Chromebooks with Openvpn on EC2

Chromebooks are perfect companions for travel. They are light, secure and one generally doesn't have to worry about data theft in case they loose the device.  But surfing from hotels and coffee shops is another story. While most sites are in SSL, there are enough websites which are not... and even the ones which support SSL sometimes forget to use SSL connectivity for sensitive data. Which is why extensions like "HTTPS everywhere" is highly recommended.

If I could, I'd pay a few cents for extra level of privacy when using these public wifi networks. In this post I'll document how you could quickly setup an openvpn server on EC2 instance to do exactly this for your chromebook.


  1. A working EC2 account
  2. A working key-pair (required to ssh into the EC2 instance)
  3. Chromebook with R23 or later 

Step 1 - Launch Amazon Linux AMI ( I used 32 bit for my setup.. its the cheapest). Pick all the defaults options and pay attention to which "Security Group" you would be selecting. It would most probably be called "default"

Step 2 - Edit the security group used by the instance and make sure 1194 udp is added to "inbound" port list.

Step 3 - Ssh into the EC2 instance using your key ( you could also use this extension if you have the 'identity' file instead of the .pem)

ssh -i my_key.pem

Step 4 - Add a user, set password and update the server

sudo bash 
useradd temp 
echo 'my_password' | passwd temp --stdin 
yum -y update

Step 5 - Install/start openvpn server with basic options

# Install  

yum -y install openvpn

yum -y install mailx  

# Create fresh keys

mkdir -p /etc/openvpn/easy-rsa/

cp /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
source vars
export KEY_CITY="test-city"
export KEY_ORG="Example Company"
export KEY_EMAIL=""
export KEY_CN=changemenow
export KEY_NAME=changemenow
export KEY_OU=changemenow
./pkitool --initca
./pkitool --server server
./build-key-pkcs12 --pkcs12 hostname 

# Send a copy of ca cert by mail
mail -s ca.cert -a /etc/openvpn/easy-rsa/keys/ca.crt <<EOF
This is the cert file for this setup. Install this in the authorities tab in the chrome os device from where vpn needs to be initiated.

# Create a server.conf file
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  
# This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
status openvpn-status.log/proc/sys/net/ipv4/ip_forward 

verb 6
plugin /usr/lib/openvpn/plugin/lib/ login
push "dhcp-option DNS"
push "dhcp-option DNS"

#Start the service
/etc/init.d/openvpn start

    Step 6 - Setup basic source nat

    echo 1 > /proc/sys/net/ipv4/ip_forward 
    IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d':' -f2`  
    iptables -F; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $IP

    Step 7 - Install cert
    • In step 5 we sent the ca.cert to the user's email address. The user should download that cert and install it under authorities tab of chromebook [ chrome://chrome/settings/certificates#cert ]
    • There is a known issue that new certs of this type don't take effect until user logs out and logs in again
    • After logging in again add the new vpn
      • chrome://chrome/settings/
      • Click on "Add connection"
      • Click on "Add private network"
      • In "Server hostname:" put in the external IP address or the name of your EC2 instance. For example
      • in "Server CA certificate" you should see a new certificate called "chagemenow"
      • For Username/Password use the credentials you setup in step 4

    Step 8 - Done

      • You should be able to test by pinging from the crosh terminal

      Certificate based authentication

        • If your goal is to setup certificate based authentication you will have to do a few extra steps
          • Along with installing ca.cert in authorities tab, you would also have to install  the hostname.p12 certificate you created in "Step 5" onto your chromebook ( look in the keys directory )
          • In "server.conf" file comment out  both of the  lines below. The first one disables PAM based authentication, and second one enables certificate based authentication.
            • plugin /usr/lib/openvpn/plugin/lib/ login
            • client-cert-not-required
          • When you specify client configuration make sure you specify both "Server CA certificate" and "User certificate".
          • Type something into username to keep the UI satisfied... if you haven't enabled PAM based authentication it would have no effect in the login process.

        Next steps

        • Note that this is the simplest Openvpn setup. There are many different ways you can improve on this, which I highly recommend if you plan to keep this instance running for more than a few minutes or hours.
          • You could use client certificates instead of just username/password
          • You should consider tightening firewall rules on the server  
          • If openvpn is running as root on the server, please switch it to something less privileged like 'nobody'.
        • You should replace passwords and names I used as example above.
        • It should be trivial for someone to write a script to do this... if you do, please let me know and I'll gladly link it from here
        • While EC2 instances costs only a few cents per hour... please do remember to shutdown when you are done, else you will get an unexpected bill at the end of the month.


        Frank Ansari said…
        cool. working.

        comp-lzo should be disabled on server side as in the config shown above.

        Also the push dns entries are important because dns requests are also directed through the tunnel.

        Popular posts from this blog

        Chrome Frame - How to add command line parameters

        Brewers CAP Theorem on distributed systems

        Creating your first chrome app on a Chromebook