Your Chromebook has built-in support for VPNs that use Internet Key Exchange version 2 (IKEv2). It'll either use a pre-shared key (PSK), user certificates, or Extensible Authentication Protocol (EAP) with a username and password to set up the secure tunnel.
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to "Add built-in VPN," select Add .
- In the box that opens, fill in the info. If you use your Chromebook at work or school, you might need to get this information from your administrator.
- Server name: You can name your connection whatever you’d like. For example, "Work VPN."
- Provider type: Select IPsec (IKEv2).
- Server hostname: Either the IP address or the full server hostname.
- Authentication type: Choose either Pre-shared key, User certificate, or Username and password.
- Username, Password: For EAP connections only. Each VPN user should have their own unique username and password.
- Pre-shared key: For PSK connections only. This key isn't your personal password, but a passphrase or key used in the IPsec configuration. In a typical set-up, everyone who connects to the same VPN server uses the same PSK.
- Server CA certificate: For user certificate connections and EAP connections only. From the list, select your installed certificate authority certificate. The server's certificate gets checked to make sure that it was signed by the correct certificate authority (CA).
- User certificate: For user certificate connections only. From the list, select your installed user VPN certificate. If you don't have any certificates installed, you'll receive an error message. Learn how to install a certificate.
- Local identity and Remote identity: If your VPN provider has instructions for these fields, fill them in here. If you’re not sure, leave these fields empty.
- Select Connect.
Your Chromebook has built-in support for VPNs that use L2TP over IPsec. The IPsec layer will either use a pre-shared key (PSK) or user certificates to set up the secure tunnel. The L2TP layer requires a username and password.
Tip: Cisco ASA devices can be set up to support L2TP over IPSec. Learn how to set up a Cisco ASA device.
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to “Add built-in VPN,” select Add .
- In the box that opens, fill in the info. If you use your Chromebook at work or school, you might need to get this information from your administrator.
- Service name: You can name your connection whatever you like. For example, "Work VPN."
- Provider type: Select L2TP/IPsec.
- Server hostname: Enter either the IP address or the full server hostname.
- Authentication type: Select Pre-shared key or User certificate.
- Username and Password: Your L2TP/PPP credentials. Each VPN user should have their own unique username and password.
- Group name: The client's IPsec identity field, which some VPN servers use to set up the Tunnel Group or User Realm. If you’re not sure, leave this field empty.
- Pre-shared key: For PSK connections only. This key isn't your personal password, but a passphrase or key used in the IPsec configuration. In a typical set-up, everyone who connects to the same VPN server uses the same PSK.
- Server CA certificate: For user certificate connections only. From the list, select your installed certificate authority certificate. The server's certificate gets checked to make sure that it was signed by the correct certificate authority (CA).
- User certificate: For user certificate connections only. From the list, select your installed user VPN certificate. If you don't have any certificates installed, you receive an error message. Learn how to install a certificate.
- Select Connect.
Your Chromebook has basic support for OpenVPN servers. OpenVPN connections can use username/password authentication, client certificate authentication, or a combination of both.
If you need to set up more advanced features of OpenVPN or import an ".ovpn" configuration file, and your Chromebook supports the Play Store, consider installing OpenVPN for Android instead of using the built-in OpenVPN client.
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to OpenVPN / L2TP, select Add .
- In the box that opens, fill in the info. If you use your Chromebook at work or school, you might need to get this information from your administrator.
- Service name: You can name your connections whatever you’d like. For example, "Work VPN."
- Provider type: Select OpenVPN.
- Server hostname: Enter either the IP address or the full server hostname.
- Username and password: Your VPN credentials. This can be left blank if your server only uses client certificate authentication.
- OTP: If you have a one-time password (OTP) card or VPN token that generates one-time passwords, get a password and enter it here. In most cases, leave it blank.
- Server CA certificate: From the list, select your installed certificate authority certificate. The server's certificate gets checked to make sure that it was signed by the correct certificate authority (CA). If you have trouble with your server certificate, you can select Don’t check to skip CA validation, but this skips an important security measure.
- User certificate: If your VPN server requires client certificate authentication, select your installed user VPN certificate from the list. Learn how to install a certificate.
- Select Connect.
Some Chromebooks have basic built-in support for the WireGuard protocol.
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to "OpenVPN / L2TP," select Add .
- In the box that opens, fill in the info.
- Service name: You can name your connection whatever you’d like. For example: "Work VPN."
- Provider type: Select WireGuard.
- Client IP address: This is the IP address you use with the Chromebook.
- Name servers: The name server IPs for the network.
- Key: Select I have a keypair if you have a keypair from the provider, or Generate random keypair if you want to generate them. You can find the generated public key in the network details page after the WireGuard network connects.
- Peer public key, pre-shared key, endpoint, allowed IPs, and persistent keepalive interval: Fill in the corresponding information of the WireGuard server.
- Select Connect.
Chromebooks with the Play Store can connect to PPTP VPN services.
- At the bottom right, select the time.
- Select Settings .
- Scroll down and select Manage Google Play preferences.
- Select Android Settings.
- Scroll down and select PPTP VPN.
- In the upper right, select Add .
- In the box that appears, fill in the info. If you're using your Chromebook with an organization, you might need to get this information from your administrator.
- Name: This can be anything you want to name this connection. For example: "Work VPN."
- Server address: The name of the server you need to connect with to access your VPN. This can either be the IP address or the full server hostname.
- PPP encryption (MPPE): Leave this checked unless your administrator says otherwise.
- Show advanced options: Leave this unchecked unless your administrator says otherwise.
- Username and password: Your VPN credentials. Each VPN user should have their own unique username and password.
- Select Save.
To connect to a PPTP VPN, go to the PPTP VPN menu and select the name of the VPN connection.
Note: Currently, the Manage Google Play preferences is only available for some Chromebooks. Learn which Chromebooks support Android apps.
Available VPN apps
Several VPN apps are available in the Chrome Web Store, including:
Install a VPN app
You can install VPN apps from the Chrome Web Store. Learn more about downloading apps.
If you’re an administrator, you can force install a VPN app using the Admin console. If allowed, you can upload a config file. The app uses the chrome.storage API to read the configuration file and apply it.
Create a new connection
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to the VPN app, select Add .
- Follow the instructions on the screen.
Connect to a VPN
- At the bottom right, select the time.
- Select Settings .
- In the "Network" section, select the connection name.
Chromebooks with the Play Store can install Android VPN apps.
Important: Currently, the Manage Google Play preferences is only available for some Chromebooks. Learn which Chromebooks support Android apps.
To create a new connection or to connect to a VPN provided by an Android app:
Step 1: Install an Android VPN app on your Chromebook
- In the corner of your screen, select the Launcher .
- Select Play Store .
- Search for the VPN app you want to install.
- Select the VPN app.
- On the right, select Install.
Step 2: Configure the VPN app to your Chromebook
- At the bottom right, select the time.
- Select Settings .
- In the “Network” section, select Add connection.
- Next to a connection, select Add [app name]... .
- Follow the onscreen instructions.
Step 3: Keep your VPN connection on
Some VPNs can always stay connected unless your VPN connection stops.
- Make sure you configured a VPN app to your Chromebook.
- At the bottom right, select the time.
- Select Settings .
- On the left panel, select Apps.
- Under “Apps,” select Manage Google Play preferences.
- Select Android Settings.
- In the window that appears, select Network & internet.
- Select VPN. Your VPN app should now be listed.
- To the right of your app, select Settings .
- Turn on Always-on VPN. If your Always-on VPN connection stops, you get a notification that stays on until you reconnect. To clear the notification, turn off that specific Always-on VPN.
Tip: If your VPN connection stops and you don’t want to connect directly to the internet, turn on Block connections without VPN.
Typically VPNs implement a full tunnel, which means that all traffic from all Chrome windows, Chrome apps, and Android apps will pass through the VPN connection. Sometimes you'll want to use a split tunnel so that only certain sites will be accessed through the tunnel, while other traffic will skip the VPN and use your Chromebook's physical network connection instead. This is useful if:
- Your VPN only provides access to internal sites, but not full internet access.
- You need to communicate with devices on your local network, such as printers, while connected to the VPN.
Many Chrome and Android VPN apps, and the built-in OpenVPN client, can be set up to use split tunnel mode. For help setting this up, ask your administrator.
Install certificates
You might need certificates to connect to a VPN, WPA2 Enterprise network, like EAP-TLS, or a website that requires mutual TLS authentication. If so, your administrator might ask you to visit a special website while connected directly to your organization's network, or download and install the certificates directly yourself.
You'll need:
- A server certificate that's for everyone at your organization
- A user certificate that is specific to you
- Download your server certificate, according to the steps your administrator gives you.
- Open a new tab in Chrome .
- In the address bar, enter
chrome://settings/certificates
- Select the Authorities tab.
- Select Import and choose the X.509 certificate file, which is usually a file with a .pem, .der, .crt, or .p7b extension.
- In the box that appears, fill out the info. None of these settings need to be turned on, so we recommend that you leave these unchecked.
- The certificate will open and install itself on your Chromebook.
- Download your user certificate, according to the steps your administrator gives you. Your certificate filename should end with .pfx or .p12.
- Open a new tab in Chrome .
- In the address bar, enter
chrome://settings/certificates
- Select Your certificates.
- Select Import and Bind.
- In the box that opens, select the certificate file and select Open.
- When prompted, enter the password for your certificate. If you don't know the password, contact your network administrator. If you don't have a password, select OK.
- The certificate will open and install itself on your Chromebook.
Chromebooks only support RSA client certificates for authenticating to VPNs or EAP wireless networks. ECC client certificates aren’t supported.
Related resources
- If you're a network administrator, help your users install user certificates at scale with an extension.
- Set up VPN on a Cisco ASA device
- Fix DNS issues