Set up virtual private networks (VPNs) on your Pixelbook

Your device has built-in support for VPNs that use L2TP over IPsec. The IPsec layer will either use a pre-shared key (PSK) or user certificates to set up the secure tunnel. The L2TP layer requires a username and password.

Tip: Cisco ASA devices can be set up to support L2TP over IPSec. To learn how to set up a Cisco ASA device, see Related articles.

Limitations: Chrome OS devices don't support IKEv2, XAUTH, or "raw" IPsec without L2TP.

1. In the bottom right, select the time open the status area.
2. Select Settings .
3. In the "Network" section, select Add connection.
4. Next to OpenVPN / L2TP, click Add .
5. In the box that appears, fill in the info. If you're using your device with an organization, you might need to get this information from your administrator.
   • Server hostname: This can either be the IP address or the full server hostname.
   • Service name: This can be anything you want to name this connection. For example: "Work VPN."
   • Provider type: Select L2TP/IPsec + Pre-shared key or L2TP/IPsec + User certificate.
   • Username, Password: Your L2TP/PPP credentials. Each VPN user should have their own unique username and password.
   • Group name: The client's IPsec identity field, which some VPN servers use to set up the Tunnel Group or User Realm. If you’re unsure, leave this field empty.
   • Pre-shared key: Used for PSK connections only. This key isn't your personal password, but a passphrase or key used in the IPsec configuration. In a typical set-up, everyone who connects to the same VPN server will use the same PSK.
   • Server CA certificate: Used for user certificate connections only. Select your installed certificate authority certificate from the list. The server's certificate will be checked to ensure that it was signed by the correct certificate authority (CA). If you are having trouble with your server certificate, you can select "Don’t check" to skip CA validation; however, this skips an important security measure.
   • User certificate: Used for user certificate connections only. Select your installed user VPN certificate from the list. If you don't have any certificates installed, you'll see an error message. To install a certificate, see the instructions below.
6. Select Connect.

Your device has basic support for OpenVPN servers. OpenVPN connections can use username/password authentication, client certificate authentication, or a combination of both.

If you need to set up more advanced features of OpenVPN or import an ".ovpn" configuration file, and your device supports the Play Store, consider installing OpenVPN for Android instead of using the built-in OpenVPN client.

1. In the bottom right, select the time to open the status area.
2. Select Settings .
3. In the "Network" section, select Add connection.
4. Next to OpenVPN / L2TP, select Add
5. In the box that appears, fill in the info. If you're using your device with an organization, you might need to get this information from your administrator.
   • Server hostname: This can either be the IP address or the full server hostname.
   • Service name: This can be anything you want to name this connection. For example: "Work VPN."
   • Provider type: Select OpenVPN.
   • Username and password: Your VPN credentials. This can be left blank if your server only uses client certificate authentication.
   • OTP: If you have an OTP card or VPN token that generates one-time passwords, get a password and enter it here. In most cases, you'll leave it blank.
   • Server CA certificate: Select your installed certificate authority certificate from the list. The server's certificate will be checked to ensure that it was signed by the correct certificate authority (CA). If you are having trouble with your server certificate, you can select "Don’t check" to skip CA validation; however, this skips an important security measure.
   • User certificate: If your VPN server requires client certificate authentication, select your installed user VPN certificate from the list. To install a certificate, see the instructions below.
6. Select Connect.

Devices with the Play Store can connect to PPTP VPN services.

1. In the bottom right, select the time to open the status area.
2. Select Settings
3. Scroll down and select Google Play Store.
4. Select Manage Android Preferences.
5. Scroll down and select PPTP VPN.
6. In the upper right, select Add .
7. In the box that appears, fill in the info. If you're using your device with an organization, you might need to get this information from your administrator.
   • Name: This can be anything you want to name this connection. For example: "Work VPN."
   • Server address: The name of the server you need to connect with to access your VPN. This can either be the IP address or the full server hostname.
   • PPP encryption (MPPE): Leave this checked unless your administrator says otherwise.
   • Show advanced options: Leave this unchecked unless your administrator says otherwise.
   • Username and password: Your VPN credentials. Each VPN user should have their own unique username and password.
8. Select Save.

To connect to a PPTP VPN, go to the PPTP VPN menu and click the name of the VPN connection.

Available VPN apps

Several VPN apps are available in the Chrome Web Store, including:

• Pulse Secure VPN
• SonicWALL Mobile Connect
• Cisco AnyConnect
• F5 Access
• GlobalProtect

Install a VPN app

You can install VPN apps from the Chrome Web Store. Learn more about downloading apps.

If you’re an administrator, you can force install a VPN app using the Admin console. If allowed, you can upload a config file. The app uses the chrome.storage API to read the configuration file and apply it.

Create a new connection

1. In the bottom right, select the time to open the status area.
2. Select Settings .
3. In the "Network" section, select Add connection.
4. Next to the VPN app, select Add .
5. Follow the instructions on the screen.

Connect to a VPN

1. In the bottom right, select the time to open the status area.
2. Select Settings .
3. In the "Network" section, select the connection name.

To create a new connection or to connect to a VPN provided by an Android app:

1. In the bottom right, select the time to open the status area.
2. Select Settings .
3. In the "Network" section, select Add connection.
4. Next to the app, select Add .
5. Follow any onscreen instructions.

Some VPNs let you stay connected all the time, unless your VPN connection stops working.

If your always-on VPN connection stops working, you'll get a notification that stays until you reconnect. To clear that notification, turn off always-on for that VPN.

If you've set up a VPN through an Android app, you won't see the always-on option.

1. Open the Android VPN app.
2. Next to the VPN you want to change, select Settings .
3. Turn on Always-on VPN.
4. If needed, select Save.

Typically VPNs implement a full tunnel, which means that all traffic from all Chrome windows, Chrome apps, and Android apps will pass through the VPN connection. Sometimes you'll want to use a split tunnel so that only certain sites will be accessed through the tunnel, while other traffic will skip the VPN and use your device's physical network connection instead. This is useful if:

• Your VPN only provides access to internal sites, but not full internet access.
• You need to communicate with devices on your local network, such as printers, while connected to the VPN.

Many Chrome and Android VPN apps, and the built-in OpenVPN client, can be set up to use split tunnel mode. For help setting this up, ask your administrator.

1. Download your server certificate, according to the steps your administrator gives you.
2. Open a new tab in Chrome .
3. In the address bar, enter chrome://settings/certificates
4. Select the Authorities tab.
5. Select Import and choose the X.509 certificate file, which is usually a file with a .pem, .der, .crt, or .p7b extension.
6. In the box that appears, fill out the info. None of these settings need to be turned on, so we recommend that you leave these unchecked.
7. The certificate will open and install itself on your device.

1. Download your user certificate, according to the steps your administrator gives you. Your certificate filename should end with .pfx or .p12. 
2. Open a new tab in Chrome .
3. In the address bar, enter chrome://settings/certificates
4. Select Your certificates.
5. Select Import and bind.
6. In the box that opens, select the certificate file and select Open.
7. When prompted, enter the password for your certificate. If you don't know the password, contact your network administrator. If you don't have a password, select OK.
8. The certificate will open and install itself on your device.

Your device only support RSA client certificates for authenticating to VPNs or EAP wireless networks. ECC client certificates aren't supported.