Set up virtual private networks (VPNs)

Your Chromebook can connect to a private network, like the network at your work or school, using a Virtual Private Network (VPN) connection.

Note: If you're using your Chromebook at work or school and have problems setting up your VPN, contact your administrator for more help.

L2TP/IPsec VPN support

Your Chromebook has built-in support for VPNs that use L2TP over IPsec. The IPsec layer will either use a pre-shared key (PSK) or user certificates to set up the secure tunnel. The L2TP layer requires a username and password.

Tip: Cisco ASA devices can be set up to support L2TP over IPsec. Learn how to set up a Cisco ASA device.

Limitations: Chromebooks don’t support IKEv2, XAUTH, or "raw" IPsec without L2TP.

  1. Click your account photo.
  2. Click VPN disconnected.
  3. Next to OpenVPN / L2TP, click Add.
  4. In the box that appears, fill in the info. If you're using your Chromebook with an organization, you might need to get this information from your administrator.
    • Server hostname: This can either be the IP address or the full server hostname.
    • Service name: This can be anything you want to name this connection. For example: "Work VPN."
    • Provider type: Select L2TP/IPsec + Pre-shared key or L2TP/IPsec + User certificate.
    • Username, Password: Your L2TP/PPP credentials. Each VPN user should have their own unique username and password.
    • Group name: The client's IPsec identity field, which some VPN servers use to set up the Tunnel Group or User Realm. If you’re unsure, leave this field empty.
    • Pre-shared key: Used for PSK connections only. This key isn't your personal password, but a passphrase or key used in the IPsec configuration. In a typical setup, everyone who connects to the same VPN server will use the same PSK.
    • Server CA certificate: Used for user certificate connections only. Select your installed certificate authority certificate from the list. The server's certificate will be checked to ensure that it was signed by the correct certificate authority (CA). If you are having trouble with your server certificate, you can select "Don’t check" to skip CA validation; however, this skips an important security measure, because the Chromebook then no longer verifies that the server's certificate was signed by your CA.
    • User certificate: Used for user certificate connections only. Select your installed user VPN certificate from the list. If you don't have any certificates installed, you'll see an error message. To install a certificate, see the instructions below.
  5. Click Connect.

OpenVPN support

Your Chromebook has basic support for OpenVPN servers. OpenVPN connections can use username/password authentication, client certificate authentication, or a combination of both.

If you need to set up more advanced features of OpenVPN or import an ".ovpn" configuration file, and your Chromebook supports the Play Store, consider installing OpenVPN for Android instead of using the built-in OpenVPN client.

  1. Click your account photo.
  2. Click VPN disconnected.
  3. Next to OpenVPN / L2TP, click Add.
  4. In the box that appears, fill in the info. If you're using your Chromebook with an organization, you might need to get this information from your administrator.
    • Server hostname: This can either be the IP address or the full server hostname.
    • Service name: This can be anything you want to name this connection. For example: "Work VPN."
    • Provider type: Select OpenVPN.
    • Username and password: Your VPN credentials. This can be left blank if your server only uses client certificate authentication.
    • OTP: If you have an OTP card or VPN token that generates one-time passwords, get a password and enter it here. In most cases, you'll leave it blank.
    • Server CA certificate: Select your installed certificate authority certificate from the list. The server's certificate will be checked to ensure that it was signed by the correct certificate authority (CA). If you are having trouble with your server certificate, you can select "Don’t check" to skip CA validation; however, this skips an important security measure, because the Chromebook then no longer verifies that the server's certificate was signed by your CA.
    • User certificate: If your VPN server requires client certificate authentication, select your installed user VPN certificate from the list. To install a certificate, see the instructions below.
  5. Click Connect.

PPTP VPN support

Chromebooks with the Play Store can connect to PPTP VPN services.

  1. Click your account photo.
  2. Click Settings.
  3. Scroll down and click Google Play Store.
  4. Click Manage Android Preferences.
  5. Scroll down and click PPTP VPN.
  6. In the upper right, click Add.
  7. In the box that appears, fill in the info. If you're using your Chromebook with an organization, you might need to get this information from your administrator.
    • Name: This can be anything you want to name this connection. For example: "Work VPN."
    • Server address: The name of the server you need to connect with to access your VPN. This can either be the IP address or the full server hostname.
    • PPP encryption (MPPE): Leave this checked unless your administrator says otherwise.
    • Show advanced options: Leave this unchecked unless your administrator says otherwise.
    • Username and password: Your VPN credentials. Each VPN user should have their own unique username and password.
  8. Click Save.

To connect to a PPTP VPN, go to the PPTP VPN menu and click the name of the VPN connection.

Note: Currently, the Google Play Store is only available for some Chromebooks. Learn which Chromebooks support Android apps.

Chrome VPN apps

Available VPN apps

Several VPN apps are available in the Chrome Web Store, including:

Install a VPN app

You can install VPN apps from the Chrome Web Store. Learn more about downloading apps.

If you’re an administrator, you can force install a VPN app using the Admin console. If allowed, you can upload a config file. The app uses the chrome.storage API to read the configuration file and apply it.

Create a new connection

  1. Click your account photo.
  2. Choose VPN disconnected.
  3. Next to the VPN app, click Add.
  4. Follow the instructions on the screen.

Connect to a VPN

  1. Click your account photo.
  2. Choose VPN disconnected.
  3. Click the connection name.

Android VPN apps

Chromebooks with the Play Store can install Android VPN apps.

To create a new connection or to connect to a VPN provided by an Android app:

  1. Click your account photo.
  2. Click VPN disconnected.
  3. Next to the app, click Add.
  4. Follow any onscreen instructions.

Note: Currently, the Google Play Store is only available for some Chromebooks. Learn which Chromebooks support Android apps.

Split tunnel and full tunnel

Typically VPNs implement a full tunnel, which means that all traffic from all Chrome windows, Chrome apps, and Android apps will pass through the VPN connection. Sometimes you'll want to use a split tunnel so that only certain sites will be accessed through the tunnel, while other traffic will skip the VPN and use your Chromebook's physical network connection instead. This is useful if:

  • Your VPN only provides access to internal sites, but not full internet access.
  • You need to communicate with devices on your local network, such as printers, while connected to the VPN.

Many Chrome and Android VPN apps, and the built-in OpenVPN client, can be set up to use split tunnel mode. For help setting this up, ask your administrator.
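
The routing decision described above, as an added example that is not part of the original help page. The prefixes, addresses and destination names are constructed sample values, and the model is the simple one the text gives: a destination inside a tunnelled prefix uses the VPN, and anything else uses the physical network.

```python
import ipaddress

# Constructed sample values for illustration (not from the help page).
FULL_TUNNEL = ["0.0.0.0/0", "::/0"]               # every destination uses the VPN
SPLIT_TUNNEL = ["10.20.0.0/16", "172.16.5.0/24"]  # only internal ranges use the VPN

DESTINATIONS = {
    "intranet wiki": "10.20.3.7",
    "local printer": "192.168.1.50",
    "public website": "203.0.113.10",
    "public website (IPv6)": "2001:db8::10",
}

def parse_routes(prefixes):
    """Parse CIDR strings; strict=True rejects typos such as 10.20.3.7/16."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]

def path_for(dest, routes):
    """Return 'vpn' when dest is inside a tunnelled prefix, else 'physical'."""
    addr = ipaddress.ip_address(dest)
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so a
    # split tunnel that lists only IPv4 prefixes sends all IPv6 traffic outside.
    return "vpn" if any(addr in net for net in routes) else "physical"

def audit(prefixes, destinations=DESTINATIONS):
    """Map each named destination to the path it would take."""
    routes = parse_routes(prefixes)
    return {name: path_for(ip, routes) for name, ip in destinations.items()}

def outside_tunnel(prefixes, destinations=DESTINATIONS):
    """Names of destinations that skip the VPN and use the physical network."""
    result = audit(prefixes, destinations)
    return sorted(name for name, path in result.items() if path == "physical")

if __name__ == "__main__":
    for label, prefixes in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, audit(prefixes))
        print("  outside the VPN:", outside_tunnel(prefixes))
```

Running `outside_tunnel` against the prefix list an administrator plans to deploy shows which destinations will not be protected by the VPN before the configuration reaches users.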

Install certificates

You might need certificates to connect to a VPN, a WPA2 Enterprise network (such as one that uses EAP-TLS), or a website that requires mutual TLS authentication. If so, your administrator might ask you to visit a special website while connected directly to your organization's network, or to download and install the certificates yourself.

You'll need:

  • A server certificate that's for everyone at your organization
  • A user certificate that is specific to you

Install your server certificate

  1. Download your server certificate, according to the steps your administrator gives you.
  2. Open a new tab in Chrome.
  3. In the address bar, enter chrome://settings/certificates
  4. Click the Authorities tab.
  5. Click Import and choose the X.509 certificate file, which is usually a file with a .pem, .der, .crt, or .p7b extension.
  6. In the box that appears, fill out the info. None of these settings need to be turned on, so we recommend that you leave these unchecked.
  7. The certificate will open and install itself on your Chromebook.

Install your user certificate

  1. Download your user certificate, according to the steps your administrator gives you. Your certificate filename should end with .pfx or .p12.
  2. Open a new tab in Chrome.
  3. In the address bar, enter chrome://settings/certificates
  4. Click Your certificates.
  5. Click Import and Bind to Device.
  6. In the box that opens, select the certificate file and click Open.
  7. When prompted, enter the password for your certificate. If you don't know the password, contact your network administrator. If you don't have a password, click OK.
  8. The certificate will open and install itself on your Chromebook.

Chromebooks only support RSA client certificates for authenticating to VPNs or EAP wireless networks. ECC client certificates aren’t supported.

Mel is a Chromebook expert and author of this help page.