Chromebooks are fun, light, and have a long battery life, which is why I use one. It’s an awesome companion for travelling, studies, and other cases that require long battery life and mobility more than they do computing power.
ChromeOS lacks some of the capabilities you find on Windows OS’s and Linux distributions, but it does have built-in OpenVPN support. However, it currently requires a specific configuration and some work to get to work. This post hopefully explains how!
On your server box, start by setting up the OpenVPN server.
sudo apt-get install openvpn
Locate the easy-rsa directory. It can be in /usr/share/doc/packages/openvpn /usr/share/doc/openvpn or /usr/share/easy-rsa/, or in certain cases you may have to install easy-rsa seperately. In either case, once you’ve found it, cd to it:
Now, we can build our ca certificate:
. ./vars ./clean-all ./build-ca
Follow all the instructions given when running that script. It should ask some questions, answer accordingly.
This should generate ca.crt. Copy this file to your chromebook, as you will need it. Furthermore, copy it to your OpenVPN configuration directory, usually /etc/openvpn
Now we can build a key for the openvpn server:
The ‘server’ argument will determine the name of the resulting key, in this case you should end up with server.crt and server.key. Copy them in /etc/openvpn as well.
Now we can build a key for our client. Run:
This will generate client1.key and client1.crt. Normally you should be able to use these files to connect, however chrome OS requires a different format. We can convert the client key now that we have the required files:
openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -name MyClient -out client.p12
If done correctly, you should end up with client.p12. Copy this to your chromebook, as you will need it.
Congratulations, you finally have ALL the files you need! Now you need to edit the OpenVPN configuration. This is usually in /etc/openvpn/server.conf
sudo vim /etc/openvpn/server.conf
Since chrome OS does not yet have the UI to allow for all possible OpenVPN settings, you need specific settings set.
Firstly, since Chrome OS requires both password AND key authentication, you need to enable the PAM module:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
Unfortunately, the location of this plugin varies per distribution, so please double-check its location for your server.
The server type should be UDP, and the device set to ‘tun’:
proto udp dev tun
Now, make sure the server cert and key are set properly. These are the files you generated earlier. Ensure these files are in /etc/openvpn and their names are right:
ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh2048.pem
You can configure your OpenVPN to handle DHCP and DNS:
push "redirect-gateway def1 bypass-dhcp bypass-dns"
If you don’t want to do that, keep only “redirect-gateway def1”. Both configs should work.
push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199"
If comp-lzo is enabled, you need to disable it, since chromeOS does not support it:
Any settings not mentioned above can be left to defaults.
Now you should restart OpenVPN
sudo /etc/init.d/opennms restart
You can check /var/log/syslog to see if it restarted properly, and correct any errors.
Now that your server is working fine, it’s time to set up the client.
First, make sure you’ve generated and copied ca.crt and client.p12 from before.
Now, we’re going to need to import the certificate authority’s cert and our key into Chrome OS.
Navigate to chrome://settings/certificates
In the Authorities tab click Import and find ca.crt. You will be asked if you want to trust the CA; “trust this certificate for identifying websites” should be checked there, otherwise your self-signed cert will be rejected by Chrome OS.
Now, from the chrome://settings/certificates page, navigate to “your certificates”. You need to click import and bind to device, and NOT import. Select the .p12 file. You should now see your certificate and “(hardware-backed)” if done correctly.
Adding the VPN
Hopefully, you can now add the VPN to chrome OS. Click on the bottom right (where the clock, network, battery, etc. are), and bring up the network settings. Click “Add connection” and select “OpenVPN/L2TP”
Fill it in thusly:
Server hostname: the IP address or host name of your VPN server.
Service name: This is just the name the network will be saved under, can be anything.
Provider type: OpenVPN
Server CA certificate: This is the CA certificate you imported earlier. If done correctly, it will appear in the drop down here.
User certificate: This is the user certificate you imported. If done correctly, it’ll be here and say “hardware-backed”.
Username/Password: Your Server username and password.
Leave everything else empty/default. Hopefully, it’ll connect!
If something fails, these are the places you can look to find what’s going on:
- /var/log/syslog on your server will tell you if ChromeOS is trying to connect at all, and if yes, what problem it’s having
- If ChromeOS is not trying to connect at all, it most likely doesn’t like something in your certificate or settings. chrome://system contains the user log, syslog, netlog, and network-services log where you can hopefully get some more verbose error message about WHAT it doesn’t like!
- If the VPN connects but you have no Internet connection, make sure you’ve done the required network forwarding server side, e.g.:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
. The OpenVPN documentation has more explanation on that.
Settings not supported by the ChromeOS UI
Allegedly, you can force Chrome OS to accept settings like comp-lzo and other settings the gui doesn’t support, by creating a configuration file. You can read that document and try to follow it if you’re particularly a glutton for punishment.
That’s it! Enjoy your (hopefully) VPN-connected chromebook.