    • Some parse errors can be ignore, so don’t worry about it as long as you can connect. 🙂

  3. oh, i thought it failed to import because of that error. So each GUID should look like that? or just the first one and dont do anything with the others? I havent been able to get it work yet. =(

    Is there a log i can tail to see what might be happening wrong in the background when it tries to connect?

  4. Regarding the ONC:

    For the “PKCS12” key, the comments in the template onc suggest to the contents of one’s client.crt. When importing into the chromebook, this resulted in an “ONC file parse failed”.

    To get the ONC to import, for the value of the “PKCS12”, I had to instead use the base64 encoding of the client.pk12 created in the steps outlined above.

    openssl base64 -in client.pk12

    After removing the line feeds, and pasting that base64 string into the “pkcs12” value, the ONC file parsed!

    I’m still not able to connect to my VPN server… but I feel one step closer. Thanks for your blog post!

  5. Hi,
    many thanks for your post… Very interesting.
    Just 1 question regarding certificate: do I need to paste it on 1 line with \n or just paste as it is?

  6. Hi there, what software do you use to export a client.crt file into pkcs12 format?

  7. The Chromebook VPN is very frustrating. L2TP used to work for me with our company’s WatchGuard VPN server, but ChromeOS changed somehow and now it’s broken. So I’m stuck trying to get the OpenVPN to work, but am getting errors when I try to import the client.p12 file: “import Error. Unknown error.” How helpful.
    Thank you for posting this, though. WatchGuard exports an *.ovpn file and I would not known about converting to the *.p12 file without it.

  8. Thank you, this guide finally got me on VPN. Only change I struggled a bit with is that in the ONC file the protocol needed to be changed from tcp to udp.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: