Chromebook OpenVPN client connection?



  • Been trying to get a OpenVPN connection working on a chromebook, connecting through the graphical user interface.

    Following these directions here.
    https://docs.google.com/document/d/1ecDUFsvoBNivDQHeeGAN3xZZiQ9LkhEp_kzg4fgRgmM/edit

    It requires both a .crt file and a .p12 file.

    Using the OpenVPN client export option and the Standard Archive export, gives me the .p12 but not the .crt

    Where do I get that from?

    Chromebooks don't use the standard .ovpn file imports for some reason.



  • You can use System > Cert Manager in pfSense GUI to export certs in crt format.
    You can also export them from the p12 file, e.g. in Linux or Windows, however, I don't know if it is possible in Chrome OS.



  • Thanks, downloaded it and when attempting to import the authority, I get the error of 'www.mydomainname.com: Not a Certification Authority'

    Any ideas?


  • Banned

    Perhaps you could move to some Google Groups to ask about Chrome OS? Nothing here has any relevance to pfSense.



  • In common you need 3 parts for establishing a VPN connection:
    CA cert - the CA which is set at "Peer Certificate Authority" in VPN server config
    user cert
    users private key

    You can find them all in cert manager and export it from there.

    If you use "TLS Authentication" you need the TLS key in addition. You may copy it from server config into a file.



  • @doktornotor:

    Perhaps you could move to some Google Groups to ask about Chrome OS? Nothing here has any relevance to pfSense.

    I'm using the Chromebook to connect to a network via the pfSense router, using OpenVPN.

    I haven't found anywhere else on the internet where a person has mentioned how to do this.



  • Hello, popping in a bit after the fact, but did you get this working? Just about to head down this path and would greatly appreciate any clues. Thanks!



  • Also looking for help getting a Chromebook to use open VPN.



  • Hi All, I am also stumped by this and wonder if anyone has had any luck with the configuration. I have setup the OpenVPN server and the chromebook can connect to the vpn but I can not get any packets to flow. I can see that the chromebook gets an IP and updates the routes, the chromebook can ping it's tun adapter address but it can not ping the pfSense OpenVPN server. The same OpenVPN connection and settings work well from a Windows system and I am able to make OpenVPN connection on the ChromeBook from a Untangle server using a exported onc file.



  • For anyone else looking into this, there may be a way to configure the connection by generating your own .onc file.

    Here is some information on that:

    https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub

    ChromeOS VPN ONC block

    Now for the hard part.  We are using a configuration that is supported by OpenVPN on ChromeOS, but not yet fully supported by the UI. 
    Fortunately there is a way to get more configuration options available via an “under the hood” method, using “Open Network Config” blocks, which are JSON opjects (JavaScript Object Notation).  Normally these are pushed down via the enterprise control panel for enterprised enrolled devices, but for non enterprise accounts, we can inject an ONC config via an internal URL.
    Disclaimer

    This method of importing the ONC is available on Verified Boot mode devices (no need to be in dev mode)  but is not officially supported. There is work underway to make the config UI more rich, but at the moment this is the way to go. I add this warning to make sure that while this method works, it would be bad if it got too wide spread and broke. Please use some discretion in sharing this document. 
    To make the ONC block, we need 2 GUIDs (though I suspect we can use random strings).  I got 2 from http://www.uuidgenerator.net/ they are just random.  Just hit reload to get another.
    To make this block, copy the template below into a text editor and fill in the appropriate fields.
    There is more documentation on the ONC format here: http://dev.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration  But some things are a bit trial and error, or require searching the source code.  The Links section at the end of this document has more info.
    Here, on the next page, is a template, and things between “<” and “>”  will be filled in as noted below.
    {
    "Type":"UnencryptedConfiguration",
          "Certificates": [ {
          "GUID": "{<guid#1>}",
          "Type": "Authority",
          "X509": "<ca_cert>"
      } ],
        "NetworkConfigurations": [ {
          "GUID": "{<guid#2>}",
          "Name": "<vpn_name>",
          "Type": "VPN",
          "VPN": {
              "Type": "OpenVPN",
              "Host": "<hosthame>",
              "OpenVPN": {
                            "ServerCARef": "{<guid#1>}",
                        "AuthRetry": "interact",
                        "ClientCertType": "Pattern",
                        "ClientCertPattern": {             
                              "IssuerCARef": [ "{<guid#1>}" ]
                            },
                        "CompLZO": "true",
                        "Port": 1194,
                        "Proto": "udp",
                        "RemoteCertTLS":"server",
                        "RemoteCertEKU": "TLS Web Server Authentication",
                        "SaveCredentials": false,
                        "ServerPollTimeout": 10,
                        "Username": "<username>",
                        "KeyDirection":"1",                   
                        "TLSAuthContents":"<tls_auth_key>"
                        }
                }
                                  } ]
    }
    OK, this is a bit of a mess, but we will take it one field at a time:
    GUID#1  just a random string as an identifier, it’s used in 3 places to link the network config to the CA for that config.  If you want to generate a GUID, you can get one from the above website, and it will look something like:  48944528-58fa-401e-8cea-7a75e4305592,  or you can perhaps just use “MY-CERT-AUTHORITY”  without the quotes. 
    GUID#2 is another identifier, to label the VPN config, and is not actually used, but we need an identifier here to make things work.
    VPN_NAME: This can be anything you like, it will be used in the UI for selecting the VPN.  If you have a name for your network e.g., “Walter White’s Home VPN” you can use it here.
    CA-CERT: this is the contents of the CA.crt, without the header lines, on one long line, so it will be one long string of base64 encoded ascii, typically begining with “MII” and continuing on for some lines, remove the newlines in the cert.  The footer line “–---END CERTIFICATE-----” is also not included.
    HOSTNAME:  This is simply the hostname of your VPN server, e.g. homserver.myhomenet.com 
    USERNAME:  Is your username on the vpn server.
    TLS_AUTH_KEY:  This one is the TLS auth key, but there is a catch.  We need to remove the comment lines, but DO need to include the header and footer lines “-----BEGIN OpenVPN Static Key V1-----” and the footer line “-----END OpenVPN Static Key V1-----”, but we replace all the newlines with literal “\n” characters.  This is not documented, but can be seen in the test cases for the ChromeOS VPN support.
    You can do this with this shell command: 
    grep -v '#' ta-demo.key | perl -p -e 's/\n/\n/' -
    Yeah, it’s a bit of a Yak shave, I am sure there is a more optimum way to do this in sed / awk / perl, but this works, and we only need it once. Copy the output of the command into the TLS auth key value as shown:
    Here is what the key looks like before and after:
    Before:

