OpenVPN on ChromeOS, Android

Updated 20-Sep-2023

Complexity with a Simplistic Solution

OpenVPN on ChromeOS and Android has become a bit complicated, since ChromeOS now supports Android. However, Android seems to live inside its own environment within ChromeOS, accessible to other Android apps, but without the ability to modify the larger ChromeOS environment. This means that using an Android OpenVPN app doesn't have an effect on ChromeOS apps, only other Android apps. For example, the Android Outlook app would not authenticate properly to external accounts until a compatible browser app was installed (and since Chrome was not available, it needed to be Chrome Beta, Chrome Dev, or possibly Chrome Canary). Our testing indicates that the OpenVPN Connect or OpenVPN for Android apps apply their new VPN routes only to Android apps, and not the larger ChromeOS environment, if the "Prefer this network" setting is enabled in ChromeOS. Disable this and Bob's your uncle.

OpenVPN on Android

OpenVPN Android apps make a lot of sense, both for Android and for ChromeOS + Android. OpenVPN on Android is a simple affair via the Android app OpenVPN Connect or the related iOS OpenVPN Connect app. A single .ovpn file is needed for configuration, with the ca.crt, client.crt, and client.key files embedded in it. This file can be emailed/messaged to the ~/Downloads folder and then imported into the OpenVPN client.

OpenVPN on ChromeOS with Native Interface

There is a native interface inside ChromeOS which allows for configuring L2TP and OpenVPN connections. However, it is limited in a few ways and requires several steps:

  • Install the ca.crt Certificate Authority
  • Install and Bind a client.p12 (pkcs12) Certificate
  • Configure the settings for the VPN, including a required username and optional password (this does not support key-only VPN configurations)

To generate the pkcs12 client.p12 file:

openssl pkcs12 -export -out client.p12 -inkey key.key -in cert.crt -certfile ca.crt

Unfortunately, if one uses only keys/certs and does not also use a username to log in, then the native Chrome interface won't work (a long-standing bug that is labeled as a feature request with priority 2; not sure what that means). There is an alternative approach, if one already has Developer mode enabled (root access), as follows.

OpenVPN on ChromeOS with CROSH + Developer (root)

The command line is where the magic is, since essentially everything just works once Developer Mode is invoked (and a small script is run). First, tun0 needs to be made stable so it isn't ended by the shill service.

sudo stop shill
sudo start shill BLACKLISTED_DEVICES="tun0,br0"

Second, simply invoke openvpn using a config file (either with references to keys or the keys embedded in the config file), such as:

openvpn client.ovpn

Review of Files used for OpenVPN Client Configuration

  • client.ovpn - config file (with key references, or with the keys embedded)
  • ca.crt - certificate authority certificate
  • client.crt - client certificate
  • client.key - client private key
  • client.p12 - pkcs12 format generated from ca, cert, and key (see above)

Ovpn File Example


<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
key-direction 1
remote 1.2.3.4 1194 udp4
nobind
dev tun
redirect-gateway def1 ipv6
tun-mtu 1500
compress lzo
pull
tls-client
push "redirect-gateway def1"
comp-lzo
mssfix 1450
resolv-retry infinite
tun-mtu-extra 32
reneg-sec 0
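As an added example (not from the original page), this shell function builds the single-file profile described above from a config that references its credentials by file name, plus the ca.crt, client.crt and client.key files. The function name embed_ovpn and the file names in the usage line are assumptions; the <ca>, <cert> and <key> blocks are OpenVPN's inline-file syntax.

```shell
#!/bin/sh
# Added example: build a single-file OpenVPN profile with embedded credentials.
# embed_ovpn is a hypothetical helper name, not part of OpenVPN.
# Usage: embed_ovpn base.conf ca.crt client.crt client.key client.ovpn

embed_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5

    # Writing over the input would truncate it before it is read.
    [ "$base" != "$out" ] || { echo "output equals input: $out" >&2; return 1; }

    # Refuse to build a profile from missing or empty inputs.
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # Catch swapped arguments: each file must carry the expected PEM header.
    # The key pattern also accepts RSA, EC and ENCRYPTED private key headers.
    for f in "$ca" "$cert"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "not a PEM private key: $key" >&2; return 1; }

    # The result contains the private key, so create it owner-only (0600).
    # The subshell keeps the umask change from leaking into the caller.
    (
        umask 077
        rm -f "$out"
        {
            # Drop "ca/cert/key <file>" references; inline blocks replace them.
            # "key-direction" is kept because no whitespace follows "key".
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || :
            # awk 1 copies the file and guarantees a final newline.
            printf '<ca>\n';   awk 1 "$ca";   printf '</ca>\n'
            printf '<cert>\n'; awk 1 "$cert"; printf '</cert>\n'
            printf '<key>\n';  awk 1 "$key";  printf '</key>\n'
        } > "$out"
    )
}
```

The resulting client.ovpn is a bearer credential for the VPN, which is why the function writes it with owner-only permissions.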

More OpenVPN Resources

Some of these are useful references, others I have not yet read...

  • OpenVPN on ChromeOS
  • Official Google Document
  • ChromeOS + OpenVPN (+ TLSAuth)
  • Configuring an OpenVPN client connection on Chromebook
  • Configuring OpenVPN on Three Platforms