Setting up OpenVPN to use on your chromebook

Chromebooks are fun, light, and have a long battery life, which is why I use one. It’s an awesome companion for travelling, studies, and other cases that require long battery life and mobility more than they do computing power.

ChromeOS lacks some of the capabilities you find on Windows OS’s and Linux distributions, but it does have built-in OpenVPN support. However, it currently requires a specific configuration and some work to get to work. This post hopefully explains how!

OpenVPN server

On your server box, start by setting up the OpenVPN server.

sudo apt-get install openvpn

Locate the easy-rsa directory. It can be in /usr/share/doc/packages/openvpn /usr/share/doc/openvpn or /usr/share/easy-rsa/, or in certain cases you may have to install easy-rsa seperately. In either case, once you’ve found it, cd to it:

cd /usr/share/easy-rsa/

Now, we can build our ca certificate:

. ./vars
./clean-all
./build-ca

Follow all the instructions given when running that script. It should ask some questions, answer accordingly.
This should generate ca.crt. Copy this file to your chromebook, as you will need it. Furthermore, copy it to your OpenVPN configuration directory, usually /etc/openvpn

Now we can build a key for the openvpn server:

./build-key-server server

The ‘server’ argument will determine the name of the resulting key, in this case you should end up with server.crt and server.key. Copy them in /etc/openvpn as well.

Now we can build a key for our client. Run:

./build-key client1

This will generate client1.key and client1.crt. Normally you should be able to use these files to connect, however chrome OS requires a different format. We can convert the client key now that we have the required files:

openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -name MyClient -out client.p12

If done correctly, you should end up with client.p12. Copy this to your chromebook, as you will need it.

Finally, run

./build-dh

Congratulations, you finally have ALL the files you need! Now you need to edit the OpenVPN configuration. This is usually in /etc/openvpn/server.conf

sudo vim /etc/openvpn/server.conf

Since chrome OS does not yet have the UI to allow for all possible OpenVPN settings, you need specific settings set.

Firstly, since Chrome OS requires both password AND key authentication, you need to enable the PAM module:

plugin  /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

Unfortunately, the location of this plugin varies per distribution, so please double-check its location for your server.

The server type should be UDP, and the device set to ‘tun’:

proto udp
dev tun

Now, make sure the server cert and key are set properly. These are the files you generated earlier. Ensure these files are in /etc/openvpn and their names are right:

ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem

You can configure your OpenVPN to handle DHCP and DNS:

push "redirect-gateway def1 bypass-dhcp bypass-dns"

If you don’t want to do that, keep only “redirect-gateway def1”. Both configs should work.

Set DNS:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

If comp-lzo is enabled, you need to disable it, since chromeOS does not support it:

# comp-lzo

Any settings not mentioned above can be left to defaults.

Now you should restart OpenVPN

sudo /etc/init.d/opennms restart

You can check /var/log/syslog to see if it restarted properly, and correct any errors.

Chromebook client

Now that your server is working fine, it’s time to set up the client.

First, make sure you’ve generated and copied ca.crt and client.p12 from before.
Now, we’re going to need to import the certificate authority’s cert and our key into Chrome OS.
Navigate to chrome://settings/certificates

In the Authorities tab click Import and find ca.crt. You will be asked if you want to trust the CA; “trust this certificate for identifying websites” should be checked there, otherwise your self-signed cert will be rejected by Chrome OS.

Now, from the chrome://settings/certificates page, navigate to “your certificates”. You need to click import and bind to device, and NOT import. Select the .p12 file. You should now see your certificate and “(hardware-backed)” if done correctly.

Adding the VPN

Hopefully, you can now add the VPN to chrome OS. Click on the bottom right (where the clock, network, battery, etc. are), and bring up the network settings. Click “Add connection” and select “OpenVPN/L2TP”

Fill it in thusly:
Server hostname: the IP address or host name of your VPN server.
Service name: This is just the name the network will be saved under, can be anything.
Provider type: OpenVPN
Server CA certificate: This is the CA certificate you imported earlier. If done correctly, it will appear in the drop down here.
User certificate: This is the user certificate you imported. If done correctly, it’ll be here and say “hardware-backed”.
Username/Password: Your Server username and password.

Leave everything else empty/default. Hopefully, it’ll connect!

