pfSense users can connect to cryptostorm using the web interface

Updated in 2021

web UI


  • The first thing you should do is update to the latest pfSense.
    You can do that from the main page near the "Version" section.
    As of writing this, the latest is 2.5.1.
    Most of these instructions were written for 2.4.4-RELEASE-p2, but the majority of it still applies to 2.5.1.

  • After you've updated, you need to add the cryptostorm CA certificate to the system.
    To do that, go to System -> Cert. Manager.
    On the default "CAs" page, click the green "Add" button in the bottom right.

  • In the "Descriptive name" section, write in "cryptostorm CA".
    For the "Method" drop down list, select "Import an existing Certificate Authority".
    In "Certificate data" copy/paste the following:
    If you're using pfSense 2.5.x and your OpenVPN version is >= 2.4.3 and OpenSSL is >= 1.1.1, then you can also use our Ed25519 or Ed448 instances.
    With Ed25519, the only port you can connect to is 5061. With Ed448, it's 5062.
    If you want to use our Ed25519 instances, replace the above certificate with the one here.
    If you want to use our Ed448 instances, replace the above certificate with the one here.
    All the other options should be left blank or at their defaults, so just click the blue "Save" button at the bottom.

  • Now you can begin with the OpenVPN settings.
    Click the "VPN" menu at the top and select "OpenVPN".
    That puts you in the "Servers" section by default, so click the "Clients" section,
    since we're setting up OpenVPN as a client, not a server.
    On the "Clients" page, click the green "Add" button in the bottom right.

  • Under "General Information", most of the defaults can stay as they are.
    If you want to use TCP, change "Protocol" to "TCP on IPv4 only", but keep in mind TCP should only be used if UDP is blocked.
    The settings that must be changed are "Server host or address" and "Server port".
    For "Server host or address", you can view a list of our server hosts at https://cryptostorm.nu/nodes.txt.
    Use something from the list if you want to connect to a specific region, or use the balancer if you don't care where you connect to.
    Also, if for any reason you don't want to use the default "cstorm.is" domain, you can also replace the domain for any node in that list with any of the following:
    cryptostorm.ch, cryptostorm.pw, or cstorm.net
    So if for example you wanted to use the London node and the cryptostorm.ch domain, you would put in "england.cryptostorm.ch".

    For the "Server port", that can be anything from 1 to 29999.
    The default is 443, but some people might get better speeds with port 53, or 5060, or 123. It all depends on whether your ISP is doing port-based QoS.
    If you've chosen to use our Ed25519 instances, the port MUST be 5061. If you're using Ed448, it MUST be 5062.

  • For the "User Authentication Settings" section, your cryptostorm token goes into the "Username" field.
    You can also use the SHA512 hash of your cryptostorm token.
    The password and retry options can both be blank.

  • In the "Cryptographic Settings" section, first select "Use a TLS key".
    Then, deselect "Automatically generate a TLS Key."
    In the "TLS Key" section, copy/paste the following:
    For "TLS Key Usage Mode", choose "TLS Encryption and Authentication".
    If there's a "TLS keydir direction" option, leave that at the default.
    The "Peer Certificate Authority" section should already have "cryptostorm CA" in it if you followed the previous steps correctly.
    The "Peer Certificate Revocation list" isn't needed, so that can be left as is.
    Same goes for "Client Certificate".

    "Encryption Algorithm" should be set to "AES-256-GCM (256 bit key, 128 bit block)", but if you're on a newer pfSense you might see a "CHACHA20-POLY1305 (256 bit key, stream cipher)" listed. Choose that one if it's there.
    The "Enable Negotiable Cryptographic Parameters" option should only be checked if you're on pfSense 2.5.x.
    Click the algorithms in "Allowed Data Encryption Algorithms" until it only contains CHACHA20-POLY1305.
    If you're on an older pfSense, or you just don't want to use CHACHA20-POLY1305, you can skip the "NCP Algorithms" section and just select "AES-256-GCM" for the algorithm.

    "Auth digest algorithm" can be left as is since it's ignored anyway, because we're using an AEAD algorithm.
    "Hardware Crypto" can probably be left at "No Hardware Crypto Acceleration", unless your device supports it.

  • Everything in the "Tunnel Settings" section should be left as is.

  • In the "Advanced Configuration" section, "Custom options" should be set to:
    remote-cert-tls server
    tls-version-min 1.2
    Otherwise pfSense won't do anything to verify the remote server certificates (which would mean man-in-the-middle attacks could happen),
    and it would default to TLSv1, which isn't as secure as v1.2.

  • If you're on pfSense 2.4.x AND you're using UDP to connect, you should also add to the "Custom options":
    explicit-exit-notify 3
    If you're on pfSense 2.5.x, that feature is available in the web interface as "Exit Notify".
    So if you see an "Exit Notify" option, select "Retry 3x" from its dropdown (and don't put explicit-exit-notify in custom options).
    Remember, only use explicit-exit-notify if you're using UDP. It's not supported (or necessary) in TCP.

  • Once you've done all of the above, click the blue "Save" button at the bottom of the page.
    After that, pfSense should automatically start OpenVPN to connect to cryptostorm, so you're done!
    Load up https://cryptostorm.is/test to make sure you're connected.

  • This last step only applies if your network or gateway router or ISP supports IPv6.
    To prevent IPv6 leaks, go to System -> Advanced -> Networking and deselect the first "Allow IPv6" option, then click the blue "Save" button at the bottom.