- See also OpenVPN on Amazon Linux
Complexity with a Simplistic Solution
OpenVPN on ChromeOS and Android has become a bit complicated, since ChromeOS now supports Android. However, Android seems to live inside its own environment within ChromeOS, accessible to other Android Apps, but without the ability to modify the larger ChromeOS environment. This means that using an Android OpenVPN app doesn't have an effect on ChromeOS Apps, only other Android apps.
For example, the Android Outlook app would not authenticate properly to external accounts until a compatible browser app was installed (and since Chrome was not available, it needed to be Chrome Beta, Chrome Dev, or possibly Chrome Canary).
Our testing indicates that the OpenVPN Connect or OpenVPN for Android apps apply their new VPN routes only to Android apps and not the larger ChromeOS environment, if the "prefer this network" setting is enabled in ChromeOS. Disable this and Bob's your uncle.
OpenVPN on Android
OpenVPN Android apps make a lot of sense, both for Android and for ChromeOS + Android. OpenVPN on Android is a simple affair via the Android app OpenVPN Connect or related iOS OpenVPN Connect app.
An .ovpn file is needed for configuration, with the ca.crt, client.crt, and client.key files embedded in it. This file can be emailed/messaged to the ~/Downloads folder and then imported into the OpenVPN client.
OpenVPN on ChromeOS with Native Interface
There is a native interface inside ChromeOS which allows for configuring L2TP and OpenVPN connections. However, it is limited in a few ways and requires several steps:
- Install the ca.crt Certificate Authority
- Install and Bind a client.p12 (pkcs12) Certificate
- Configure the settings for the VPN, including a required username and optional password (this does not support key-only VPN configurations)
To generate the pkcs12:
    openssl pkcs12 -export -out client.p12 -inkey key.key -in cert.crt -certfile ca.crt
Unfortunately, if one uses only keys/certs and does not also use a username to log in, then the native Chrome interface won't work (a long-standing bug that is labeled as a feature request with priority 2; not sure what that means).
There is an alternative approach, if one already has Developer mode enabled (root access), as follows.
OpenVPN on ChromeOS with CROSH + Developer (root)
The command line is where the magic is, since essentially everything just works once Developer Mode is invoked (and a small script is run).
tun0 needs to be made stable so it isn't ended by the
    sudo stop shill
    sudo start shill BLACKLISTED_DEVICES="tun0,br0"
Second, simply invoke openvpn using a config file (either with references to keys or the keys embedded in the config file), such as:
Review of Files used for OpenVPN Client Configuration
- client.ovpn - config file (with key references, or with the keys embedded)
- ca.crt - certificate authority certificate
- client.crt - client certificate
- client.key - client private key
- client.p12 - pkcs12 format generated from ca, cert, and key (see above)
Ovpn File Example
    # CA certificate (ca.crt), embedded inline
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    # Client certificate (client.crt)
    <cert>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </cert>
    # Client private key (client.key)
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>
    key-direction 1
    remote 18.104.22.168 1194 udp4
    nobind
    dev tun
    redirect-gateway def1 ipv6
    tun-mtu 1500
    compress lzo
    pull
    tls-client
    push "redirect-gateway def1"
    comp-lzo
    mssfix 1450
    resolv-retry infinite
    tun-mtu-extra 32
    reneg-sec 0
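One way to produce the embedded form of client.ovpn from the separate ca.crt, client.crt and client.key files listed above, as an added example that is not part of the original page. The function name inline_ovpn, the helper pem_only and the input name client.conf are assumptions; the output holds the private key, so it is created readable by its owner only.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: inline_ovpn BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY OUT_OVPN

# Print only the PEM block(s) of a file; certificates issued by easy-rsa style
# tooling often carry a human-readable text dump above the PEM data.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

inline_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5

    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Catch swapped arguments before anything is written.
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$ca" ||
        { echo "$ca: no certificate found" >&2; return 1; }
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert: no certificate found" >&2; return 1; }
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key: no private key found" >&2; return 1; }

    # The result embeds the private key: create it with mode 0600.
    rm -f "$out"
    (
        umask 077
        {
            # Drop the ca/cert/key file references the inline blocks replace
            # (key-direction and other directives are kept).
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || true
            printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
            printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$key";  printf '</key>\n'
        } > "$out"
    )
}

# As a script: sh inline_ovpn.sh client.conf ca.crt client.crt client.key client.ovpn
if [ "$#" -eq 5 ]; then
    inline_ovpn "$@"
fi
```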
More OpenVPN Resources
Some of these are useful references, others I have not yet read...
- OpenVPN on ChromeOS - Official Google Document
- ChromeOS + OpenVPN (+ TLSAuth)
- Configuring an OpenVPN client connection on Chromebook
- Configuring OpenVPN on Three Platforms