First, create the certificates with EasyRSA, following the instructions on the OpenVPN site:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
To build the CA certificate, use the command:
./easyrsa build-ca
To build the server certificate, use the command:
./easyrsa build-server-full server
To build a client, use the command:
./easyrsa build-client-full client
You may want to remove the password from the private keys of the server and client certificates. To do that, use these commands:
cd private
openssl rsa -in server.key -out server-nopass.key
openssl rsa -in client.key -out client-nopass.key
cd ..
Now copy the ./issued/server.crt, the ./ca.crt, and the ./private/client-nopass.key to the VyOS server. Create a new folder called /config/auth/openvpn and store them there.
The OpenVPN connection for VyOS should look like this:
openvpn vtun0 {
    local-port 1194
    mode server
    openvpn-option --persist-tun
    protocol udp
    replace-default-route {
        local
    }
    server {
        domain-name mydomain.com
        max-connections 10
        name-server 10.0.0.1
        push-route 10.0.0.0/23
        subnet 10.0.1.0/24
        topology subnet
    }
    tls {
        ca-cert-file /config/auth/openvpn/ca.crt
        cert-file /config/auth/openvpn/server.crt
        dh-file /config/auth/openvpn/dh.pem
        key-file /config/auth/openvpn/server-nopass.key
    }
}
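A pre-flight check for the files the tls block above references, added here as an example and not part of the original article: it reports any file the block names (including dh.pem and server-nopass.key) that is missing from the auth directory, and flags a private key that is still encrypted or readable by group or others. The function names are hypothetical, and the script assumes a POSIX shell with awk, ls, cut and grep.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# The tls block from the VyOS configuration above, embedded so this runs offline.
tls_block() {
cat <<'EOF'
tls {
    ca-cert-file /config/auth/openvpn/ca.crt
    cert-file /config/auth/openvpn/server.crt
    dh-file /config/auth/openvpn/dh.pem
    key-file /config/auth/openvpn/server-nopass.key
}
EOF
}

# Print "<option> <file name>" for every *-file option in the config on stdin.
tls_files() {
    awk '$1 ~ /-file$/ { n = split($2, p, "/"); print $1, p[n] }'
}

# check_tls_files DIR: read the config on stdin and print one line per problem.
# Returns 0 only if every referenced file is in DIR and the private key is
# unencrypted (the daemon starts unattended) and readable by its owner only.
check_tls_files() {
    dir=$1; rc=0
    list=$(tls_files)
    while read -r opt name; do
        [ -n "$opt" ] || continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING $opt $name"; rc=1
        elif [ "$opt" = "key-file" ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                echo "LOOSE-PERMS $name"; rc=1
            fi
            # Matches "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
            if grep -q ENCRYPTED "$f"; then
                echo "ENCRYPTED $name"; rc=1
            fi
        fi
    done <<EOF
$list
EOF
    return "$rc"
}

# Usage on the router: sh check.sh /config/auth/openvpn
if [ "$#" -eq 1 ]; then tls_block | check_tls_files "$1"; fi
```

The awk filter also works on the full `openvpn vtun0` stanza, so the live configuration can be piped in instead of the embedded block.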
Now we have to prep the Chromebook certificate.
openssl pkcs12 -export -out client.pfx -inkey private/client-nopass.key -in issued/client.crt -certfile ca.crt
Now upload the ca.crt and client.pfx files to the Chromebook. (You can use the SCP add-on for the file manager to transfer them there.)
Navigate to chrome://certificate-manager.
Click on Authorities and then click Import.
Navigate to the ca.crt and import it.
Now click back to “Your certificates” and click “Import and Bind to Device”.
Navigate to the client.pfx and import it. When it asks for a password, hit enter without one if you did not set one.
Now navigate to chrome://settings and click “Add Connection”. Choose OpenVPN.
Set the “Provider Type” to be OpenVPN.
Set the CA certificate to be the one that we uploaded.
Set the client certificate to be the client.pfx. Note: It will show up with the common name of the certificate, not the file name.
Now type in any username and password. It doesn’t matter what you enter, since we are using certificate-based authentication. Save the user/pass so that you do not have to type it every time.
Now you should be able to connect!