Connect chromebook to openvpn with custom routes

This post will try to help you get an OpenVPN connection on a Chromebook with a pushed route instead of a redirected gateway. By default ChromeOS redirects all traffic to the VPN. To overcome this you can make an ONC file, which can use all the ovpn config options instead of the very limited GUI options.

To start you will need the following files:

ca.crt
client.key
client.crt
client.ovpn (or equivalent)
# user and pass auth enabled in server (auth-user-pass)

At the end you will have 3 files that will allow you to connect to the vpn.

ca.crt
client.p12
chrome-vpn.onc

First we create the p12 file so we can import the user cert and key combo into the ChromeOS device. This can be done on an external system or in a shell on the Chromebook in developer mode. Putting your device in developer mode is not necessary if you have a separate machine to create the p12.

# After running this command you will be asked to set a password for the p12.
# You will need this password to read the contents of it. (when you import it)
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name ChromeBook -out client.p12

Import the root CA and the user p12 on your device

Go to the following URL on your Chromebook: chrome://settings/certificates. Click on the Authorities tab. Import the ca.crt and select "Trust this certificate for identifying websites."

Go to the first tab in the certificate manager (Your certificates). Click on “Import and bind to device”. Select client.p12. Click on OK and a password window will appear. Enter the password you chose earlier when you created the p12 file.

That was the easy part, now for creating the onc file. Underneath is an example:

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{<GUID#1>}",
    "Type": "Authority",
    "X509": "<CA_CERT>"
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{<GUID#2>}",
    "Name": "<VPN_NAME>",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "<HOSTHAME>",
      "OpenVPN": {
        "ServerCARef": "{<GUID#1>}",
        "AuthRetry": "interact",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {
          "IssuerCARef": [ "{<GUID#1>}" ]
        },
        "CompLZO": "true",
        "Port": 1194,
        "Proto": "udp",
        "RemoteCertTLS": "server",
        "RemoteCertEKU": "TLS Web Server Authentication",
        "SaveCredentials": false,
        "ServerPollTimeout": 10,
        "Username": "<USERNAME>",
        "KeyDirection": "1",
        "TLSAuthContents": "<TLS_AUTH_KEY>"
      }
    }
  } ]
}

In there we first replace the <GUID> placeholders with GUIDs from https://www.uuidgenerator.net/. Replace every <GUID#1> with the same GUID and use a different one for <GUID#2>.

Replace <CA_CERT> with the content of the ca.crt file, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Example:

# ca.crt:
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----


#becomes one line without begin and end:
"X509": "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOF.....KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=="

Rename the VPN connection; this is how you will see it from the user's perspective. Change <VPN_NAME> to whatever you want.

Now we get to the actual OpenVPN config

Edit the following: change <HOSTHAME> to your VPN server hostname or IP.

Make sure that these use the same GUID as the one in the CA certificate block:

"ServerCARef": "{<GUID#1>}",
"IssuerCARef": [ "{<GUID#1>}" ]

Then we have some options:

"CompLZO": "true",
"Port": 1194,
"Proto": "udp",
"RemoteCertTLS":"server",
"RemoteCertEKU": "TLS Web Server Authentication",
"SaveCredentials": true,
"ServerPollTimeout": 10,
"Username": "<USERNAME>",
"KeyDirection":"1",                    

You can add a password with: "Password": "supersectretpass", Because the file is an UnencryptedConfiguration, that password sits in the .onc file in plain text.

Remove or add whatever you need; you can find the full spec here: ONC spec

If you use tls-auth with your VPN, there is a catch in making the config. You need to strip the # comment lines and put \n in place of the newlines. Here is what it should look like:

"TLSAuthContents":"-----BEGIN OpenVPN Static key V1-----\n1f2537daea1be955f7...ef396b1c5df8f5a8c\n-----END OpenVPN Static key V1-----\n"

Now for the option that lets you use only the routes pushed by the VPN server instead of redirecting everything:

"IgnoreDefaultRoute": true,

Put that in the OpenVPN block to disable the automatic redirection of all your web traffic. Here is my Office onc file with all the “juicy” details removed.

You can save the file and import it here: chrome://net-internals/#chromeos

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{90a39a1e-2ce8-4fc9-b824-0e1a4faad3e5}",
    "Type": "Authority",
    "X509": "MIIEMjCCAxqgAw......eNDl6nIw=="
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{c44e6e82-c0c2-44e8-9f1c-579404464dc4}",
    "Name": "Office VPN",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "office.domain.tld",
      "OpenVPN": {
        "ServerCARef": "{90a39a1e-2ce8-4fc9-b824-0e1a4faad3e5}",
        "AuthRetry": "interact",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {
          "IssuerCARef": [ "{90a39a1e-2ce8-4fc9-b824-0e1a4faad3e5}" ]
        },
        "Port": 1194,
        "Proto": "udp",
        "Cipher": "AES-256-CBC",
        "CompLZO": "true",
        "IgnoreDefaultRoute": true,
        "RemoteCertTLS": "server",
        "SaveCredentials": true,
        "ServerPollTimeout": 10,
        "Username": "user",
        "Password": "secretpass",
        "KeyDirection": "1",
        "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\n1f2537da....a8c\n-----END OpenVPN Static key V1-----\n"
      }
    }
  } ]
}
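
The manual edits described above (matching GUIDs, the one-line X509 value, the \n-joined TLSAuthContents and IgnoreDefaultRoute) can be scripted. The following Python is an added example, not part of the original post: the function names are hypothetical, the sample certificate and key are constructed placeholders, and it leaves out Password, Cipher and CompLZO, which you add as your server requires.

```python
import json
import uuid

# Constructed sample inputs (placeholders, not a real certificate or key).
SAMPLE_CA = """-----BEGIN CERTIFICATE-----
AAAABBBBCCCCDDDD
EEEEFFFF
-----END CERTIFICATE-----
"""
SAMPLE_TA = """# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
fedcba9876543210
-----END OpenVPN Static key V1-----
"""

def pem_to_x509(pem):
    # Base64 body between the BEGIN/END lines, joined into one line.
    lines = [l.strip() for l in pem.splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----")  # ValueError if absent
    end = lines.index("-----END CERTIFICATE-----", start)
    return "".join(lines[start + 1:end])

def tls_auth_contents(key_text):
    # Drop '#' comment and blank lines; json.dumps later writes newlines as \n.
    kept = [l.strip() for l in key_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    if not kept or not kept[0].startswith("-----BEGIN OpenVPN Static key"):
        raise ValueError("not an OpenVPN static key")
    return "\n".join(kept) + "\n"

def build_onc(name, host, username, ca_pem, ta_key):
    ca_guid = "{%s}" % uuid.uuid4()          # shared by all three CA references
    openvpn = {
        "ServerCARef": ca_guid, "AuthRetry": "interact",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {"IssuerCARef": [ca_guid]},
        "Port": 1194, "Proto": "udp", "RemoteCertTLS": "server",
        "IgnoreDefaultRoute": True,          # only use routes pushed by the server
        "SaveCredentials": False, "Username": username,
        "KeyDirection": "1", "TLSAuthContents": tls_auth_contents(ta_key),
    }
    return {"Type": "UnencryptedConfiguration",
            "Certificates": [{"GUID": ca_guid, "Type": "Authority", "X509": pem_to_x509(ca_pem)}],
            "NetworkConfigurations": [{"GUID": "{%s}" % uuid.uuid4(), "Name": name, "Type": "VPN",
                "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": openvpn}}]}

if __name__ == "__main__":  # prints the file contents; redirect to chrome-vpn.onc
    print(json.dumps(build_onc("Office VPN", "office.domain.tld", "user", SAMPLE_CA, SAMPLE_TA), indent=2))
```

Pass the real contents of ca.crt and your tls-auth key file in place of the samples; the p12 import still has to be done by hand as described earlier.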

For more info check the following links:

ONC Spec ChromeOS VPN ONC block example