    2048 bit OpenVPN static key

    -----BEGIN OpenVPN Static key V1-----
    ad81f4aafe33ecbbc68ae88536ccd8d4
    9c929dfdd6d57aff5e082a37da9a827c
    ca3f3db0815b1ae268bb106946c6e757
    4f5e624824b5e3c62c02a6098f1d4efe
    8d9858df2a73c5ec1a3b6e3901f1d70d
    3e16a318999d6515f3a7f1b0971ebe48
    e59145aa968c8c2b69926a78ce6ddf5f
    f5df09d1340bd3227ed65c294fe15273
    fc142b05a4bce36395c86727825c378a
    56ca3d32ccc888172f4549334835cae2
    39d7348daccba3c2131f6e62e85873aa
    be8c79a342f64335963825468b262789
    e94148ea636272928002770262b345d7
    a3bcf8637c2138ffebe47ac879755a5d
    51cfa985db7d56006e4d865dd0487a12
    55bfe0b9d162e0dc54457a9bb9bbeaaf
    -----END OpenVPN Static key V1-----
    And After:
    -----BEGIN OpenVPN Static key V1-----\nad81f4aafe33ecbbc68ae88536ccd8d4\n9c929dfdd6d57aff5e082a37da9a827c\nca3f3db0815b1ae268bb106946c6e757\n4f5e624824b5e3c62c02a6098f1d4efe\n8d9858df2a73c5ec1a3b6e3901f1d70d\n3e16a318999d6515f3a7f1b0971ebe48\ne59145aa968c8c2b69926a78ce6ddf5f\nf5df09d1340bd3227ed65c294fe15273\nfc142b05a4bce36395c86727825c378a\n56ca3d32ccc888172f4549334835cae2\n39d7348daccba3c2131f6e62e85873aa\nbe8c79a342f64335963825468b262789\ne94148ea636272928002770262b345d7\na3bcf8637c2138ffebe47ac879755a5d\n51cfa985db7d56006e4d865dd0487a12\n55bfe0b9d162e0dc54457a9bb9bbeaaf\n-----END OpenVPN Static key V1-----\n
    Note the “\n” characters buried inside. so the final value looks like:
    “TLSAuthContents”:”-----BEGIN OpenVPN Static key V1-----\nad81f4aafe33ecbbc68ae88536ccd8d4\n9c929dfdd6d57aff5e082a37da9a827c\nca3f3db0815b1ae268bb106946c6e757\n4f5e624824b5e3c62c02a6098f1d4efe\n8d9858df2a73c5ec1a3b6e3901f1d70d\n3e16a318999d6515f3a7f1b0971ebe48\ne59145aa968c8c2b69926a78ce6ddf5f\nf5df09d1340bd3227ed65c294fe15273\nfc142b05a4bce36395c86727825c378a\n56ca3d32ccc888172f4549334835cae2\n39d7348daccba3c2131f6e62e85873aa\nbe8c79a342f64335963825468b262789\ne94148ea636272928002770262b345d7\na3bcf8637c2138ffebe47ac879755a5d\n51cfa985db7d56006e4d865dd0487a12\n55bfe0b9d162e0dc54457a9bb9bbeaaf\n-----END OpenVPN Static key V1-----\n”

    Save the edited file, as filename.onc, and copy it to Google Drive, or get it on the Chromebook somehow. You should treat it as secure since it has a TLS auth key inside.

    That looks a bit different than the onc I had from Untangle and some testing should shed soem light on this.:)</tls_auth_key></username></guid#1></guid#1></hosthame></vpn_name></guid#2></ca_cert></guid#1>



  • I had some issues getting this to work, don't forget to add lines for auth, cipher, etc. for you OpenVPN configuration.  Perhaps those are obvious, but it wasn't to me.

    
    "Auth": "SHA256",
    "CompLZO": "adaptive",
    "Cipher": "AES-256-CBC",
    

    Lastly, the template is great, but I used the HTML ONC generator (https://github.com/CharlesErickT/oncgenerator/blob/master/index.html) to help me.