security & trust
Best practices for deploying WireGuard VPN across managed ChromeOS devices (system-wide or via Admin Console)
Hello,

We currently manage a growing fleet of ChromeOS devices (Chromebooks and Chromeboxes) through our Google Workspace domain. All devices are enrolled, updated to the latest ChromeOS version, and centrally configured via the Admin Console.

Our VPN of choice is WireGuard, which ChromeOS now supports natively. We followed Google's official documentation to configure WireGuard per user: Configure VPNs on ChromeOS (Google Support)

The challenge we are running into is scalability: configuring WireGuard individually on a per-user basis is becoming increasingly tedious as our organization grows. Ideally, we would like to achieve one of the following:

- System-wide tunnel setup - Assign a WireGuard key per device, rather than per user. This would allow the VPN configuration to apply regardless of who logs into the machine.
- Admin Console integration - Ability to push or preconfigure WireGuard VPN settings (similar to how Wi-Fi networks or other VPN types can be managed centrally). From what I understand, the Admin Console allows pushing some network settings, but WireGuard does not currently appear as a supported option.

We also explored the possibility of using an Android VPN app as a workaround. However, the Android subsystem seems to create its own isolated IP pool, which breaks certain use cases for us — e.g., we need internal VPN IP addresses for DNS resolution and internal resource access, which doesn't work properly when tunneled through the Android environment.

So my questions are:

- Is there currently any way to enforce or distribute WireGuard VPN configurations via the Admin Console?
- If not, is there a recommended workaround to achieve system-wide VPN coverage (device-level rather than user-level)?
- More generally, what is the best practice for deploying WireGuard in centrally managed ChromeOS environments today?

I realize WireGuard support on ChromeOS is still relatively new and limited to certain devices, but we've been using it successfully with most of our devices. We're just looking for the most scalable and officially supported way to roll this out across our managed devices.

Thanks in advance for any insights!