OpenVPN with ChromeOS and Sophos UTM

I’m going to save a bunch of yak and discussion about things I’m not qualified to discuss. Instead, below is a step-by-step to get a Chromebook or other ChromeOS device connecting to a Sophos UTM.

A couple of notes:

  • I was able to do this without enabling Developer Mode on the Chromebook
  • I did require access to a Linux box to create the .p12 file. I used an Ubuntu server running 14.04.

Step 1: Download your certificates and keys from the Sophos UTM. This is normally accomplished by logging into the UTM UserPortal and selecting the option under Remote Access to download the ZIP archive containing all the necessary files. Sophos, if you're listening: including .p12 and .onc files in that archive would make this process much easier.

Step 2: Since (as of ChromeOS 53) ChromeOS cannot read client certificates, you need to create a .p12 file for import. Execute the following:

  1. From the list of files downloaded in Step 1, copy over the client certificate (ex. client.crt), the client key (ex. client.key), and the sg appliance ca certificate (ex. utm.ca.crt)
  2. Run the OpenSSL command to generate a p12 file (note: substitute MyClient for whatever name you wish to add to the p12 file and substitute the last parameter for the name of your .p12 file):
    openssl pkcs12 -export -in client.crt -inkey client.key -certfile utm.ca.crt -name MyClient -out client.p12

Step 3: Next, you will need to create an .onc file. I believe someone at Sophos could create a program to generate this from the settings or from the .ovpn file. But until they do that, you will need to create one yourself.

Use this template and follow the substitutions listed below:

{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [
    {
      "GUID": "{<guid>}",
      "Name": "<connection name>",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "<host name>",
        "OpenVPN": {
          "Auth": "SHA1",
          "ClientCertType": "Ref",
          "CompLZO": "false",
          "Cipher": "AES-128-CBC",
          "Port": 443,
          "Proto": "udp",
          "SaveCredentials": true,
          "ServerCARef": "{cacert}",
          "ClientCertRef": "{clientcert}",
          "IgnoreDefaultRoute": true,
          "Verb": "3",
          "RemoteCertTLS": "none",
          "ServerPollTimeout": 360
        }
      }
    }
  ],
  "Certificates": [
    {
      "GUID": "{cacert}",
      "Type": "Authority",
      "X509": "-----BEGIN CERTIFICATE-----
<details of the ca cert go here>
-----END CERTIFICATE-----"
    },
    {
      "GUID": "{clientcert}",
      "Type": "Client",
      "X509": "-----BEGIN CERTIFICATE-----
<details of the client cert go here>
-----END CERTIFICATE-----"
    }
  ]
}

Substitutions:

  • <guid> – use this site and generate your own guid
  • <connection name> – this will be the name that appears in ChromeOS for the connection
  • <host name> – use either the IP address or the FQDN. You do not have to put http or https in front
  • compLZO – in the example, I have this set to “false.” If you use compression, this setting will need to be set to “true”
  • port number – in the example, I have 443 listed. Many OpenVPN implementations will use 1194 and you need to specify the proper port number here.
  • protocol – same goes for protocol. In the example, I am showing udp. You may need to use tcp.
  • ca cert – this is where you will need to copy and paste the ca certificate
  • client cert – this is where you will need to copy and paste the client certificate. I have seen lots of different ways to do this, including embedding \n for newlines and putting it all on one line, among other suggestions. All I can share is that I simply copied and pasted the text from the files downloaded in Step 1 above and all worked as expected.
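As an added example (not from the original post, and not a Sophos or Google tool), here is a small Python script that fills in the Step 3 template from the CA and client certificate PEM text and the substitutions above. The PEM blocks below are constructed placeholders, not real certificates; the field names and values mirror the template exactly, and because the document is emitted with json.dumps the certificate line breaks come out as \n escapes, so the resulting .onc is strict JSON regardless of how the PEM files were formatted.

```python
import json
import uuid

# Constructed placeholder PEM blocks for the demo (CRLF and stray indentation on
# purpose, to show the normalization); these are not real certificates.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\r\nQ0EgY2VydCBwbGFjZWhvbGRlcg==\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_CLIENT_PEM = "  -----BEGIN CERTIFICATE-----\nY2xpZW50IGNlcnQgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----  \n"


def normalize_pem(text):
    """Strip CRLF, indentation and blank lines so the PEM embeds cleanly in JSON."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or "-----BEGIN CERTIFICATE-----" not in lines[0] \
            or "-----END CERTIFICATE-----" not in lines[-1]:
        raise ValueError("expected a single PEM CERTIFICATE block")
    return "\n".join(lines)


def new_guid():
    """ONC GUIDs are free-form strings; the braces match the Step 3 template."""
    return "{%s}" % uuid.uuid4()


def build_onc(name, host, ca_pem, client_pem, port=443, proto="udp", comp_lzo=False):
    """Return the ONC document as a dict, field for field as in the Step 3 template."""
    ca_guid, client_guid = new_guid(), new_guid()
    openvpn = {
        "Auth": "SHA1",
        "ClientCertType": "Ref",
        "CompLZO": "true" if comp_lzo else "false",  # the template carries this as a string
        "Cipher": "AES-128-CBC",
        "Port": port,                                 # integer, as in the template
        "Proto": proto,
        "SaveCredentials": True,
        "ServerCARef": ca_guid,                       # must match the Authority GUID below
        "ClientCertRef": client_guid,                 # must match the Client GUID below
        "IgnoreDefaultRoute": True,
        "Verb": "3",
        "RemoteCertTLS": "none",
        "ServerPollTimeout": 360,
    }
    return {
        "Type": "UnencryptedConfiguration",
        "NetworkConfigurations": [{
            "GUID": new_guid(), "Name": name, "Type": "VPN",
            "VPN": {"Type": "OpenVPN", "Host": host, "OpenVPN": openvpn},
        }],
        "Certificates": [
            {"GUID": ca_guid, "Type": "Authority", "X509": normalize_pem(ca_pem)},
            {"GUID": client_guid, "Type": "Client", "X509": normalize_pem(client_pem)},
        ],
    }


def to_onc_json(onc):
    """Serialize for saving as somefile.onc; PEM line breaks become \\n escapes."""
    return json.dumps(onc, indent=2)
```

Write `to_onc_json(build_onc("UTM", "vpn.example.com", open("utm.ca.crt").read(), open("client.crt").read()))` to a file and continue with Step 4.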

Okay, now you should have the following resources:

  • A valid ca certificate (somefile.ca.crt)
  • A valid client certificate (somefile.p12)
  • A properly formatted .onc file (somefile.onc)

Once you have those three assets, copy them to your Google Drive.

Step 4: Import the ca certificate into the Chromebook:

  1. Navigate to chrome://settings/certificates
  2. Click the Authorities tab
  3. Click Import…
  4. Choose the ca certificate from your Google Drive

Step 5: Import the client certificate

  1. Navigate to chrome://settings/certificates
  2. Click the Your Certificates tab
  3. Click Import and Bind to Device…
  4. Choose the .p12 file you created on the Linux box. Remember, you will need the password you set when exporting the .p12 file in Step 2.

Step 6: Import the settings

  1. Navigate to chrome://net-internals
  2. Choose the left menu option, ChromeOS
  3. Select the Choose File button to Import ONC file
  4. Select your .onc file created above
  5. You probably will not see anything change. It’s okay, the VPN connection should now be created.

Once finished with Step 6, you should be able to click the user tray in the lower right, choose VPN, and select your new VPN connection.

Hope this works for you!
