In this post we will discuss how to configure OpenVPN for ChromeOS. OpenVPN on a Chromebook cannot currently be configured through the user interface, but hopefully it will be available there in the future. The following are the features supported by OpenVPN on Chromebooks.
The following instructions consist of creating a self-signed certificate authority and self-signed certificates for the server and client. The certificates are imported into the ChromeOS TPM (secure hardware on the Chromebook), then an ONC config is created with the full set of VPN options required, and this is imported into the Chromebook.
Please make sure that you have the following:
- An OpenVPN server running Linux. It should be reachable from the public internet, or at least have a DNS record that points to it.
- A Chromebook
- A second laptop running Linux.
Setting up a VPN server:
- Use 2048-bit keys.
- Keep the ca.key file someplace safe.
- While creating the server certificate, use the external host name of your server.
- Use the build-key script for the client when creating the client certificate.
- Upload ca.crt, client.crt/client.key, the pkcs12 file and ta.key to Google Drive.
- Port 1194 is the one most commonly used for OpenVPN. Using port 443 instead will prevent running an HTTPS server on the same machine.
The following are the server.conf file contents:
Setting up Home Network for VPN:
- In the home router, forward the VPN port to the IP address of the VPN Server.
- Allow IP forwarding and set the iptables rules accordingly.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
Files Needed for the Client:
- ca.crt – the certificate authority’s public key certificate.
- client-cert.p12 – the client’s public/private key
- ta.key – the TLS authentication key
Importing Certificates into ChromeOS:
- Browse to the URL:
- In the page that opens, select the Authorities tab.
- Then click on Import. Browse to ca.crt and click on Open.
- “Trust this certificate for identifying websites” should be checked.
- You should see the certificate authority listed in the Authorities tab.
- Import the pkcs12 certificate. In Your Certificates, use Import and Bind to Device.
You can remove the certificates by using the delete option.
ChromeOS VPN ONC block:
ONC stands for Open Network Configuration. These are JSON objects. You can inject ONC using an internal URL.
- You will need two GUIDs
- Use an online GUID generator to generate the two GUIDs.
- GUID#1: It is a random string identifier; you can get it from an online generator.
- GUID#2: It is the VPN name. Choose one you like.
- CA-CERT: This contains the contents of ca.crt, without the header lines.
- HOSTNAME: This is the hostname of the VPN server.
- USERNAME: It is the username on the server.
- TLS_AUTH_KEY: This is the TLS authentication key. Remove the comment lines, but include the header and footer lines. Header: -----BEGIN OpenVPN Static Key V1----- . Footer: -----END OpenVPN Static Key V1-----. Every newline has to be replaced with ‘\n’.
- After Editing the file, save it as filename.onc and upload it to Google Drive.
- Use the following URL to upload the .onc file
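The CA-CERT and TLS_AUTH_KEY values described in the list above can be prepared locally with a short script, so the ta.key contents never have to be pasted into an online tool. This is an added example, not code from the original post: the function names, the sample file contents, the hostname and the username are constructed, and joining the certificate body into one line and keeping a trailing newline on the key are assumptions.

```python
import json
import uuid

TA_BEGIN = "-----BEGIN OpenVPN Static Key V1-----"
TA_END = "-----END OpenVPN Static Key V1-----"

# Constructed sample inputs (not real key material).
SAMPLE_CA_CRT = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ09OU1RSVUNURUQx
U0FNUExFT05MWVhY
-----END CERTIFICATE-----
"""
SAMPLE_TA_KEY = """#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static Key V1-----
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
-----END OpenVPN Static Key V1-----
"""

def ca_cert_value(pem_text):
    """CA-CERT: the base64 body of ca.crt, header/footer lines dropped."""
    lines = [line.strip() for line in pem_text.splitlines()]
    begin = lines.index("-----BEGIN CERTIFICATE-----")  # ValueError if absent
    end = lines.index("-----END CERTIFICATE-----", begin)
    body = [line for line in lines[begin + 1:end] if line]
    if not body:
        raise ValueError("ca.crt: empty certificate body")
    return "".join(body)  # assumption: joined into a single line

def tls_auth_value(key_text):
    """TLS_AUTH_KEY: comment lines removed, header and footer kept."""
    lines = [line.strip() for line in key_text.splitlines()]
    kept = [line for line in lines if line and not line.startswith("#")]
    if len(kept) < 3 or kept[0] != TA_BEGIN or kept[-1] != TA_END:
        raise ValueError("ta.key: header, key body or footer missing")
    return "\n".join(kept) + "\n"

def onc_string(value):
    """JSON string literal: real newlines come out as the two characters \\n."""
    return json.dumps(value)

def placeholder_values(ca_pem, ta_key, hostname, username, vpn_name):
    return {"GUID#1": str(uuid.uuid4()), "GUID#2": vpn_name,
            "CA-CERT": ca_cert_value(ca_pem), "HOSTNAME": hostname,
            "USERNAME": username, "TLS_AUTH_KEY": tls_auth_value(ta_key)}

if __name__ == "__main__":
    vals = placeholder_values(SAMPLE_CA_CRT, SAMPLE_TA_KEY,
                              "vpn.example.com", "alice", "Home VPN")
    for name, value in vals.items():
        print(name, "=", onc_string(value))
```

Each printed value is already a quoted JSON string, so it can be pasted over the matching placeholder in the .onc file as it is.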
There you go, now you know the basics of setting up OpenVPN on Chromebooks. Follow the instructions carefully, as it is very easy to make mistakes. For a detailed post on how to use OpenVPN on a Chromebook, please let us know in the comments below.