ChromeOS ONC File Generator for OpenVPN

Suggestion: use this in combination with Kenneth White's "My $169 development Chromebook"!

The main goal of this page is to generate an ONC file that can be imported into ChromeOS to set up an OpenVPN client connection. It also contains setup instructions for an OpenVPN server that matches the generated client configuration.

We suggest generating both a UDP version and a TCP version.

On a not-too-restricted network, use the UDP edition; it behaves a bit better on lossy networks.

On a more restricted network, where little more than TCP port 443 gets through, the TCP edition can still work.

Background Documentation

There are various articles about ChromeOS and OpenVPN setup:

This generator is based on Charles-Erick Tremblay's oncgenerator, but:

  • Does not have inline JavaScript
  • Does not embed any tracking code (do verify this by checking what is loaded)
  • Various usability tweaks (HTML5 form validation, field descriptions, examples, etc.)
  • TCP and UDP port variants
  • Full OpenVPN ChromeOS client and server instructions

Generator Form

Fill in all the fields that are not marked optional.

Note that JavaScript is required to generate the ONC files: all processing happens client side, so the cryptographic material you paste never leaves your computer, and we do not need to know your OpenVPN details ;) The form has action="about:blank" to make sure a submit can never post to our server. The source of all this should be quite readable, so do verify that this is the case; we are talking about cryptographic secrets here.


This ONC generator inlines the client certificate and key, so only one file has to be distributed to the client. For that, bundle client.crt, client.key and ca.crt into a PKCS#12 file and base64-encode it with the following shell commands:

openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.pk12
# -w0 emits a single line, which is what the ONC PKCS12 field expects (GNU coreutils; use "base64 -b 0" on macOS)
base64 -w0 client.pk12 > client.pk12.b64

You can choose to set an export password, which you then have to provide to ChromeOS later, or leave it empty, in which case the ONC installs without any password. Choose your security wisely, and distribute the ONC file over a secure channel: it contains the client's private key and gives full access to your OpenVPN instance.

Install the generated ONC file using the "Import ONC file" dialog at chrome://net-internals/#chromeos of ChromeOS (newer ChromeOS releases moved this dialog to chrome://network).
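The generator on this page is JavaScript; as an added example (not the page's code), the following Python builds the same kind of ONC file from the three inputs described above (the PEM text of ca.crt, the output of base64 client.pk12, and ta.key), emits a TCP and a UDP profile in one file since the page recommends having both, and validates the certificate references before you import it. The host name and the SAMPLE_* blobs are constructed placeholders, not real key material.

```python
"""Build a ChromeOS ONC file with the client PKCS#12, the CA and ta.key inlined.
Added example, not the page's JavaScript generator. Inputs are what the page
tells you to produce: the PEM text of ca.crt, the output of `base64 client.pk12`
and the text of ta.key; the SAMPLE_* blobs at the bottom are constructed placeholders."""
import base64
import json
import uuid
from typing import Dict, List


def pem_body(pem: str) -> str:
    """Base64 payload of one PEM block with armour and whitespace stripped (what the
    ONC X509 field takes); decoding it up front rejects a mangled paste."""
    lines = [ln.strip() for ln in pem.splitlines()]
    payload = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(payload, validate=True)
    return payload


def build_onc(host: str, ca_pem: str, pkcs12_b64: str, ta_key: str,
              name: str = "Home VPN", port: int = 443, protos=("tcp", "udp")) -> Dict:
    """One file carrying a TCP and a UDP profile (server.conf / server-udp.conf on
    the page) that share the same certificate objects."""
    ca_guid, client_guid = "{%s}" % uuid.uuid4(), "{%s}" % uuid.uuid4()
    pkcs12 = "".join(pkcs12_b64.split())    # coreutils wraps at 76 columns; ONC wants one string
    base64.b64decode(pkcs12, validate=True)
    networks: List[Dict] = []
    for proto in protos:
        networks.append({
            "GUID": "{%s}" % uuid.uuid4(),
            "Name": "%s (%s)" % (name, proto.upper()),
            "Type": "VPN",
            "VPN": {
                "Type": "OpenVPN",
                "Host": host,
                "OpenVPN": {
                    "Port": port,
                    "Proto": proto,
                    "ServerCARefs": [ca_guid],
                    "ClientCertType": "Ref",
                    "ClientCertRef": client_guid,
                    "Cipher": "AES-256-CBC",    # these three mirror server-common.config
                    "Auth": "SHA512",
                    "CompLZO": "true",
                    "KeyDirection": "1",        # the server side is `tls-auth ta.key 0`
                    "TLSAuthContents": ta_key,
                    "RemoteCertTLS": "server",  # only accept a build-key-server certificate
                    "SaveCredentials": True,
                },
            },
        })
    return {
        "Type": "UnencryptedConfiguration",
        "Certificates": [
            {"GUID": ca_guid, "Type": "Authority", "X509": pem_body(ca_pem)},
            {"GUID": client_guid, "Type": "Client", "PKCS12": pkcs12},
        ],
        "NetworkConfigurations": networks,
    }


def validate_onc(onc: Dict) -> List[str]:
    """The mistakes a hand-edited ONC usually has: duplicate GUIDs, and cert
    references that point at nothing or at the wrong certificate type."""
    problems: List[str] = []
    certs = {c["GUID"]: c for c in onc.get("Certificates", [])}
    guids = [c["GUID"] for c in onc.get("Certificates", [])]
    guids += [n["GUID"] for n in onc.get("NetworkConfigurations", [])]
    if len(set(guids)) != len(guids):
        problems.append("duplicate GUID")
    for net in onc.get("NetworkConfigurations", []):
        ovpn = net.get("VPN", {}).get("OpenVPN", {})
        for ref in ovpn.get("ServerCARefs", []):
            if certs.get(ref, {}).get("Type") != "Authority":
                problems.append("%s: ServerCARefs %s is not an Authority cert" % (net["Name"], ref))
        ref = ovpn.get("ClientCertRef")
        if ovpn.get("ClientCertType") == "Ref" and certs.get(ref, {}).get("Type") != "Client":
            problems.append("%s: ClientCertRef %s is not a Client cert" % (net["Name"], ref))
        if ovpn.get("TLSAuthContents") and ovpn.get("KeyDirection") not in ("0", "1"):
            problems.append("%s: TLSAuthContents needs KeyDirection 0 or 1" % net["Name"])
    return problems


def dump_onc(onc: Dict) -> str:
    return json.dumps(onc, indent=2)


# Constructed placeholders so the example runs offline; use the real files in practice.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                 % base64.b64encode(b"constructed, not a real certificate").decode())
_p12 = base64.b64encode(b"\x30\x82" + bytes(range(98))).decode()
SAMPLE_PKCS12_B64 = "\n".join(_p12[i:i + 76] for i in range(0, len(_p12), 76)) + "\n"
SAMPLE_TA_KEY = ("-----BEGIN OpenVPN Static key V1-----\n2b0194constructed\n"
                 "-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    onc = build_onc("vpn.example.org", SAMPLE_CA_PEM, SAMPLE_PKCS12_B64, SAMPLE_TA_KEY)
    print(validate_onc(onc) or dump_onc(onc))
```

Write the output of dump_onc() to a file and import it as described above; the Cipher, Auth, CompLZO and KeyDirection values have to agree with server-common.config, so change them in both places if you change either.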

OpenVPN server installation

These instructions assume a root shell; otherwise prefix every command with sudo. Install the required packages:
apt-get install openvpn easy-rsa
Set up the Easy-RSA CA:
cd /root
make-cadir my_ca
cd my_ca/
vi vars
# .... set the KEY_* defaults and KEY_SIZE=4096 (build-dh names its output after it: dh4096.pem)
source vars
./clean-all
./build-ca
# Hit <enter> everywhere (accepts the defaults from vars)
./build-key-server server
# Hit <enter> except for the last two questions (sign and commit the certificate?): y
# The following will take quite a while...
./build-dh
# And create a TLS auth key:
openvpn --genkey --secret /root/my_ca/keys/ta.key
For each client:
./build-key clientABC
# Hit <enter> except for the last two questions (sign and commit the certificate?): y

The public ca.crt certificate is needed on all servers and clients.

The private ca.key key is secret and only needed on the key generating machine.

A server needs server.crt and dh4096.pem (public), plus server.key and ta.key (private).

A client needs clientABC.crt (public), plus clientABC.key and ta.key (private).

Put the certs in the right spot for the OpenVPN server (ca.key stays on the CA machine; the server never needs it):

mkdir -p /etc/openvpn/certs
cp -pv /root/my_ca/keys/{ca.crt,server.{crt,key},ta.key,dh4096.pem} /etc/openvpn/certs/
# root-only keys are fine: persist-key loads them before the daemon drops to nobody
chmod 600 /etc/openvpn/certs/{server.key,ta.key}

OpenVPN server configuration

These go together with a Debian OpenVPN install, though most platforms put configs in /etc/openvpn/ and use systemd to start one server instance for every file ending in .conf in that directory.

server-common.config contains the configuration shared by the TCP listener and the UDP listener; each listener pulls it in with the config directive.

Note that at the moment the OpenVPN version on ChromeOS is 2.3, which is why the tls-version-min and tls-cipher options are unfortunately commented out: they are not supported by that ChromeOS client.

Use the standard easy-rsa tricks for creating the certificates.

/etc/openvpn/server-common.config
mode server
tls-server
dev tun

port 443

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh4096.pem
# direction 0 here, so every client uses key-direction 1
tls-auth /etc/openvpn/certs/ta.key 0

#tls-version-min 1.2
#tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512

# Compression must match on both ends. Note it turns the tunnel into a compression
# oracle (VORACLE-style) for plaintext an attacker can inject; drop it if you do not need it.
comp-lzo

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
# (8.8.8.8 is of course routed to your local version of a DNS recursor)

client-to-client
keepalive 10 120

max-clients 64

user nobody
group nogroup

persist-key
persist-tun

# Debugging Options, for when there are issues
#verb 9
#mute 20

#explicit-exit-notify 1
/etc/openvpn/server.conf (TCP Edition)
config server-common.config

proto tcp6

# First half of /24 for TCP based hosts
server 192.168.100.0 255.255.255.128
ifconfig-pool-persist ipp-tcp.txt

# Optional: Forward non-OpenVPN traffic to a real HTTPS box
#port-share 192.168.0.1 443
/etc/openvpn/server-udp.conf (UDP Edition)
config server-common.config

proto udp6

# Second half of the /24 for UDP based hosts
server 192.168.100.128 255.255.255.128
ifconfig-pool-persist ipp-udp.txt
Bonus: Apple iOS (iPhone/iPad) OpenVPN Connect .ovpn 'inline' file format:
client
dev tun
remote <ip>
port 443
proto tcp
# counterpart of the server's "tls-auth ... 0"
key-direction 1
# reject any peer whose certificate was not issued with build-key-server
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
comp-lzo yes
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----
MIIGv....
...uQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIHFzCC....
...1inw==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIJQwIBAD...
EaPV0c=
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
2b0194....
a9f
-----END OpenVPN Static key V1-----
</tls-auth>
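Most "it connects from one device but not the other" reports come from a client profile that drifted from server-common.config. As an added example (not from the page or the OpenVPN project), the Python below parses OpenVPN config syntax, including the config include used by server.conf and the <tag>...</tag> inline blocks used by the iOS profile, and reports the mismatches that break the handshake: cipher, auth, comp-lzo, the tls-auth key direction, and proto. The embedded configs are constructed copies of the page's server-common.config, server.conf and the iOS profile with placeholder key bodies.

```python
"""Cross-check an OpenVPN client profile against the server it will talk to.
Added example (not the page's or OpenVPN's code). Parses OpenVPN config syntax,
including `config <file>` includes and <tag>...</tag> inline blocks, then flags
the mismatches that make a handshake fail. Embedded configs are constructed."""
import shlex
from typing import Dict, List, Optional

Options = Dict[str, List[List[str]]]   # directive -> argument list per occurrence


def parse_openvpn(text: str, includes: Optional[Dict[str, str]] = None) -> Options:
    """`includes` maps names used by `config` to file text, instead of reading disk."""
    opts: Options = {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":          # leading comments only, as OpenVPN does
            continue
        if line.startswith("<") and not line.startswith("</"):
            tag, body = line[1:-1], []           # inline block: stored verbatim under the tag
            while i < len(lines) and lines[i].strip() != "</%s>" % tag:
                body.append(lines[i])
                i += 1
            i += 1
            opts.setdefault(tag, []).append(["\n".join(body)])
            continue
        name, *args = shlex.split(line)          # honours push "quoted arguments"
        if name == "config":
            if not includes or args[0] not in includes:
                raise FileNotFoundError(args[0])
            for key, occ in parse_openvpn(includes[args[0]], includes).items():
                opts.setdefault(key, []).extend(occ)
        else:
            opts.setdefault(name, []).append(args)
    return opts


def _first(opts: Options, key: str) -> Optional[List[str]]:
    return opts[key][0] if key in opts else None


def _family(proto: Optional[List[str]]) -> str:
    """tcp/tcp6/tcp-server/udp6 ... collapse to tcp or udp (udp is OpenVPN's default)."""
    return "tcp" if proto and proto[0].startswith("tcp") else "udp"


def check_pair(server: Options, client: Options) -> List[str]:
    problems: List[str] = []
    for key in ("cipher", "auth"):
        if _first(server, key) != _first(client, key):
            problems.append("%s: server %s vs client %s" % (key, _first(server, key), _first(client, key)))
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo: enabled on one side only")
    s_ta, c_ta, kd = _first(server, "tls-auth"), _first(client, "tls-auth"), _first(client, "key-direction")
    if s_ta and c_ta is None:
        problems.append("tls-auth: server requires it, client has none")
    elif s_ta and len(s_ta) > 1:                 # server gave a direction; client needs the other one
        want = {"0": "1", "1": "0"}.get(s_ta[1])
        got = kd[0] if kd else (c_ta[1] if len(c_ta) > 1 else None)
        if got != want:
            problems.append("tls-auth: server direction %s needs client key-direction %s, got %s" % (s_ta[1], want, got))
    if _family(_first(server, "proto")) != _family(_first(client, "proto")):
        problems.append("proto: server %s vs client %s" % (_first(server, "proto"), _first(client, "proto")))
    if "remote-cert-tls" not in client:
        problems.append("remote-cert-tls server missing: any client cert could impersonate the server")
    return problems


# Constructed copies of the page's configs (key bodies are placeholders).
SERVER_COMMON = """port 443
tls-auth /etc/openvpn/certs/ta.key 0
cipher AES-256-CBC
auth SHA512
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
"""
SERVER_TCP = """config server-common.config
proto tcp6
"""
CLIENT_IOS = """client
remote 203.0.113.10
proto tcp
key-direction 1
cipher AES-256-CBC
auth SHA512
comp-lzo yes
remote-cert-tls server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
2b0194constructed
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def run_checks() -> Dict[str, List[str]]:
    server = parse_openvpn(SERVER_TCP, {"server-common.config": SERVER_COMMON})
    broken = CLIENT_IOS.replace("key-direction 1", "key-direction 0").replace("AES-256", "AES-128")
    return {"page_profile": check_pair(server, parse_openvpn(CLIENT_IOS)),
            "broken_profile": check_pair(server, parse_openvpn(broken))}
```

run_checks() returns an empty list for the page's own profile and two findings for the deliberately broken copy (wrong cipher, wrong key direction); to use it on real files, read server.conf with an includes mapping that contains server-common.config and pass the .ovpn text as the client.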