Dealing with VPNs on a Chromebook running Android apps

Yesterday I tried running Android apps on a Chromebook for the first time. By and large it was a pleasant experience.

First, I had to upgrade the operating system, Chrome OS, to version 53.somethinglong. There was no need to change anything else, Android apps are now supported on the stable (normal) channel.

Installing Firefox, shown below, was a bit of a nerd thrill, somewhat akin to the first time I ran Linux in a VM under Windows.

I purchased a touchscreen Chromebook specifically to experience Android, and it turns out that a touchscreen may not really be necessary. Almost everything I tried in Android (granted, I didn't do all that much) could be done with the mouse. The only thing that stumped me was the default Firefox home page which displays big boxes for websites that I do not use. Long pressing on a box lets you delete it, I could not figure out how to delete these boxes with the mouse.

The Android subsystem (is that the right term?) is version 6.0.1 (above) at a Security Patch Level of Sept 5, 2016. The good news is how up-to-date this is. The bad news is that I own a number of Android devices, running version 4, 5 and 6, and the only way I can get bug fixes is to use a Chromebook. Even my Google Nexus tablet, also running Android 6.0.1, is missing the September patches.

The installation of Android is tied to a Google account. On a Chromebook with multiple Google accounts, one can be using Android apps, while another is not.

VPN

The most interesting aspect of Android on Chrome OS, to me, is VPNs. It's interesting, because the Chromebook is now running two operating systems, Chrome OS and Android. A VPN connection typically lives in the fish bowl of an operating system (some live within a web browser). So, how does this hybrid system deal with VPNs?

I had read somewhere that VPN connections made from the Android side are seen by other Android apps, but are not seen on the Chrome OS side. I verified this was true using the TunnelBear Android app.

As you can see above, we are warned ahead of time that "This is an experimental feature and it does not currently handle traffic for all apps."

After making the VPN connection, a visit to one of the many websites that displays your public IP address (checkip.dyndns.com, IP Chicken, unix.com/what-is-my-ip.php) showed that Firefox on Android was connected through the TunnelBear VPN while the native Chrome browser was not. 

To be doubly sure, I asked Google, and was told that yes, VPN connections made on the Android side are only visible to Android apps.

This strikes me as data leakage waiting to happen, so its hard to recommend Android VPNs on a Chromebook.

Interestingly, the reverse it not true. I was told by Google that VPN connections made on the Chrome OS side should be visible to Android apps. I was not able to test this.

In the past, I once defined a VPN on a Chromebook and forgot to check the box to share the definition. The laptop was shared amongst multiple Google users. Because of my initial mistake, only the Google user that created the VPN definition could use it. 

A regular Chromebook (no Android) has limited VPN options. While Chrome OS supports the two most popular types of VPN, L2TP/IPsec and OpenVPN, many VPN providers do not support Chromebooks. I suppose, these companies want you to use their software, so they don't provide the technical information needed to configure a Chromebook to work their service. None of the VPN providers I currently use, supports their service on a Chromebook.

So, from a Defensive Computing standpoint, the safest approach, whether Android is involved or not, is to connect a Chromebook to a router that functions as a VPN client.

This way, data from both the Chrome OS side and the Android side will be sent through the VPN tunnel created by the router. And, this applies to all users of the Chromebook. 

For more about routers that can function as VPN clients, see my previous blog A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers.