Android/Chrome OS VPN Integration

finjanmobile | Blog, Mobile Security


In their push to establish Chromebooks and Chrome OS as a market-leading alternative to popular desktop and laptop computer systems, Google has adopted a number of measures. One of these was to develop a Chrome extension which allowed Android apps to run on any device on which Chrome was installed – but this approach ran into some problems. Google’s alternative solution was to simply provide support for Android applications on devices running the Chrome OS software.

Piggy-backing a version of the Android environment on top of Chrome OS has resulted in greater compatibility and a tighter integration of Android features. But there’s still some way to go – particularly in resolving the issue of how Virtual Private Networks (VPNs) and their associated software and services function on both platforms.

Achieving a seamless integration of VPNs into the Android-Chrome OS environment remains a challenge, but steps are being taken to resolve the matter.

Android/Chrome OS VPN Integration – Defining Terms

Just to recap, a little: Chromebooks are proprietary hardware, developed by Google, Inc. Coming in a range of sizes, they’re built to cater for both personal and business users. Some Chromebooks are fitted with touchscreen monitors, making them a kind of mid-way solution between a tablet and a traditional laptop.

Chrome OS is the Linux-based operating system which Google has designed for its Chromebooks and compatible hardware. As its name suggests, the environment has the Google Chrome web browsing experience at its core – and as a foundational element of the way its applications function and interact.

Since most Chromebook applications and documents are stored or hosted in the cloud, a secure and continuous internet connection is essential for Chrome OS operations. That makes a VPN (Virtual Private Network) capability an important tool in this context.

VPN Activation in Chrome OS

Without the added option of an Android sub-system, the VPN options available on a regular installation of Chrome OS are somewhat limited. Though there’s native support for the two most popular types of VPN, namely OpenVPN and L2TP/IPsec, many VPN providers don’t support Chromebooks.

So while VPN applications and services based on the OpenVPN or L2TP/IPsec standards may be run without installing programs, VPN software from other vendors requires a full installation of their proprietary applications, and any supplementary programs required to keep them running.

The actual procedure for setting up a VPN connection in Chrome OS is fairly straightforward. Assuming that your VPN service doesn’t have an app in the Chrome Web Store (you should check this, beforehand) you should:

  1. Download the Certificate Authority certificate (CA Certificate) provided by your VPN service, if they require one to be used to make a connection – and if theirs isn’t already installed. Your Chromebook should already have a pre-installed list of recognized and trusted CA Certificates from popular web services. The certificate should be stored as a file on your local storage.
  2. Import the CA server certificate which applies to everyone in your organization, through the Authorities tab of Chrome. When prompted to fill out information on how this certificate should be trusted, leave all the options unchecked. The certificate should then open and install itself on your Chromebook.
  3. If your network requires you to install an individual user certificate for yourself, download the certificate according to your administrator’s instructions, and follow the procedure to import, open and enter your password under the Your Certificates tab.

That’s the tricky part. As for setting up the VPN, you’ll need to sign into your Chromebook (if you haven’t, already), click on your account photo, Settings, Network, Add connection, then Add OpenVPN / L2TP. In the box which then appears, you’ll need to fill in the following:

  • Server hostname: The IP address or full name of the server you must connect with to access your VPN service.
  • Provider type: You’ll need to input a pass code or key, or specify that you’ll be using a User certificate (depending on your network).
  • Pre-shared key: A pass code or key used to connect to the VPN.
  • Server CA certificate: The server VPN certificate you imported earlier.
  • User certificate: The individual user certificate you imported earlier.
  • Your Username and Password for the VPN service.
  • OTP: Any One Time Password or digital token required by your network.
  • Group name: If your VPN configuration has a name.

Then click Connect.

VPN Activation via Android

The Android operating system, used on a major portion of the world’s smartphones and mobile devices, is also a Google property. So it’s not surprising that ways are being developed of integrating Android applications and processes within the Chrome OS environment. There have been challenges in making this work as intended.

Greater compatibility and support, and the tighter integration of Android app features may in theory be achieved by running a version of Android on top of Chrome OS. With what are essentially two different operating environments running in parallel with each other, VPN apps and services must also run in a special way.

Google maintains that VPN connections made on the Chrome OS side should be visible to Android apps. Enabling a VPN within the Chrome OS settings routes your online activities on both Android and Chrome OS apps through the same encrypted connection.

But if you make your VPN connection via an Android application, only other Android apps will be able to use that connection to securely access the internet. This state of affairs has (according to Google) been deliberately designed – but steps are under way to help resolve this issue.
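An added example (not part of the original article): a host-side check for the split described above, assuming you can capture IPv4 `ip route show` output from a Linux shell on the device. It reports destinations that would leave through a non-tunnel interface; the route tables, interface names and tunnel prefixes are constructed for illustration.

```python
import ipaddress

# Interface-name prefixes treated as tunnels (an assumption; adjust per client).
TUNNEL_PREFIXES = ("tun", "tap", "ppp", "wg", "ipsec")

# Constructed sample: host routes while a VPN is up only inside Android.
ANDROID_VPN_ONLY = """\
default via 192.168.1.1 dev wlan0 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Constructed sample: host-side OpenVPN using split /1 routes over the default.
HOST_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

def parse_routes(text):
    """Parse `ip route show` lines into (network, device, metric) tuples."""
    routes = []
    for tok in (line.split() for line in text.splitlines()):
        if "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip entries whose first field is not a prefix
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_device(routes, dst):
    """Longest-prefix match, ties broken by lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def untunnelled(text, probes=("1.1.1.1", "203.0.113.10")):
    """Map each probe address that would leave via a non-tunnel device."""
    found = {}
    for probe in probes:
        dev = egress_device(parse_routes(text), probe)
        if dev is None or not dev.startswith(TUNNEL_PREFIXES):
            found[probe] = dev
    return found

if __name__ == "__main__":
    print(untunnelled(ANDROID_VPN_ONLY), untunnelled(HOST_VPN))
```

The two probe addresses sit in different halves of the IPv4 space, so a tunnel that installs only one of the two /1 routes is still reported.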

The Chromium Gerrit Commit

A new commit (permanent change) to the Chromium Gerrit database indicates that Google has recently added some new APIs (Application Programming Interfaces) for integrating the Android VPN connection into Chrome OS.

According to this new commit, the new APIs add calls to report whether an Android VPN client has been connected or disconnected in Chrome OS, and to let users terminate their Android VPNs through the user interface of Chrome OS.

In addition, the new code makes it possible for web browser traffic in Google Chrome to be routed through an Android VPN. And if an ARC (Android Runtime for Chrome) VPN is connected, the default network will route web traffic through that VPN, with Android assuming that the physical network is still the default.

Android/Chrome OS VPN Integration – Workaround Options

A final thought on the security implications of the current (non-integrated) state of affairs.

Writing under the Defensive Computing banner at Computerworld, security analyst Michael Horowitz observes that the current situation (in which VPN connections made in the Android sub-system are only visible to Android apps) is “data leakage waiting to happen.”

Horowitz seems to suggest that there’s a potential for determined eavesdroppers to target Android/Chrome OS systems running an Android VPN, and siphon off data passing to and from the native Chrome OS applications. As Chromebooks are often issued to their users by institutional bodies such as schools or contained working environments, this could (potentially) reap some dividends for the hackers.

So in the current market where most VPN providers don’t specifically cater for Chromebooks or Chrome OS, users may exercise the safer option of connecting their Chromebooks to a router that functions as a VPN client, rather than relying on the Android sub-system for protection.
