Chromebook OpenVPN client connection?
-
You can use System > Cert Manager in pfSense GUI to export certs in crt format.
You can also export them from the p12 file, e.g. in Linux or Windows; however, I don't know if it is possible in Chrome OS.
-
Thanks, downloaded it and when attempting to import the authority, I get the error of 'www.mydomainname.com: Not a Certification Authority'
Any ideas?
-
Perhaps you could move to some Google Groups to ask about Chrome OS? Nothing here has any relevance to pfSense.
-
In common you need 3 parts for establishing a VPN connection:
CA cert - the CA which is set at "Peer Certificate Authority" in VPN server config
user cert
user's private key
You can find them all in cert manager and export them from there.
If you use "TLS Authentication" you need the TLS key in addition. You may copy it from server config into a file.
-
> Perhaps you could move to some Google Groups to ask about Chrome OS? Nothing here has any relevance to pfSense.
I'm using the Chromebook to connect to a network via the pfSense router, using OpenVPN.
I haven't found anywhere else on the internet where a person has mentioned how to do this.
-
Hello, popping in a bit after the fact, but did you get this working? Just about to head down this path and would greatly appreciate any clues. Thanks!
-
Also looking for help getting a Chromebook to use open VPN.
-
Hi All, I am also stumped by this and wonder if anyone has had any luck with the configuration. I have set up the OpenVPN server and the Chromebook can connect to the VPN, but I cannot get any packets to flow. I can see that the Chromebook gets an IP and updates the routes; the Chromebook can ping its tun adapter address but it cannot ping the pfSense OpenVPN server. The same OpenVPN connection and settings work well from a Windows system, and I am able to make an OpenVPN connection on the Chromebook to an Untangle server using an exported .onc file.
-
For anyone else looking into this, there may be a way to configure the connection by generating your own .onc file.
Here is some information on that:
https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub
ChromeOS VPN ONC block
Now for the hard part. We are using a configuration that is supported by OpenVPN on ChromeOS, but not yet fully supported by the UI.
Fortunately there is a way to get more configuration options available via an “under the hood” method, using “Open Network Config” blocks, which are JSON objects (JavaScript Object Notation). Normally these are pushed down via the enterprise control panel for enterprise-enrolled devices, but for non-enterprise accounts, we can inject an ONC config via an internal URL.
Disclaimer
This method of importing the ONC is available on Verified Boot mode devices (no need to be in dev mode) but is not officially supported. There is work underway to make the config UI more rich, but at the moment this is the way to go. I add this warning to make sure that while this method works, it would be bad if it got too widespread and broke. Please use some discretion in sharing this document.
To make the ONC block, we need 2 GUIDs (though I suspect we can use random strings). I got 2 from http://www.uuidgenerator.net/ they are just random. Just hit reload to get another.
To make this block, copy the template below into a text editor and fill in the appropriate fields.
There is more documentation on the ONC format here: http://dev.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration But some things are a bit trial and error, or require searching the source code. The Links section at the end of this document has more info.
Here, on the next page, is a template, and things between “<” and “>” will be filled in as noted below.
{
"Type":"UnencryptedConfiguration",
"Certificates": [ {
"GUID": "{<guid#1>}",
"Type": "Authority",
"X509": "<ca_cert>"
} ],
"NetworkConfigurations": [ {
"GUID": "{<guid#2>}",
"Name": "<vpn_name>",
"Type": "VPN",
"VPN": {
"Type": "OpenVPN",
"Host": "<hostname>",
"OpenVPN": {
"ServerCARef": "{<guid#1>}",
"AuthRetry": "interact",
"ClientCertType": "Pattern",
"ClientCertPattern": {
"IssuerCARef": [ "{<guid#1>}" ]
},
"CompLZO": "true",
"Port": 1194,
"Proto": "udp",
"RemoteCertTLS":"server",
"RemoteCertEKU": "TLS Web Server Authentication",
"SaveCredentials": false,
"ServerPollTimeout": 10,
"Username": "<username>",
"KeyDirection":"1",
"TLSAuthContents":"<tls_auth_key>"
}
}
} ]
}
OK, this is a bit of a mess, but we will take it one field at a time:
GUID#1 just a random string as an identifier, it’s used in 3 places to link the network config to the CA for that config. If you want to generate a GUID, you can get one from the above website, and it will look something like: 48944528-58fa-401e-8cea-7a75e4305592, or you can perhaps just use “MY-CERT-AUTHORITY” without the quotes.
GUID#2 is another identifier, to label the VPN config, and is not actually used, but we need an identifier here to make things work.
VPN_NAME: This can be anything you like, it will be used in the UI for selecting the VPN. If you have a name for your network e.g., “Walter White’s Home VPN” you can use it here.
CA-CERT: this is the contents of the CA.crt, without the header lines, on one long line, so it will be one long string of base64-encoded ASCII, typically beginning with “MII” and continuing on for some lines; remove the newlines in the cert. The footer line “-----END CERTIFICATE-----” is also not included.
HOSTNAME: This is simply the hostname of your VPN server, e.g. homserver.myhomenet.com
USERNAME: Is your username on the vpn server.
TLS_AUTH_KEY: This one is the TLS auth key, but there is a catch. We need to remove the comment lines, but DO need to include the header and footer lines “-----BEGIN OpenVPN Static Key V1-----” and the footer line “-----END OpenVPN Static Key V1-----”, but we replace all the newlines with literal “\n” characters. This is not documented, but can be seen in the test cases for the ChromeOS VPN support.
You can do this with this shell command:
grep -v '#' ta-demo.key | perl -p -e 's/\n/\\n/' -
Yeah, it’s a bit of a Yak shave, I am sure there is a more optimum way to do this in sed / awk / perl, but this works, and we only need it once. Copy the output of the command into the TLS auth key value as shown:
Here is what the key looks like before and after:
Before:
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
ad81f4aafe33ecbbc68ae88536ccd8d4
9c929dfdd6d57aff5e082a37da9a827c
ca3f3db0815b1ae268bb106946c6e757
4f5e624824b5e3c62c02a6098f1d4efe
8d9858df2a73c5ec1a3b6e3901f1d70d
3e16a318999d6515f3a7f1b0971ebe48
e59145aa968c8c2b69926a78ce6ddf5f
f5df09d1340bd3227ed65c294fe15273
fc142b05a4bce36395c86727825c378a
56ca3d32ccc888172f4549334835cae2
39d7348daccba3c2131f6e62e85873aa
be8c79a342f64335963825468b262789
e94148ea636272928002770262b345d7
a3bcf8637c2138ffebe47ac879755a5d
51cfa985db7d56006e4d865dd0487a12
55bfe0b9d162e0dc54457a9bb9bbeaaf
-----END OpenVPN Static key V1-----
And After:
-----BEGIN OpenVPN Static key V1-----\nad81f4aafe33ecbbc68ae88536ccd8d4\n9c929dfdd6d57aff5e082a37da9a827c\nca3f3db0815b1ae268bb106946c6e757\n4f5e624824b5e3c62c02a6098f1d4efe\n8d9858df2a73c5ec1a3b6e3901f1d70d\n3e16a318999d6515f3a7f1b0971ebe48\ne59145aa968c8c2b69926a78ce6ddf5f\nf5df09d1340bd3227ed65c294fe15273\nfc142b05a4bce36395c86727825c378a\n56ca3d32ccc888172f4549334835cae2\n39d7348daccba3c2131f6e62e85873aa\nbe8c79a342f64335963825468b262789\ne94148ea636272928002770262b345d7\na3bcf8637c2138ffebe47ac879755a5d\n51cfa985db7d56006e4d865dd0487a12\n55bfe0b9d162e0dc54457a9bb9bbeaaf\n-----END OpenVPN Static key V1-----\n
Note the “\n” characters buried inside, so the final value looks like:
"TLSAuthContents":"-----BEGIN OpenVPN Static key V1-----\nad81f4aafe33ecbbc68ae88536ccd8d4\n9c929dfdd6d57aff5e082a37da9a827c\nca3f3db0815b1ae268bb106946c6e757\n4f5e624824b5e3c62c02a6098f1d4efe\n8d9858df2a73c5ec1a3b6e3901f1d70d\n3e16a318999d6515f3a7f1b0971ebe48\ne59145aa968c8c2b69926a78ce6ddf5f\nf5df09d1340bd3227ed65c294fe15273\nfc142b05a4bce36395c86727825c378a\n56ca3d32ccc888172f4549334835cae2\n39d7348daccba3c2131f6e62e85873aa\nbe8c79a342f64335963825468b262789\ne94148ea636272928002770262b345d7\na3bcf8637c2138ffebe47ac879755a5d\n51cfa985db7d56006e4d865dd0487a12\n55bfe0b9d162e0dc54457a9bb9bbeaaf\n-----END OpenVPN Static key V1-----\n"
Save the edited file as filename.onc, and copy it to Google Drive, or get it on the Chromebook somehow. You should treat it as secure since it has a TLS auth key inside.
That looks a bit different than the onc I had from Untangle and some testing should shed some light on this. :)
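As an added example (not from the thread or the quoted Google Doc), the script below applies the two encoding rules the document spells out and emits the template as an .onc file: the CA goes in as bare base64 with the PEM header, footer and newlines removed, and the static key keeps its BEGIN/END lines, drops the '#' comment lines, and keeps a newline after every line. The “literal \n” the document asks for is ordinary JSON string escaping, so the key is kept with real newlines and json.dumps writes the \n sequences. The CA PEM, key, hostname and username are constructed placeholders.

```python
import json
import uuid

# Constructed sample inputs (not real credentials): a fake CA PEM and a truncated
# static key laid out like the ta.key shown in the document, comment lines included.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBxzCC\nabcd\n-----END CERTIFICATE-----\n"
TA_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n"
          "-----BEGIN OpenVPN Static key V1-----\nad81f4aa\n9c929dfd\n"
          "-----END OpenVPN Static key V1-----\n")


def pem_body(pem):
    """X509 field: base64 payload only; PEM header, footer and newlines removed."""
    lines = [l.strip() for l in pem.splitlines()]
    return "".join(l for l in lines if l and not l.startswith("-----"))


def tls_auth_contents(key_text):
    """TLSAuthContents field: drop '#' comment lines, keep the BEGIN/END lines,
    one newline after each line (json.dumps turns these into the \\n of the doc)."""
    lines = [l.strip() for l in key_text.splitlines()]
    kept = [l for l in lines if l and not l.startswith("#")]
    return "\n".join(kept) + "\n"


def build_onc(name, host, username, ca_pem, ta_key, port=1194, proto="udp"):
    """Assemble the document's ONC template; both GUIDs are fresh random UUIDs."""
    ca_guid = "{%s}" % uuid.uuid4()    # GUID#1: ties the network to its CA (3 uses)
    net_guid = "{%s}" % uuid.uuid4()   # GUID#2: only labels the VPN entry
    openvpn = {
        "ServerCARef": ca_guid, "AuthRetry": "interact",
        "ClientCertType": "Pattern", "ClientCertPattern": {"IssuerCARef": [ca_guid]},
        "CompLZO": "true", "Port": port, "Proto": proto,
        "RemoteCertTLS": "server", "RemoteCertEKU": "TLS Web Server Authentication",
        "SaveCredentials": False, "ServerPollTimeout": 10,
        "Username": username, "KeyDirection": "1",
        "TLSAuthContents": tls_auth_contents(ta_key),
    }
    return {
        "Type": "UnencryptedConfiguration",
        "Certificates": [{"GUID": ca_guid, "Type": "Authority", "X509": pem_body(ca_pem)}],
        "NetworkConfigurations": [{"GUID": net_guid, "Name": name, "Type": "VPN",
                                   "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": openvpn}}],
    }


def render_onc(onc):
    """Serialise to .onc file text; key newlines appear as \\n exactly as in the doc."""
    return json.dumps(onc, indent=2)


if __name__ == "__main__":
    print(render_onc(build_onc("Home VPN", "vpn.example.net", "alice", CA_PEM, TA_KEY)))
```

The printed text is the whole file to save as filename.onc; like the hand-edited version, it carries the TLS auth key in clear and should be handled accordingly.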
-
I had some issues getting this to work. Don't forget to add lines for auth, cipher, etc. for your OpenVPN configuration. Perhaps those are obvious, but it wasn't to me.
"Auth": "SHA256", "CompLZO": "adaptive", "Cipher": "AES-256-CBC",
Lastly, the template is great, but I used the HTML ONC generator (https://github.com/CharlesErickT/oncgenerator/blob/master/index.html) to help me.