Debugging

If something fails, these are the places you can look to find what’s going on:

  • /var/log/syslog on your server will tell you if ChromeOS is trying to connect at all, and if yes, what problem it’s having
  • If ChromeOS is not trying to connect at all, it most likely doesn’t like something in your certificate or settings. chrome://system contains the user log, syslog, netlog, and network-services log where you can hopefully get some more verbose error message about WHAT it doesn’t like!
  • If the VPN connects but you have no Internet connection, make sure you’ve done the required network forwarding server side, e.g.:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

    . The OpenVPN documentation has more explanation on that.

Settings not supported by the ChromeOS UI

Allegedly, you can force Chrome OS to accept settings like comp-lzo and other settings the gui doesn’t support, by creating a configuration file. You can read that document and try to follow it if you’re particularly a glutton for punishment.

That’s it! Enjoy your (hopefully) VPN-connected chromebook.

Sources:
OpenVPN on ChromeOS which helped me find out how to import certificates and all that jazz.
OpenVPN HOWTO!

30 thoughts on “Setting up OpenVPN to use on your chromebook

  1. Hi Errietta – Thanks for the fantastic post. Very clearly written. You might like to mention that if people are using a non-standard port, they can specify the port in the chrome OS server hostname i.e. Server hostname : myserver.com:1155

  2. Hi Errietta,
    thank you for your post.
    In case a vpn.conf file is available, and your chromebook is in developer mode, you may want to have a look below:

    https://goo.gl/Rf7O9g

    it makes connecting to openvpn really easy :)

  3. Hi Errietta,

    Thank you for your post.

    My circumstances are slightly different from your write up. I have an Asus RT-AC66U wireless router capable of acting as a OVPN VPN server. With these routers, you set-up the VPN as you see fit and then you can export an *.ovpn file. Nice and easy with an OVPN client to use on your desktop/laptop. Not so much with Chromebooks…

    With a little bit of trial and error and using your Chromebook instructions as a template, I’ve now managed to set-up a fully working home VPN that my Linux laptop AND Chromebook can connect to :)

    I had to pull apart the *.ovpn file and create the three required certificates. Then on my Linux laptop, I had to install easyRSA and create the .p12 file from the three certificates. Then I had to copy the resulting files/certs to a USB stick and copy them over to my Chromebook. However, from there, I was able to successfully import everything as per your instructions.

    There were a few final gotchas, like having to disable compression on the router; making sure DNS was setup correctly and being on a separate wifi network when you try to connect…but it was a thing of beauty when I saw the Chromebook connect to my VPN for the first time, allowing me safe browsing through my home network :D

    So thank you for helping me on my way! :)

    I can only hope Google eventually make ChromeOS much, much more VPN user friendly. But I kind of get the feeling that’s never going to happen. Why? I imagine VPNs cause all sorts of problems with their analytics; therefore their main source of income. You catch my drift, I’m sure ;)

      • Hi,

        Sorry about the delay. I imagine I put a fake email address in the email field so didn’t get notified about your comment. I just checked on an old bookmark for some random reason. Anyway, I’ve used my correct address in this post.

        Short story, my router provides me with an .ovpn file. The .ovpn file has three sections. The CA, Client and Key. I used each section and made three separate certificates. Then I used easyRSA (sudo apt-get install easyrsa) and the commands listed in Errietta’s write-up.

        Did you get it working?

    • Ben

      I have the same issue. I am trying to figure out how to use the .ovpn from my Asus RT-AC68R router to use on my ChromeBook.

      I don’t have a Linux machine I can use. Would you be able to provide me some more detailed instructions on how you did it and got it working? Can you email me at itech.bogedin@gmail.com?

  4. Hi Errieta,

    I found this how-to very helpful since I use ChromeBooks. Thanks for the write up. However I was struggling for the longest time with self-signed certificate errors where the TLS handshake would just fail.
    There is a step missing from here. Seems that importing the p12 file alone does not import the CA as a verified authority. So in the same chrome://settings/certificates page user needs to go to the Authorities tab and import the ca.crt just as outlined in the link you provided for custom Chrome OS settings using ONC files.

