pfSense users can connect to cryptostorm using the web interface

web UI

  • The first thing you should do is update to the latest pfSense.
    You can do that from the main page near the "Version" section.
    As of writing this, the latest is 2.4.4-RELEASE-p2

  • After that, you need to add the cryptostorm CA certificate to the system.
    To do that, go to System -> Cert. Manager.
    On the default "CAs" page, click the green "Add" button in the bottom right.

  • In the "Descriptive name" section, write in "cryptostorm CA".
    For the "Method" drop down list, select "Import an existing Certificate Authority".
    In "Certificate data", copy/paste the following:
    -----END CERTIFICATE-----
    The "Certificate Private Key (optional)" and "Serial for next certificate" parts can be blank,
    so just click the blue "Save" button at the bottom.

  • Now you can begin with the OpenVPN settings.
    Click the "VPN" menu at the top and select "OpenVPN".
    That puts you in the "Servers" section by default, so click the "Clients" section
    since we're setting up OpenVPN as a client, not a server.
    On the "Clients" page, click the green "Add" button in the bottom right.

  • Under "General Information", most of the defaults can stay as they are.
    If you want to use TCP, change "Protocol" to "TCP on IPv4 only", but keep in mind TCP should only be used if UDP is blocked.
    The settings that must be changed are "Server host or address" and "Server port".
    For "Server host or address", you can view a list of our server hosts at
    Use something from the list if you want to connect to a specific region, or use the balancer if you don't care where you connect to.
    Also, if for any reason you don't want to use the default "" domain, you can also replace the domain for any node in that list with any of the following:,, or
    So if for example you wanted to use the London node and the domain, you would put in "".

    The "Server port" can be anything from 1 to 29999.
    The default is 443, but some people might get better speeds with port 53, 5060, or 123. It all depends on whether your ISP is doing port-based QoS.

  • For the "User Authentication Settings" section, your cryptostorm token goes into the "Username" field.
    You can also use the SHA512 hash of your cryptostorm token.
    The password and retry options can both be blank.

  • In the "Cryptographic Settings" section, first select "Use a TLS key".
    Then, deselect "Automatically generate a TLS Key."
    In the "TLS Key" section, copy/paste the following:
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    For "TLS Key Usage Mode", choose "TLS Encryption and Authentication".
    The "Peer Certificate Authority" section should already have "cryptostorm CA" in it if you followed the previous steps correctly.
    The "Peer Certificate Revocation list" isn't needed, so that can be left as is.
    Same goes for "Client Certificate".
    "Encryption Algorithm" must be set to "AES-256-GCM (256 bit key, 128 bit block)" since that's the only one that will work.
    The "Enable Negotiable Cryptographic Parameters" option should be unchecked since there's only one cipher.
    Skip the "NCP Algorithms" section since we're not doing NCP.
    "Auth digest algorithm" can be left as is since it's ignored anyway, because we're using an AEAD algorithm (GCM).
    "Hardware Crypto" can probably be left at "No Hardware Crypto Acceleration", unless your device supports it.

  • Everything in the "Tunnel Settings" section should be left as is.

  • In the "Advanced Configuration" section, "Custom options" should be set to:
    remote-cert-tls server
    tls-version-min 1.2
    Otherwise pfSense won't do anything to verify that the remote certificate is really a server certificate (which would mean man-in-the-middle attacks could happen),
    and it would default to a minimum of TLSv1, which isn't as secure as v1.2.

  • Once you've done all of the above, click the blue "Save" button at the bottom of the page.
    After that, pfSense should automatically start OpenVPN to connect to cryptostorm, so you're done!
    Load up to make sure you're connected.

  • This last step only applies if your network or gateway router or ISP supports IPv6.
    To prevent IPv6 leaks, go to System -> Advanced -> Networking and deselect the first "Allow IPv6" option, then click the blue "Save" button at the bottom.
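
To confirm that the settings from the steps above actually ended up in the OpenVPN client config pfSense generates, here is an added shell script (not part of this guide and not pfSense's own code) that audits a client config file for the directives the guide requires. It assumes OpenVPN 2.4 directive names, and the two sample configs it checks are constructed, with a placeholder hostname and placeholder key/certificate paths.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config for the settings this guide
# requires. Assumes OpenVPN 2.4 directive names; sample configs are constructed.

# Usage: check_ovpn_config FILE  -> returns 0 if compliant, 1 otherwise
check_ovpn_config() {
    cfg="$1"; bad=0
    # One pattern per directive the guide's settings must produce: server EKU
    # check, TLS 1.2 floor, the only working cipher, tls-crypt key, and the CA.
    for want in '^remote-cert-tls server$' \
                '^tls-version-min 1\.2$' \
                '^cipher AES-256-GCM$' \
                '^tls-crypt ' \
                '^ca '; do
        grep -Eq "$want" "$cfg" || { echo "$cfg: missing /$want/" >&2; bad=1; }
    done
    # The guide allows any server port from 1 to 29999; read it off "remote".
    port=$(awk '$1 == "remote" { print $3; exit }' "$cfg")
    case "$port" in
        ''|*[!0-9]*) echo "$cfg: remote line has no numeric port" >&2; bad=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 29999 ] \
             || { echo "$cfg: port $port outside 1-29999" >&2; bad=1; } ;;
    esac
    return $bad
}

# Constructed sample configs (placeholder host and key/cert paths).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
client
remote vpn.example.invalid 443
cipher AES-256-GCM
ca /placeholder/cryptostorm-ca.crt
tls-crypt /placeholder/tls.key
remote-cert-tls server
tls-version-min 1.2
EOF
cat > "$BAD" <<'EOF'
client
remote vpn.example.invalid 30001
cipher AES-256-CBC
ca /placeholder/cryptostorm-ca.crt
tls-auth /placeholder/tls.key 1
EOF
check_ovpn_config "$GOOD" && echo "$GOOD: ok"
check_ovpn_config "$BAD" || echo "$BAD: needs fixing"
```

On the firewall itself, point the function at the generated client config instead of the samples; pfSense keeps those under /var/etc/openvpn/ (an assumed path, check your version).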