pfSense users can connect to cryptostorm using the web interface

Updated in 2021

web UI

  • The first thing you should do is update to the latest pfSense.
    You can do that from the main page near the "Version" section.
    As of writing this, the latest is 2.5.1
    Most of these instructions were written for 2.4.4-RELEASE-p2, but the majority of it still applies to 2.5.1

  • After you've updated, you need to add the cryptostorm CA certificate to the system.
    To do that, go to System -> Cert. Manager
    On the default "CAs" page, click the green "Add" button in the bottom right

  • In the "Descriptive name" section, write in "cryptostorm CA".
    For the "Method" drop down list, select "Import an existing Certificate Authority"
    In "Certificate data" copy/paste the following:
    -----END CERTIFICATE-----
    If you're using pfSense 2.5.x and your OpenVPN version is >= 2.4.3 and OpenSSL is >= 1.1.1, then you can also use our Ed25519 or Ed448 instances.
    With Ed25519, the only port you can connect to is 5061. With Ed448, it's 5062.
    If you want to use our Ed25519 instances, replace the above certificate with the one here.
    If you want to use our Ed448 instances, replace the above certificate with the one here.
    All the other options should be left blank or at their defaults, so just click the blue "Save" button at the bottom.

  • Now you can begin with the OpenVPN settings.
    Click the "VPN" menu at the top and select "OpenVPN".
    That puts you in the "Servers" section by default, so click the "Clients" section
    since we're setting up OpenVPN as a client, not a server.
    On the "Clients" page, click the green "Add" button in the bottom right.

  • Under "General Information", most of the defaults can stay as they are.
    If you want to use TCP, change "Protocol" to "TCP on IPv4 only", but keep in mind TCP should only be used if UDP is blocked.
    The settings that must be changed are "Server host or address" and "Server port".
    For "Server host or address", you can view a list of our server hosts at
    Use something from the list if you want to connect to a specific region, or use the balancer if you don't care where you connect to.
    Also, if for any reason you don't want to use the default "" domain, you can also replace the domain for any node in that list with any of the following:,, or
    So if for example you wanted to use the London node and the domain, you would put in "".

    For the "Server port", that can be anything from 1 to 29999.
    The default is 443, but some people might get better speeds with port 53, or 5060, or 123. It all depends on whether your ISP is doing port-based QoS.
    If you've chosen to use our Ed25519 instances, the port MUST be 5061. If you're using Ed448, it MUST be 5062.

  • For the "User Authentication Settings" section, your cryptostorm token goes into the "Username" field.
    You can also use the SHA512 hash of your cryptostorm token.
    The password and retry options can both be blank.

  • In the "Cryptographic Settings" section, first select "Use a TLS key".
    Then, deselect "Automatically generate a TLS Key."
    In the "TLS Key" section, copy/paste the following:
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    For "TLS Key Usage Mode", choose "TLS Encryption and Authentication"
    If there's a "TLS keydir direction" option, leave that to the default.
    The "Peer Certificate Authority" section should already have "cryptostorm CA" in it if you followed the previous steps correctly.
    The "Peer Certificate Revocation list" isn't needed, so that can be left as is.
    Same goes for "Client Certificate".

    "Encryption Algorithm" should be set to "AES-256-GCM (256 bit key, 128 bit block)", but if you're on a newer pfSense you might see a "CHACHA20-POLY1305 (256 bit key, stream cipher)" listed. Choose that one if it's there.
    The "Enable Negotiable Cryptographic Parameters" option should only be checked if you're on pfSense 2.5.x.
    Click the algorithms in "Allowed Data Encryption Algorithms" until it only contains CHACHA20-POLY1305.
    If you're on an older pfSense, or you just don't want to use CHACHA20-POLY1305, you can skip the "NCP Algorithms" section and just select "AES-256-GCM" for the algorithm.

    "Auth digest algorithm" can be left as is since it's ignored anyway, because we're using an AEAD algorithm.
    "Hardware Crypto" can probably be left at "No Hardware Crypto Acceleration", unless your device supports it.

  • Everything in the "Tunnel Settings" section should be left as is.

  • In the "Advanced Configuration" section, "Custom options" should be set to:
    remote-cert-tls server
    tls-version-min 1.2
    Otherwise pfSense won't require the remote certificate to actually be a server certificate, so anything with a certificate from the same CA could impersonate the server (a man-in-the-middle attack),
    and it would default to TLSv1, which isn't as secure as v1.2.

  • If you're on pfSense 2.4.x AND you're using UDP to connect, you should also add to the "Custom options":
    explicit-exit-notify 3
    If you're on pfSense 2.5.x, that feature is available in the web interface as "Exit Notify".
    So if you see an "Exit Notify" option, select "Retry 3x" from its dropdown (and don't put explicit-exit-notify in custom options).
    Remember, only use explicit-exit-notify if you're using UDP. It's not supported (or necessary) in TCP.

  • Once you've done all of the above, click the blue "Save" button at the bottom of the page.
    After that, pfSense should automatically start OpenVPN to connect to cryptostorm, so you're done!
    Load up to make sure you're connected.

  • This last step only applies if your network or gateway router or ISP supports IPv6.
    To prevent IPv6 leaks, go to System -> Advanced -> Networking and deselect the first "Allow IPv6" option, then click the blue "Save" button at the bottom.
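
As an added check that is not part of this guide or of pfSense or cryptostorm, the script below audits the OpenVPN client configuration that the steps above produce (pfSense writes the generated config under /var/etc/openvpn/; that path is assumed here, so pass the file you actually find there). It flags the mistakes the guide warns about: a missing "remote-cert-tls server" or "tls-version-min 1.2", explicit-exit-notify combined with TCP, a non-AEAD cipher, a port outside 1-29999, and an Ed25519/Ed448 CA used with the wrong port. The two embedded configs are constructed samples; the hostname and file names are placeholders, and the Ed25519/Ed448 detection simply assumes the CA file name contains "ed25519" or "ed448".

```python
"""Audit an OpenVPN client config for the settings this guide requires (added example)."""
import sys

# Constructed sample: a client config equivalent to the GUI settings in the guide.
# Hostname, CA and key file names are placeholders, not real cryptostorm values.
GOOD_CONFIG = """\
client
dev tun
proto udp
remote vpn-node.example.invalid 443
auth-user-pass
ca cryptostorm-ca.crt
tls-crypt cryptostorm-tls.key
data-ciphers CHACHA20-POLY1305:AES-256-GCM
remote-cert-tls server
tls-version-min 1.2
explicit-exit-notify 3
"""

# Constructed sample containing the mistakes the guide warns about.
BAD_CONFIG = """\
client
dev tun
proto tcp
remote vpn-node.example.invalid 443
auth-user-pass
ca cryptostorm-ed25519-ca.crt
tls-crypt cryptostorm-tls.key
cipher AES-256-GCM
explicit-exit-notify 3
"""

ALLOWED_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}
CURVE_PORTS = {"ed25519": 5061, "ed448": 5062}  # ports the guide requires per CA


def parse_options(text):
    """Map each directive to its argument list; comments (# or ;) are skipped, last one wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    opts = parse_options(text)
    findings = []

    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': peer not required to hold a server certificate (MITM risk)")

    tls_min = opts.get("tls-version-min")
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("missing or weak 'tls-version-min': add 'tls-version-min 1.2'")

    if "tls-crypt" not in opts:
        findings.append("missing 'tls-crypt': TLS key should be in encryption+authentication mode")

    proto = (opts.get("proto") or ["udp"])[0].lower()
    if "explicit-exit-notify" in opts and proto.startswith("tcp"):
        findings.append("'explicit-exit-notify' set with TCP: only supported over UDP")

    remote = opts.get("remote") or []
    port = int(remote[1]) if len(remote) > 1 else 1194  # OpenVPN's default port
    if not 1 <= port <= 29999:
        findings.append(f"port {port} is outside the 1-29999 range")

    ca_name = (opts.get("ca") or [""])[0].lower()  # assumption: CA file name reveals the curve
    for curve, wanted in CURVE_PORTS.items():
        if curve in ca_name and port != wanted:
            findings.append(f"{curve} CA selected but port is {port}; must be {wanted}")

    for key in ("data-ciphers", "ncp-ciphers", "cipher"):
        for name in ":".join(opts.get(key, [])).split(":"):
            if name and name.upper() not in ALLOWED_CIPHERS:
                findings.append(f"'{key}' allows {name}; use only AES-256-GCM or CHACHA20-POLY1305")

    return findings


if __name__ == "__main__":
    # Usage: python audit_ovpn.py /var/etc/openvpn/<client>/config.ovpn  (path assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    for finding in audit_config(text) or ["no findings"]:
        print(finding)
```

Run without arguments, it audits the constructed BAD_CONFIG and lists four problems; with a path it audits that file. A clean result only means the directives the guide names are present, so it complements, rather than replaces, the connection check in the step above.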