  5. Hi and thank you for writing this. Can you tell me what username/password I use in the Adding the VPN section?

  6. Hi, I’ve followed these instructions (and several others) and no matter what, my chomebook says that my .p12 file is invalid or corrupt.

    any ideas/advice? I have to idea what the chromebook expects for a file to be ‘valid’ let alone how to generate a file that fits the bill :(

    Ta

  7. First up, nice post !

    probably the only one post came up in Google search that provides definitive thorough instructions to do this

    I still failed to connect my chromebook though to my vpn server with this way, I’m wondering if you can help me find what’s causing connection failed in my case

    I’ve been setting up my vpn server ( it’s hosted on raspberry pi ) and I usually connect to it from variety of means. Android’s OpenVPN Connect or from Windows machine and other linux-based server it’s fine

    The only changes I made is adding the line plugin … auth.pam.so login, so that it’s suited to what Chromebook needs. However after following the steps in your page, the chromebook is failing to connect to my vpn server. It’s as if there’s no ‘route’ to go there. My internet connection is working fine, so I’m not too sure yet what’s causing this …

    Chromebook don’t really have firewall restriction, do they ?

    • Did you check the logs I mentioned? That’s the only way to find out the error unfortunately. Start by the server logs, see if there’s even a connection attempt then if not try to find the chromebook logs.
      Chromebook does set firewall rules but they only prevent incoming connections. You can install iptables and check with iptables -L.

  8. just thought I let an update on this post

    I have now managed to get OpenVPN connection finally working on my chromebook. Sadly, the GUI solution where you have to import certificates etc doesn’t really work for me, because internally whenever a new tun connection is created it gets destroyed by the system ( weird ! ), but there’s an ongoing issue with this and Google supports are working on it

    I got it working by bypass the GUI and working behind the scenes from commandline like ‘sudo openvpn config.ovpn’ basically

    full src:
    https://github.com/dnschneid/crouton/wiki/Using-Cisco-AnyConnect-VPN-with-openconnect

    • Hi Arief,
      mind if I contact you with some specific questions? It seems I have the same setup as you (openvpn on a rpi, android connecting to it without a problem, however I get stuck when i try to connect using my Chromebook)

      tia

      Bruno

  9. Is there currently a way to utilize this without auth-pam? I have a working OPenVPN server on dd-wrt, that handles several devices successfully. I’d prefer not to implement this auth-pam module so to complicate those other devices. I have created the proper files from my chromebook, and have imported them successfully, but alas – the chromebook requests username/password.

    Additionally, I don’t see a way to install this module when using the Router as the VPN server.

  10. Erietta,

    I don’t think I can run these commands on my VPN server. I only have a client Linux machine. Will it still work?

    Thanks.

  11. I seemed to be lost before I even got started on this article.

    You seem to be using Linux code on a Chromebook? How?

    Thank you for your time.

    • Getting Linux on a chromebook is indeed possible with crouton however not required for this article; all the Linux commands I provided are for your openvpn server. if you already have a VPN setup you can just ignore it

  12. Excellent post!

    Together with the tutorial by Lauren Orsini (link below) your post and the link to the doc (“creating a configuration file”) at the end of your post I managed to set up a functional VPN server on a RaspberryPi3.

    For others who want to enable comp-lzo and tls-auth and follow the instructions in the “creating a configuration” doc a possibly useful tip: after following all the steps I could connect, but no network.. this was caused by a “cipher final failed”. In my case it was solved by setting the correct cipher in the ONC file. (see second link below)

    what also helped me a great deal was to first read up on “public key infrastructure” to understand the many files generated (ca.key/ca.crt/server.crt/etc.) understanding what each file is used for makes it much easier understanding the different tutorials

    anyway..thanks for your post Errietta

    http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
    http://matthewcasperson.blogspot.nl/2015/03/fixing-openvpn-authenticatedecrypt.html

  13. Since this was one of the first places I landed trying to get OpenVPN running on ChromeOS I thought I’d give back for anyone else going down this path. If you have an advanced use case (i.e. TLS or client certs) I’ve augmented an existing ONC generator to support most of the OpenVPN section spec: https://github.com/R3vXX/oncgenerator

  14. Hi, I’ve just followed this tutorial and when i import the .p12 certificate it says it’s untrusted. When I created the file it gave me an error something like ‘could not write to random thing’ (I don’t remember exactly, but i can check the exact message if you want), But it still created the file. I am not able to connect to the VPN. Do you know how I could fix this?

Leave a Comment

Your email address will not be published. Required fields are marked *