I finally got the OpenVPN Server on my RT-88U router to host my Chromebook (ASUS C300) now that I'm running Merlin V384.6. That Chromebook does not (yet, anyway) support Android apps, so you're on your own with VPN.
The steps to configure the router and the Chromebook are as follows; please refer to the links for more background, context, and direction.
Generally, the process is to set up the OpenVPN server on the router, import user and authority certificates into the Chromebook, create an ONC block file and import that into the Chromebook. Then: Connect, QED.
1. Configure the ASUS Router OpenVPN server
Here's how my VPN Server is set up for the Chromebook:
General:
- RSA: 2048 encryption
- Client will use VPN to access: Both
- Interface: TUN
- Protocol: UDP
- Server Port: 1194
- Auth Mode: TLS
- UserName/Password: No (although it will work with username and PWD)
- TLS Control...: Incoming Auth (0)
- HMAC Authentication: SHA1
- VPN/Subnet: Your choice, I used 10.8.0.0 and 255.255.255.0
- Advertise DNS: Your choice, I used "Yes."
- Cipher Negotiation: Enable
- Negotiable Ciphers: Default list
- Compression: LZO Adaptive
- Log: 6 for debugging
- Manage Client specific: No
- Log into your router using PuTTY or equivalent.
- Create a directory on the USB drive for the following script and resultant files, e.g., /tmp/mnt/data/chromebook
- Put the script below in the directory you create. (You can paste it from Windows into vi on the router with SHIFT-INSERT after opening a new line in vi with "o"). Or, use your favorite editor.
- Save the file and make it executable with chmod +x
- Run the script to create the files
Code:
#!/bin/sh
#
# Creates certs and keys and inline text needed for the chromebook ONC file
# from the router's client.ovpn and static.key files.
#
# Set the ASUS openvpn server number (1 or 2) below. Edit as required
servernum=1
pth=/tmp/etc/openvpn/server$servernum
#
# client.key and client.p12 contain the private key, so create every file
# below readable by the owner only.
umask 077
#
# parse the client.ovpn file for keys and certs and then create the p12 file
awk '/<ca>/{flag=1;next}/<\/ca>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > ca.crt
awk '/<cert>/{flag=1;next}/<\/cert>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > client.crt
awk '/<key>/{flag=1;next}/<\/key>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > client.key
# openssl prompts for an export password; you need it again when importing on the Chromebook
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
#
# delete newlines from ca.crt. This is the format required by the Chromebook ONC file for
# the X509 parameter.
tr -d '\n' < ca.crt > caoneline.txt
#
# Convert static key to single line with \n string instead of newlines.
# This is the format required by chromebook ONC file for the TLSAuthContents parameter.
grep -v '#' "$pth/static.key" | sed 's/$/\\n/' | tr -d '\n' > TLSAuth.txt
#
# Cleanup since we don't need these once the p12 file is created.
rm client.crt client.key
3. Get the Files out of the Router and Onto the Chromebook
- On a Windows machine, execute the following code as a batch file, replacing the <> parameters with your local configuration. (Put the code into a new text file and save it with a .bat extension and run it from a command line prompt).
- Make sure the target directory exists.
- Then, email or otherwise get the files onto your Chromebook.
Code:
@ECHO OFF
SET RouterUser=<YourUserName>
REM e.g., admin
SET RouterPWD=<YourPWD>
REM e.g., ABadPassword
SET RouterIP=<YourRouterIP>
REM e.g., 192.168.1.1
SET LocalDirectory=<WindowsPathName>
REM e.g., C:\TEMP
SET RouterDirectory=<ProcessedFilesDir>
REM e.g., /tmp/mnt/data/chromebook
@ECHO ON
"C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/caoneline.txt %LocalDirectory%
"C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/ca.crt %LocalDirectory%
"C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/client.p12 %LocalDirectory%
"C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/TLSAuth.txt %LocalDirectory%
4. Import the Certificates into the Chromebook
- See this reference.
- Skip down to "Import the User and Authority" certs. Follow the directions and import both the user (client.p12) and authority (ca.crt) certificates that you have copied to the Chromebook, remembering the password you set on the P12 file.
- Install a text editor on your Chromebook. Makes life easier.
- Refer to this same reference again.
- Skip down to and read "Create the ONC Block." Mine is slightly different from the one in the reference, as shown below. Pay attention to creating the two GUIDs you will need and to where they go in the ONC file. You will need to provide your two GUIDs, a friendly name for the VPN to select on the Chromebook, your DDNS address for connection, and the contents of the caoneline.txt and TLSAuth.txt files.
- GUIDs can be created at http://www.uuidgenerator.net/ as noted in the reference.
- Save this file onto the Chromebook as <AnyNameYouLike>.ONC
Code:
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{<Your GUID1>}",
    "Type": "Authority",
    "X509": "<Contents of the caoneline.txt>"
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{<Your GUID2>}",
    "Name": "<Chromebook VPN Name that will Display>",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "<Your DDNS>",
      "OpenVPN": {
        "ServerCARef": "{<Your GUID1>}",
        "AuthRetry": "interact",
        "Auth": "SHA1",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {
          "IssuerCARef": [ "{<Your GUID1>}" ]
        },
        "CompLZO": "adaptive",
        "Port": 1194,
        "Proto": "udp",
        "RemoteCertTLS": "server",
        "RemoteCertEKU": "TLS Web Server Authentication",
        "KeyDirection": "1",
        "TLSAuthContents": "<Contents of the TLSAuth.txt file>"
      }
    }
  } ]
}
- After you've saved the ONC file, import it to create the VPN entity in Chrome's Network items.
- In the Chromebook, enter chrome://net-internals in the browser, and select ChromeOS from the list. This is found again in the same reference under "Importing the ONC file."
- Browse to and select the ONC file you've created and Open it to import it.
6. Testing and Caveats
- I put my phone into hotspot mode and connected the Chromebook to the hotspot. VPN won't work in your local network.
- Despite the options in the Chromebook VPN configuration, it will not save the password if you provide one and ask it to save (at least in my Chromebook).
- When you ask the VPN to connect, you will or may be asked for a passphrase. Enter any string, like "x" in the OTP field. Again, my Chromebook is not good at null requirements.
- If you want to use a username/password, change the username/password to yes in OpenVPN server, create a user and password, and then add the following to the ONC file (say, after the KeyDirection parameter):
Code:
"Username": "<YourUserName>",
"Password": "<YourPassword>",
"SaveCredentials": true,
However, at least on my Chromebook, the UserName will be saved, but not the password.
The awk verbiage to process the ovpn file came from here, although more was needed to get it all working as in the previously referenced source. Without both of these, and Google's Open Network Configuration documentation, I'd still be wandering in the dark.
Enjoy.
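The ONC file described above can also be generated and checked instead of edited by hand. The following Python is an added example, not part of the original post: it applies the same transformations as the router script to the raw ca.crt and static.key contents, fills in the post's ONC fields with two fresh GUIDs, and checks a finished file for JSON errors and mismatched CA references. The function names, the sample inputs and the host name used with it are assumptions made for illustration.

```python
import json
import uuid

# Constructed sample inputs (not real key material), shaped like the router's files.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\r\nTUlJQ0NBU0FNUExF\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_STATIC_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n"
                     "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n"
                     "-----END OpenVPN Static key V1-----\n")

def one_line_ca(ca_pem):
    # Same result as the script's tr -d '\r' followed by tr -d '\n' on ca.crt.
    return ca_pem.replace("\r", "").replace("\n", "")

def tls_auth_contents(static_key):
    # Drop comment lines like grep -v '#' (and blank lines); json.dumps() then
    # writes each real newline as the \n escape that TLSAuth.txt carries.
    return "".join(l + "\n" for l in static_key.splitlines() if l and "#" not in l)

def build_onc(ca_pem, static_key, host, name, port=1194):
    ca_guid, vpn_guid = ("{%s}" % uuid.uuid4() for _ in range(2))
    openvpn = {
        "ServerCARef": ca_guid, "AuthRetry": "interact", "Auth": "SHA1",
        "ClientCertType": "Pattern", "ClientCertPattern": {"IssuerCARef": [ca_guid]},
        "CompLZO": "adaptive", "Port": port, "Proto": "udp",
        "RemoteCertTLS": "server", "RemoteCertEKU": "TLS Web Server Authentication",
        "KeyDirection": "1", "TLSAuthContents": tls_auth_contents(static_key),
    }
    return {
        "Type": "UnencryptedConfiguration",
        "Certificates": [{"GUID": ca_guid, "Type": "Authority", "X509": one_line_ca(ca_pem)}],
        "NetworkConfigurations": [{
            "GUID": vpn_guid, "Name": name, "Type": "VPN",
            "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": openvpn}}],
    }

def check_onc(text):
    # Returns a list of problems found in an ONC file's text (empty if none).
    try:
        onc = json.loads(text)
    except ValueError as err:
        return ["not valid JSON: %s" % err]
    problems = []
    ca_guids = {c.get("GUID") for c in onc.get("Certificates", [])}
    for net in onc.get("NetworkConfigurations", []):
        ovpn = net.get("VPN", {}).get("OpenVPN", {})
        refs = [ovpn.get("ServerCARef")] + ovpn.get("ClientCertPattern", {}).get("IssuerCARef", [])
        problems += ["CA reference %s matches no certificate GUID" % r for r in refs if r not in ca_guids]
    return problems
```

Write the result with `json.dumps(build_onc(...), indent=2)` and run `check_onc()` on any file you later edit by hand; a missing closing brace or a capitalised `True` is reported as invalid JSON.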