Creating an OpenVPN Sandbox for Chromium

Chromium in Oz using OpenVPN

Have you ever wanted to have just a single app use an OpenVPN based VPN, exclusively? Including for DNS resolutions?

Subgraph Oz with multi-bridge support brings (experimental) support for OpenVPN sandbox network transports to Subgraph OS. This means that you can configure specific sandboxed applications so that all traffic from the sandboxed process exits through a specific OpenVPN-based VPN. This guide will explain how to do that for Chromium, while keeping the "regular" Chromium configured for clearnet. All other traffic will continue to exit over Tor.

To accomplish this we rely on bridges and policy routing, both great features supported by the Linux kernel. Bridges can be configured for any sandbox, and Oz will dynamically create a new sandbox-specific routing table and create routing policy rules when OpenVPN brings the tun interface up. System firewall rules also get dynamically reloaded to enable forwarding between the interfaces. We'll write a detailed blog post soon about this - it's still under major development.

This can be configured for any Oz sandbox. A coming guide will explain how to do this for Transmission, a Bittorrent client, so that Bittorrent downloads only happen via VPN.

Choosing an OpenVPN provider

For this guide we are going to use Private Internet Access as the example OpenVPN provider, as they supplied us with free access during testing. If you want to try them, you can use our affiliate link and this will help support the project.

VyprVPN also provided Subgraph with access during testing and we have an affiliate link for them as an alternate provider.

If you aren't using Private Internet Access, these steps change only slightly for most VPN providers. The next tutorial will cover VyprVPN, and ExpressVPN will follow (we have tested and currently use all three).


Note that you must first have clearnet support configured in Oz. We haven't sent this down as an update yet, so it needs to be done manually. If you haven't set this up yet, follow these steps here first.

Also - OpenVPN is not production / release ready. It works, but it's a little brittle and hasn't been audited yet. We need help testing it for now.

Getting started

The commands in this guide will need to be run as root. To escalate to root, type the following:

$ sudo -i

Or you can open the "Root Terminal" from the applications list. The root prompt will be a hash: #, rather than a $.

System update

First you will need to update your Subgraph OS system's package databases:

# apt-get update

Install OpenVPN

You need to install OpenVPN, as it is not included by default with Subgraph OS (yet):

# apt-get install openvpn

Download the PIA OpenVPN files

There is a bundle of files you need to download from Private Internet Access that contains the .ovpn files and key material. You need to unpack the bundle, and then copy its files into some specific locations where Oz can find them:

# cd ~

# mkdir pia

# cd pia

# wget

# unzip

Copy the cert and CRL files into /var/lib/oz/openvpn/:

# cp ca.rsa.2048.crt /var/lib/oz/openvpn/

# cp crl.rsa.2048.pem /var/lib/oz/openvpn/

# mkdir /var/lib/oz/openvpn/pia/

# cp *.ovpn /var/lib/oz/openvpn/pia/

Credentials - username and password only (for now)

For now Oz only supports username/password OpenVPN client authentication. These should be placed in a text file in /var/lib/oz/openvpn/pia. With your favorite editor, create a text file at /var/lib/oz/openvpn/pia/auth.txt containing two lines: the username and then the password. The contents should look like this:

# cat /var/lib/oz/openvpn/pia/auth.txt

..and you might want to restrict access to that file:

# chmod 600 /var/lib/oz/openvpn/pia/auth.txt

Resolv.conf for the OpenVPN sandbox

Processes inside the sandbox will have network connectivity through a bridge configured to route traffic through the OpenVPN tunnel. The sandbox will need its own DNS configuration. That's easy: create a resolv.conf file outside of the sandbox with the DNS servers recommended by your OpenVPN provider. With your favorite text editor, create the following file at /var/lib/oz/openvpn/pia/pia.resolv.conf:

If you're using Private Internet Access, the contents should be:


You can also download the file and place it there from our support server:

# wget
# cp pia.resolv.conf /var/lib/oz/openvpn/pia/

You can see in the Oz profile below that this file is mapped into the sandbox at filesystem location /run/resolvconf/resolv.conf.
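
A pre-flight check for the two files created above, added here as an example (it is not part of Oz or of the original guide). It confirms that auth.txt has the two-line format and owner-only permissions, and that the sandbox resolv.conf names only the resolvers you expect. The function names are hypothetical, GNU stat is assumed, and the resolver addresses you pass in are the ones your provider recommends:

```shell
#!/bin/sh
# Added example, not part of Oz: checks for the files this guide creates.
# Function names are hypothetical; paths are arguments so copies can be tested.

# check_auth_file FILE
# Succeeds only if FILE holds exactly two non-empty lines (username, then
# password) and has no group/other permission bits, e.g. mode 600.
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c %a "$f") || return 1         # GNU stat, as on Debian
    case $mode in
        ?00) ;;                                 # owner-only access
        *) echo "$f: mode $mode is too permissive" >&2; return 1 ;;
    esac
    total=$(awk 'END { print NR }' "$f")
    filled=$(awk 'NF { n++ } END { print n + 0 }' "$f")
    if [ "$total" -ne 2 ] || [ "$filled" -ne 2 ]; then
        echo "$f: expected 2 non-empty lines, found $filled of $total" >&2
        return 1
    fi
}

# check_resolv_conf FILE ALLOWED...
# Succeeds only if FILE has at least one nameserver line and every nameserver
# is in the ALLOWED list. Any other resolver would send the sandbox's DNS
# queries somewhere you did not intend.
check_resolv_conf() {
    f=$1; shift
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    seen=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$f"); do
        seen=1; ok=0
        for allowed in "$@"; do
            [ "$ns" != "$allowed" ] || ok=1
        done
        if [ "$ok" -ne 1 ]; then
            echo "$f: unexpected resolver $ns" >&2
            return 1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "$f: no nameserver lines" >&2; return 1; }
}

# Usage, as root (replace the placeholders with your provider's resolvers):
#   check_auth_file /var/lib/oz/openvpn/pia/auth.txt
#   check_resolv_conf /var/lib/oz/openvpn/pia/pia.resolv.conf RESOLVER1 RESOLVER2
```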

Make a copy of the Chromium Oz profile

Next we are going to "fork" the Chromium sandbox profile, and make a new one:

# cd /var/lib/oz/cells.d/

# cp chromium.json chromium-vpn.json

This creates a new 'context' for Chromium to run in - the state won't be the same. It will be like a fresh install of Chromium, with its own local state, just for this OpenVPN configuration.

You can either make the changes yourself, or download the sample from our website:

# wget

The file should look like this - note that we have chosen the 'Brazil.ovpn' config file - choose the one you want. Private Internet Access organizes their .ovpn files as one per country (as many commercial OpenVPN providers do):

"name": "chromium-vpn"
, "path": "/usr/bin/chromium-vpn"
, "reject_user_args": true
, "default_params": [
        , "--disable-device-discovery"
        , "--disable-gpu"
        , "--incognito"
        , "file:///var/lib/sgos/news/news.html"
, "xserver": {
    "enabled": true
    , "audio_mode": "pulseaudio"
    , "enable_tray": false
    , "tray_icon":"/usr/share/icons/hicolor/256x256/apps/chromium.png"
    , "notifications": true
, "networking":{
    ,"vpn": {"type":"openvpn", "configpath":"pia/Brazil.ovpn",
, "whitelist": [
    {"path": "/var/lib/sgos/news/", "ignore":true}
    , {"path": "${XDG_DOWNLOAD_DIR}/ChromiumVPN", "target":"${XDG_DOWNLOAD_DIR}/Chromium", "can_create": true}
    , {"path": "/usr/lib/chromium/chrome-sandbox", "allow_suid": true, "force": true}
    , {"path": "${HOME}/.config/chromiumvpn", "target": "${HOME}/.config/chromium", "can_create": true}
    , {"path": "/var/lib/oz/openvpn/pia/pia.resolv.conf", "target": "/run/resolvconf/resolv.conf", "force":true}
, "blacklist": [

, "environment": [
, "seccomp": {

Make Oz symbolic links for the OpenVPN chromium

All we need to do to make a 'new' Chromium (as far as Oz is concerned) is to set up some symbolic links that correspond to the profile above.

# cd /usr/bin-oz/

# ln -s chromium chromium-vpn

# cd /usr/bin/

# ln -s oz chromium-vpn

Then just re-load oz-daemon using systemctl:

# systemctl reload oz-daemon.service

Starting OpenVPN Chromium

Drop privileges back to a regular user:

# exit

Now you can run 'chromium-vpn' at the command line - but do not do this as root:

$ chromium-vpn

You can check your IP address by typing the following at the command line from inside the sandbox:

$ oz list
 1) chromium-vpn
$ oz shell 1
Entering interactive shell in 'chromium-vpn'

user@chromium-vpn:~$ dig +short

You can do this in a browser by visiting

Whenever 'chromium-vpn' is run, OpenVPN will start and establish a link just for the app. Keep in mind the number of connections you are allowed to have with a single account! It varies by VPN provider. With the current implementation, one sandbox means one connection to the OpenVPN server. When the application is closed and the sandbox is shut down, the OpenVPN connection will be terminated.


Browser open but no connectivity?

  • Double check the credentials in the auth file.
  • Look in the log file (as root): /var/log/daemon.log
  • Contact us..

A couple of things to note..

This is a very early and still experimental implementation - very bare bones. We plan to improve its robustness greatly, including:

  • Interfacing Oz daemon with the OpenVPN management interface
  • Implementing the iproute2 configuration / policy routing using netlink directly
  • Building UI support for configuring OpenVPN for sandboxed apps
  • Adding AppArmor policy rules for OpenVPN
  • Further auditing the OpenVPN integration and finding ways to restrict what it can do to a host system
  • Adding DNS leak testing to


We'd like to thank both VyprVPN and PIA for comping us with VPN access for building this feature into Oz.

Coming tutorials will provide steps on configuring other applications (such as Transmission) for use over OpenVPN.
