OpenVPN and Chromebook

This forum is for general conversation and user-user networking.
Post Reply
alpinekarst
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 03, 2013 4:55 pm

OpenVPN and Chromebook

Post by alpinekarst » Tue Dec 03, 2013 5:33 pm

I recently picked up a C720 Chromebook based on the google page that says OpenVPN is supported. I need this functionality in order to remote into Windows desktops and access intranet sites to get actual work done, not for browsing obfuscation.

Anyways, my initial impression is that as of December 2013 OpenVPN on ChromeOS is still not ready for prime time.

After trying to get this working for days here's what I've determined so far.

1. You can enable developer mode and sudo OpenVPN from a terminal prompt with a standard .ovpn file which seems to work but might require manually configuring tun0 or tap0.

https://groups.google.com/forum/#!msg/c ... 9kQK8KiygJ

2. Converting your .ovpn file to an .onc file with base64 encoded embedded certificates sort of works from non-developer mode.

http://www.chromium.org/chromium-os/chr ... figuration

http://www-co.ch.cam.ac.uk/facilities/v ... envpn.html


3. TLS-Auth with a secret ta.key doesn't seem to be supported yet. (Not sure if it is using an ovpn file though). There are onc fields for the tls key and key direction but they throw errors in some openvpn wrapper that chrome os uses. You can see this if you turn on network debugging.

ff_debug +route+connection+vpn
ff_debug --level -2


4. When connecting from non-developer mode using an ONC file, you cannot specify the connection type (tun versus tap).

5. Based on this link ( http://spentry.net/wp/index.php/2013/09 ... hromebook/ ) it appeared that ChromeOs defaults to bridge mode in non-developer mode. However, when I connect to an OpenVPN bridge server the server using an ONC file, the bridge server notes that the client is actually connecting as tun (routed.)

6. Once connected to a tun (routed) server from non-developer mode using an ONC file, ChromeOs wants to route all of your traffic through the tunnel. Unfortunately I cannot seem to get ChromeOs to honor routes or gateways pushed from the OpenVPN server.

7. As of December 2013, the best I've been able to get working from non-developer mode is to connect to a routed tun server using an onc file and access the internal network only. Is there anyone out there that actually has a working OpenVPN setup on ChromeOS in non-developer mode? It seems that I've almost got it working but something is off with the DHCP dns and pushed routes.


Any help would be much appreciated,
Thx.
Last edited by debbie10t on Tue Dec 03, 2013 8:21 pm, edited 1 time in total.
Reason: Modify Title - Remove Access Server

alpinekarst
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 03, 2013 4:55 pm

Re: OpenVPN AS and Chromebook

Post by alpinekarst » Tue Dec 03, 2013 7:56 pm

ii. OpenVPN-Community Software (Free community software)

I suspect this is when you tell me to "take it to the Chaplin..."

Chris Cogdon
OpenVpn Newbie
Posts: 1
Joined: Sun Dec 29, 2013 9:43 pm

Re: OpenVPN and Chromebook

Post by Chris Cogdon » Sun Dec 29, 2013 9:47 pm

I actually managed to get tls-auth configured correctly through the ONC configuration files. These two parameters are required:


"TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n....\n....\n....-----END OpenVPN Static key V1\n",
"KeyDirection": "1",

If your ovpn configuration has tls-auth filename 1, then you'll need KeyDirection=1.

Also, note that the value of TLSAuthContents has to be exactly like that, with all the \n embedded for each newline in the file. Otherwise openvpn will think its "freeform" format, and therefore won't be the key you're really trying to use.


Perhaps someone could help me with my own issue. I've got this configuration "working" in that the VPN will connect, but not pass traffic. I believe this is because the Chromebook is using "tun" mode, where I really want "tap". Anyone know how to convince the Chromebook to pass "tap" options through to the openvpn process _only_ by fiddling with the ONC file ?

offenmeier
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 09, 2014 1:17 am

Re: OpenVPN and Chromebook

Post by offenmeier » Wed Apr 09, 2014 1:20 am

Chris,

Could you upload your example ONC file somewhere? After several attempts, each of them resulted in "error to parse ONC file format" in Chrome OS, I am at a loss, since no exact error is given.

In my case it's a bit different, as I am not using the static key, I am using combination of user certificate and key to authenticate. Works fine on any OS, but Chrome OS is a bit raw in this area..

ahily
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 20, 2014 9:44 am

Re: OpenVPN and Chromebook

Post by ahily » Fri May 09, 2014 9:06 am

Hi,

do you solve your problem with CB and OpenVPN?
I'm in the same case, and even if the .onc file is ok, no success...

Thanks.

A.

betta21
OpenVpn Newbie
Posts: 2
Joined: Fri May 09, 2014 9:44 am

Re: OpenVPN and Chromebook

Post by betta21 » Fri May 09, 2014 9:47 am

This is very usefully for me :)

buck
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 09, 2014 10:48 pm

Re: OpenVPN and Chromebook

Post by buck » Mon Jun 09, 2014 10:51 pm

@alpinekarst You can get more details on the parse error under chrome://system/

You'll see a message something like:

Code: Select all

[856:856:0609/153121:ERROR:onc_validator.cc(384)] At NetworkConfigurations.0.VPN.OpenVPN: The required field 'ClientCertType' is missing.
I did 'expand all' and searched for 'onc' to find it. This document gave me some hints: http://goo.gl/pCxvvC

nchall
OpenVpn Newbie
Posts: 8
Joined: Tue Jul 10, 2012 3:50 am

Re: OpenVPN and Chromebook

Post by nchall » Thu Oct 16, 2014 4:57 pm

Were you all ever get this to run?

I wonder if there have been any improvements with updated versions of the OS?

cau5tik
OpenVpn Newbie
Posts: 1
Joined: Wed Dec 24, 2014 2:52 pm

Re: OpenVPN and Chromebook

Post by cau5tik » Sat Jan 03, 2015 4:28 am

I've managed to get this working on my c720. Most of this was following the Ubuntu OpenVPN howto here:
https://help.ubuntu.com/community/OpenVPN

The only difference from the above is that DNS settings can't be pushed to the Chromebook through OpenVPN. Pushing settings to /etc/resolv.conf doesn't seem to work, and editing it in vi doesn't seem to put my changes into effect.

The solution to this was to install dnsmasq onto the Chromebook and manually set 127.0.0.1 as the first DNS server in the list through the Chrome network settings GUI. If there's a programatic way to do this I'd love to know.

The first thing you'll need to do is install the dev tools:
http://www.chromium.org/chromium-os/how ... ase-images
It seems pretty standard that installing dev tools will fail at installing tcpdump on the c720, but that doesn't keep this OpenVPN setup from working.

Once this is done, use emerge dnsmasq to install dnsmasq. You'll need to create a config file for dnsmasq that contains the DNS server IP addresses for the VPN and start dnsmasq using this config file as you start the vpn client. Unfortunately this means that your DNS server settings will be hard coded on your client. Kill the instance of dnsmasq when your client connection shuts down. It's pretty manageable to put this into a script.

I keep my copy of this in a public repo here (use the server and chromebook folders):
https://github.com/Cau5tik/openvpn
You can use this yourself by generating your own keys and tailoring some of the IP settings for your environment.

psaindon
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 18, 2015 3:55 am

Re: OpenVPN and Chromebook

Post by psaindon » Sat Jul 18, 2015 4:02 am

One thing that I got stuck with was this error whlie trying to set up the chromebook:

ERR openvpn[16096]: Key file '/tmp/.org.chromium.Chromium.h5bYuT' used in --tls-auth contains insufficient key material [keys found=1 required=2] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --tls-auth without a key direction parameter

This turned out to be because I forgot to put the "\n" between each line of the TLS key file. Add the \n's between the lines, but put everything on one line like

"TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n[key line 1]\n[key line 2]\n....\n-----END OpenVPN Static key V1-----",
"KeyDirection": "1"

Also, on my chromebook, when you do the "Import ONC File" and select your file, nothing appears to happen. Stuff is happening though, you just need to check to see if it changed your network connection to see if it succeeded or not. (Annoying)

pippo0312
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 06, 2015 7:11 am

Re: OpenVPN and Chromebook

Post by pippo0312 » Thu Dec 10, 2015 3:24 pm

Hello,
if you are in developer mode the openvpn command is already available in the shell (ctrl-alt-t + shell)
There are however a couple of issues:

- the shill network service kills unused connections (for example it may kill the tun0 interface before openvpn is able to use it)
- even if the openvpn connection is successful the DNS servers in the /etc/resolv.conf file are not updated so usually the name resolution does not work

I did some search and found out how to solve the above problems.

