
Issue 217624 link

Starred by 263 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature


Chrome OS OpenVPN does not support various configurations options such as tlsauth

Project Member Reported by dgarr...@chromium.org, Oct 19 2012

Issue description

Most consumer-level OpenVPN products are based on the open source project, and have loosely standardized ways of talking about keys and configurations.

The following file list is what one will commonly end up with when trying to set up OpenVPN to a router or NAS.

Foo.ovpn   (sometimes named .config instead)
ca.crt
client.crt
client.key

Of this list, ChromeOS can import the ca.crt, but can't read the .ovpn file, or import the client.crt or client.key. Instead we expect the client crt/key to be in pkcs12 format.

Since we don't support the .ovpn configuration format, users must read it, and translate the settings into the options that we do support.

The two client key files can be converted to pkcs12 format, but doing so is not easy, and may require access to tools that many consumer users don't have.

 

Comment 1 by quiche@chromium.org, Nov 13 2012

Cc: trond@chromium.org
Labels: -Type-Bug Type-Feature
Owner: xiaowenx@chromium.org
Feature Request -> PM

Comment 2 by regis@google.com, Nov 15 2012

You will find lots of complaints in different forums about this lack of support. Directly supporting the above set of files in the UI will boost acceptance of ChromeOS in school/enterprise environments using such openvpn solutions. Alternate firmware for consumer routers (openwrt, gargoyle, dd-wrt, tomato, etc...) also support this form of openvpn. You could use such a cheap router for testing.

Comment 3 by trond@google.com, Nov 19 2012

Labels: -Pri-2 Pri-1 Mstone-26

Comment 4 by ddrew@chromium.org, Nov 19 2012

Status: Assigned
Labels: -Pri-1 Pri-2
P2 => we need to rethink VPN, which won't happen in this iteration.
In the meantime, something in the help pages stating the text munging and the openssl subcommands needed to convert the .ovpn file would be helpful.
I'll try to dig up the openssl commands and at least add them here.

That would also let me test a ChromeBook against my tomato OpenVPN server.
Glad this issue ticket exists. At first I was excited to see openvpn support, and then I was sad when I saw the config page. Should the pkcs12 include the ta.key too?
I forgot to figure out how to generate the pkcs12 when I got home (setting reminder now), but I believe all they need are the client.key and client.crt.

Comment 10 by Deleted ...@, Dec 7 2012

You can generate the pkcs12 from the client certificate & key using this command:

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt

Comment 11 by jac...@gmail.com, Dec 8 2012

This thread is very helpful. I just got a new Samsung Chromebook primarily so I could VPN to work for remote admin. I was able to generate the pkcs12 using the openssl commands that robert posted. I was then able to successfully import the ca.crt as well as import and bind my client cert (see attached screenshot).

But the connection silently fails every time. Other clients (Ubuntu box and mac via tunnelblick) work, so I'm certain the credentials are correct and the server is functioning properly. Any suggestions on how to diagnose this further? I'm new to ChromeOS, so I'm not sure how I might inspect log files or enable more logging.
(attachment: Screenshot 2012-12-08 at 13.12.15.png, 27.4 KB)
What am I supposed to set as login and password? My openvpn server doesn't require one. Also this is what I'm seeing on the server when I try to connect:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xx.xx.xx.xx:58968

If you ever try to improve the configuration page please allow us to configure all the options. Attached is the openvpn.conf file I use
(attachment: nico.ovpn, 285 bytes)

Comment 13 by r...@evool.com, Dec 21 2012

I'd like to suggest directly supporting ovpn files the same way there is an ONC parser.

Should enforce script-security 0 and disallow any parameters that need to call an external script. (See OpenVPN man page and search for 'cmd')

ovpn files can integrate certificates using tags <ca></ca><key></key><cert></cert>
I definitely agree. I see that being a widely utilized feature in the future.
Cc: apps-tses-bugs@chromium.org
Labels: Hotlist-Enterprise
I tried using openvpn_as on an ec2 instance and wasn't successful. Hit all kinds of issues. I wish we could document how to set up an openvpn server for chromeos users from scratch.

The HMAC issue mentioned in #12 may be related to tls-auth I think being enabled on server side. And in the opensource version of openvpn server there is a way to disable it (just # out the config line). I couldn't find the same option on openvpn_as unfortunately.



Comment 16 by jo...@draaisma.nl, Dec 27 2012

Greetings from OpenVPN Technologies Inc.

I have just tested Chrome OS with OpenVPN and I have to say that the interface for OpenVPN in Chrome OS seems to be pretty much unusable for your average user. If I couldn't figure it out, how must an average user, towards which Chrome OS appears to be targeted, ever get it to work?

Now on to constructive feedback. 

ChromeOS appears to have OpenVPN 2.1.12 present. Since 2.1 and up the HMAC/TLS key was added. While not strictly necessary, it is wise to use this as this makes the OpenVPN server less prone to DDoS (drops any packets that don't match immediately) and it also enhances security overall. I do not see an HMAC/TLS key field in the UI of the ChromeOS system.

It is possible to use OpenVPN without the HMAC/TLS key. To set this up on an OpenVPN Access Server, go to the Admin web UI, then to Advanced VPN, and in both the "Server Config Directives" and the "Client Config Directives" place the parameter:

auth none

That will remove the need/check for HMAC/TLS and allow it to work with only a client certificate and a server certificate. It's still a bit crude though because I don't see a field to put a configuration file so you just have to take what the ChromeOS UI thinks it should do and live with it. Pretty annoying. Also, putting these parameters in will kill the connection to any currently installed clients, they'll need a reinstall of the OpenVPN Connect Client or a reinstall of the configuration profile (.ovpn file) to get connected again. So all in all, pretty bad.

One 'solution' I have found is to take a standard OpenVPN Access Server, and download an 'autologin' or 'user-locked' profile and load it manually on the console like so:

login as chronos/chronos, then:
sudo bash
openvpn --config autologin.ovpn
Et voila.

Or in case of user-locked profile (requires username/password):
sudo bash
openvpn --config --auth-user-pass
Enter username, enter password, voila.

So yeah, if there's a way to get a better interface in ChromeOS for this, that would be great. You don't even have to parse an .ovpn file or anything - you just save it somewhere and run the above commands on it and voila. Does require rights to create the TUN/TAP device though.

Hopefully this helps get this issue resolved.

Kind regards,
Johan Draaisma

Comment 17 by sumit@chromium.org, Dec 28 2012

Cc: kuscher@chromium.org petkov@chromium.org davidroche@chromium.org
Owner: sumit@chromium.org
Summary: Chrome OS OpenVPN does not support various configurations options such as tlsauth (was: ChromeOS OpenVPN is not consumer friendly)
(coming late to the discussion here)

Chrome OS currently does not support configuring HMAC/TLS key as Johan noted in comment 16. We started with very minimal options in the Chrome OS UI as well as our enterprise settings for VPN and understand that it's very limited currently. We hope to add this and many other configuration options for OpenVPN next year.

For network configurations, Chrome OS does support the ONC spec defined here (http://www.chromium.org/chromium-os/chromiumos-design-docs/open-network-configuration). While not a practical solution to solve the tls-auth issue mentioned in this thread, only for testing purposes, users can setup a network configuration via ONC directly from chrome://net-internals/#chromeos. We do plan to add an easier way to specify and import VPN configurations.

Changing the title of this bug to reflect the issue being discussed. Assigning it to myself so that I can divide this issue into various small feature requests and/or link to existing feature requests.

Comment 18 by Deleted ...@, Jan 2 2013

I generated the pkcs12 file from openssl. Loaded both that and the certificate authority cert through the gui as per the chromeos vpn instructions. Using "openvpn --config blah.conf" from the shell works for both the .pem format and .p12 format files. However, when kicking off vpn from the gui, it times out and I see the following in /var/log/messages:

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So something is getting lost in translation between the gui and openvpn. If I have time later I'll try to dig into the source.

Comment 19 by Deleted ...@, Jan 2 2013

Re:17, Please ensure we can import raw PEM format certificates and also make sure username/password/OTP are not required as some configurations do not use these.
@17: could you provide a working openvpn ONC file as an example?
FYI, @18: I was also getting tls errors so I disabled tls per Johan's instructions and re-exported/converted the client.crt to client.p12 and then imported and bound that on my test chromebook. Now I get the following:

2013-01-02T13:06:51.652611-06:00 localhost openvpn[17679]: OpenVPN 2.1.12 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Dec 18 2012
2013-01-02T13:06:51.653331-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(185)] Processing info message.
2013-01-02T13:06:51.653681-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(327)] Processing hold message.
2013-01-02T13:06:51.653701-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(133)] Releasing hold.
2013-01-02T13:06:51.655801-06:00 localhost shill: [0102/130651:WARNING:openvpn_management_server.cc(177)] OpenVPN management message ignored: SUCCESS: real-time state notification set to ON
2013-01-02T13:06:51.695305-06:00 localhost shill: [0102/130651:WARNING:openvpn_management_server.cc(177)] OpenVPN management message ignored: SUCCESS: hold release succeeded
2013-01-02T13:06:51.695344-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(194)] Processing need-password message.
2013-01-02T13:06:51.695356-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(260)] Perform authentication: Auth
2013-01-02T13:06:51.697074-06:00 localhost openvpn[17679]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-01-02T13:06:51.697496-06:00 localhost shill: [0102/130651:WARNING:openvpn_management_server.cc(177)] OpenVPN management message ignored: SUCCESS: 'Auth' username entered, but not yet verified
2013-01-02T13:06:51.697522-06:00 localhost shill: [0102/130651:WARNING:openvpn_management_server.cc(177)] OpenVPN management message ignored: SUCCESS: 'Auth' password entered, but not yet verified
2013-01-02T13:06:51.725592-06:00 localhost openvpn[17679]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2013-01-02T13:06:51.725621-06:00 localhost openvpn[17679]: Attempting to establish TCP connection with 204.180.235.229:443 [nonblock]
2013-01-02T13:06:51.734917-06:00 localhost shill: [0102/130651:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:06:52.727177-06:00 localhost openvpn[17679]: TCP connection established with xxx.xxx.xxx.xxx:443
2013-01-02T13:06:52.727218-06:00 localhost openvpn[17679]: TCPv4_CLIENT link local: [undef]
2013-01-02T13:06:52.727230-06:00 localhost openvpn[17679]: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:443
2013-01-02T13:06:52.727241-06:00 localhost shill: [0102/130652:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:06:52.762085-06:00 localhost openvpn[17679]: Connection reset, restarting [0]
2013-01-02T13:06:52.762126-06:00 localhost openvpn[17679]: SIGUSR1[soft,connection-reset] received, process restarting
2013-01-02T13:06:52.762541-06:00 localhost shill: [0102/130652:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:06:52.764719-06:00 localhost shill: [0102/130652:INFO:service.cc(293)] In SetState(): Service uwms_test_3 state Configuring -> Associating
2013-01-02T13:06:52.764754-06:00 localhost shill: [0102/130652:INFO:manager.cc(822)] Service 45 updated; state: Associating failure: Unknown
2013-01-02T13:06:52.764766-06:00 localhost shill: [0102/130652:INFO:openvpn_management_server.cc(327)] Processing hold message.
2013-01-02T13:06:52.764776-06:00 localhost shill: [0102/130652:INFO:openvpn_management_server.cc(133)] Releasing hold.
2013-01-02T13:06:52.764786-06:00 localhost shill: [0102/130652:INFO:service.cc(254)] Suppressed autoconnect to uwms2 (connected)
2013-01-02T13:06:52.765441-06:00 localhost openvpn[17679]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-01-02T13:06:52.765463-06:00 localhost openvpn[17679]: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:443 [nonblock]
2013-01-02T13:06:52.765782-06:00 localhost shill: [0102/130652:WARNING:openvpn_management_server.cc(177)] OpenVPN management message ignored: SUCCESS: hold release succeeded
2013-01-02T13:06:52.805194-06:00 localhost shill: [0102/130652:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:06:53.766421-06:00 localhost openvpn[17679]: TCP connection established with xxx.xxx.xxx.xxx:443
2013-01-02T13:06:53.766462-06:00 localhost openvpn[17679]: TCPv4_CLIENT link local: [undef]
2013-01-02T13:06:53.766474-06:00 localhost openvpn[17679]: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:443
2013-01-02T13:06:53.766970-06:00 localhost shill: [0102/130653:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:06:53.804520-06:00 localhost openvpn[17679]: Connection reset, restarting [0]

LOG CONTINUES (through multiple connection attempts) and then dies:

2013-01-02T13:07:51.160082-06:00 localhost shill: [0102/130751:INFO:openvpn_management_server.cc(311)] Processing state message.
2013-01-02T13:07:51.285480-06:00 localhost shill: [0102/130751:ERROR:vpn_driver.cc(184)] VPN connection timeout.
2013-01-02T13:07:51.285524-06:00 localhost shill: [0102/130751:ERROR:openvpn_driver.cc(718)] VPN connection disconnected.
2013-01-02T13:07:51.286564-06:00 localhost shill: [0102/130751:INFO:rpc_task.cc(30)] RPCTask 0 destroyed.
2013-01-02T13:07:51.286595-06:00 localhost shill: [0102/130751:INFO:device.cc(165)] Device destructed: tun0 index 5
2013-01-02T13:07:51.286606-06:00 localhost openvpn[17679]: SIGTERM[soft,management-exit] received, process exiting
2013-01-02T13:07:51.286617-06:00 localhost shill: [0102/130751:INFO:process_killer.cc(32)] Killing pid 17679
2013-01-02T13:07:51.286627-06:00 localhost shill: [0102/130751:INFO:service.cc(293)] In SetState(): Service uwms_test_3 state Associating -> Failure
2013-01-02T13:07:51.286637-06:00 localhost shill: [0102/130751:INFO:manager.cc(822)] Service 45 updated; state: Failure failure: Unknown
2013-01-02T13:07:51.287998-06:00 localhost shill: [0102/130751:INFO:service.cc(254)] Suppressed autoconnect to uwms2 (connected)
2013-01-02T13:07:51.588974-06:00 localhost shill: [0102/130751:INFO:process_killer.cc(44)] pid 17679 died, status 0
2013-01-02T13:07:51.589019-06:00 localhost shill: [0102/130751:INFO:process_killer.cc(52)] Running callback for dead pid 17679
2013-01-02T13:07:51.589032-06:00 localhost shill: [0102/130751:INFO:openvpn_driver.cc(266)] Deleting interface 5

In my testing, I am connecting a macbookair with the ovpn client at the same time as the chromebook attempts, and the macbook connects fine while the chromebook dies...

Also attached is what the openvpn-as server is seeing during the connection attempts. It appears to be trying to see responses to the chromebook...
(attachment: chromebook vpn error image.png, 20.7 KB)
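Added example, not from this issue or from shill: a small triage routine for the /var/log/messages excerpts posted in this thread. It counts connect attempts and resets, tracks the shill service state, and maps the error strings that recur here to the explanation the thread reached for each: "cannot locate HMAC" (comment 12) to tls-auth being enabled on the server while the client has no TLS auth key configured (comments 15 and 16), "certificate verify failed" (comment 18, and again later in the thread) to CA or RemoteCertTLS mismatches, and a shill "VPN connection timeout" after repeated "Connection reset" lines to the cycle shown in the log above. The sample log lines are constructed in the format of that log, with the documentation address 203.0.113.10 in place of the real peer.

```python
import re

# syslog-style line as posted in this thread: timestamp host process: message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>openvpn\[\d+\]|shill): (?P<msg>.*)$")
STATE_RE = re.compile(r"\bstate (\w+) -> (\w+)")

# Error strings that recur in this issue and the cause the thread traced each one to.
SIGNATURES = [
    ("cannot locate HMAC",
     "server enforces tls-auth but the client sent no HMAC: a TLS auth key is "
     "needed on the client (ONC TLSAuthContents/KeyDirection) or tls-auth must be off on the server"),
    ("certificate verify failed",
     "server certificate rejected: wrong CA imported, or the RemoteCertTLS "
     "'Server' check does not match how the server certificate was issued"),
    ("VPN connection timeout",
     "shill timed out after repeated reconnect cycles: the server accepted TCP "
     "but reset the session, so compare the client config with a working client"),
]


def triage(lines):
    """Summarise a log excerpt: attempts, resets, pid, final shill state and findings."""
    result = {"attempts": 0, "resets": 0, "final_state": None, "pid": None, "findings": []}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated line (or a different log format)
        msg = m.group("msg")
        if m.group("proc").startswith("openvpn["):
            result["pid"] = int(m.group("proc")[8:-1])
        if "Attempting to establish" in msg:
            result["attempts"] += 1
        if "Connection reset" in msg:
            result["resets"] += 1
        s = STATE_RE.search(msg)
        if s:
            result["final_state"] = s.group(2)
        for needle, cause in SIGNATURES:
            if needle in msg and cause not in result["findings"]:
                result["findings"].append(cause)
    return result


# Constructed sample in the format of the log posted in comment 19.
SAMPLE_LOG = """\
2013-01-02T13:06:51.725621-06:00 localhost openvpn[17679]: Attempting to establish TCP connection with 203.0.113.10:443 [nonblock]
2013-01-02T13:06:52.727177-06:00 localhost openvpn[17679]: TCP connection established with 203.0.113.10:443
2013-01-02T13:06:52.762085-06:00 localhost openvpn[17679]: Connection reset, restarting [0]
2013-01-02T13:06:52.764719-06:00 localhost shill: [0102/130652:INFO:service.cc(293)] In SetState(): Service vpn_test state Configuring -> Associating
2013-01-02T13:06:52.765463-06:00 localhost openvpn[17679]: Attempting to establish TCP connection with 203.0.113.10:443 [nonblock]
2013-01-02T13:06:53.804520-06:00 localhost openvpn[17679]: Connection reset, restarting [0]
2013-01-02T13:07:51.285480-06:00 localhost shill: [0102/130751:ERROR:vpn_driver.cc(184)] VPN connection timeout.
2013-01-02T13:07:51.286627-06:00 localhost shill: [0102/130751:INFO:service.cc(293)] In SetState(): Service vpn_test state Associating -> Failure
""".splitlines()

# Constructed line in the shape of the server-side error quoted in comment 12.
HMAC_LOG = ["2012-12-08T13:12:15.000000-06:00 localhost openvpn[4242]: TLS Error: "
            "cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:58968"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the lines of chrome://system's net_event_log or /var/log/messages; anything that does not match the syslog shape is skipped rather than misread.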
Labels: -Mstone-26 Mstone-27 MovedFrom-26
Moving all non essential bugs to the next Milestone.
Labels: OS-Chrome
Comment 24 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Area-Network -Mstone-27 Cr-OS-Systems-Network M-27
Labels: -M-27 MovedFrom-27
Bulk edit to remove milestone from issues that are Pri-2 or lower and have already been moved at least once.

Comment 26 by redc...@gmail.com, May 13 2013

At the very least it would be nice to have some easy way to stop shill from eating my tun devices if I manually run openvpn (which I prefer to do).

Currently I had to check out the source to shill, see that a "--device-black-list" option exists, realize I cannot change the settings shill is launched with in /etc because it is ro, then write a shell script to stop the system shill and relaunch it with --device-black-list=tun0

This seems like a fairly simple problem to fix.  Why is it taking so long?  Just make username/password/otp not-mandatory and let openvpn do its thing with the cert-based auth when a user cert is provided.  This is how 99.9% of the openvpn setups I've used at several employers have all operated.  Correct or not ChromeOS should allow this and again it seems like a really simple thing to fix.

Comment 28 by sumit@chromium.org, Jul 14 2013

Cc: benchan@chromium.org steve...@chromium.org
So I see two different requests here:
1. tlsauth support in the UI
2. Ability to have only cert based auth (without username/password/otp)

Are there any other requests?

Trond, can we consider these in the upcoming networking UI changes since both of these seem to be UI changes only iiuc?
Any possibility of directly reading a .ovpn file directly from the UI (without conversion) so that a random user can just download it from their OpenVPN provider and install it?

Comment 30 by sumit@chromium.org, Jul 14 2013

Re:#29, thanks, we will look into the feature request for uploading an .ovpn.
Native OVPN support is the last hurdle in widespread deployment in our enterprise. 
We use OpenVPN for all our connections and need the ability to import multiple.
So I second the support request!

Comment 32 by t...@meyersbc.com, Jul 14 2013

I also support this request. I have several clients who want chrome books and this is the last issue holding us back. If this were a standard open source project I would pay (or write it myself) for this to be done.

Mark Meyer
Mark@MeyerSBC.com

This message was sent from my Droid.
I second, third, fourth and fifth this. I find it astonishing that a company that gets so many things right can get OpenVPN interoperability so wrong. Private TLS from the interface is basic. Importing ovpn configurations would be excellent. Pretending that ONC is a better future answer to a problem we all have now is both arrogant and stupid.

And it is absolutely a show stopper as far as recommending Chrome machines to clients. Which is unfortunate for both parties. Us and you.

Please excuse my anger.

-cpt

Comment 34 Deleted

Comment 35 by corv...@gmail.com, Jul 14 2013

Fully agree. The simplest thing is to allow importation of .ovpn config files in the UI. The OS has no trouble with these. The decision not to allow them can only be a policy choice that Google is not being transparent with users about. A perverse choice, in my opinion.


 

Comment 36 by Deleted ...@, Jul 14 2013

The idea of it being a policy choice is something I've wondered about, but the only possible advantage there that I have imagined (I have a limited imagination) is that private TLS (the most obvious feature to me) deeply inhibits some other behaviours that providers might engage in.

I prefer to regard it as an oversight that will be corrected.

-cpt
Agree with all the other comments on supporting ovpn files. This is the only major feature that is keeping me from recommending Chromebooks as a primary choice for users at our company.

My Samsung Chromebook is GREAT!  When this issue is fixed it will finally give me an excuse to upgrade to a Pixel.  Come on Google fix this.  I really want a Pixel!
+1 to all others.  Certificate management, debugging, OVPN file.  This has just been a huge pain point all around.  It's close, but just not *quite* right.
Comment 39 by bugdroid1@chromium.org (Project Member), Aug 3 2013

Project: chromiumos/platform/shill
Branch : master
Author : Paul Stewart <pstew@chromium.org>
Commit : 406c473d5680f42b067dbda0a9b011b162130eff

Code Review +2: mukesh agrawal
Verified    +1: Paul Stewart
Change-Id     : I7d2973792372d43df6c3a3ebe3728debd09e1e68
Reviewed-at   : https://gerrit.chromium.org/gerrit/64292

shill: OpenVPNDriver: Use double vector of strings for arguments

Restructure the code that creates command-line arguments for the
openvpn process.  Instead of building a flat vector of strings,
each logical option supplied to openvpn is itself a vector of
strings.  Thus, it is possible to output either a command line
argument list for OpenVPN (as is still done here) or a configuration
file which will contain each multi-word option on a separate line.

This structure also allows testing to be more rigorous since
expectations won't conflate the flag with its arguments.

BUG=chromium:217624
TEST=Unit tests, network_VPNConnect.openvpn_user_pass

Commit-Queue: Paul Stewart <pstew@chromium.org>

M  mock_openvpn_management_server.h
M  openvpn_driver.cc
M  openvpn_driver.h
M  openvpn_driver_unittest.cc
M  openvpn_management_server.cc
M  openvpn_management_server.h
M  openvpn_management_server_unittest.cc
Comment 40 by bugdroid1@chromium.org (Project Member), Aug 5 2013

Project: chromiumos/platform/shill
Branch : master
Author : Paul Stewart <pstew@chromium.org>
Commit : b26347a48e976a890210bb5fcc28892ac7df42e9

Code Review +2: Paul Stewart
Verified    +1: Paul Stewart
Change-Id     : I6424ccafb5764428b1ee8fc2ad41177a6d2b3c52
Reviewed-at   : https://gerrit.chromium.org/gerrit/64368

shill: OpenVPNDriver: Write a configuration file

Instead of passing configuration to OpenVPN using command line
options, write out a configuration file instead.  This config
file is owned by root created in a run directory that is not
readable by any other users.  Although OpenVPN drops privileges,
it reads its configuration before doing so.  The configuration
file is removed with the regular OpenVPNDriver cleanup process.

As a side effect of this, all added options in the OpenVPNDriver
and OpenVPNManagementServer now lose their "--" prefix.

BUG=chromium:217624
TEST=Unit tests, network_VPNConnect.openvpn_user_pass

Commit-Queue: Paul Stewart <pstew@chromium.org>

M  openvpn_driver.cc
M  openvpn_driver.h
M  openvpn_driver_unittest.cc
M  openvpn_management_server.cc
M  openvpn_management_server_unittest.cc
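The layout the two commits above describe, illustrated as an added example in Python rather than shill's C++ (this is not shill's code): each option is its own list of strings, so one structure renders either to an argv, where the flag takes the "--" prefix, or to a config file with one option per line and no prefix. The file is created with O_EXCL and mode 0600 so that a leftover or substituted file is never reused and nothing but the creating user can read it before OpenVPN drops privileges. The option values, socket and key paths are constructed for the example.

```python
import os
import shlex
import stat
import tempfile


def render_argv(options):
    """Flatten option vectors into an argv: each flag gets the "--" prefix."""
    argv = ["openvpn"]
    for opt in options:
        if not opt:
            raise ValueError("empty option vector")
        argv.append("--" + opt[0])
        argv.extend(opt[1:])
    return argv


def render_config(options):
    """One option per line, no "--" prefix, arguments quoted only when needed."""
    lines = [" ".join([opt[0]] + [shlex.quote(a) for a in opt[1:]]) for opt in options]
    return "\n".join(lines) + "\n"


def write_private_config(directory, options, name="openvpn.conf"):
    """Create the config file so that only the creating user can read it.

    O_EXCL refuses to open a pre-existing path (so a leftover file or a
    symlink planted there is never reused), and fchmod pins the mode at 0600
    regardless of umask. On any failure the partial file is removed.
    """
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(render_config(options))
    except BaseException:
        os.unlink(path)
        raise
    return path


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed option vectors in the shape the first commit describes.
SAMPLE_OPTIONS = [
    ["client"],
    ["remote", "vpn.example.test", "1194"],
    ["tls-auth", "/run/openvpn/ta.key", "1"],
    ["management", "/run/openvpn/mgmt.sock", "unix"],
    ["verb", "3"],
]


def demo(options=SAMPLE_OPTIONS):
    """Write the sample config into a fresh private run directory and report the result."""
    with tempfile.TemporaryDirectory() as run_dir:
        os.chmod(run_dir, 0o700)
        path = write_private_config(run_dir, options)
        with open(path) as f:
            text = f.read()
        try:  # a second write must not silently reuse the existing file
            write_private_config(run_dir, options)
            reused = True
        except FileExistsError:
            reused = False
        return {"mode": file_mode(path), "reused_existing": reused,
                "config_lines": text.splitlines(), "argv": render_argv(options)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because every option is a list, a unit test can assert on `["remote", "vpn.example.test", "1194"]` as one unit instead of matching the flag and its arguments separately, which is the testing point the first commit message makes.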
Since the openvpn configuration file will only contain a subset of possible configuration options, there's still a large gap to be filled to enable broad adoption of openvpn.
Presumably the GUI options will follow over time.
But in the meantime, would it be possible to have a user-defined blob of other configuration options that aren't in the UI, which could be secured with a whitelist?
Cc: -petkov@chromium.org
I love my Chromebook, but being a typical non-technical user that surely Chromebooks are aimed at please just let me connect to my NAS on my home network via the UI.  I can download the crt file and the ovpn file from my server.  I just want to use the UI to connect to my NAS using the OpenVPN option.  I don't want to be changing code AS I'M NON-TECHNICAL!

PLEASE!!!!

Comment 44 by jas...@gmail.com, Jan 7 2014

I have a working onc that allows me to connect to my home VPN cert-only (still have to put in dummy l/p values, but they are ignored). I was never able to get tls-auth working correctly, but from the May 2013 ONC spec, it looks like it is supported (keys TLSAuthContents and KeyDirection). Connecting to dd-wrt server.

For anyone who needs it, here's a skeleton ONC to setup a cert-only connection:
https://gist.github.com/jashsu/7978665
I inlined the certs into my ONC, but you can also try excluding it and import a P12 file separately using the certificate import GUI. If you are going to inline the certs in the ONC, parts of this script will be useful:
https://github.com/royans/ec2_chromeos_openvpn/blob/master/openvpn_config.sh
you might also check my write up at:  go/ChromeOS-OpenVPN
If you need more instructions on how to install the ONC block etc..

Comment 46 by jas...@gmail.com, Jan 7 2014

@nhen: Could you make that writeup available to us external users?
@jas...:  Sure, what do you think would be a good way to do that?  Enterprise Drive won't let me make it public.

 
@nhendin: publish to web? https://support.google.com/drive/answer/183965?hl=en
OK, here it is:  goo.gl/pCxvvC

Comment 50 by jas...@gmail.com, Jan 8 2014

@nhen...: Thanks! It's a nice all-inclusive write up. By the way if you inline the CA cert (and optionally client pkcs12) by putting their ascii-armored blocks in the Certificates section of the json, there is no need to use the Chrome certificate import GUI.

On tls-auth: it looks like I was missing the escaped newline chars in my TLSAuthContents. I'll give it another shot tonight.

I built spigots from current chromium source and ran it on my link, and I didn't see any way for it to take an ovpn input file.
@jas,

Wasn't sure that the inline certs would import correctly, so I did that manually first.

Yeah the TLS auth "\n" caused a bit of head scratching.  Eventually I contacted the internal author of the ONC import blob and he pointed me in the right direction.

It looks like spigots was not ever completed to a level where it would do what we need it to.

Good luck.

--Neil.
Guys, I'm impressed by your progress but envious at the same time as it's all a bit over my head.

Are we any closer to connecting to my NAS server via the UI (or at least just a couple of extra steps only from it)?

Thanks and well done!
While I'm not afraid to switch on developer mode and to use ovpn files from the terminal, I'm just not eager to have to watch the boot warning every time I start up.

If this is mostly a UI issue (as openvpn itself supports all we need), I find it bewildering that it's been left in this state for so long. :/
I followed the document in comment #49, but I am getting the following error in my logs:

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I am using OpenVPN AS and pulled the necessary certificates/keys from the user-locked ovpn file, can anyone point me in the right direction from here? What does this error mean exactly?
In case anyone else experienced the issue I did, I had to set the following in my ONC configuration file to get it working:

"RemoteCertTLS": "none",

By default, the Chromebook was trying to set this value to "Server" and my OpenVPN AS installation was not generating the correct certificates to support this mode of signing/authentication.
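A converter of the kind comment 13 describes, as an added example that is not part of this issue, of Chrome OS or of shill: it reads an .ovpn profile, refuses any directive that can launch an external program instead of forwarding it (the whitelist idea from comment 41), and emits the ONC document that comment 17 points to, handling the two details that cost people time in this thread: TLSAuthContents must be one JSON string with escaped newlines (comment 50), and RemoteCertTLS is set to "none" unless the profile itself asks for remote-cert-tls (comment 55). The ONC key names follow the ONC spec linked in comment 17; the sample profile, host name and certificate bodies are constructed placeholders, and the two directive sets are this example's own choices, not anything Chrome OS ships.

```python
import json
import re
import uuid

# Directives that make OpenVPN run an external program (the script hooks in the
# OpenVPN manual). They are refused outright, as comment 13 asks.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "auth-user-pass-verify",
    "learn-address", "script-security", "plugin",
}
# Directives this converter understands; anything else is reported, never dropped.
ALLOWED_DIRECTIVES = {
    "client", "dev", "remote", "proto", "cipher", "key-direction", "comp-lzo",
    "remote-cert-tls", "auth-user-pass", "nobind", "persist-key", "persist-tun",
    "resolv-retry", "verb", "tls-auth", "ca", "cert", "key",
}
INLINE_RE = re.compile(r"<(?P<tag>ca|cert|key|tls-auth)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Return (directives, inline_blocks, errors) for one .ovpn profile."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives, errors = [], []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        if name in SCRIPT_DIRECTIVES:
            errors.append(f"refused: '{name}' can execute an external command")
        elif name not in ALLOWED_DIRECTIVES:
            errors.append(f"unsupported directive: '{name}'")
        else:
            directives.append((name, args))
    return directives, inline, errors


def to_onc(text, name="Imported OpenVPN"):
    """Build the ONC document as a dict, or raise ValueError if the profile is refused."""
    directives, inline, errors = parse_ovpn(text)
    if errors:
        raise ValueError("; ".join(errors))
    d = dict(directives)  # a repeated directive keeps its last value
    if "remote" not in d or "ca" not in inline:
        raise ValueError("profile needs a 'remote' line and an inline <ca> block")
    host, *rest = d["remote"]
    ca_guid = "{%s}" % uuid.uuid5(uuid.NAMESPACE_URL, "ca:" + host)    # deterministic, so
    net_guid = "{%s}" % uuid.uuid5(uuid.NAMESPACE_URL, "vpn:" + host)  # re-import is stable
    ovpn = {
        "Port": int(rest[0]) if rest else 1194,
        "Proto": d.get("proto", ["udp"])[0],
        "ServerCARef": ca_guid,
        # Chrome OS fills in "Server" by default; only request that check when
        # the profile itself has remote-cert-tls (comment 55 had to set "none").
        "RemoteCertTLS": "Server" if "remote-cert-tls" in d else "none",
    }
    notes = []
    if "tls-auth" in inline:
        # Kept as a Python string with real newlines; json.dumps emits them as
        # the escaped "\n" sequences that comment 50 found missing.
        ovpn["TLSAuthContents"] = inline["tls-auth"]
        ovpn["KeyDirection"] = d.get("key-direction", ["1"])[0]
    if "auth-user-pass" in d:
        ovpn["Recommended"] = ["Username", "Password"]  # editable in the dialog (comment 71)
    if "cert" in inline and "key" in inline:
        notes.append("inline <cert>/<key> must be packaged as PKCS#12 and imported separately (comment 10)")
    onc = {
        "Type": "UnencryptedConfiguration",
        "NetworkConfigurations": [{
            "GUID": net_guid, "Name": name, "Type": "VPN",
            "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": ovpn},
        }],
        "Certificates": [{"GUID": ca_guid, "Type": "Authority", "X509": inline["ca"]}],
    }
    return onc, notes


def render_onc(text, name="Imported OpenVPN"):
    """JSON text as pasted into chrome://net-internals/#chromeos (comment 17)."""
    onc, _ = to_onc(text, name)
    return json.dumps(onc, indent=2)


# Constructed sample profile in the layout the issue description lists.
SAMPLE_OVPN = """\
client
proto tcp
remote vpn.example.test 443
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate==
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# The same profile with a script hook appended; the converter must refuse it.
REFUSED_OVPN = SAMPLE_OVPN + "up /etc/openvpn/update-resolv.sh\n"
```

Paste the output of render_onc() where comment 17 describes; a profile that inlines <cert> and <key> still needs the PKCS#12 step from comment 10, which is why to_onc returns that as a note instead of guessing, and a profile with a script hook is rejected with the offending directive named so the user can see what was removed.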

Comment 56 by nhendin@google.com, Feb 20 2014

Re: c#53, roxannalugtigheld, would the doc in comment #49 help you here? No need to be in dev mode and while it's a bit of a yak shave, it may help you get set up.

regards,
--neil.
Preamble: I struggled for several months with getting the OpenVPN client configured on a Chromebook and a Chromebox, and eventually gave up. (Though I can make it work within the Crouton environment.)

Request: Please provide an officially-supported Chrome extension that takes a *.ovpn file and spits out everything that Chrome OS needs to configure its OpenVPN client. So we copy-and-paste our *.ovpn file and certificates into that extension, and it spits out all the needed configuration data and exact instructions to make OpenVPN work.

No changes into Chromium OS would then be needed.
This is almost unforgivable, to omit use of ovpn files. I would never use a chromebook in a business environment. The VPN methods they allow are not as secure as openvpn. The omission makes the chromebook nothing more than a toy.
$1499 with "native OpenVPN support" bla bla hogwash

Comment 60 by pstew@chromium.org, Mar 29 2014

Cc: pneubeck@chromium.org
I am getting the following error when I try to connect to my VPN. 

"Failed to connect to network 'MyVPN': Failed to configure network"

I used the Spigots utility to create the initial .onc file and then edited it to include the TLSAuthContents and the KeyDirection parameters and a few other things that needed tweaking (port, cipher).

I have attached the .conf file and the output from "connectivity show services" with sensitive information removed. Everything looks correct.

It looks like others may have gotten this to work. Can someone tell me what I may have done wrong.

FYI - My VPN doesn't require a client cert. It relies on the TLS Auth key and a username/password combo.
(attachments: net_config.txt, 1.1 KB; openvpn.conf, 375 bytes)
I found the net_event_log in chrome://system. I have attached a log of the relevant lines from that log. It appears as though ChromeOS doesn't support OpenVPN without using client certificates as it complains about the Pkcs11.ID. I'm not sure if this would be considered a defect or a feature request, but either way, it makes the OpenVPN support completely useless for my purposes. I cannot change the configuration of the OpenVPN gateway.

Note, this configuration works just fine from my Mac OS X workstation using Tunnelblick.
(attachment: net_event_log.txt, 904 bytes)

Comment 63 by pstew@chromium.org, Apr 10 2014

WRT comment #62 -- looks like an issue within Chrome.  The underlying connection manager does not require a certificate to connect.
pstew@ - Shill is failing to clear the Pkcs11.ID property:

network_configuration_handler.cc:416 ClearProperties Failed: OpenVPN.Pkcs11.ID: /service/84

Chrome is clearing that property because the ID is empty. We don't expect the clear to fail. What does Shill expect in this case?

Comment 65 by pstew@chromium.org, Apr 10 2014

If you clear a property that is not set, you get Error::kNotFound, "Property is not set".  This has always been the case.
I don't doubt that this has always been the case, it just hasn't come up before.

Unfortunately we don't track in Chrome whether or not a Shill property has been set, so I think we will have to ignore this error and treat it as a warning. That should be a pretty easy change to make.

I created a separate issue to track this particular problem:  issue 362303 .

Thanks jerry@ for including a log, that made it pretty straightforward to track down the problem.

stevejb@ glad I could help. Resolving this issue will clear the path for me to use my Chromebook as my primary development workstation. I will follow  issue 362303  and hope for a quick turn around.
I have a working config on a chromebook pixel with TLS. It took a hell of a lot of hints, many hours in a text editor, lotta logfile staring, and ignoring the occasional GOOG wrongheaded answer (e.g. "open source" doesn't always play nice). Will post. It does actually work, at least the last time I charged up.
We just resolved  issue 362303  for those affected by spurious ClearProperty errors. It should be available in the Dev channel in a few days.

Comment 70 by mpe...@gmail.com, Jun 8 2014

Hello!

I am trying to set up OpenVPN with client and CA certificates plus a TLS auth certificate, but a user name and password are also required. I included all 3 certificates in the ONC file. The client and CA certificates look the same as if I had imported them manually. The TLS certificate looks good in the service listing.
From the logs it seems the client certificate is omitted, the Pkcs11.* properties are set, and PassphraseRequired is set to false.
I am using Chromebook in normal user mode and wish to keep it this way.

Any idea what might be wrong?

(I attached original OVPN file, my ONC file, how the service looks just after import and after connection attempt and finally netlog.)
Attachments: service_after_connect_attempt.txt, client.onc, service_after_import.txt, netlog.txt, client.ovpn
c#70 is very likely not related to this issue and should be posted as a separate issue. Please do so in the future.

Nonetheless:
IIRC, configuring any network with client certs through ONC is currently neither working nor supported (note that the manual import of ONC is meant for debugging/testing only). The import of the cert itself should work.

You could instead try to set the client cert manually in the network dialog, and my guess is that with your configuration it doesn't show the client cert correctly selected and that you can't edit it.
Therefore add to the client.onc:
... "OpenVPN": {
  ...
  "Recommended": [ "Username", "Password", "ClientCertRef" ],
  ...
} ...
AFAIK you cannot import certs in normal user mode.  The whole process is super buggy and essentially broken.

Sent from a phone.  Please excuse brevity and errors.

Comment 73 by Deleted ...@, Jun 28 2014

@Prat #55, My setup sounds identical to yours.  
Server: OpenVPN-AS 2.0.8 on debian 7.5.  
Client is a chromebook acer c10

After combing this thread and this document goo.gl/pCxvvC, and trying various changes like "RemoteCertTLS": "none", I continue to get the error:  
LS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-06-28T09:08:41.113486-07:00 localhost openvpn[23290]: TLS Error: TLS object -> incoming plaintext read error
2014-06-28T09:08:41.113492-07:00 localhost openvpn[23290]: TLS Error: TLS handshake failed.



Note that in trying to get this work, I have setup a dev box with a stock openvpnas install with no config changes.

Here is my ONC ( have altered the sensitive bits).

Any insight would be so much appreciated.  This is the final hurdle in rolling out chromebooks to all our staff.  And this is a showstopper unfortunately...

Thanks a bunch!

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{hsdfgh45ljh456kjh456jhk45}",
    "Type": "Authority",
    "X509": "MIICuDCCAaCgAwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIQ/Mn3swQ=="
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{hsdfgh45ljh456kjh456jhk45hsdfgh45ljh456kjh456jhk45}",
    "Name": "openvpn",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "23.239.0.124",
      "OpenVPN": {
        "ServerCARef": "{hsdfgh45ljh456kjh456jhk45}",
        "AuthRetry": "interact",
        "ClientCertType": "Pattern",
        "ClientCertPattern": {
          "IssuerCARef": [ "{hsdfgh45ljh456kjh456jhk45}" ]
        },
        "CompLZO": "true",
        "Port": 1194,
        "Proto": "udp",
        "RemoteCertTLS": "none",
        "RemoteCertEKU": "TLS Web Server Authentication",
        "SaveCredentials": true,
        "ServerPollTimeout": 10,
        "Username": "openvpn",
        "KeyDirection": "1",
        "TLSAuthContents": "-----BEGIN OpenVPN Static key V1-----\nxxxxxxxxxxx9b753baf9032d63\nf42caaab7bf0a114cc94b5ae1876f4c7\na5cdec122db8935e3bb0ba26edb797c2\n2c88a5e9096f045c4aab3f37de70b86a\n046b5ce1b9c449b86261dee0cfed75bd\ncb5a66xxxxxxxxxxxxxxxxx62ddd\n032b4d31733c7286e68cc94f97788442\nc19xxxxxxxxxxxx38385193f3f6\ndb689d4b704c1655790c2fd285b3601a\n9502b03fc1139f37c7c2d77c7a43d74a\nf941f14ed591b923b5c36b581cb60094\nf6540eaed871502ee680c49a4a345164\n3efbxxxxxxxxxxxxxxxxbffaf63\n3d2bf67539a1e3f64d7eea6685f20560\n3b1188d567xxxxxxxxxxxxx3220fa\n736a26cafc51ff0d7aae01cce56aa19e\n-----END OpenVPN Static key V1-----\n"
      },
      "Recommended": [ "Host" ]
    }
  } ]
}

Comment 74 by Deleted ...@, Jun 28 2014

@chris #72 I wonder if you would be so kind as to detail how you got this to work for you with the openvpn-as?  I continue to get the darn TLS SSL3 errors detailed above... 
@rachel.a #73: Here is my skeleton ONC file that works on my setup (you will want to remove the Static Challenge if you don't use one):

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [ {
    "GUID": "{cacert}",
    "Type": "Authority",
    "X509": "<REMOVED>"
  }, {
    "GUID": "{servercert}",
    "Type": "Server",
    "X509": "<REMOVED>"
  }, {
    "GUID": "{clientcert}",
    "Type": "Client",
    "PKCS12": "<REMOVED>"
  } ],
  "NetworkConfigurations": [ {
    "GUID": "{vpnconfig}",
    "Name": "<name>",
    "Type": "VPN",
    "VPN": {
      "Type": "OpenVPN",
      "Host": "<address>",
      "OpenVPN": {
        "ServerCARef": "{cacert}",
        "ServerCertRef": "{servercert}",
        "ClientCertRef": "{clientcert}",
        "AuthRetry": "interact",
        "ClientCertType": "Ref",
        "Port": 1194,
        "Proto": "udp",
        "CompLZO": "false",
        "NsCertType": "server",
        "PushPeerInfo": true,
        "SaveCredentials": false,
        "ServerPollTimeout": 4,
        "RemoteCertTLS": "none",
        "Username": "<user>",
        "StaticChallenge": "Enter Google Authenticator Code",
        "KeyDirection": "1",
        "TLSAuthContents": "<REMOVED>"
      },
      "Recommended": [ "Host" ]
    }
  } ]
}
The lack of tls-auth support is critical: I cannot imagine any non-ISP environment supporting openvpn without it. It's so easy and adds so much security that anyone would be mad not to use it

Also, I think you need to increase the version to 2.3.X - for one thing we actually refuse connections from older clients by looking for specific UV_ headers (not IV_ - UV_) - which only the newer clients support

has there been any progress or a proper tutorial to add opvn files to chromeos?
yes! buy windows laptop

Comment 79 by nhendin@google.com, Nov 29 2014

Re: c#77, Have you started with goo.gl/pCxvvC  ?  Admittedly, it's not a turnkey solution, unfortunately, but this followed by the comments in this bug should get you working.


Comment 80 by Deleted ...@, Dec 5 2014

Went to chrome shell, typed openvpn --config client.ovpn (downloaded via the web OpenVPN Access Server that most people can set up easily enough) and done, no cert config, no file converting, no muddling around with above-average-user technical garbage...
If it's so damn easy to do via the command line why WON'T google make it easy for users to import worldwide-standard ovpn config files simply via the GUI on a chromebook.
There is obviously something going on at google that they are trying to disable VPN usage for the non-tech user.
I'm selling my Toshiba Chromebook 2
Labels: Restrict-AddIssueComment-Commit
The "thing" that's going on is that we want VPN status to be visible in the UI so that users can tell that their traffic is being re-directed.  If you're running OpenVPN directly from the command line (or someone has done so on your behalf in dev mode), there is no way to tell from the UI if it is on or off.  The current owner of the issue (sumit@) is prioritizing the setup of a tool to allow users to import .ovpn setups in a way that will allow either conversion to ONC or direct setup.  This way you'll be able to setup and tear down multiple OpenVPN configurations from the UI.

Comment 83 by laforge@google.com, Apr 16 2015

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Please note that the documentation mentioned in comments 45, 49 and 77 has a new, easier-to-find home.

It is now at:
http://dev.chromium.org/chromium-os/how-tos-and-troubleshooting/openvpn-manual-setup


 Issue 527063  has been merged into this issue.
BTW: just because I was poking with this trying to get OpenVPN to work with the OpenVPN server builtin to an RT-AC66U router.  That router happens to provide you an "ovpn" file and the instructions I found based on comment @84 all assume an "onc" file.  For me, it wasn't totally obvious how to convert everything.

Here's extra stuff I needed:

---

Instructions I found all had the line:
  openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name MyClient -out client.p12

...but I didn't have a "client.crt", "client.key", and "ca.crt" file.  I had an "ovpn" file.  Luckily, these are easy-to-create text files.
* The "client.crt" is just all the stuff between "<cert>" and "</cert>" in your ovpn file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" but not including the "<cert>" and "</cert>".
* The "client.key" is the same, but the stuff between "<key>" and "</key>"
* If you couldn't guess, "ca.crt" is between "<ca>" and "</ca>".

I ran openssl on a Chromebook in dev mode, but presumably you could also find it on various other Linux machines.

---

I needed to go to the Advanced Settings in the Asus Router to get things in a way that matched all the config instructions I found.  I also wanted the VPN to go over TCP/443 to have the best chance of it making its way over pesky networks.  Overall I used these options on the Asus Router:
* Interface Type: TUN
* Protocol: TCP
* Server Port: 443 (AKA the https port)
* Firewall: Auto
* Authorization Mode: TLS
* Username / Password Auth. Only: No
* Extra HMAC authorization: Incoming (0)
* VPN Subnet / Netmask: 10.8.0.0 (255.255.255.0)
* Poll Interval: 0
* Push LAN to clients: yes
* Direct clients to redirect Internet traffic: yes
* Respond to DNS: yes
* Advertise DNS to clients: yes
* Encryption cipher: default
* Compression: adaptive
* TLS Renegotiation Time: -1
* Manage Client-Specific: no

I won't promise those are all ideal, but they did seem to work.  Note that until I chose "Extra HMAC authorization: Incoming (0)" the ovpn file that was exported by the router (if you go back to "General") didn't contain the "OpenVPN Static key" and that tripped me up for a while, since that wasn't the default.

---

In the ".onc" file you might wonder about where you get the X509 cert.  Yeah, it really is the same one you used in making the .p12 file, but with all the newlines stripped off and also with the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" removed.

I also made a few changes from what was generally suggested:
                   "CompLZO": "adaptive",
                   "Port": 443,
                   "Proto": "tcp",

...the port/protocol were because of my own choices.  I don't know if the CompLZO change was strictly necessary, but it matched the default server config that Asus provided and seemed sane.

I also happened to get tripped up because some instructions I found online provided a sample file and one of the quotes in there was a "smart" quote and tripped up the import.  Sigh.

---

Anyway, figured I'd add to this bug in case it was useful to anyone...  Maybe everything is terribly obvious to everyone but me.  ;)


Cc: -pneubeck@chromium.org
 Issue 769788  has been merged into this issue.
 Issue 782106  has been merged into this issue.
Cc: dskaram@chromium.org
 Issue 743709  has been merged into this issue.
Comment 91 by sheriffbot@chromium.org, Feb 12 2018

Labels: Hotlist-Recharge-BouncingOwner
Owner: ----
Status: Untriaged (was: Assigned)
The assigned owner "sumit@chromium.org" is not able to receive e-mails, please re-triage.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: cernekee@chromium.org
Status: Assigned (was: Untriaged)
-> cernekee@ - Is there anything actionable here? We have a lot more flexibility in the UI now so if we need to add a field that should be easy, assuming it's supported in ONC.

If not, please go ahead and archive this.

Going back to the requests from the original post:

Other OpenVPN clients allow users to upload .ovpn configuration files.  These files contain a number of free-form fields that are passed down to the `openvpn` daemon.  They can also reference other files (such as certs, or login/password files, or Diffie-Hellman parameters, or tls-auth secrets).

So this gives the user an enormous amount of flexibility in configuring the client side, but it also makes provisioning a cumbersome process.  On Chrome OS it raises a number of logistical issues and security concerns, as we would need to sanitize and translate each of these properties.  Also, our openvpn daemon currently starts up as root, and it regards the .ovpn file as trusted.  Allowing Chrome to pass in arbitrary .ovpn files could facilitate privilege escalation attacks.

Since there are two full-featured Android OpenVPN clients that are actively maintained by third parties, it would be good to see if these clients (combined with the newly-introduced Android VPN integration in M64) would cover most of the relevant use cases:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
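The hand translation described in the RT-AC66U write-up earlier in this thread (cut the inline <ca>/<cert>/<key> blocks out of the .ovpn, strip the PEM armor for the ONC X509 field, feed cert and key to openssl pkcs12 -export) and the sanitization concern in the comment above (shill starts openvpn as root and the daemon trusts its config) can be shown together. The following is an added example and is not code from Chromium, shill or the ONC tooling: it parses a single-file .ovpn, maps the directives it knows onto ONC "OpenVPN" fields, refuses any directive that would make the root-owned daemon run an external program, and lists everything else for hand translation. The ONC field names are real; the helper names, the directive tables and the sample .ovpn (whose PEM bodies are placeholder base64, not real DER) are this example's own assumptions. PKCS12 still has to be produced with the openssl command quoted earlier and pasted into the PKCS12 field.

```python
# Added example (not Chromium/shill/ONC code): translate a router-exported
# single-file .ovpn with inline <ca>/<cert>/<key>/<tls-auth> blocks into ONC.
# ONC field names are real; the helpers and sample data are this example's own.
import base64
import json
import re

# Directives that run external programs or load code. openvpn on Chrome OS
# starts as root and trusts its config, so these are refused, not translated.
EXEC_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                   "tls-verify", "auth-user-pass-verify", "client-connect",
                   "client-disconnect", "learn-address", "plugin",
                   "script-security"}
# Directives the Chrome OS client implies anyway or that need no ONC field.
HARMLESS = {"client", "tls-client", "dev", "nobind", "persist-key", "persist-tun",
            "resolv-retry", "verb", "auth-nocache", "auth-user-pass"}
# Single-argument directives that map 1:1 onto an ONC "OpenVPN" field.
SIMPLE = {"port": ("Port", int), "proto": ("Proto", lambda p: p[:3]),  # tcp-client -> tcp
          "key-direction": ("KeyDirection", str), "cipher": ("Cipher", str),
          "remote-cert-tls": ("RemoteCertTLS", str), "ns-cert-type": ("NsCertType", str)}


def pem_body(pem):
    """Strip PEM armor and newlines: the form ONC's 'X509' field expects."""
    lines = [l.strip() for l in pem.splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    base64.b64decode(body, validate=True)  # refuse anything that is not base64
    return body


def parse_ovpn(text):
    """Return (directives, blocks): token lists plus inline <tag> contents."""
    directives, blocks, tag, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:
            if line == f"</{tag}>":
                blocks[tag], tag, buf = "\n".join(buf) + "\n", None, []
            else:
                buf.append(line)
        elif line and line[0] not in "#;":
            m = re.fullmatch(r"<([a-z-]+)>", line)
            if m:
                tag = m.group(1)
            else:
                directives.append(line.split())
    if tag:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, blocks


def ovpn_to_onc(text, name, ca_guid="{ca}", client_guid="{client}", vpn_guid="{vpn}"):
    """Build the ONC document plus the PEM pieces the user must still convert."""
    directives, blocks = parse_ovpn(text)
    ovpn = {"ServerCARef": ca_guid, "ClientCertType": "Ref", "ClientCertRef": client_guid}
    host, unsupported = None, []
    for key, *args in directives:
        if key in EXEC_DIRECTIVES:
            raise ValueError(f"refusing '{key}': it would run a command as root")
        if key == "remote":                 # remote HOST [PORT] [PROTO]
            host = args[0]
            if len(args) > 1:
                ovpn["Port"] = int(args[1])
            if len(args) > 2:
                ovpn["Proto"] = args[2][:3]
        elif key == "comp-lzo":             # ONC wants "true" / "false" / "adaptive"
            mode = args[0] if args else "adaptive"
            ovpn["CompLZO"] = {"yes": "true", "no": "false"}.get(mode, mode)
        elif key in SIMPLE:
            field, conv = SIMPLE[key]
            ovpn[field] = conv(args[0])
        elif key in HARMLESS and not (key == "auth-user-pass" and args):
            pass                            # "auth-user-pass FILE" points at another file
        else:
            unsupported.append(" ".join([key, *args]))
    if host is None or not {"ca", "cert", "key"} <= set(blocks):
        raise ValueError("need a 'remote' line and inline <ca>, <cert> and <key>")
    if "tls-auth" in blocks:
        ovpn["TLSAuthContents"] = blocks["tls-auth"]
    onc = {"Type": "UnencryptedConfiguration",
           "Certificates": [
               {"GUID": ca_guid, "Type": "Authority", "X509": pem_body(blocks["ca"])},
               # stdlib cannot build PKCS12: run openssl pkcs12 -export on the
               # returned cert/key PEM and paste the base64 of client.p12 here.
               {"GUID": client_guid, "Type": "Client", "PKCS12": "<base64 of client.p12>"}],
           "NetworkConfigurations": [
               {"GUID": vpn_guid, "Name": name, "Type": "VPN",
                "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": ovpn}}]}
    return {"onc": onc, "client_cert_pem": blocks["cert"],
            "client_key_pem": blocks["key"], "unsupported": unsupported}


# Constructed sample, not a real router export; PEM bodies are placeholder base64.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
_PEM = "-----BEGIN {0}-----\n" + FAKE_B64 + "\n-----END {0}-----"
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "proto tcp-client", "remote vpn.example.test 443",
    "nobind", "comp-lzo adaptive", "remote-cert-tls server", "key-direction 1",
    "<ca>", _PEM.format("CERTIFICATE"), "</ca>",
    "<cert>", _PEM.format("CERTIFICATE"), "</cert>",
    "<key>", _PEM.format("PRIVATE KEY"), "</key>",
    "<tls-auth>", "-----BEGIN OpenVPN Static key V1-----",
    "00112233445566778899aabbccddeeff", "-----END OpenVPN Static key V1-----",
    "</tls-auth>", ""])

if __name__ == "__main__":
    print(json.dumps(ovpn_to_onc(SAMPLE_OVPN, "router")["onc"], indent=2))
```

Anything that lands in "unsupported" (for instance a fragment or mssfix line) is exactly the part of the .ovpn that has no ONC equivalent and must be reconciled by hand, which is the translation work the comments above describe; anything in EXEC_DIRECTIVES is refused outright because, with the daemon reading its config as root, passing it through would be the privilege-escalation path the comment warns about.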

Comment 94 by nhendin@google.com, Feb 12 2018

re: c#93,

That would certainly solve the use case I was trying to address in my earlier comments, assuming those clients supported TLS auth (which I think they do).

Cc: jeff@mcneill.io
Comment 96 by bugdroid1@chromium.org, Aug 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/shill/+/b26347a48e976a890210bb5fcc28892ac7df42e9

commit b26347a48e976a890210bb5fcc28892ac7df42e9
Author: Paul Stewart <pstew@chromium.org>
Date: Mon Aug 05 20:38:44 2013

shill: OpenVPNDriver: Write a configuration file

Instead of passing configuration to OpenVPN using command line
options, write out a configuration file instead.  This config
file is owned by root created in a run directory that is not
readable by any other users.  Although OpenVPN drops privileges,
it reads its configuration before doing so.  The configuration
file is removed with the regular OpenVPNDriver cleanup process.

As a side effect of this, all added options in the OpenVPNDriver
and OpenVPNManagementServer now lose their "--" prefix.

BUG=chromium:217624
TEST=Unit tests, network_VPNConnect.openvpn_user_pass

Change-Id: I6424ccafb5764428b1ee8fc2ad41177a6d2b3c52
Reviewed-on: https://gerrit.chromium.org/gerrit/64368
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>

[modify] https://crrev.com/b26347a48e976a890210bb5fcc28892ac7df42e9/openvpn_driver_unittest.cc
[modify] https://crrev.com/b26347a48e976a890210bb5fcc28892ac7df42e9/openvpn_driver.cc
[modify] https://crrev.com/b26347a48e976a890210bb5fcc28892ac7df42e9/openvpn_driver.h
[modify] https://crrev.com/b26347a48e976a890210bb5fcc28892ac7df42e9/openvpn_management_server.cc
[modify] https://crrev.com/b26347a48e976a890210bb5fcc28892ac7df42e9/openvpn_management_server_unittest.cc
