OpenVPN on pfSense with Chrome OS

Do you need to connect a Chromebook to an OpenVPN server running on pfSense? Here’s how to configure your OpenVPN server to be compatible with Chrome OS.

Under VPN / OpenVPN, edit the server configuration as follows:

Server mode: Remote Access (SSL/TLS + User Auth)

TLS Configuration: Unchecked

DH Parameter Length: 2048 bit

Encryption Algorithm: BF-CBC (128 bit key by default, 64 bit block)

Auth digest algorithm: SHA1 (160-bit)

Compression: Omit Preference (Use OpenVPN Default)
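The settings above trade strength for compatibility (a 64-bit block cipher, SHA1, no TLS key), so it helps to keep track of which servers carry them. The script below is an added example, not part of the original post or of pfSense: it audits OpenVPN config text for those settings. It assumes the GUI fields correspond to the `cipher`, `auth` and `tls-auth`/`tls-crypt` directives; both sample configs and their file paths are constructed placeholders.

```python
# Added example: audit an OpenVPN server config for the legacy settings above.
# Assumption: the pfSense GUI fields map to the cipher / auth / tls-auth directives.

# Ciphers with a 64-bit block (BF-CBC is the one this page selects).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
LEGACY_DIGESTS = {"MD5", "SHA1"}

# Constructed sample configs; file paths are placeholders.
CHROMEOS_COMPAT = """\
proto udp
cipher BF-CBC
auth SHA1
dh /path/to/dh2048.pem
"""
HARDENED = """\
proto udp
cipher AES-256-GCM
auth SHA256
tls-crypt /path/to/tls-crypt.key
"""


def parse_directives(text):
    """Map each directive name to its argument list, ignoring # and ; comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.strip("<>")] = args  # also matches inline <tls-auth> blocks
    return directives


def audit(text):
    """Return (directive, finding) pairs for settings a reviewer should track."""
    d = parse_directives(text)
    findings = []
    cipher = (d.get("cipher") or [""])[0].upper()
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(("cipher", f"{cipher} uses a 64-bit block; rekey often or move to AES-GCM"))
    digest = (d.get("auth") or [""])[0].upper()
    if digest in LEGACY_DIGESTS:
        findings.append(("auth", f"{digest} is a legacy HMAC digest; prefer SHA256 if clients allow"))
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("tls-auth", "no TLS key: handshake packets are not HMAC-checked"))
    return findings


if __name__ == "__main__":
    for name, sample in (("compat", CHROMEOS_COMPAT), ("hardened", HARDENED)):
        print(name, audit(sample))
```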

Set up the VPN on Chrome OS

See instructions from Google Support

To get the user and server certificates, from the pfSense UI go to System / Cert. Manager.

  1. Under the CAs tab, find the certificate used for the OpenVPN server and click the certificate export icon to export the certificate authority.
  2. Under the Certificates tab, find the User Certificate for the VPN user you want to set up. Click the box icon to export it as a P12 file.
  3. These files need to be available on the Chrome device. You can add them to the user's Google Drive, or use some other method as desired.

Install the certificates using the steps listed under “Install certificates” via the Google Support link above.
Essentially, in Chrome you need to go to chrome://settings/certificates and import the CA certificate under the Authorities tab and the user certificate under the Your Certificates tab. When it asks for a password to install the .p12 file, just leave it empty.

Add the OpenVPN connection to Chrome OS

  1. From the Chrome OS settings screen, click on Add connection, Add OpenVPN / L2TP…
  2. Enter the server hostname, for example or the public IP address.
  3. Under service name just give it any friendly name that makes sense, such as Acme. VPN.
  4. For Provider Type select OpenVPN.
  5. Select the CA certificate that you imported under Authorities.
  6. Select the user certificate you imported under Your Certificates.
  7. Enter the VPN username and password, and click Connect.

For larger deployments see which talks about deploying using a Chrome extension which can be deployed using the Chrome Management Console.

3 Replies to “OpenVPN on pfSense with Chrome OS”

  1. In January 2018, these directions mostly worked for me with pfSense 2.4.2.
    I had to set
    Comp-Lzo: No LZO Compression [Legacy style, comp-lzo no]

    I also had to add an option to “Custom Options”
    push “comp-lzo no”

    Without those changes, I was getting an error on the firewall:
    Bad LZO decompression header byte: 69

  2. This doesn’t work at all. I get an immediate failure when trying to connect after following these directions with the error: Failure to connect: Internal error.

    If you got it to work, then something is missing from your directions above.

    The failure is immediate when hitting the connect button on the Chromebook, which tells me something is wrong with the connection definition.

    Also, my pfSense logs show no inbound connection attempts when I try to connect. Meaning the Chromebook configured as shown above is not even attempting to connect to the OpenVPN server in the first place.
