Prepping VyOS + OpenVPN for use with a Chromebook

First, create the certificates with EasyRSA, following the instructions on the OpenVPN site.

To build the CA certificate, use the command:
./easyrsa build-ca

To build the server certificate, use the command:
./easyrsa build-server-full server

To build a client, use the command:
./easyrsa build-client-full client

You may want to remove the password from the private keys for the server and client certificates. To do that, use these commands:

cd private
openssl rsa -in server.key -out server-nopass.key
openssl rsa -in client.key -out client-nopass.key
cd ..

Now copy ./issued/server.crt, ./ca.crt, and ./private/client-nopass.key to the VyOS server. Create a new folder called /config/auth/openvpn and store them there.

The OpenVPN connection for VyOS should look like this:

 openvpn vtun0 {
     local-port 1194
     mode server
     openvpn-option --persist-tun
     protocol udp
     replace-default-route {
     }
     server {
         max-connections 10
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/openvpn/ca.crt
         cert-file /config/auth/openvpn/server.crt
         dh-file /config/auth/openvpn/dh.pem
         key-file /config/auth/openvpn/server-nopass.key
     }
 }
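
The tls block names four files under /config/auth/openvpn, including dh.pem and server-nopass.key, and that key no longer has a password, so it is worth checking that each file is present and that the key is readable only by its owner before starting the tunnel. The script below is an added example, not part of the original post; the root-prefix argument and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files named by the
# tls options of a saved VyOS config, e.g. /config/config.boot.
# Usage: sh check_tls.sh <config-file> [root-prefix]
# root-prefix is a hypothetical testing aid prepended to every path.

check_tls_files() {
    conf=$1; root=${2:-}; rc=0
    # Collect "<option> <path>" for the four file options used in tls { }.
    pairs=$(awk '$1 ~ /^(ca-cert-file|cert-file|dh-file|key-file)$/ {print $1, $2}' "$conf")
    [ -n "$pairs" ] || { echo "FAIL no tls file options in $conf"; return 2; }
    while read -r opt path; do
        f=$root$path
        if [ ! -s "$f" ]; then
            echo "FAIL $opt $path: missing or empty"; rc=1
        elif [ "$opt" = key-file ] &&
             [ "$(ls -ldL "$f" | cut -c5-10)" != "------" ]; then
            # A key without a password is protected only by file permissions.
            echo "FAIL $opt $path: readable beyond owner, chmod 600"; rc=1
        else
            echo "OK   $opt $path"
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

if [ "$#" -ge 1 ]; then
    check_tls_files "$@"
else
    # Demo on a constructed tree mirroring the tls block above: dh.pem was
    # never copied and the key was left world-readable.
    demo=$(mktemp -d); mkdir -p "$demo/config/auth/openvpn"
    for n in ca.crt server.crt server-nopass.key; do
        echo constructed > "$demo/config/auth/openvpn/$n"
    done
    chmod 644 "$demo/config/auth/openvpn/server-nopass.key"
    for o in ca-cert-file:ca.crt cert-file:server.crt dh-file:dh.pem key-file:server-nopass.key; do
        echo "    ${o%%:*} /config/auth/openvpn/${o#*:}"
    done > "$demo/conf"
    check_tls_files "$demo/conf" "$demo" || echo "audit failed, as constructed"
    rm -rf "$demo"
fi
```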

Now we have to prep the Chromebook certificate.

openssl pkcs12 -export -out client.pfx -inkey private/client-nopass.key -in issued/client.crt -certfile ca.crt

Now upload the ca.crt and the client.pfx files to the Chromebook. (You can use the SCP addon for the file manager to transfer them there.)

Navigate to chrome://certificate-manager.
Click on Authorities and then click Import.
Navigate to the ca.crt and import it.
Now click back to “Your certificates” and click “Import and Bind to Device”.
Navigate to the client.pfx and import it. When it asks for a password, hit enter without one if you did not set one.
Now navigate to chrome://settings and click “Add Connection”. Choose OpenVPN.
Set the “Provider Type” to be OpenVPN.
Set the CA certificate to be the one that we uploaded.
Set the client certificate to be the client.pfx. Note: It will show up with the common name of the certificate, not the file name.
Now type in any username and password. It doesn’t matter since we are using certificate-based authentication. Save the user/pass so that you do not have to type it every time. Again, it does not matter what you type here.

Now you should be able to connect!