pfSense

OpenVPN

Note: In some of the screenshots below, the page was edited to only show settings that should be changed.

  1. The first thing you should do is update to the latest pfSense. You can do that from the main page near the "Version" section.

  2. After you've updated, you need to add the cryptostorm Certificate Authority (CA) to the system.
    To do that, go to System -> Certificates, then click the green Add button.
    pfsense openvpn screenshot 1
  3. In the "Descriptive name" section, type in "cryptostorm CA".
    For the "Method" drop down list, select "Import an existing Certificate Authority".
    In "Certificate data", copy/paste our CA for whichever config type you're using.

    for ECC (the default) or RSA configs, use


    for Ed25519 configs, use


    for Ed448 configs, use


    All the other options should be left blank or at their defaults, so just click the blue "Save" button at the bottom.

    pfsense openvpn screenshot 2

  4. Now you can begin with the OpenVPN settings. Click the "VPN" menu at the top and select "OpenVPN".
    That puts you in the "Servers" section by default, so click the "Clients" section then click the green "Add" button in the bottom right.
    pfsense openvpn screenshot 3

  5. Under "General Information", type in whatever description you want ("CS Singapore UDP", etc.).
    Leave everything in "Mode Configuration" at its defaults.
    Under "Endpoint Configuration", for Protocol select "UDP on IPv4 only". If UDP is blocked by your ISP, use "TCP on IPv4 only".
    If you want to route both IPv6 and IPv4 through the VPN, select "UDP IPv4 and IPv6 on all interfaces (multihome)".

  6. For "Server host or address", you can view a list of our server hosts at https://cryptostorm.nu/nodes.txt
    If you plan on using IPv6, you first need to do a DNS lookup of the host from nodes.txt and copy the IPv6 address.
    You can do this from Diagnostics -> DNS Lookup. The IPv6 address is the one with the colons instead of periods, and a record type of AAAA.

    As for the "Server port", the default 1194 will work, but you can change it to anything from 1-29999
    (except for the Ed25519 configs, which are limited to port 5060, and the Ed448 configs to port 5061).

  7. Under "User Authentication Settings", put your cryptostorm token (or its SHA512 hash) in the username field, and any text in the password field.

  8. pfsense openvpn screenshot 4

  9. In the "Cryptographic Settings" section, deselect "Automatically generate a TLS Key".
    In the "TLS Key" section, copy/paste the following:

    For ECC, Ed25519, and Ed448 configs, use:


    For the RSA configs, use:

    For the "TLS Key Usage Mode", set it to "TLS Encryption and Authentication" if you're using the ECC, Ed25519, or Ed448 configs.
    If you're using the RSA configs, set it to "TLS Authentication".

  10. pfsense openvpn screenshot 5

    "Peer Certificate Authority" should already be set to the "cryptostorm CA" you imported earlier.
    Under "Data Encryption Algorithms", make sure only AES-256-GCM and CHACHA20-POLY1305 are in the list to the right.
    The only thing that should be changed under "Tunnel Settings" is the last entry, "Add server provided DNS" should be checked.
    On some WiFi networks, mssfix 1400 is also needed under Custom options, at least for the UDP configs.
    Leave everything else as is, and click the blue Save button at the bottom.
    pfsense openvpn screenshot 6

  11. Double check that OpenVPN was able to connect to the server correctly by going to Status -> System Logs -> OpenVPN.
    Scroll down to the very bottom of the page. If the connection was successful, you should see "Initialization Sequence Completed".
    pfsense openvpn screenshot 7

    You can also verify by going to Diagnostics -> Command Prompt and running the command:
    curl -s https://cryptostorm.is/test -4
    To test IPv6, if you connected to the IPv6 VPN IP, use:
    curl -s https://cryptostorm.is/test -6

    pfsense openvpn screenshot 8

    pfsense openvpn screenshot 9
    If you're not using the IPv6 VPN IP and this second command shows a leak, it shouldn't be an issue if the devices connected aren't routing IPv6.

  12. Routing won't work on the devices connected to pfSense until an outbound NAT rule is added.
    Before you do that, if you're using an IPv6 VPN IP and your LAN interface has no IPv6 network assigned to it, add one by going to Interfaces -> LAN
    and changing the IPv6 configuration to "Static IPv6", then pick an address pool under "Static IPv6 Configuration" (e.g., fd00:20:20::/64).

  13. Go to Firewall -> NAT -> Outbound. Select "Manual Outbound NAT rule generation", then click the Save button, then Accept Changes.
    Afterwards, click the first Add button at the bottom.
    Set Interface to OpenVPN, Address Family to IPv4 (or if using the IPv6 VPN IP, to IPv4+IPv6).
    Set Source to LAN Subnets, leave every other option at their defaults, then click the Save button at the bottom, then the Apply Changes button.

  14. The last step is stopping DNS leaks. Go to Firewall -> NAT, and on the default page (Port Forward) click the first Add button.
    Set Interface to LAN, Address Family to IPv4, Protocol to TCP/UDP, Destination to Any, the Destination Port range to DNS,
    and for Redirect target IP, select Address or Alias, and for Address type in 10.31.33.7 (or 10.31.33.8 if you don't want ad/tracker blocking).
    For Redirect target port, also set it to DNS. Filter rule association can be set to None.

    If using IPv6, repeat the previous step, but select IPv6 for Address Family, and 2001:db8::7 for the Address (or 2001:db8::8 if you don't want ad/tracker blocking).

    These rules should force all DNS requests to get redirected to the VPN's DNS servers. The page should look like this:
    pfsense openvpn screenshot 10

  15. The devices connected to your pfSense router should now be using the VPN.
    Go to https://cryptostorm.is/test on those devices to verify.

    For more complex network scenarios, see the pfSense documentation.
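As an added example (not cryptostorm's or pfSense's own code), the settings from steps 5 through 10 expressed as an OpenVPN client profile generator that enforces the guide's port limits and picks tls-crypt or tls-auth to match the "TLS Key Usage Mode" choice. The hostname, CA and static key contents are placeholders, and key-direction 1 is the usual client-side value, assumed here.

```python
"""OpenVPN client profile equivalent to the pfSense settings in steps 5-10.
Added example, not cryptostorm's or pfSense's code; CA/key text, hostname
and key-direction 1 (usual client value) are placeholders or assumptions."""

# Port rules from the guide: Ed25519 and Ed448 configs are pinned to one
# port, every other config type accepts 1-29999.
FIXED_PORT = {"ed25519": 5060, "ed448": 5061}
MAX_PORT = 29999
CONFIG_TYPES = ("ecc", "rsa", "ed25519", "ed448")

# pfSense "Protocol" drop-down value -> OpenVPN proto directive.
PROTO = {
    "UDP on IPv4 only": "udp4",
    "TCP on IPv4 only": "tcp4",
    "UDP IPv4 and IPv6 on all interfaces (multihome)": "udp",
}

def tls_key_directive(config_type):
    """'TLS Encryption and Authentication' is tls-crypt (ECC, Ed25519, Ed448);
    'TLS Authentication' is tls-auth (RSA)."""
    return "tls-auth" if config_type == "rsa" else "tls-crypt"

def check_port(config_type, port):
    """Raise if the port is outside what the guide allows for this config type."""
    fixed = FIXED_PORT.get(config_type)
    if fixed is not None and port != fixed:
        raise ValueError(f"{config_type} configs only work on port {fixed}")
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port must be 1-{MAX_PORT}, got {port}")
    return port

def build_client_config(config_type, remote, port, protocol, mssfix=None,
                        ca_pem="<CA PEM HERE>", tls_key="<STATIC KEY HERE>"):
    """Return the .ovpn text; the token is supplied through auth-user-pass."""
    config_type = config_type.lower()
    if config_type not in CONFIG_TYPES:
        raise ValueError(f"unknown config type {config_type!r}")
    check_port(config_type, port)
    lines = [
        "client", "dev tun", f"proto {PROTO[protocol]}",
        f"remote {remote} {port}",
        "remote-cert-tls server",       # only accept a server certificate
        "auth-user-pass",               # username = token or its SHA512 hash
        "data-ciphers AES-256-GCM:CHACHA20-POLY1305",   # step 10's two ciphers
    ]
    if mssfix:                          # e.g. 1400 on some WiFi networks (UDP)
        lines.append(f"mssfix {mssfix}")
    lines.append(f"<ca>\n{ca_pem}\n</ca>")
    directive = tls_key_directive(config_type)
    lines.append(f"<{directive}>\n{tls_key}\n</{directive}>")
    if directive == "tls-auth":
        lines.append("key-direction 1")  # assumed: standard client direction
    return "\n".join(lines) + "\n"
```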

WireGuard

  1. First, go to System -> Package Manager -> Available Packages, then type in "WireGuard" and change "Both" to "Name", then click "Search".
    Click the Install button, then Confirm.
    pfsense wg screenshot 1

  2. Once the install is finished, you should see a new WireGuard option under VPN in the menu at the top, so click on that.
    On the WireGuard/Tunnels page, click Add Tunnel.
    Under Tunnel Configuration, click the Generate button to the right to generate a new key pair, then copy the public key.
    pfsense wg screenshot 2

  3. Open a new browser tab and go to https://cryptostorm.is/wireguard
    Paste the public key into the Advanced box, and put your cryptostorm access token into the box before it, then click the ADD button.
    pfsense wg screenshot 3

  4. Leave this cryptostorm.is/wireguard tab open, and switch back to the pfSense WireGuard Tunnels page.
    Leave everything else on this page as is, then click the Save tunnel button at the bottom.
    pfsense wg screenshot 4

  5. You will see "The WireGuard service is not running", but ignore that for now. Click the Peers section, then the green Add Peer button.
    pfsense wg screenshot 5

  6. In the Peer Configuration section, change Tunnel to tun_wg0, and (optionally) type a name into Description (CS WG, etc.).
    Next to Dynamic Endpoint, deselect the Dynamic checkbox.
    For Endpoint use one of the server host names from https://cryptostorm.nu/nodes.txt
    The default Endpoint Port of 51820 won't work, so that needs to be set to anything between 1 and 29999 (most people use 443).
    Keep Alive should be set to 25, since that's what the server uses.
    Public Key should be set to our server public key for whichever server you picked from nodes.txt
    The server public keys are on that cryptostorm.is/wireguard page, which you should still have open.
    We're using the Singapore node in this example, so public key is set to Hb3Pn2+Q/frHZPiyoonsHOiYzzWSwtFighFIER6T8jQ=
    Pre-shared Key needs to be set to what's shown for "Your preshared key" on the cryptostorm.is/wireguard page.
    pfsense wg screenshot 6

  7. In the "Address Configuration" section, type into Allowed IPs the address 0.0.0.0 and set the dropdown list after it to 0
    Click "Add Allowed IP", then add :: (two colons) and also set the dropdown list after it to 0.
    Now click the blue Save Peer button.
    pfsense wg screenshot 7

  8. Back on the Peers page, click Settings to switch to that page.
    Click the "Enable WireGuard" checkbox under General Settings, then the blue Save button at the bottom, then the Apply Changes button.
    pfsense wg screenshot 8

  9. If you plan on routing IPv6 through the VPN, your LAN interface needs an IPv6 subnet. So if you don't have one, click on Interfaces -> LAN and change
    "IPv6 Configuration Type" to "Static IPv6", then scroll down to "Static IPv6 Configuration" and choose a subnet (e.g., fd00:20:20::/64).

  10. Next, click the Interfaces menu at the top, then Assignments. On this page, next to tun_wg0, click the green Add button, then the blue Save button.
    pfsense wg screenshot 9

  11. Click the Interfaces menu at the top again, and there should now be an OPT1 entry, so click on that.
    Select "Enable interface", then next to "IPv4 Configuration Type" select "Static IPv4", and for "IPv6 Configuration Type" set it to "Static IPv6".
    pfsense wg screenshot 10

    Scroll down to the "Static IPv4 Configuration" section, and in the IPv4 address box, copy/paste the 10.10.x.x IP from the cryptostorm.is/wireguard tab that should still be open.
    After that, click the green "Add a new gateway" button. In this window, set the Gateway IP field to the same 10.10.x.x IP from cryptostorm.is/wireguard, then click the Add button.
    pfsense wg screenshot 11

    Scroll down to the "Static IPv6 Configuration" section, and in the IPv6 address box, copy/paste the fd00:10:10::xxxx IP from the cryptostorm.is/wireguard tab.
    After that, click the green "Add a new gateway" button. In this window, set the Gateway IP field to the same fd00:10:10::xxxx IP from cryptostorm.is/wireguard, then click the Add button.
    pfsense wg screenshot 12

    Leave everything else on this page as is, and click the blue Save button at the bottom, then the green Apply Changes button.

  12. Go to Firewall -> NAT -> Outbound. If you select Manual Outbound NAT / Save, it will generate most of the rules needed.
    Then you can switch to "Hybrid Outbound NAT rule generation", then click the Save button, then Accept Changes.
    Next, (optional, but recommended) select all the entries with "500 (ISAKMP)" and delete them, since that's for IPSec and we're using WireGuard.
    If you're using IPv6, add a mapping for the WAN Interface, with source set to fd00:20:20::/64 (or whatever IPv6 network you chose for the LAN interface earlier),
    and Translation set to WAN Address.
    Then add another mapping after that for the OPT1 Interface, with source set to fd00:20:20::/64 (or whatever IPv6 network you chose for the LAN interface earlier),
    and Translation set to OPT1 Address. It should look something like this:
    pfsense wg screenshot 13

  13. To get the devices connected to this pfSense to use the VPN, go to Firewall -> Rules, select the LAN tab, then click the first Add button.
    On this page, interface should be set to LAN, and Address Family to IPv4, but change Protocol to any.
    In the Source section, choose Network and set it to your LAN's network (192.168.1.1/24 by default).
    If you only want certain devices to use the VPN (and not all of them), you can instead use single addresses here (192.168.1.100/32 for example, repeating the rule for each device).
    Scroll down to the bottom and click the "Display Advanced" button. Scroll down some more until you see Gateway. Change this from Default to OPT1GW.
    Now click the Save then Apply Changes buttons.

  14. And if you're doing IPv6 too, go to Firewall -> Rules, select the LAN tab, then click the first Add button.
    On this page, interface should be set to LAN, and Address Family to IPv6, but change Protocol to any.
    In the Source section, choose Network and set it to your LAN's network (fd00:20:20::/64 in the above example).
    If you only want certain devices to use the VPN (and not all of them), you can instead use single addresses here (fd00:20:20:0:7c1b:78f2:cfce:b367/128 for example, repeating the rule for each device).
    Scroll down to the bottom and click the "Display Advanced" button. Scroll down some more until you see Gateway. Change this from Default to OPT1GWv6.
    Now click the Save then Apply Changes buttons. The rules page should look something like this:
    pfsense wg screenshot 14

  15. The last step is stopping DNS leaks. Go to Firewall -> NAT, and on the default page (Port Forward) click the first Add button.
    Set Interface to LAN, Address Family to IPv4, Protocol to TCP/UDP, Destination to Any, the Destination Port range to DNS,
    and for Redirect target IP, select Address or Alias, and for Address type in 10.31.33.7 (or 10.31.33.8 if you don't want ad/tracker blocking).
    For Redirect target port, also set it to DNS. Filter rule association can be set to None.

    If using IPv6, repeat the previous step, but select IPv6 for Address Family, and 2001:db8::7 for the Address (or 2001:db8::8 if you don't want ad/tracker blocking).

    These rules should force all DNS requests to get redirected to the VPN's DNS servers. The page should look like this:
    pfsense openvpn screenshot 10

  16. The devices connected to pfSense should now be using the VPN. On those devices, go to https://cryptostorm.is/test to verify that they're connected to the VPN.

  17. In the above setup, traffic generated from the pfSense device itself won't be using the VPN.
    If you want that, go to System -> Routing, then Gateway Groups, then click the Add button.
    Set the Group Name to Prefer_WG4, OPTGW to Tier 1, and WAN_DHCP to Tier 2, then Save / Apply Changes.
    If using IPv6, add another Gateway Group, with the Group Name set to Prefer_WG6, OPTGWv6 to Tier 1, and WAN_DHCPv6 to Tier 2, then Save / Apply Changes.
    Go back to System -> Routing, then change the Default gateway IPv4 to Prefer_WG4, and for IPv6 to Prefer_WG6. Click Save / Apply Changes.

    To verify that pfSense is now using WireGuard for its own traffic, go to Diagnostics -> Command Prompt and run the command:
    curl -s https://cryptostorm.is/test -4
    To test IPv6, use the command:
    curl -s https://cryptostorm.is/test -6

    pfsense openvpn screenshot 8

    pfsense openvpn screenshot 9

  18. For more complex network scenarios, see the pfSense documentation.
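As an added example (not cryptostorm's or pfSense's own code), the tunnel, peer and OPT1 interface values from the WireGuard steps above assembled into the equivalent wg-quick client config, with checks for the values that are easiest to mistype: key length, endpoint port range and the 10.10.x.x / fd00:10:10::xxxx address ranges. The sample keys are constructed, and the /32 and /128 interface masks are an assumption.

```python
"""wg-quick client config equivalent to the pfSense tunnel, peer and OPT1
interface settings in the WireGuard steps above. Added example, not
cryptostorm's or pfSense's code; the sample keys below are constructed and
the /32 and /128 interface masks are an assumption."""
import base64
import ipaddress

MAX_PORT = 29999                                  # guide: 1-29999 (51820 won't work)
KEEPALIVE = 25                                    # what the server uses
V4_NET = ipaddress.ip_network("10.10.0.0/16")     # the 10.10.x.x address
V6_NET = ipaddress.ip_network("fd00:10:10::/48")  # the fd00:10:10::xxxx address
ALLOWED_IPS = ["0.0.0.0/0", "::/0"]               # step 7: route everything

# Constructed placeholder keys (32 bytes each), not real credentials.
SAMPLE_PRIVATE = base64.b64encode(bytes([1] * 32)).decode()
SAMPLE_PUBLIC = base64.b64encode(bytes([2] * 32)).decode()
SAMPLE_PSK = base64.b64encode(bytes([3] * 32)).decode()

def check_key(value, label):
    """A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 characters;
    anything else is a copy/paste error worth catching before saving."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:                     # binascii.Error is a ValueError
        raise ValueError(f"{label}: not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{label}: expected 32 bytes, got {len(raw)}")
    return value

def check_addr(value, net):
    """The interface address must come from the range the wireguard page hands out."""
    addr = ipaddress.ip_address(value)
    if addr not in net:
        raise ValueError(f"{value} is not inside {net}")
    return addr

def build_wg_config(private_key, server_pubkey, psk, endpoint, port,
                    addr4, addr6=None):
    """Return the wg-quick text for one peer; addr6 is optional (step 9)."""
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"endpoint port must be 1-{MAX_PORT}, got {port}")
    addrs = [f"{check_addr(addr4, V4_NET)}/32"]
    if addr6:
        addrs.append(f"{check_addr(addr6, V6_NET)}/128")
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {check_key(private_key, 'private key')}",
        f"Address = {', '.join(addrs)}",
        "",
        "[Peer]",
        f"PublicKey = {check_key(server_pubkey, 'server public key')}",
        f"PresharedKey = {check_key(psk, 'preshared key')}",
        f"Endpoint = {endpoint}:{port}",
        f"AllowedIPs = {', '.join(ALLOWED_IPS)}",
        f"PersistentKeepalive = {KEEPALIVE}",
    ]) + "\n"
```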