OpenVPN on pfSense with Chrome OS

Do you need to connect a Chromebook to an OpenVPN server running on pfSense? Here’s how to configure the OpenVPN server to be compatible with Chrome OS.

Under VPN / OpenVPN, edit the server configuration as follows:

Server mode: Remote Access (SSL/TLS + User Auth)

TLS Configuration: Unchecked

DH Parameter Length: 2048 bit

Encryption Algorithm: BF-CBC (128 bit key by default, 64 bit block)

Auth digest algorithm: SHA1 (160-bit)

Compression: Omit Preference (Use OpenVPN Default)
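
To confirm that a server config actually matches the settings above, here is an added example (not part of the original post) that parses an OpenVPN config and reports the directives that differ. It assumes the GUI options map to the standard OpenVPN directives cipher, auth, tls-auth / tls-crypt and comp-lzo / compress; the sample configs are constructed, and the DH parameter length is not checked because it is not visible in the directive itself.

```python
import re

# Assumption: standard OpenVPN directive names for the GUI settings listed above.
EXPECTED = {"cipher": "BF-CBC", "auth": "SHA1"}      # Encryption Algorithm / Auth digest
MUST_BE_ABSENT = {                                    # directive -> GUI setting it belongs to
    "tls-auth": "TLS Configuration", "tls-crypt": "TLS Configuration",
    "comp-lzo": "Compression", "compress": "Compression",
}

def parse_directives(text):
    """Map each directive in an OpenVPN config to its argument list."""
    found, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:                                       # inline block: <tls-auth> ... </tls-auth>
            block = None if tag.group(1) else tag.group(2)
            if block:
                found.setdefault(block, [])           # an inline block counts as "present"
            continue
        if block is None:                             # skip material inside inline blocks
            name, *args = line.split()
            found[name] = args
    return found

def check_chromeos_compat(text):
    """Return findings where the config differs from the settings on this page."""
    conf, findings = parse_directives(text), []
    for name, want in EXPECTED.items():
        got = (conf.get(name) or [None])[0]
        if got is None or got.upper() != want:
            findings.append(f"{name}: expected {want}, found {got or 'not set'}")
    for name, setting in MUST_BE_ABSENT.items():
        if name in conf:
            findings.append(f"{name}: present, but '{setting}' should be off/omitted")
    return findings

# Constructed sample configs (not exported from a real pfSense system).
MATCHING = "dev tun\nproto udp\ncipher BF-CBC\nauth SHA1\n# no tls-auth, no compress\n"
DIFFERENT = ("dev tun\ncipher AES-256-CBC\nauth SHA256\ncompress lz4\n"
             "<tls-auth>\n(constructed placeholder, no key material)\n</tls-auth>\n")

if __name__ == "__main__":
    for label, conf in (("matching", MATCHING), ("different", DIFFERENT)):
        print(label, check_chromeos_compat(conf) or "OK")
```
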

Set up the VPN on Chrome OS

See instructions from Google Support

To get the user and server certificates, from the pfSense UI go to System / Cert. Manager.

  1. Under the CAs tab, find the certificate used for the OpenVPN server and click the certificate export icon to export the certificate authority.
  2. Under the Certificates tab, find the User Certificate for the VPN user you want to set up. Click the box icon to export it as a P12 file.
  3. These files need to be available on the Chrome device. You can add them to the user's Google Drive, or use some other method as desired.

Install the certificates using the steps listed under “Install certificates” via the Google Support link above.
Essentially, in Chrome, go to chrome://settings/certificates and import the CA certificate under the Authorities tab and the user certificate under the Your Certificates tab. When it asks for a password to install the .p12 file, just leave it empty.

Add the OpenVPN connection to Chrome OS

  1. From the Chrome OS settings screen, click on Add connection, Add OpenVPN / L2TP…
  2. Enter the server hostname, for example or the public IP address.
  3. Under service name just give it any friendly name that makes sense, such as Acme. VPN.
  4. For Provider Type select OpenVPN.
  5. Select the CA certificate that you imported under Authorities.
  6. Select the user certificate you imported under Your Certificates.
  7. Enter the VPN username and password, and click Connect.

For larger deployments see which talks about deploying using a Chrome extension which can be deployed using the Chrome Management Console.