
Success: Chromebook VPN Client with Merlin

Discussion in 'Asuswrt-Merlin' started by noworries, Aug 20, 2018.

  1. noworries (Occasional Visitor; joined Nov 27, 2017; 26 messages)
    I finally got the OpenVPN Server on my RT-88U router to host my Chromebook (ASUS C300) now that I'm running Merlin V384.6. That Chromebook does not (yet, anyway) support Android apps, so you're on your own with VPN.

    The steps to configure the router and the Chromebook are as follows and please refer to the links for some more background, context, and direction.

    Generally, the process is to set up the OpenVPN server on the router, import user and authority certificates into the Chromebook, create an ONC block file and import that into the Chromebook. Then: Connect, QED.

    1. Configure the ASUS Router OpenVPN server
    Here's how my VPN Server is set up for the Chromebook:
    General:
    • RSA: 2048 encryption
    • Client will use VPN to access: Both
    Advanced:
    • Interface: TUN
    • Protocol: UDP
    • Server Port: 1194
    • Auth Mode: TLS
    • UserName/Password: No (although it will work with username and PWD)
    • TLS Control...: Incoming Auth (0)
    • HMAC Authentication: SHA1
    • VPN/Subnet: Your choice, I used 10.8.0.0 and 255.255.255.0
    • Advertise DNS: Your choice, I used "Yes."
    • Cipher Negotiation: Enable
    • Negotiable Ciphers: Default list
    • Compression: LZO Adaptive
    • Log: 6 for debugging
    • Manage Client specific: No
    2. Process the OpenVPN configuration to create what Chromebook needs
    • Log into your router using PUTTY or equivalent.
    • Create a directory on the USB drive for the following script and resultant files e.g., : /tmp/mnt/data/chromebook
    • Put the script below in the directory you create. (You can paste it from Windows into vi on the router with SHIFT-INSERT after opening a new line in vi with "o".) Or, use your favorite editor.
    • Save the file and make it executable with chmod +x
    • Run the script to create the files
    Code:
    #!/bin/sh
    #
    # Creates certs and keys and inline text needed for the chromebook ONC file
    # from the router's client.ovpn and static.key files.
    # Run it from the directory the output files should land in (e.g. /tmp/mnt/data/chromebook);
    # everything is written to the current directory.
    #
    # Set the ASUS openvpn server number (1 or 2) below. Edit as required
    servernum=1
    pth=/tmp/etc/openvpn/server$servernum
    #
    # Stop at the first failing command so a missing input can't leave you with empty output
    # files, and make sure the unencrypted client key never survives an aborted run.
    set -e
    trap 'rm -f client.crt client.key' EXIT
    [ -r "$pth/client.ovpn" ] || { echo "missing $pth/client.ovpn (is OpenVPN server $servernum enabled?)" >&2; exit 1; }
    [ -r "$pth/static.key" ]  || { echo "missing $pth/static.key" >&2; exit 1; }
    #
    # parse the client.ovpn file for keys and certs (tr strips any CR from Windows line endings)
    # and then create the p12 file. openssl prompts for an export password here; the Chromebook
    # asks for the same password when you import client.p12 in step 4.
    awk '/<ca>/{flag=1;next}/<\/ca>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > ca.crt
    awk '/<cert>/{flag=1;next}/<\/cert>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > client.crt
    awk '/<key>/{flag=1;next}/<\/key>/{flag=0}flag' "$pth/client.ovpn" | tr -d '\r' > client.key
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    #
    # delete newlines from ca.crt. This is the format required by the Chromebook ONC file for
    # the X509 parameter.
    tr -d '\n' < ca.crt > caoneline.txt
    #
    # Convert static key to single line with \n string instead of newlines.
    # This is the format required by chromebook ONC file for the TLSAuthContents parameter.
    # (The header lines of static.key start with '#'; grep -v drops them.)
    grep -v '#' "$pth/static.key" | sed 's/$/\\n/' | tr -d '\n' > TLSAuth.txt
    #
    # client.crt and client.key are removed by the trap above; only client.p12 is kept.
    3. Get the Files out of the Router and Onto the Chromebook
    • On a Windows machine, execute the following code as a batch file, replacing the <> parameters with your local configuration. (Put the code into a new text file and save it with a .bat extension and run it from a command line prompt).
    • Make sure the target directory exists....
    • Then, email or otherwise get the files onto your chromebook.
    (This assumes you have PuTTY installed. If not, you will need to figure out how to get the referenced files off the router and onto your Chromebook.)
    Code:
    @ECHO OFF
    REM Copies the files the router script produced to a Windows folder using PuTTY's pscp.
    REM Caution: -pw passes the router password on the command line (visible to other local
    REM users in the process list) and it sits in this file in clear text; delete the file when done.

    SET RouterUser=<YourUserName>
    REM e.g., admin

    SET RouterPWD=<YourPWD>
    REM e.g., ABadPassword

    SET RouterIP=<YourRouterIP>
    REM e.g., 192.168.1.1

    SET LocalDirectory=<WindowsPathName>
    REM e.g., C:\TEMP

    SET RouterDirectory=<ProcessedFilesDir>
    REM e.g., /tmp/mnt/data/chromebook

    REM Create the local folder if it is not there yet.
    IF NOT EXIST "%LocalDirectory%" MKDIR "%LocalDirectory%"
    @ECHO ON

    "C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/caoneline.txt %LocalDirectory%
    "C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/ca.crt        %LocalDirectory%
    "C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/client.p12    %LocalDirectory%
    "C:\Program Files (x86)\PuTTY\pscp.exe" -scp -pw %RouterPWD% %RouterUser%@%RouterIP%:%RouterDirectory%/TLSAuth.txt   %LocalDirectory%
    4. Import the Certificates into the ChromeBook
    • See this reference.
    • Skip down to "Import the User and Authority" certs. Follow the directions and import both the user (client.p12) and authority (ca.crt) certificates that you have copied to the Chromebook remembering the password you set on the P12 file.
    5. Create and Import ONC Block
    • Install a text editor on your chromebook. Makes life easier.
    • Refer to this same reference again
    • Skip down to and read "Create the ONC Block." Mine is slightly different from the one in the reference, as shown below. Pay attention to creating the two GUIDs you will need and to where they go in the ONC file. You will need to provide your two GUIDs, a friendly name for the VPN to select on the Chromebook, your DDNS address for connection, and the contents of the caoneline.txt and TLSAuth.txt files.
    • GUIDs can be created at http://www.uuidgenerator.net/ as noted in the reference.
    • Save this file onto the Chromebook as <AnyNameYouLike>.ONC
    Here is the ONC structure I use that works with the OpenVPN Server Configuration above.
    Code:
    {
      "Type": "UnencryptedConfiguration",
      "Certificates": [ {
        "GUID": "{<Your GUID1>}",
        "Type": "Authority",
        "X509": "<Contents of the caoneline.txt>"
      } ],
      "NetworkConfigurations": [ {
        "GUID": "{<Your GUID2>}",
        "Name": "<Chromebook VPN Name that will Display>",
        "Type": "VPN",
        "VPN": {
          "Type": "OpenVPN",
          "Host": "<Your DDNS>",
          "OpenVPN": {
            "ServerCARef": "{<Your GUID1>}",
            "AuthRetry": "interact",
            "Auth": "SHA1",
            "ClientCertType": "Pattern",
            "ClientCertPattern": {
              "IssuerCARef": [ "{<Your GUID1>}" ]
            },
            "CompLZO": "adaptive",
            "Port": 1194,
            "Proto": "udp",
            "RemoteCertTLS": "server",
            "RemoteCertEKU": "TLS Web Server Authentication",
            "KeyDirection": "1",
            "TLSAuthContents": "<Contents of the TLSAuth.txt file>"
          }
        }
      } ]
    }
    • After you've saved the ONC file, import it to create the VPN entity in Chrome's Network items.
      • In the Chromebook, enter chrome://net-internals in the browser, and select ChromeOS from the list. This is found again in the same reference under "Importing the ONC file."
      • Browse to and select the ONC file you've created and Open it to import it.

    6. Testing and Caveats
    • I put my phone into hotspot mode and connected the Chromebook to the hotspot. VPN won't work in your local network.
    • Despite the options in the Chromebook VPN configuration it will not save the password if you provide one and ask it to save (at least in my Chromebook).
    • When you ask the VPN to connect, you will or may be asked for a passphrase. Enter any string, like "x" in the OTP field. Again, my Chromebook is not good at null requirements.
    • If you want to use a username/password, change the username/password to yes in OpenVPN server, create a user and password, and then add the following to the ONC file (say, after the KeyDirection parameter):
    Code:
    "Username": "<YourUserName>",
    "Password": "<YourPassword>",
    "SaveCredentials": true,
    However, at least on my Chromebook, the UserName will be saved, but not the password.

    The awk verbiage to process the ovpn file came from here, although more was needed to get it all working as in the previously referenced source. Without both of these, and Google's Open Network Configuration documentation, I'd still be wandering in the dark.

    Enjoy.

     
    Last edited: Aug 22, 2018
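As an added example (not the original poster's code, and nothing from the Asuswrt-Merlin project), here is a small Python script that does steps 2 and 5 above in one pass. It pulls the inline <ca>, <cert> and <key> blocks and the static key out of the router's files and serialises the ONC with json.dumps, so the \n-escaping of TLSAuthContents and the one-line CA certificate come out of the JSON encoder rather than the sed/tr pipeline, and check_onc() catches a mistyped GUID before you import the file. It assumes the file layout described in the post (inline blocks in client.ovpn, the tls-auth key in static.key or an inline <tls-auth> block) and uses the post's server settings as defaults; the sample inputs at the bottom are constructed placeholders, not real keys. client.p12 is still built with openssl and imported as in steps 2 and 4.

```python
#!/usr/bin/env python3
"""make_onc.py: build a ChromeOS ONC file from the router's client.ovpn and static.key.
Added example for this thread, not the original poster's script. Assumes client.ovpn
carries inline <ca>, <cert> and <key> blocks (tls-auth key from static.key or an inline
<tls-auth> block); defaults mirror the post's server settings. client.p12 is still
created and imported as in steps 2 and 4 of the post."""
import json
import re
import sys
import uuid

INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.S)

def extract_inline_blocks(ovpn_text):
    """Return {tag: pem_text} for each inline block, CRLF normalised to LF."""
    text = ovpn_text.replace("\r", "")
    return {tag: body.strip() + "\n" for tag, body in INLINE_BLOCK.findall(text)}

def static_key_body(key_text):
    """Drop the '#' comment header of an OpenVPN static key; keep BEGIN/END markers and
    hex lines, LF-separated. json.dumps renders each LF as the literal \\n that the ONC
    TLSAuthContents field wants, which is what the post's sed/tr pipeline hand-builds."""
    lines = [ln.rstrip("\r") for ln in key_text.splitlines()]
    return "\n".join(ln for ln in lines if ln and not ln.startswith("#")) + "\n"

def build_onc(ovpn_text, host, name, static_key_text=None, port=1194, proto="udp",
              auth="SHA1", comp_lzo="adaptive", key_direction="1",
              ca_guid=None, net_guid=None):
    """Return the ONC document as a dict with the structure of the post's block."""
    blocks = extract_inline_blocks(ovpn_text)
    if "ca" not in blocks:
        raise ValueError("client.ovpn has no inline <ca> block")
    tls_auth = static_key_text if static_key_text is not None else blocks.get("tls-auth")
    if tls_auth is None:
        raise ValueError("no tls-auth key: pass static.key or embed <tls-auth>")
    ca_guid = ca_guid or "{%s}" % uuid.uuid4()  # the post generates these by hand
    net_guid = net_guid or "{%s}" % uuid.uuid4()
    return {
        "Type": "UnencryptedConfiguration",
        # X509 in the same form as the post's caoneline.txt: the PEM with newlines removed
        "Certificates": [{"GUID": ca_guid, "Type": "Authority",
                          "X509": blocks["ca"].replace("\n", "")}],
        "NetworkConfigurations": [{
            "GUID": net_guid, "Name": name, "Type": "VPN",
            "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": {
                "ServerCARef": ca_guid,
                "AuthRetry": "interact",
                "Auth": auth,
                # select the client cert imported from client.p12 by its issuing CA
                "ClientCertType": "Pattern",
                "ClientCertPattern": {"IssuerCARef": [ca_guid]},
                "CompLZO": comp_lzo,
                "Port": port,
                "Proto": proto,
                "RemoteCertTLS": "server",
                "RemoteCertEKU": "TLS Web Server Authentication",
                # server side is "Incoming Auth (0)", so the client is direction 1
                "KeyDirection": key_direction,
                "TLSAuthContents": static_key_body(tls_auth),
            }},
        }],
    }

def render(onc):
    """Serialise to the text that goes into the .onc file."""
    return json.dumps(onc, indent=2)

def check_onc(text):
    """Parse a rendered .onc and confirm every CA reference (ServerCARef, IssuerCARef)
    names a GUID in the Certificates list; a GUID typo makes the import 'succeed' while
    the client can never validate the server or find its own certificate."""
    onc = json.loads(text)
    cert_guids = {c["GUID"] for c in onc["Certificates"]}
    for net in onc["NetworkConfigurations"]:
        o = net["VPN"]["OpenVPN"]
        refs = {o["ServerCARef"], *o["ClientCertPattern"]["IssuerCARef"]}
        if not refs <= cert_guids:
            raise ValueError("dangling CA reference(s): %s" % sorted(refs - cert_guids))
    return True

# Constructed sample inputs (placeholder PEM bodies, not real keys) so the functions can
# be exercised without a router.
SAMPLE_OVPN = (
    "client\r\ndev tun\r\nremote home.example.org 1194\r\n"
    "<ca>\r\n-----BEGIN CERTIFICATE-----\r\nMIIBCA\r\nAAAA\r\n-----END CERTIFICATE-----\r\n</ca>\r\n"
    "<cert>\r\n-----BEGIN CERTIFICATE-----\r\nMIIBCL\r\n-----END CERTIFICATE-----\r\n</cert>\r\n"
    "<key>\r\n-----BEGIN PRIVATE KEY-----\r\nMIIEKEY\r\n-----END PRIVATE KEY-----\r\n</key>\r\n"
)
SAMPLE_STATIC_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
                     "0123abcd\nef456789\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: make_onc.py client.ovpn static.key <ddns-host> <display-name> > vpn.onc")
    ovpn, key = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    text = render(build_onc(ovpn, sys.argv[3], sys.argv[4], key))
    check_onc(text)
    print(text)
```

Copy client.ovpn and static.key off the router (the pscp lines in step 3 work for that too), run `python3 make_onc.py client.ovpn static.key <your DDNS> "Home VPN" > home.onc`, and import home.onc as in step 5. If your server is set to a different HMAC or has compression off, pass `auth=` / `comp_lzo=` to build_onc so the ONC matches the server.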
  3. elorimer (Senior Member; joined Dec 16, 2013; 449 messages)
    Thanks for pulling together the cookbook. This might be good for the wiki. A few things from my experience.

    1. The C300 doesn't support Android apps, but the C300SA does.
    2. This method works on my C302 and C300SA.
    3. The open-source Android OpenVPN client works equally well, but the official OpenVPN Connect doesn't work well at all--constant disconnects.
    4. I've not been very successful using a second configuration identified with a different GUID2, but I haven't spent much time trying.
    5. As you noted, this method allows you a lot more flexibility with the connection (like--ahem--compression), but if you don't need some of the options I think there might also be a path without the .onc file.
    6. It's been in the bug tracker for years now for ChromeOS to process .ovpn files. But it seems to be the added flexibility that gives people security concerns, since ChromeOS runs OpenVPN with elevated privileges and doesn't sanitize the configuration.
     