OpenVPN and Chromebook
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Dec 03, 2013 4:55 pm
OpenVPN and Chromebook
I recently picked up a C720 Chromebook based on the google page that says OpenVPN is supported. I need this functionality in order to remote into Windows desktops and access intranet sites to get actual work done, not for browsing obfuscation.
Anyways, my initial impression is that as of December 2013 OpenVPN on ChromeOS is still not ready for prime time.
After trying to get this working for days here's what I've determined so far.
1. You can enable developer mode and sudo OpenVPN from a terminal prompt with a standard .ovpn file which seems to work but might require manually configuring tun0 or tap0.
https://groups.google.com/forum/#!msg/c ... 9kQK8KiygJ
2. Converting your .ovpn file to an .onc file with base64 encoded embedded certificates sort of works from non-developer mode.
http://www.chromium.org/chromium-os/chr ... figuration
http://www-co.ch.cam.ac.uk/facilities/v ... envpn.html
3. TLS-Auth with a secret ta.key doesn't seem to be supported yet. (Not sure if it is using an ovpn file though). There are onc fields for the tls key and key direction but they throw errors in some openvpn wrapper that chrome os uses. You can see this if you turn on network debugging.
ff_debug +route+connection+vpn
ff_debug --level -2
4. When connecting from non-developer mode using an ONC file, you cannot specify the connection type (tun versus tap).
5. Based on this link ( http://spentry.net/wp/index.php/2013/09 ... hromebook/ ) it appeared that ChromeOs defaults to bridge mode in non-developer mode. However, when I connect to an OpenVPN bridge server using an ONC file, the bridge server notes that the client is actually connecting as tun (routed.)
6. Once connected to a tun (routed) server from non-developer mode using an ONC file, ChromeOs wants to route all of your traffic through the tunnel. Unfortunately I cannot seem to get ChromeOs to honor routes or gateways pushed from the OpenVPN server.
7. As of December 2013, the best I've been able to get working from non-developer mode is to connect to a routed tun server using an onc file and access the internal network only. Is there anyone out there that actually has a working OpenVPN setup on ChromeOS in non-developer mode? It seems that I've almost got it working but something is off with the DHCP dns and pushed routes.
Any help would be much appreciated,
Thx.
Last edited by debbie10t on Tue Dec 03, 2013 8:21 pm, edited 1 time in total.
Reason: Modify Title - Remove Access Server
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Dec 03, 2013 4:55 pm
Re: OpenVPN AS and Chromebook
ii. OpenVPN-Community Software (Free community software)
I suspect this is when you tell me to "take it to the Chaplin..."
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Dec 29, 2013 9:43 pm
Re: OpenVPN and Chromebook
I actually managed to get tls-auth configured correctly through the ONC configuration files. These two parameters are required:
"TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n....\n....\n....\n-----END OpenVPN Static key V1-----\n",
"KeyDirection": "1",
If your ovpn configuration has tls-auth filename 1, then you'll need KeyDirection=1.
Also, note that the value of TLSAuthContents has to be exactly like that, with all the \n embedded for each newline in the file. Otherwise openvpn will think it's "freeform" format, and therefore won't be the key you're really trying to use.
Perhaps someone could help me with my own issue. I've got this configuration "working" in that the VPN will connect, but not pass traffic. I believe this is because the Chromebook is using "tun" mode, where I really want "tap". Anyone know how to convince the Chromebook to pass "tap" options through to the openvpn process _only_ by fiddling with the ONC file ?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Apr 09, 2014 1:17 am
Re: OpenVPN and Chromebook
Chris,
Could you upload your example ONC file somewhere? After several attempts, each of them resulted in "error to parse ONC file format" in Chrome OS, I am at a loss, since no exact error is given.
In my case it's a bit different, as I am not using the static key, I am using combination of user certificate and key to authenticate. Works fine on any OS, but Chrome OS is a bit raw in this area..
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Mar 20, 2014 9:44 am
Re: OpenVPN and Chromebook
Hi,
did you solve your problem with CB and OpenVPN?
I'm in the same case, and even if the .onc file is ok, no success...
Thanks.
A.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Fri May 09, 2014 9:44 am
Re: OpenVPN and Chromebook
This is very useful for me
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Jun 09, 2014 10:48 pm
Re: OpenVPN and Chromebook
@alpinekarst You can get more details on the parse error under chrome://system/
You'll see a message something like:
Code:
[856:856:0609/153121:ERROR:onc_validator.cc(384)] At NetworkConfigurations.0.VPN.OpenVPN: The required field 'ClientCertType' is missing.
I did 'expand all' and searched for 'onc' to find it. This document gave me some hints: http://goo.gl/pCxvvC
-
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Jul 10, 2012 3:50 am
Re: OpenVPN and Chromebook
Were you all ever able to get this to run?
I wonder if there have been any improvements with updated versions of the OS?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Dec 24, 2014 2:52 pm
Re: OpenVPN and Chromebook
I've managed to get this working on my c720. Most of this was following the Ubuntu OpenVPN howto here:
https://help.ubuntu.com/community/OpenVPN
The only difference from the above is that DNS settings can't be pushed to the Chromebook through OpenVPN. Pushing settings to /etc/resolv.conf doesn't seem to work, and editing it in vi doesn't seem to put my changes into effect.
The solution to this was to install dnsmasq onto the Chromebook and manually set 127.0.0.1 as the first DNS server in the list through the Chrome network settings GUI. If there's a programmatic way to do this I'd love to know.
The first thing you'll need to do is install the dev tools:
http://www.chromium.org/chromium-os/how ... ase-images
It seems pretty standard that installing dev tools will fail at installing tcpdump on the c720, but that doesn't keep this OpenVPN setup from working.
Once this is done, use emerge dnsmasq to install dnsmasq. You'll need to create a config file for dnsmasq that contains the DNS server IP addresses for the VPN and start dnsmasq using this config file as you start the vpn client. Unfortunately this means that your DNS server settings will be hard coded on your client. Kill the instance of dnsmasq when your client connection shuts down. It's pretty manageable to put this into a script.
I keep my copy of this in a public repo here (use the server and chromebook folders):
https://github.com/Cau5tik/openvpn
You can use this yourself by generating your own keys and tailoring some of the IP settings for your environment.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sat Jul 18, 2015 3:55 am
Re: OpenVPN and Chromebook
One thing that I got stuck with was this error while trying to set up the chromebook:
ERR openvpn[16096]: Key file '/tmp/.org.chromium.Chromium.h5bYuT' used in --tls-auth contains insufficient key material [keys found=1 required=2] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --tls-auth without a key direction parameter
This turned out to be because I forgot to put the "\n" between each line of the TLS key file. Add the \n's between the lines, but put everything on one line like
"TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n[key line 1]\n[key line 2]\n....\n-----END OpenVPN Static key V1-----",
"KeyDirection": "1"
Also, on my chromebook, when you do the "Import ONC File" and select your file, nothing appears to happen. Stuff is happening though, you just need to check to see if it changed your network connection to see if it succeeded or not. (Annoying)
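The one-line, \n-embedded form of TLSAuthContents described in the two tls-auth posts above can be generated and checked mechanically; this is an added example, not code from any poster in this thread. The function names are hypothetical, the sample key is constructed (not real key material), and the 16-lines-of-32-hex-characters layout is assumed from what `openvpn --genkey --secret` writes.

```python
import json
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"[0-9a-fA-F]{32}")


def key_lines(text):
    """Split key text into its meaningful lines and validate the V1 layout."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Comment lines (the "# 2048 bit OpenVPN static key" banner) are not needed.
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("header and footer must each be on a line of their own")
    body = lines[1:-1]
    if len(body) != 16 or not all(HEX_LINE.fullmatch(ln) for ln in body):
        raise ValueError("expected 16 lines of 32 hex characters (2048 bits)")
    return lines


def onc_tls_auth_fields(key_text, key_direction):
    """Build the two ONC fields named in the thread from a ta.key file's text."""
    if key_direction not in ("0", "1"):
        raise ValueError("key direction must be '0' or '1'")
    return {
        # Real newlines here; json.dumps() turns each one into the two
        # characters backslash + n, giving the single-line form ONC needs.
        "TLSAuthContents": "\n".join(key_lines(key_text)) + "\n",
        "KeyDirection": key_direction,
    }


def check_onc_value(json_string_literal):
    """True if a hand-written TLSAuthContents JSON string decodes to a valid key."""
    try:
        value = json.loads(json_string_literal)
        if not isinstance(value, str):
            return False
        key_lines(value)
        return True
    except ValueError:  # also covers json.JSONDecodeError
        return False


# Constructed sample in the layout of a generated ta.key (NOT a real key).
SAMPLE_KEY = "\n".join(
    ["#", "# 2048 bit OpenVPN static key", "#", HEADER]
    + ["{:02x}".format(i) * 16 for i in range(16)]
    + [FOOTER]
) + "\n"

if __name__ == "__main__":
    print(json.dumps(onc_tls_auth_fields(SAMPLE_KEY, "1"), indent=2))
    # The mistake from the post above: lines pasted together without "\n".
    flattened = json.dumps(" ".join(key_lines(SAMPLE_KEY)))
    print("valid without embedded newlines:", check_onc_value(flattened))
```

Run it on a trusted machine and treat the output like the key itself: the resulting ONC file carries the shared tls-auth secret in clear text.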
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Dec 06, 2015 7:11 am
Re: OpenVPN and Chromebook
Hello,
if you are in developer mode the openvpn command is already available in the shell (ctrl-alt-t + shell)
There are however a couple of issues:
- the shill network service kills unused connections (for example it may kill the tun0 interface before openvpn is able to use it)
- even if the openvpn connection is successful the DNS servers in the /etc/resolv.conf file are not updated so usually the name resolution does not work
I did some search and found out how to solve the above problems.
You can try to put the following script "openvpn2" under /usr/local/bin:
Code:
chronos@localhost /usr/local/bin $ cat openvpn2
#!/bin/sh -e
# Ignore SIGINT in this shell so that ctrl-c stops only openvpn and the cleanup below still runs
trap '' 2
# Stop shill and restart it with a nicer attitude towards tun0
sudo stop shill
sudo start shill BLACKLISTED_DEVICES=tun0
# Sleep 10 seconds to allow chromebook to reconnect to the network
sudo sleep 10
sudo openvpn --mktun --dev tun0
sudo sleep 3
# Add google DNS on top of current ones, since openvpn command does not do it
sudo sed -i '1s/^/# new DNS\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n# old DNS\n/' /var/run/shill/resolv.conf
# Launch openvpn, finally... ("|| true" keeps "sh -e" from skipping the cleanup if openvpn exits non-zero)
sudo openvpn --config "$1" --dev tun0 || true
# When ctrl-c is hit remove tun0 and cleanup the DNS
sudo openvpn --rmtun --dev tun0
sudo sed -i '/# new DNS/,/# old DNS/d' /var/run/shill/resolv.conf
# Restore default SIGINT handling
trap - 2
then if you have an openvpn config file myVPN.ovpn you can just launch the command:
Code:
openvpn2 myVPN.ovpn
So far I tested it with several providers and configuration files and it works flawlessly.
To exit from the openvpn connection it is enough to hit ctrl+c in the shell terminal.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Mar 05, 2016 3:44 am
Re: OpenVPN and Chromebook
This worked perfectly!
I'm running a version of CloudReady on my macbook, it doesn't yet support hardware certificates, it also doesn't support crouton. So I was stuck with having to host my vpn on a raspberry pi and then ssh through it as a sort of middle man to get to my server ( ssh via ovpn only).
This script is perfect.
For my build, I did the following
cd /usr/local
sudo mkdir bin
sudo vi openvpn2
[paste the script entirely]
save the file (esc, x, return)
sudo chmod 777 openvpn2
cd ~/Downloads
openvpn2 mycert.ovpn
--- Here's the tricky part ---
My MacBook Pro isn't entirely supported by CloudReady for wi-fi. SO, if you're like me and when you run the script the internet goes down:
once you run openvpn2 mycert.ovpn - quickly click the wifi button and wait for your wifi network to appear
click to reconnect to the wifi network,
the script will still run in the background.
If you're too slow, try again
------
seriously, thank you for this!
Garevans.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Dec 06, 2015 7:11 am
Re: OpenVPN and Chromebook
I am glad to hear it works for you!
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Apr 02, 2016 10:37 am
Re: OpenVPN and Chromebook
I've also had success doing this through Crouton. You might need to manually create the tunnel though using the --mktun switch.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Feb 12, 2016 11:32 am
Re: OpenVPN and Chromebook
Very good stuff over here with lots of relevant information. Keep it up.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Jul 03, 2017 4:23 pm
Re: OpenVPN and Chromebook
Spent a lot of time to set it up to work with TAP, my steps:
- Turn on developer mode (hold down Esc + F3, restart, hit Control+D).
- Open a terminal (Ctrl+Alt+T, type ‘shell’, hit enter). In my case Ctrl + Alt + F2
- sudo vim /etc/resolv.conf; add “nameserver 10.10.0.1” (replacing “10.10.0.1” with the right IP) at the top
- openvpn --mktun --dev tap0
- openvpn --config /user/vpn/openvpn.ovpn --dev tap0
- When you’re done with the VPN, switch back to this tab and hit Ctrl+C
- openvpn --rmtun --dev tap0
Hope this will save your time while set up.