You can try to put the following script "openvpn2" under /usr/local/bin:

Code: Select all

chronos@localhost /usr/local/bin $ cat openvpn2

Code: Select all

#!/bin/sh -e
trap '' 2
# Stop shill and restart it with a nicer attitude towards tun0
sudo stop shill
sudo start shill BLACKLISTED_DEVICES=tun0
# Sleep 10 seconds to allow chromebook to reconnect to the network
sudo sleep 10
sudo openvpn --mktun --dev tun0
sudo sleep 3
# Add google DNS on top of current ones, since openvpn command does not do it
sudo sed -i '1s/^/# new DNS\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n# old DNS\n/' /var/run/shill/resolv.conf
# Lauch openvpn, finally...
sudo openvpn --config $1 --dev tun0
# When ctrl-c is hit remove tun0 and cleanup the DNS
sudo openvpn --rmtun --dev tun0
sudo sed -i '/# new DNS/,/# old DNS/d' /var/run/shill/resolv.conf
trap 2
then if you have a openvpn config file myVPN.ovpn you can just launch the command:

Code: Select all

openvpn2 myVPN.ovpn
So far I tested it with sevaral providers and configuration files and it works flawlessy.
To exit from the openvpn connection it is enough to hit ctrl+c in the shell terminal.

garevans
OpenVpn Newbie
Posts: 2
Joined: Sat Mar 05, 2016 3:44 am

Re: OpenVPN and Chromebook

Post by garevans » Sat Mar 05, 2016 3:48 am

This worked perfectly!

I'm running a version of CloudReady on my macbook, it doesn't yet support hardware certificates, it also doesn't support crouton. So I was stuck with having to host my vpn on a raspberry pi and then ssh through it as a sort of middle man to get to my server ( ssh via ovpn only).

This script is perfect.

For my build, I did the following

cd /usr/local
sudo mkdir bin
sudo vi openvpn2
[paste the script entirely]
save the file (esc, x, return)
sudo chmod 777 openvpn2
cd ~/Downloads
openvpn2 mycert.ovpn

--- Here's the tricky part ---
My MacBook Pro isn't entirely supported by CloudReady for wi-fi. SO, if you're like me and when you run the script the internet goes down:

once you run openvpn2 mycert.ovpn - quickly click the wifi button and wait for your wifi network to appear
click to reconnect to the wifi network,
the script will still run in the background.
If you're too slow, try again :)
------

seriously, thank you for this!

Garevans.

pippo0312
OpenVpn Newbie
Posts: 4
Joined: Sun Dec 06, 2015 7:11 am

Re: OpenVPN and Chromebook

Post by pippo0312 » Sun Mar 20, 2016 3:38 pm

I am glad to hear it works for you!

Ziyon
OpenVpn Newbie
Posts: 4
Joined: Sat Apr 02, 2016 10:37 am

Re: OpenVPN and Chromebook

Post by Ziyon » Sat Apr 02, 2016 11:00 am

I've also had success doing this through Crouton. You might need to manually create the tunnel though using the --mktun switch.

jameshouston135
OpenVpn Newbie
Posts: 9
Joined: Fri Feb 12, 2016 11:32 am

Re: OpenVPN and Chromebook

Post by jameshouston135 » Tue Apr 12, 2016 10:21 am

Very good stuff over here with lots of relevant information. Keep it up.

Zin4uk
OpenVpn Newbie
Posts: 1
Joined: Mon Jul 03, 2017 4:23 pm

Re: OpenVPN and Chromebook

Post by Zin4uk » Mon Jul 03, 2017 4:54 pm

Spent a lot of time to set it up to work with TAP, my steps:
  • Turn on developer mode (hold down Esc + F3, restart, hit Control+D).
  • Open a terminal (Ctrl+Alt+T, type ‘shell’, hit enter). In my case Ctrl + Alt + F2
  • sudo vim /etc/resolv.conf; add “nameserver 10.10.0.1” (replacing “10.10.0.1” with the right IP) at the top
  • openvpn --mktun --dev tap0
  • openvpn --config /user/vpn/openvpn.ovpn --dev tap0
  • When you’re done with the VPN, switch back to this tab and hit Ctrl+C
  • openvpn --rmtun --dev tap0
You can also try this article https://blog.ikeran.org/?p=123
Hope this will save your time while set up.

Post Reply