Re: Issue 217624 in chromium: Chrome OS OpenVPN does not support various configurations options such as tlsauth


chro...@googlecode.com

May 13, 2013, 6:47:06 PM
to chromi...@chromium.org

Comment #26 on issue 217624 by redc...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

At the very least it would be nice to have some easy way to stop shill
from eating my tun devices if I manually run openvpn (which I prefer to do).

Currently I had to check out the source to shill, see that
a "--device-black-list" option exists, realize I cannot change the settings
shill is launched with in /etc because it is ro, then write a shell script to
stop the system shill and relaunch it with --device-black-list=tun0



chro...@googlecode.com

Jul 13, 2013, 9:16:39 AM
to chromi...@chromium.org

Comment #27 on issue 217624 by anomaly...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

This seems like a fairly simple problem to fix. Why is it taking so long?
Just make username/password/otp not-mandatory and let openvpn do its thing
with the cert-based auth when a user cert is provided. This is how 99.9%
of the openvpn setups I've used at several employers have all operated.
Correct or not, ChromeOS should allow this and again it seems like a really
simple thing to fix.

chro...@googlecode.com

Jul 14, 2013, 1:57:30 AM
to chromi...@chromium.org
Updates:
Cc: benc...@chromium.org stev...@chromium.org

Comment #28 on issue 217624 by su...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

So I see two different requests here:
1. tlsauth support in the UI
2. Ability to have only cert based auth (without username/password/otp)

Are there any other requests?

Trond, can we consider these in the upcoming networking UI changes since
both of these seem to be UI changes only iiuc?

chro...@googlecode.com

Jul 14, 2013, 2:06:01 AM
to chromi...@chromium.org

Comment #29 on issue 217624 by jmason...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Any possibility of directly reading a .ovpn file directly from the UI
(without conversion) so that a random user can just download it from their
OpenVPN provider and install it?

chro...@googlecode.com

Jul 14, 2013, 2:29:34 AM
to chromi...@chromium.org

Comment #30 on issue 217624 by su...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Re:#29, thanks, we will look into the feature request for uploading
an .ovpn.

chro...@googlecode.com

Jul 14, 2013, 3:03:18 AM
to chromi...@chromium.org

Comment #31 on issue 217624 by tim.dick...@aubergeresorts.com: Chrome OS
OpenVPN does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Native OVPN support is the last hurdle in widespread deployment in our
enterprise.
We use OpenVPN for all our connections and need the ability to import
multiple.
So I second the support request!

chro...@googlecode.com

Jul 14, 2013, 4:14:32 AM
to chromi...@chromium.org

Comment #32 on issue 217624 by t...@meyersbc.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I also support this request. I have several clients who want chrome books
and this is the last issue holding us back. If this were a standard open
source project I would pay (or write it myself) for this to be done.

Mark Meyer
Ma...@MeyerSBC.com

This message was sent from my Droid.

chro...@googlecode.com

Jul 14, 2013, 11:05:51 AM
to chromi...@chromium.org

Comment #33 on issue 217624 by chris.to...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I second third fourth and fifth this. I find it astonishing that a company
that gets so many things right can get OpenVPN interoperability so wrong.
Private TLS from the interface is basic. Importing ovpn configurations
would be excellent. Pretending that ONC is a better future answer to a
problem we all have now is both arrogant and stupid.

And it is absolutely a show stopper as far as recommending Chrome machines
to clients. Which is unfortunate for both parties. Us and you.

Please excuse my anger.

-cpt

chro...@googlecode.com

Jul 14, 2013, 12:04:38 PM
to chromi...@chromium.org

Comment #34 on issue 217624 by corv...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Fully agree. The simplest thing is to allow importation of .ovpn config
files in the UI. The OS has no trouble with these. The decision not to
allow them can only be a policy choice that Google is not being transparent
with users about. A perverse choice, in my opinion.

chro...@googlecode.com

Jul 14, 2013, 12:05:39 PM
to chromi...@chromium.org

Comment #35 on issue 217624 by corv...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Fully agree. The simplest thing is to allow importation of .ovpn config
files in the UI. The OS has no trouble with these. The decision not to

chro...@googlecode.com

Jul 14, 2013, 12:57:45 PM
to chromi...@chromium.org

Comment #36 on issue 217624 by ad...@titlewrite.net: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

The idea of it being a policy choice is something I've wondered about but
the only possible advantage there that I have imagined (I have a limited
imagination) is that private TLS (the most obvious feature to me) deeply
inhibits some other behaviours that providers might engage in.

I prefer to regard it as an oversight that will be corrected.

-cpt

chro...@googlecode.com

Jul 15, 2013, 1:11:34 PM
to chromi...@chromium.org

Comment #37 on issue 217624 by jasonrhi...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Agree with all the other comments on supporting ovpn file. This is the
only major feature that is keeping me from recommending Chromebooks as a
primary choice for users at our company.

My Samsung Chromebook is GREAT! When this issue is fixed it will finally
give me an excuse to upgrade to a Pixel. Come on Google fix this. I
really want a Pixel!

chro...@googlecode.com

Aug 2, 2013, 7:38:03 AM
to chromi...@chromium.org

Comment #38 on issue 217624 by sgha...@stevengharms.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

+1 to all others. Certificate management, debugging, OVPN file. This has
just been a huge pain point all around. It's close, but just not *quite*
right.

chro...@googlecode.com

Aug 5, 2013, 5:01:25 PM
to chromi...@chromium.org

Comment #40 on issue 217624 by bugdro...@chromium.org: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624#c40

Project: chromiumos/platform/shill
Branch : master
Author : Paul Stewart <ps...@chromium.org>
Commit : b26347a48e976a890210bb5fcc28892ac7df42e9

Code Review +2: Paul Stewart
Verified +1: Paul Stewart
Change-Id : I6424ccafb5764428b1ee8fc2ad41177a6d2b3c52
Reviewed-at : https://gerrit.chromium.org/gerrit/64368

shill: OpenVPNDriver: Write a configuration file

Instead of passing configuration to OpenVPN using command line
options, write out a configuration file instead. This config
file is owned by root created in a run directory that is not
readable by any other users. Although OpenVPN drops privileges,
it reads its configuration before doing so. The configuration
file is removed with the regular OpenVPNDriver cleanup process.

As a side effect of this, all added options in the OpenVPNDriver
and OpenVPNManagementServer now lose their "--" prefix.

BUG=chromium:217624
TEST=Unit tests, network_VPNConnect.openvpn_user_pass

Commit-Queue: Paul Stewart <ps...@chromium.org>

M openvpn_driver.cc
M openvpn_driver.h
M openvpn_driver_unittest.cc
M openvpn_management_server.cc
M openvpn_management_server_unittest.cc

chro...@googlecode.com

Jan 7, 2014, 3:20:22 PM
to chromi...@chromium.org

Comment #44 on issue 217624 by jas...@gmail.com: Chrome OS OpenVPN does not
support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I have a working onc that allows me to connect to my home VPN cert-only
(still have to put in dummy l/p values, but they are ignored). I was never
able to get tls-auth working correctly, but from the May 2013 ONC spec, it
looks like it is supported (keys TLSAuthContents and KeyDirection).
Connecting to dd-wrt server.

For anyone who needs it, here's a skeleton ONC to setup a cert-only
connection:
https://gist.github.com/jashsu/7978665
I inlined the certs into my ONC, but you can also try excluding it and
import a P12 file separately using the certificate import GUI. If you are
going to inline the certs in the ONC, parts of this script will be useful:
https://github.com/royans/ec2_chromeos_openvpn/blob/master/openvpn_config.sh

chro...@googlecode.com

Jan 7, 2014, 3:28:22 PM
to chromi...@chromium.org

Comment #45 on issue 217624 by nhen...@google.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

You might also check my write up at: go/ChromeOS-OpenVPN
if you need more instructions on how to install the ONC block etc.

chro...@googlecode.com

Jan 7, 2014, 3:33:28 PM
to chromi...@chromium.org

Comment #46 on issue 217624 by jas...@gmail.com: Chrome OS OpenVPN does not
support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@nhen: Could you make that writeup available to us external users?

chro...@googlecode.com

Jan 7, 2014, 6:32:40 PM
to chromi...@chromium.org

Comment #48 on issue 217624 by qui...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@nhendin: publish to web?
https://support.google.com/drive/answer/183965?hl=en

chro...@googlecode.com

Jan 7, 2014, 7:53:08 PM
to chromi...@chromium.org

Comment #50 on issue 217624 by jas...@gmail.com: Chrome OS OpenVPN does not
support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@nhen...: Thanks! It's a nice all-inclusive write up. By the way if you
inline the CA cert (and optionally client pkcs12) by putting their
ascii-armored blocks in the Certificates section of the json, there is no
need to use the Chrome certificate import GUI.

On tls-auth: it looks like I was missing the escaped newline chars in my
TLSAuthContents. I'll give it another shot tonight.

I built spigots from current chromium source and ran it on my link, and I
didn't see any way for it to take an ovpn input file.

chro...@googlecode.com

Jan 7, 2014, 8:02:08 PM
to chromi...@chromium.org

Comment #51 on issue 217624 by nhen...@google.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@jas,

Wasn't sure that the inline certs would import correctly, so I did that
manually first.

Yeah the TLS auth "\n" caused a bit of head scratching. Eventually I
contacted the internal author of the ONC import blob and he pointed me in
the right direction.

It looks like spigots was not ever completed to a level where it would do
what we need it to.

Good luck.

--Neil.

chro...@googlecode.com

Jan 8, 2014, 6:45:49 AM
to chromi...@chromium.org

Comment #52 on issue 217624 by scarfey....@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Guys, I'm impressed by your progress but envious at the same time as it's
all a bit over my head.

Are we any closer to connecting to my NAS server via the UI (or at least
just a couple of extra steps only from it)?

Thanks and well done!

chro...@googlecode.com

Jan 25, 2014, 10:14:41 AM
to chromi...@chromium.org

Comment #53 on issue 217624 by roxannalugtigheid: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

While I'm not afraid to switch on developer mode and to use ovpn files from
the terminal, I'm just not eager to have to watch the boot warning every
time I start up.

If this is mostly a UI issue (as openvpn itself supports all we need), I
find it bewildering that it's been left in this state for so long. :/

chro...@googlecode.com

Feb 18, 2014, 7:01:45 PM
to chromi...@chromium.org

Comment #54 on issue 217624 by prat...@condorcapital.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I followed the document in comment #49, but I am getting the following
error in my logs:

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I am using OpenVPN AS and pulled the necessary certificates/keys from the
user-locked ovpn file, can anyone point me in the right direction from
here? What does this error mean exactly?

chro...@googlecode.com

Feb 20, 2014, 10:15:03 AM
to chromi...@chromium.org

Comment #55 on issue 217624 by prat...@condorcapital.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

In case anyone else experienced the issue I did, I had to set the following
in my ONC configuration file to get it working:

"RemoteCertTLS": "none",

By default, the Chromebook was trying to set this value to "Server" and my
OpenVPN AS installation was not generating the correct certificates to
support this mode of signing/authentication.

chro...@googlecode.com

Mar 9, 2014, 6:48:04 PM
to chromi...@chromium.org

Comment #57 on issue 217624 by wilderc...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Preamble: I struggled for several months with getting the OpenVPN client
configured on a Chromebook and a Chromebox, and eventually gave up. (Though
I can make it work within the Crouton environment.)

Request: Please provide an officially-supported Chrome extension that takes
a *.ovpn file and spits out everything that Chrome OS needs to configure
its OpenVPN client. So we copy-and-paste our *.ovpn file and certificates
into that extension, and it spits out all the needed configuration data and
exact instructions to make OpenVPN work.

No changes to Chromium OS would then be needed.

chro...@googlecode.com

Mar 27, 2014, 8:13:01 PM
to chromi...@chromium.org

Comment #58 on issue 217624 by mjwestfi...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

This is almost unforgivable to omit use of ovpn files. I would never use a
chromebook in a business environment. The vpn methods they allow are not as
secure as openvpn. The omission makes the chromebook nothing more than a toy.

chro...@googlecode.com

Mar 29, 2014, 11:09:20 AM
to chromi...@chromium.org

Comment #59 on issue 217624 by tarynbut...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

$1499 with "native OpenVPN support" bla bla hogwash

chro...@googlecode.com

Mar 29, 2014, 12:17:55 PM
to chromi...@chromium.org
Updates:
Cc: pneu...@chromium.org

Comment #60 on issue 217624 by ps...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

(No comment was entered for this change.)

chro...@googlecode.com

Apr 10, 2014, 3:34:27 PM
to chromi...@chromium.org

Comment #61 on issue 217624 by je...@heiselman.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I am getting the following error when I try to connect to my VPN.

"Failed to connect to network 'MyVPN': Failed to configure network"

I used the Spigots utility to create the initial .onc file and then edited
it to include the TLSAuthContents and the KeyDirection parameters and a few
other things that needed tweaked (port, cipher).

I have attached the .conf file and the output from "connectivity show
services" with sensitive information removed. Everything looks correct.

It looks like others may have gotten this to work. Can someone tell me what
I may have done wrong?

FYI - My VPN doesn't require a client cert. It relies on the TLS Auth key
and a username/password combo.

Attachments:
net_config.txt 1.1 KB
openvpn.conf 375 bytes

chro...@googlecode.com

Apr 10, 2014, 5:34:49 PM
to chromi...@chromium.org

Comment #65 on issue 217624 by ps...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

If you clear a property that is not set, you get
Error::kNotFound, "Property is not set". This has always been the case.

chro...@googlecode.com

Apr 10, 2014, 6:42:58 PM
to chromi...@chromium.org

Comment #66 on issue 217624 by stev...@chromium.org: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I don't doubt that this has always been the case, it just hasn't come up
before.

Unfortunately we don't track in Chrome whether or not a Shill property has
been set, so I think we will have to ignore this error and treat it as a
warning. That should be a pretty easy change to make.

I created a separate issue to track this particular problem: issue 362303.

Thanks jerry@ for including a log, that made it pretty straightforward to
track down the problem.

chro...@googlecode.com

Apr 10, 2014, 11:21:29 PM
to chromi...@chromium.org

Comment #67 on issue 217624 by je...@heiselman.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

stevejb@ glad I could help. Resolving this issue will clear the path for me
to use my Chromebook as my primary development workstation. I will follow
issue 362303 and hope for a quick turn around.

chro...@googlecode.com

Apr 12, 2014, 12:12:39 PM
to chromi...@chromium.org

Comment #68 on issue 217624 by chris.to...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

I have a working config on a chromebook pixel with TLS. It took a hell of
a lot of hints, many hours in a text editor, lotta logfile staring, and
ignoring the occasional GOOG wrongheaded answer (e.g. "open source" doesn't
always play nice). Will post. It does actually work, at least the last
time I charged up.

chro...@googlecode.com

Jun 8, 2014, 7:59:05 AM
to chromi...@chromium.org

Comment #70 on issue 217624 by mpe...@gmail.com: Chrome OS OpenVPN does not
support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

Hello!

I am trying to setup OpenVPN with client, CA certificates + TLS auth
certificate, but also user name and password is required. I included all 3
certificates in ONC file. Client and CA certificates look the same as if I
would import them manually. TLS certificate looks good at service listing.
From logs it seems like the client certificate is omitted and Pkcs11.*
properties are set and PassphraseRequired is set to false.
I am using Chromebook in normal user mode and wish to keep it this way.

Any idea what might be wrong?

(I attached original OVPN file, my ONC file, how the service looks just
after import and after connection attempt and finally netlog.)

Attachments:
client.ovpn 336 bytes
client.onc 1.1 KB
service_after_import.txt 1.1 KB
service_after_connect_attempt.txt 1.4 KB
netlog.txt 4.8 KB

chro...@googlecode.com

Jun 28, 2014, 12:40:10 PM
to chromi...@chromium.org

Comment #73 on issue 217624 by rachel.a...@synchroresearch.com: Chrome OS
OpenVPN does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@Prat #55, My setup sounds identical to yours.
Server: OpenVPN-AS 2.0.8 on debian 7.5.
Client is a chromebook acer c10

After combing this thread and this document goo.gl/pCxvvC, and trying
various changes like "RemoteCertTLS": "none", I continue to get the error:
LS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-06-28T09:08:41.113486-07:00 localhost openvpn[23290]: TLS Error: TLS
object -> incoming plaintext read error
2014-06-28T09:08:41.113492-07:00 localhost openvpn[23290]: TLS Error: TLS
handshake failed.



Note that in trying to get this work, I have setup a dev box with a stock
openvpnas install with no config changes.

Here is my ONC (I have altered the sensitive bits).

Any insight would be so much appreciated. This is the final hurdle in
rolling out chromebooks to all our staff. And this is a showstopper
unfortunately...

Thanks a bunch!

{
  "Type":"UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{hsdfgh45ljh456kjh456jhk45}",
    "Type": "Authority",
    "X509": "MIICuDCCAaCgAwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIQ/Mn3swQ=="
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{hsdfgh45ljh456kjh456jhk45hsdfgh45ljh456kjh456jhk45}",
    "Name": "openvpn",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "23.239.0.124",
      "OpenVPN": {
        "ServerCARef": "{hsdfgh45ljh456kjh456jhk45}",
        "AuthRetry": "interact",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {
          "IssuerCARef": [ "{hsdfgh45ljh456kjh456jhk45}" ]
        },
        "CompLZO": "true",
        "Port": 1194,
        "Proto": "udp",
        "RemoteCertTLS":"none",
        "RemoteCertEKU": "TLS Web Server Authentication",
        "SaveCredentials": true,
        "ServerPollTimeout": 10,
        "Username": "openvpn",
        "KeyDirection":"1",
        "TLSAuthContents":"-----BEGIN OpenVPN Static key V1-----\nxxxxxxxxxxx9b753baf9032d63\nf42caaab7bf0a114cc94b5ae1876f4c7\na5cdec122db8935e3bb0ba26edb797c2\n2c88a5e9096f045c4aab3f37de70b86a\n046b5ce1b9c449b86261dee0cfed75bd\ncb5a66xxxxxxxxxxxxxxxxx62ddd\n032b4d31733c7286e68cc94f97788442\nc19xxxxxxxxxxxx38385193f3f6\ndb689d4b704c1655790c2fd285b3601a\n9502b03fc1139f37c7c2d77c7a43d74a\nf941f14ed591b923b5c36b581cb60094\nf6540eaed871502ee680c49a4a345164\n3efbxxxxxxxxxxxxxxxxbffaf63\n3d2bf67539a1e3f64d7eea6685f20560\n3b1188d567xxxxxxxxxxxxx3220fa\n736a26cafc51ff0d7aae01cce56aa19e\n-----END OpenVPN Static key V1-----\n"
      },
      "Recommended": [ "Host" ]
    }
  } ]
}

chro...@googlecode.com

Jun 28, 2014, 12:42:20 PM
to chromi...@chromium.org

Comment #74 on issue 217624 by rachel.a...@synchroresearch.com: Chrome OS
OpenVPN does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@chris #72 I wonder if you would be so kind as to detail how you got this
to work for you with the openvpn-as? I continue to get the darn TLS SSL3
errors detailed above...

chro...@googlecode.com

Jun 30, 2014, 10:02:52 AM
to chromi...@chromium.org

Comment #75 on issue 217624 by prat...@condorcapital.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
http://code.google.com/p/chromium/issues/detail?id=217624

@rachel.a #73: Here is my skeleton ONC file that works on my setup (you
will want to remove the Static Challenge if you don't use one):

{
  "Type":"UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{cacert}",
    "Type": "Authority",
    "X509": "<REMOVED>"
  },
  {
    "GUID": "{servercert}",
    "Type": "Server",
    "X509": "<REMOVED>"
  },
  {
    "GUID": "{clientcert}",
    "Type": "Client",
    "PKCS12": "<REMOVED>"
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{vpnconfig}",
    "Name": "<name>",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "<address>",
      "OpenVPN": {
        "ServerCARef": "{cacert}",
        "ServerCertRef": "{servercert}",
        "ClientCertRef": "{clientcert}",
        "AuthRetry": "interact",
        "ClientCertType": "Ref",
        "Port": 1194,
        "Proto": "udp",
        "CompLZO": "false",
        "NsCertType": "server",
        "PushPeerInfo": true,
        "SaveCredentials": false,
        "ServerPollTimeout": 4,
        "RemoteCertTLS": "none",
        "Username": "<user>",
        "StaticChallenge": "Enter Google Authenticator Code",
        "KeyDirection":"1",
        "TLSAuthContents":"<REMOVED>"
      },
      "Recommended": [ "Host" ]
    }
  } ]
}
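
An added example, not part of the thread and not Chrome OS code: a checker for the ONC mistakes reported in the comments above (raw instead of escaped newlines in TLSAuthContents, certificate references that match no GUID, "RemoteCertTLS" set to "none"). The function name `check_onc` and the sample configuration are constructed for illustration; the key names are the ones used in the ONC files posted above.

```python
import json

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
REF_KEYS = ("ServerCARef", "ServerCertRef", "ClientCertRef")

# Constructed sample in the shape of the ONC files above; all values are placeholders.
SAMPLE_ONC = {
    "Type": "UnencryptedConfiguration",
    "Certificates": [
        {"GUID": "{cacert}", "Type": "Authority", "X509": "Q09OU1RSVUNURUQ="}
    ],
    "NetworkConfigurations": [{
        "GUID": "{vpnconfig}",
        "Name": "example-vpn",
        "Type": "VPN",
        "VPN": {
            "Type": "OpenVPN",
            "Host": "vpn.example.test",
            "OpenVPN": {
                "ServerCARef": "{cacert}",
                "ClientCertType": "Pattern",
                "ClientCertPattern": {"IssuerCARef": ["{cacert}"]},
                "RemoteCertTLS": "none",
                "KeyDirection": "1",
                "TLSAuthContents": BEGIN + "\n00112233445566778899aabbccddeeff\n" + END + "\n",
            },
        },
    }],
}


def check_onc(text):
    """Return a list of findings for an unencrypted ONC document (empty list = none)."""
    try:
        onc = json.loads(text)
    except json.JSONDecodeError as err:
        # A raw line break inside TLSAuthContents, a "smart" quote or a missing
        # closing brace all end up here; the position points at the offending spot.
        return ["parse error at line %d column %d: %s" % (err.lineno, err.colno, err.msg)]
    if not isinstance(onc, dict):
        return ["top level is not a JSON object"]

    findings = []
    guids = {cert.get("GUID") for cert in onc.get("Certificates", [])}
    for net in onc.get("NetworkConfigurations", []):
        ovpn = net.get("VPN", {}).get("OpenVPN")
        if not isinstance(ovpn, dict):
            continue
        name = net.get("Name", "<unnamed>")

        # Every *Ref value must name a GUID from the Certificates section.
        refs = [ovpn[key] for key in REF_KEYS if key in ovpn]
        refs += ovpn.get("ClientCertPattern", {}).get("IssuerCARef", [])
        for ref in refs:
            if ref not in guids:
                findings.append("%s: reference %s matches no certificate GUID" % (name, ref))

        # "none" makes the connection work with certificates that lack the server
        # usage bits, at the price of not checking the server certificate's usage.
        if str(ovpn.get("RemoteCertTLS", "")).lower() == "none":
            findings.append("%s: RemoteCertTLS is none, server certificate usage "
                            "(key usage / extended key usage) is not checked" % name)

        # After JSON decoding the static key must be one item per line.
        key = ovpn.get("TLSAuthContents")
        if key is not None:
            lines = key.strip().split("\n")
            if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
                findings.append("%s: TLSAuthContents is not a newline-separated "
                                "OpenVPN static key" % name)
    return findings


if __name__ == "__main__":
    for finding in check_onc(json.dumps(SAMPLE_ONC)):
        print(finding)
```
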

chro...@googlecode.com

Nov 29, 2014, 1:39:08 AM
to chromi...@chromium.org

Comment #77 on issue 217624 by lukasfor...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

Has there been any progress or a proper tutorial to add ovpn files to
chromeos?

chro...@googlecode.com

Nov 29, 2014, 1:41:30 AM
to chromi...@chromium.org

Comment #78 on issue 217624 by offenme...@gmail.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

yes! buy windows laptop

chro...@googlecode.com

Nov 29, 2014, 4:52:06 PM
to chromi...@chromium.org

Comment #79 on issue 217624 by nhen...@google.com: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

Re: c#77, Have you started with goo.gl/pCxvvC ? Admittedly, it's not a
turnkey solution, unfortunately, but this followed by the comments in this
bug should get you working.

chro...@googlecode.com

Dec 5, 2014, 4:18:09 AM
to chromi...@chromium.org

Comment #80 on issue 217624 by hamish.r...@hardwired.net.nz: Chrome OS
OpenVPN does not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

Went to chrome shell, typed openvpn --config client.ovpn (downloaded via
web openvpn access server that most people can setup easily enough) and
done, no cert config, no file converting, no muddling around with above
average user technical garbage...
If it's so damn easy to do via the command line why WON'T google make it easy
for users to import worldwide standard ovpn config files simply via the gui
on a chromebook?
There is obviously something going on at google that they are trying to
disable VPN usage for the non tech user.

chro...@googlecode.com

Dec 5, 2014, 4:27:17 AM
to chromi...@chromium.org

Comment #81 on issue 217624 by lukasfor...@gmail.com: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

I'm selling my Toshiba Chromebook 2

chro...@googlecode.com

Dec 5, 2014, 10:14:49 AM
to chromi...@chromium.org
Updates:
Labels: Restrict-AddIssueComment-Commit

Comment #82 on issue 217624 by ps...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

The "thing" that's going on is that we want VPN status to be visible in the
UI so that users can tell that their traffic is being re-directed. If
you're running OpenVPN directly from the command line (or someone has done
so on your behalf in dev mode), there is no way to tell from the UI if it
is on or off. The current owner of the issue (sumit@) is prioritizing the
setup of a tool to allow users to import .ovpn setups in a way that will
allow either conversion to ONC or direct setup. This way you'll be able to
setup and tear down multiple OpenVPN configurations from the UI.

chro...@googlecode.com

Sep 1, 2015, 4:39:38 PM
to chromi...@chromium.org

Comment #85 on issue 217624 by ps...@chromium.org: Chrome OS OpenVPN does
not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

Issue 527063 has been merged into this issue.

chro...@googlecode.com

Feb 14, 2016, 1:01:02 AM
to chromi...@chromium.org

Comment #86 on issue 217624 by dian...@chromium.org: Chrome OS OpenVPN
does not support various configurations options such as tlsauth
https://code.google.com/p/chromium/issues/detail?id=217624

BTW: just because I was poking with this trying to get OpenVPN to work with
the OpenVPN server builtin to an RT-AC66U router. That router happens to
provide you an "ovpn" file and the instructions I found based on comment
@84 all assume an "onc" file. For me, it wasn't totally obvious how to
convert everything.

Here's extra stuff I needed:

---

Instructions I found all had the line:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name MyClient -out client.p12

...but I didn't have a "client.crt", "client.key", and "ca.crt" file. I
had an "ovpn" file. Luckily these are easy to create text files.
* The "client.crt" is just all the stuff between "<cert>" and "</cert>" in
your ovpn file, including the "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----" but not including the "<cert>" and "</cert>".
* The "client.key" is the same, but the stuff between "<key>" and "</key>"
* If you couldn't guess, "ca.crt" is between "<ca>" and "</ca>".

I ran openssl on a Chromebook in dev mode, but presumably you could also
find it on various other Linux machines.

---

I needed to go to the Advanced Settings in the Asus Router to get things in
a way that matched all the config instructions I found. I also wanted the
VPN to go over TCP/443 to have the best chance of it making its way over
pesky networks. Overall I used these options on the Asus Router:
* Interface Type: TUN
* Protocol: TCP
* Server Port: 443 (AKA the https port)
* Firewall: Auto
* Authorization Mode: TLS
* Username / Password Auth. Only: No
* Extra HMAC authorization: Incoming (0)
* VPN Subnet / Netmask: 10.8.0.0 (255.255.255.0)
* Poll Interval: 0
* Push LAN to clients: yes
* Direct clients to redirect Internet traffic: yes
* Respond to DNS: yes
* Advertise DNS to clients: yes
* Encryption cipher: default
* Compression: adaptive
* TLS Renegotiation Time: -1
* Manage Client-Specific: no

I won't promise those are all ideal, but they did seem to work. Note that
until I chose "Extra HMAC authorization: Incoming (0)" the ovpn file that
was exported by the router (if you go back to "General") didn't contain
the "OpenVPN Static key" and that tripped me up for a while, since that
wasn't the default.

---

In the ".onc" file you might wonder about where you get the X509 cert.
Yeah, it really is the same one you used in making the .p12 file, but with
all the newlines stripped off and also with the "-----BEGIN
CERTIFICATE-----" and "-----END CERTIFICATE-----" removed.

I also made a few changes from what was generally suggested:
"CompLZO": "adaptive",
"Port": 443,
"Proto": "tcp",

...the port/protocol were because of my own choices. I don't know if the
CompLZO change was strictly necessary, but it matched the default server
config that Asus provided and seemed sane.

I also happened to get tripped up because some instructions I found online
provided a sample file and one of the quotes in there was a "smart" quote
and tripped up the import. Sigh.

---

Anyway, figured I'd add to this bug in case it was useful to anyone...
Maybe everything is terribly obvious to everyone but me. ;)
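
An added example, not part of the comment above and not Chrome OS code: the manual steps it describes (splitting an .ovpn file into ca.crt, client.crt and client.key, stripping the certificate down to the ONC "X509" value, and keeping the static key's line breaks for TLSAuthContents) written as a small script. The function names and the sample profile are constructed for illustration, and it assumes the X509 value is the CA certificate from the `<ca>` block.

```python
import json
import os
import re

# Inline blocks named in the comment above (<ca>, <cert>, <key>) plus the
# <tls-auth> block that carries the "OpenVPN Static key".
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

# Constructed sample profile: placeholder base64/hex, not real credentials.
SAMPLE_OVPN = """\
remote vpn.example.test 443 tcp
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtTElORS0x
Q09OU1RSVUNURUQtQ0EtTElORS0y
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0xJRU5U
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
</key>
<tls-auth>
# constructed static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def extract_inline_blocks(ovpn_text):
    """Return {tag: body} for each inline <tag>...</tag> block in the profile."""
    blocks, current, body = {}, None, []
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if current is None:
            m = re.fullmatch(r"<([a-z-]+)>", line)
            if m and m.group(1) in INLINE_TAGS:
                current, body = m.group(1), []
        elif line == "</%s>" % current:
            blocks[current] = "\n".join(body) + "\n"
            current = None
        elif line and not line.startswith("#"):
            body.append(line)  # keep BEGIN/END markers, drop blanks and comments
    if current is not None:
        raise ValueError("unterminated <%s> block" % current)
    return blocks


def pem_body(pem_text):
    """Base64 body of the first certificate, without markers or newlines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return "".join(m.group(1).split())


def onc_fields(ovpn_text):
    """Values for the ONC keys the thread uses: X509, TLSAuthContents, KeyDirection."""
    blocks = extract_inline_blocks(ovpn_text)
    fields = {}
    if "ca" in blocks:
        fields["X509"] = pem_body(blocks["ca"])  # assumption: the CA certificate
    if "tls-auth" in blocks:
        # Real newlines here; json.dumps() writes them as the escaped \n ONC needs.
        fields["TLSAuthContents"] = blocks["tls-auth"]
        m = re.search(r"^\s*key-direction\s+([01])\s*$", ovpn_text, re.M)
        if m:
            fields["KeyDirection"] = m.group(1)
    return fields


def write_pkcs12_inputs(blocks, directory):
    """Write ca.crt, client.crt and client.key for the openssl pkcs12 command."""
    paths = {}
    for tag, name in (("ca", "ca.crt"), ("cert", "client.crt"), ("key", "client.key")):
        paths[tag] = os.path.join(directory, name)
        # Mode 0600: client.key is a private key and must not be world-readable.
        fd = os.open(paths[tag], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(blocks[tag])
    return paths


if __name__ == "__main__":
    print(json.dumps(onc_fields(SAMPLE_OVPN), indent=2))
```

Writing the result with `json.dumps` also avoids the "smart" quote problem mentioned above, since the serializer only emits plain ASCII quotes.
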