@NiceRath
Last active July 4, 2024 06:32
OpenVPN Profile for ChromeOS (ONC Format)
#!/bin/bash
# onc file format reference: https://chromium.googlesource.com/chromium/src/+/main/components/onc/docs/onc_spec.md#OpenVPN-connections-and-types
# NOTE: it seems tls-crypt is not supported
# TLSAuth
tlsauth="$(cat tlsauth.key | sed '1,3d' | sed ':a;N;$!ba;s/\n/\\n/g')"
# CA Certificate
ca="$(cat ca.crt | sed '1,1d' | sed '$d' | sed ':a;N;$!ba;s/\n//g')"
# Client Certificate
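## Remove password (leave the export password empty when prompted):
## NOTE: test.pem holds the unencrypted private key; delete it once cl.p12 has been created
openssl pkcs12 -in client.p12 -nodes -out test.pem
openssl pkcs12 -export -in test.pem -out cl.p12
## Generate b64 of p12 and strip all line breaks
cert="$(base64 cl.p12 | sed ':a;N;$!ba;s/\n//g')"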
# paste cert, ca and tlsauth into the onc file and test importing it at 'chrome://net-internals/#chromeos'
# {
#   "Type": "UnencryptedConfiguration",
#   "Certificates": [ {
#     "GUID": "{1e05f740-64ed-603f-3f8a-ebc575d290a0}",
#     "Type": "Authority",
#     "X509": "<CA-CERT>"
#   }, {
#     "GUID": "01312de9-bee4-52e0-8c7e-c41706b50dd0",
#     "PKCS12": "<CLIENT-CERT>",
#     "Type": "Client"
#   } ],
#   "NetworkConfigurations": [ {
#     "GUID": "830dd9ea-fcfc-52ca-ad6c-decd00a2acdd",
#     "Name": "<PRETTY-NAME>",
#     "Type": "VPN",
#     "VPN": {
#       "Type": "OpenVPN",
#       "Host": "<SERVER IP or DNS>",
#       "OpenVPN": {
#         "Port": <SERVER PORT>,
#         "Proto": "<SERVER PROTOCOL>",
#         "CompLZO": "false",
#         "UserAuthenticationType": "Password",
#         "AuthNoCache": true,
#         "AuthRetry": "interact",
#         "SaveCredentials": false,
#         "RemoteCertTLS": "server",
#         "RemoteCertEKU": "TLS Web Server Authentication",
#         "TLSVersionMin": "1.2",
#         "VerifyX509": {
#           "Name": "C=AT, ST=Styria, CN=OpenVPN",
#           "Type": "subject"
#         },
#         "ServerCARefs": ["{1e05f740-64ed-603f-3f8a-ebc575d290a0}"],
#         "ClientCertType": "Ref",
#         "ClientCertRef": "01312de9-bee4-52e0-8c7e-c41706b50dd0",
#         "Cipher": "AES-256-GCM",
#         "Auth": "SHA512",
#         "TLSAuthContents": "<TLS-AUTH>",
#         "RenegSec": 86400
#       }
#     }
#   } ]
# }
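
An added example, not part of the original gist: a Python check to run over the filled-in ONC file before importing it, covering the JSON syntax, the certificate values and the GUID references used in the template above. It assumes the header-less, single-line base64 form this script produces; `check_onc` and the sample values are constructed for illustration.

```python
import base64
import json


def check_onc(text):
    """Return a list of problems in an ONC document; an empty list means none found."""
    try:
        onc = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON at line {err.lineno}: {err.msg}"]
    problems, certs = [], {}
    for cert in onc.get("Certificates", []):
        certs[cert.get("GUID")] = cert.get("Type")
        field = "PKCS12" if cert.get("Type") == "Client" else "X509"
        try:  # validate=True rejects spaces, line breaks and PEM header lines
            if not base64.b64decode(cert.get(field, ""), validate=True):
                raise ValueError("empty value")
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append(f"{field} of {cert.get('GUID')} is empty or not plain base64")
    for net in onc.get("NetworkConfigurations", []):
        ovpn = net.get("VPN", {}).get("OpenVPN", {})
        wanted = [(ref, "Authority") for ref in ovpn.get("ServerCARefs", [])]
        if ovpn.get("ClientCertType") == "Ref":
            wanted.append((ovpn.get("ClientCertRef"), "Client"))
        for ref, kind in wanted:  # GUIDs must match exactly, braces included
            if certs.get(ref) != kind:
                problems.append(f"reference {ref} matches no certificate of type {kind}")
        for key, value in ovpn.items():  # template leftovers such as "<TLS-AUTH>"
            if isinstance(value, str) and value.startswith("<") and value.endswith(">"):
                problems.append(f"OpenVPN.{key} still holds the placeholder {value}")
    return problems


# Constructed sample: dummy base64 payloads, not real certificates or keys.
SAMPLE = json.dumps({
    "Type": "UnencryptedConfiguration",
    "Certificates": [
        {"GUID": "{ca-1}", "Type": "Authority", "X509": "TUlJQ2R1bW15"},
        {"GUID": "client-1", "Type": "Client", "PKCS12": "TUlJ ZHVtbXk="},
    ],
    "NetworkConfigurations": [{"Type": "VPN", "VPN": {"Type": "OpenVPN", "OpenVPN": {
        "ServerCARefs": ["ca-1"], "ClientCertType": "Ref",
        "ClientCertRef": "client-1", "TLSAuthContents": "<TLS-AUTH>"}}}],
})

if __name__ == "__main__":
    print("\n".join(check_onc(SAMPLE)))
```

The constructed sample trips three checks: a space inside the PKCS12 value, a `ServerCARefs` entry written without the braces its certificate GUID carries, and an unreplaced `<TLS-AUTH>` placeholder.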