I know of two ways to connect a Chromebook to an OpenVPN server. One uses the Chromebook's developer mode, and the other uses the UI. Below I explain the method that uses the UI. It is based on certificate authentication, not a username/password combination.
Using the Chromebook web-based user interface method:
– Collect your OpenVPN CA certificate (ca.crt), your private key (client.key) and your client certificate (client.crt).
If you are not sure how to get these files, ask your OpenVPN server administrator.
I will explain how to set up an OpenVPN server in a blog post soon to follow.
You will also need an ONC file; instructions for this file are below.
– Export your client.crt into pkcs12 format
You need to do this because Chromebook OS understands the pkcs12 format, which stores your private key together with the client certificate.
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name MyClient
– Upload your ca.crt to Chromebook authority repository
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Authorities’
* Click on Import
* Click on Google Drive and then the ca.crt file
– Upload your client.crt to Chromebook certificates repo and bind to an interface
* In your Chromebook, for the URL type in chrome://settings/certificates
* Click on ‘Your Certificates’
* Click on ‘Import and Bind to Device’
* Click on Google Drive and then the client.p12 file
– Create an OpenVPN ONC file and upload to Chromebook
* In your Chromebook, for the URL type in chrome://net-internals/#chromeos
* Click on Choose File
* Click on Google Drive and then the openvpn.onc file (see below for ONC)
– Try to connect as follows
* In your Chromebook, for the URL type in chrome://settings
* Under Private network, click on MyVPNServer
* If you get asked for a username/password, enter whatever random characters, they don’t matter since we are using certificate based authentication
ONC File
A sample of this file can be found here https://github.com/syedaali/configs/blob/master/openvpn-sample.onc. Replace the UUID with a random UUID. You can generate one from http://uuidgenerator.net/ if you like. Replace the name of MyOpenVPN with whatever name you want. For the host, type in your OpenVPN server hostname or IP address. The cacert and the clientcert sections are the important ones. For the CA cert, copy your CA cert and paste it in the lines as shown. For the client certificate, copy just the PEM format, or the one that starts with -----BEGIN CERTIFICATE-----.
That’s about it. It’s not very easy, but it’s not too hard either. Perhaps in the future the developers of Chromebook OS will make it a bit easier to connect via VPN.
I’m confused about the ONC file. How many places am I supposed to adjust? Just the top GUID? Do I replace the {} with just the generated UUID or do I keep the curly brackets? Do I just do the certs after that or do I need to enter the GUID in the other places as well?
For the ONC file, please follow the example here https://github.com/syedaali/configs/blob/master/openvpn-sample.onc. You can take that file and use it. The only things you will have to enter are , , X509 line, and PKCS12 line. You should keep the curly brackets. So the UUID would look like this "GUID": "{sdf983jd93kd}". Hope that helps.
The reason why I asked is I keep getting parse errors when I try to import the ONC and I’m not sure what I did wrong.
Some parse errors can be ignored, so don’t worry about it as long as you can connect. 🙂
Oh, I thought it failed to import because of that error. So each GUID should look like that? Or just the first one and don’t do anything with the others? I haven’t been able to get it to work yet. =(
Is there a log I can tail to see what might be going wrong in the background when it tries to connect?
Regarding the ONC:
For the “PKCS12” key, the comments in the template ONC suggest using the contents of one’s client.crt. When importing into the Chromebook, this resulted in an “ONC file parse failed”.
To get the ONC to import, for the value of the “PKCS12”, I had to instead use the base64 encoding of the client.pk12 created in the steps outlined above.
openssl base64 -in client.pk12
After removing the line feeds, and pasting that base64 string into the “pkcs12” value, the ONC file parsed!
I’m still not able to connect to my VPN server… but I feel one step closer. Thanks for your blog post!
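Added example, not from the original post or the sample file: a Python sketch that builds an ONC file the way the post and the comment above describe (GUIDs in curly brackets, the CA certificate under X509, the base64 of client.p12 on one line under PKCS12) and checks a hand-edited file for invalid JSON, GUIDs missing their curly brackets, and a PKCS12 value that is not single-line base64. The key names other than GUID, Type, X509 and PKCS12 are taken from the ONC specification and are assumptions about the sample file; the host name, certificate and PKCS#12 inputs are constructed placeholders.

```python
import base64
import json
import uuid

# Constructed sample inputs; real ones are the contents of ca.crt and client.p12.
CA_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
P12_BYTES = b"constructed placeholder, not a real PKCS#12 bundle"

def build_onc(name, host, ca_pem, p12_bytes, proto="udp"):
    """Key names other than GUID/Type/X509/PKCS12 are assumed from the ONC spec."""
    onc = {
        "Type": "UnencryptedConfiguration",
        "NetworkConfigurations": [{
            "GUID": "{%s}" % uuid.uuid4(),  # random UUID, curly brackets kept
            "Name": name,
            "Type": "VPN",
            "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": {
                "Proto": proto, "ClientCertType": "Ref",
                "ServerCARef": "{cacert}", "ClientCertRef": "{clientcert}"}},
        }],
        "Certificates": [
            # json.dumps escapes the PEM line breaks as \n, so the file stays valid JSON
            {"GUID": "{cacert}", "Type": "Authority", "X509": ca_pem},
            # the whole client.p12 (certificate plus key) as base64 on one line
            {"GUID": "{clientcert}", "Type": "Client",
             "PKCS12": base64.b64encode(p12_bytes).decode("ascii")},
        ],
    }
    return json.dumps(onc, indent=2)

def check_onc(text):
    """Return a list of problems to fix before importing the file."""
    try:
        onc = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    for entry in onc.get("NetworkConfigurations", []) + onc.get("Certificates", []):
        guid = entry.get("GUID", "")
        if not (guid.startswith("{") and guid.endswith("}")):
            problems.append("GUID without curly brackets: %r" % guid)
        if entry.get("Type") == "Client":
            try:
                base64.b64decode(entry.get("PKCS12", ""), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                problems.append("PKCS12 is not single-line base64")
    return problems
if __name__ == "__main__":
    print(check_onc(build_onc("MyVPNServer", "vpn.example.com", CA_PEM, P12_BYTES)))
```

The generated file embeds client.p12, which holds the client private key, so handle the .onc file as carefully as the key itself and remove it from shared storage once it has been imported.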
Joe, did you have any luck to get this working?
Hi,
many thanks for your post… Very interesting.
Just 1 question regarding certificate: do I need to paste it on 1 line with \n or just paste as it is?
Hi there, what software do you use to export a client.crt file into pkcs12 format?
Hi 🙂 The 1st line of the instructions shows a command-line instruction to convert the .crt to pkcs12. You might need to change the file names of the .crt, either in the command or in the file browser. Regards from Tom 🙂
If anyone else needs, the Open Network Configuration format is described in more detail here:
http://www.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration
The Chromebook VPN is very frustrating. L2TP used to work for me with our company’s WatchGuard VPN server, but ChromeOS changed somehow and now it’s broken. So I’m stuck trying to get the OpenVPN to work, but am getting errors when I try to import the client.p12 file: “import Error. Unknown error.” How helpful.
Thank you for posting this, though. WatchGuard exports an *.ovpn file and I would not have known about converting to the *.p12 file without it.
Hi 🙂 I got stuck with the “Upload your ca.crt to Chromebook authority repository”. The Authorities tab didn’t seem to accept either of my .crt or .p12 files. Regards from Tom 🙂
Hi 🙂 Err, my client.p12 did seem to be accepted in the “Your Certificates” tab but that doesn’t seem to be the right place according to the way I understood the instructions. My understanding could easily be at fault though! Regards from Tom 🙂
I just found that the PKCS12 line can be blanked, just like
{
"GUID": "{clientcert}",
"Type": "Client",
"PKCS12": ""
}
“ONC file parse failed: Some certificates couldn’t be imported.” can be safely ignored.
Here you can find detailed docs with examples for setting up an OpenVPN connection with TLS:
https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub
Hey, I am trying to connect Chrome OS with a Synology VPN Server.
I have just a ca.cart and the ovpn file, but I don’t have a client cert or key. It works on Ubuntu, Android, Win and iOS.
Can you help me with an ONC file for Chrome OS?
THAT IS MY OVPN FILE:
———————————————————————————
dev tun
tls-client
remote YOUR_SERVER_IP 20000
# The “float” tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it’s
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
redirect-gateway def1
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
# If you want to connect by Server’s IPv6 address, you should use
# “proto udp6” in UDP mode or “proto tcp6-client” in TCP mode
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
———————————————————————————
Thank you very much.
Peter
Hi,
I am writing to you because I had a problem with the connection between Chrome OS and Synology VPN Server.
I have a ca.cert and a .ovpn configuration, but not a client cert or key. I can’t connect my Chrome OS to the OpenVPN (Synology).
The connection works on Ubuntu, Win, Android, iOS, but not from Chrome.
Here is the .ovpn File
dev tun
tls-client
remote YOUR_SERVER_IP 20000
redirect-gateway
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
Do you have any idea how I can connect my Chrome OS to the VPN?
Thank you very much.
Thank you, this guide finally got me on VPN. Only change I struggled a bit with is that in the ONC file the protocol needed to be changed from tcp to udp.
The first guide that made me get a working connection.
Now the biggest problem I have is that the Chromebook OpenVPN does not configure IPv6. Running it inside an lxc using real OpenVPN I get a 100% success. But running it from ChromeOS… Just V4 :-(.
Thanks for the working example