Forum Discussion

maciej
Level 1.6: Donut
3 months ago

Best practices for deploying WireGuard VPN across managed ChromeOS devices (system-wide or via Admin Console)

Hello,

We currently manage a growing fleet of ChromeOS devices (Chromebooks and Chromeboxes) through our Google Workspace domain. All devices are enrolled, updated to the latest ChromeOS version, and centrally configured via the Admin Console. Our VPN of choice is WireGuard, which ChromeOS now supports natively. We followed Google’s official documentation to configure WireGuard per user:

Configure VPNs on ChromeOS (Google Support)

The challenge we are running into is scalability: configuring WireGuard individually on a per-user basis is becoming increasingly tedious as our organization grows.

Ideally, we would like to achieve one of the following:

- System-wide tunnel setup: assign a WireGuard key per device, rather than per user. This would allow the VPN configuration to apply regardless of who logs into the machine.

- Admin Console integration: the ability to push or preconfigure WireGuard VPN settings (similar to how Wi-Fi networks or other VPN types can be managed centrally).

From what I understand, the Admin Console allows pushing some network settings, but WireGuard does not currently appear as a supported option.

We also explored the possibility of using an Android VPN app as a workaround. However, the Android subsystem seems to create its own isolated IP pool, which breaks certain use cases for us — e.g., we need internal VPN IP addresses for DNS resolution and internal resource access, which doesn’t work properly when tunneled through the Android environment.

So my questions are:

  • Is there currently any way to enforce or distribute WireGuard VPN configurations via the Admin Console?

  • If not, is there a recommended workaround to achieve system-wide VPN coverage (device-level rather than user-level)?

  • More generally, what is the best practice for deploying WireGuard in centrally-managed ChromeOS environments today?

I realize WireGuard support on ChromeOS is still relatively new and limited to certain devices, but we’ve been using it successfully with most of our devices. We’re just looking for the most scalable and officially supported way to roll this out across our managed devices.

Thanks in advance for any insights!

4 Replies

  • Lynda
    Google Community Manager
    2 months ago

    Thanks maciej for your post.

    We will try to surface some more information on this; however, I wondered if you could provide details on how many users within your organisation are dependent on WireGuard working on their ChromeOS devices?

    • maciej
      Level 1.6: Donut
      2 months ago

      Hi Lynda. Thanks a lot for your response.

      Right now we have fewer than 20 ChromeOS devices in use, with multiple users across them. Some users log in with different accounts, so at our current scale, setting up the VPN on a per-user basis is still manageable. That said, it does create a few practical issues:

      • When a user signs in to a device for the first time, we have to manually configure their VPN settings again.
      • A new key pair needs to be generated for that user, which raises questions like: should the same user on two different devices use the same key pair, or should each device always have its own pair?

      Of course, this is something we could define internally through policy, but it would be much simpler if ChromeOS worked more like Windows in this regard: a system-wide tunnel tied to the device itself. In our environment, Windows devices already use VPN this way successfully — each machine has its own key pair linked to the hardware, and any user who logs in automatically benefits from the same VPN tunnel and DNS configuration by default. Having the ability to set this up and deploy it centrally through the Admin Console would truly be the cherry on top.

      For context: all of our devices support WireGuard natively, and we’re generally not having any problems using it. The only recurring issue is with DNS — sometimes internal domains don’t resolve properly. From what I understand, this is already a known ChromeOS issue, so I won’t go into detail here.

      Thanks again for looking into this.
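The key-management question raised in the reply above (one key pair per user reused across devices, or one per device) is easiest to settle with a device-level key inventory, which is the model the Windows setup described here already follows. The script below is an added example, not code from this thread or from Google: it derives each device's WireGuard public key from a freshly generated private key (X25519 from RFC 7748, reimplemented in pure Python only so it runs without the `wg` tool), gives every device its own tunnel address, refuses to register the same public key twice or to reissue a key to a device that already has one, and emits both the client-side values and the matching server [Peer] stanza. The 10.8.0.0/24 subnet, the 10.8.0.1 DNS server, the server public key, the endpoint and the device names are constructed placeholders.

```python
"""Added example (not from this thread or from Google): a per-device
WireGuard key inventory.  One key pair per device, never shared, with the
public key recorded centrally so client settings and the server's [Peer]
list come from one source of truth.

X25519 is reimplemented from RFC 7748 so this runs without `wg`.  The
ladder is not constant-time; real keys belong to `wg genkey` or a vetted
crypto library.
"""
import base64
import os
from typing import Dict, Optional, Tuple

P = 2**255 - 19                            # Curve25519 field prime
A24 = 121665                               # (A - 2) / 4 for A = 486662
BASE_POINT = (9).to_bytes(32, "little")    # u = 9, the X25519 generator


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u via the RFC 7748 Montgomery ladder."""
    k_int = _decode_scalar(k)
    u_int = int.from_bytes(u, "little") & ((1 << 255) - 1)  # drop top bit
    x1, x2, z2, x3, z3, swap = u_int, 1, 0, u_int, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap (not constant-time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair(private: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (private, public) base64-encoded, as WireGuard settings expect."""
    private = private or os.urandom(32)
    public = x25519(private, BASE_POINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


class FleetInventory:
    """Records which device holds which public key and tunnel address."""

    def __init__(self, server_public_key: str, endpoint: str,
                 subnet: str = "10.8.0", dns: str = "10.8.0.1"):
        # All four values are constructed placeholders for this example.
        self.server_public_key = server_public_key
        self.endpoint = endpoint
        self.subnet = subnet
        self.dns = dns
        self.devices: Dict[str, Tuple[str, str]] = {}  # id -> (pubkey, address)

    def provision(self, device_id: str,
                  private: Optional[bytes] = None) -> Tuple[str, str]:
        """Issue one fresh key pair and address to one device.

        Returns (client settings, server [Peer] stanza).  A device that already
        has a key is refused: rotate it explicitly rather than silently reissue.
        """
        if device_id in self.devices:
            raise ValueError(f"{device_id} already has a key; rotate instead")
        if len(self.devices) >= 253:
            raise ValueError("tunnel /24 is full")
        priv_b64, pub_b64 = generate_keypair(private)
        if pub_b64 in {pub for pub, _ in self.devices.values()}:
            raise ValueError("public key already registered to another device")
        address = f"{self.subnet}.{len(self.devices) + 2}/32"  # .1 is the server
        self.devices[device_id] = (pub_b64, address)
        client = (
            "[Interface]\n"
            f"PrivateKey = {priv_b64}\n"
            f"Address = {address}\n"
            f"DNS = {self.dns}\n\n"
            "[Peer]\n"
            f"PublicKey = {self.server_public_key}\n"
            f"AllowedIPs = {self.subnet}.0/24\n"    # route only the VPN subnet
            f"Endpoint = {self.endpoint}\n"
            "PersistentKeepalive = 25\n"
        )
        server_peer = (
            f"# device: {device_id}\n"
            "[Peer]\n"
            f"PublicKey = {pub_b64}\n"
            f"AllowedIPs = {address}\n"   # server accepts only this device's /32
        )
        return client, server_peer


if __name__ == "__main__":
    fleet = FleetInventory("SERVER_PUBLIC_KEY_PLACEHOLDER", "vpn.example.com:51820")
    for device in ("chromebox-lab-01", "chromebook-02"):   # constructed ids
        client_cfg, peer_stanza = fleet.provision(device)
        print(client_cfg)
        print(peer_stanza)
```

Each device ends up with its own [Interface] values (private key, address, DNS) plus the shared [Peer] values, which are the same fields the ChromeOS WireGuard dialog asks for when the tunnel is entered by hand; the server side only ever gains one [Peer] stanza per device, so a lost or retired Chromebook is revoked by deleting that single stanza, with no effect on any user who signs in elsewhere.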

  • maciej
    Level 1.6: Donut
    2 months ago

    If we’re moving a bit into speculation, another approach that would completely solve this issue would be the ability to map the Android subsystem’s internal IP pool directly to local network devices or, in this case, to VPN-assigned IPs. That would unlock a lot of enterprise use cases: we could rely on existing Android VPN clients (which can already be deployed and managed through the Admin Console) and still take full advantage of the VPN IP pool. This would mean proper DNS resolution for internal domains, seamless access to internal services, and consistent network identity for devices inside the VPN. In practice, that would give us the benefits of system-wide VPN coverage without needing native ChromeOS support, since the Android VPN environment is already available out of the box.

  • Lynda
    Google Community Manager
    2 months ago

    Hi maciej, I do understand your concern and decided to open a Feature Request to see if this could be changed. It has a low priority for now, as this is not something that we have heard about from other customers/partners.

    However, if you ever want to seek an update from the support team, you can raise a ticket with them and reference FR 447317671 in future discussions to get updates over time.