cryptostorm

web UI

The first thing you should do is update to the latest pfSense.
You can do that from the main page near the "Version" section.
As of writing this, the latest is 2.5.1
Most of these instructions were written for 2.4.4-RELEASE-p2, but the majority of it still applies to 2.5.1

After you've updated, you need to add the cryptostorm CA certificate to the system.
To do that, go to System -> Cert. Manager
On the default "CAs" page, click the green "Add" button in the bottom right

In the "Descriptive name" section, write in "cryptostorm CA".
For the "Method" drop down list, select "Import an existing Certificate Authority"
In "Certificate data" copy/paste the following:

If you're using pfSense 2.5.x and your OpenVPN version is => 2.4.3 and OpenSSL is => 1.1.1, then you can also use our Ed25519 or Ed448 instances.
With Ed25519, the only port you can connect to is 5061. With Ed448, it's 5062.
If you want to use our Ed25519 instances, replace the above certificate with the one here.
If you want to use our Ed448 instances, replace the above certificate with the one here.
All the other options should be left blank or at their defaults, so just click the blue "Save" button at the bottom.

Now you can begin with the OpenVPN settings.
Click the "VPN" menu at the top and select "OpenVPN".
That puts you in the "Servers" section by default, so click the "Clients" section
since we're setting up OpenVPN as a client, not a server.
On the "Clients" page, click the green "Add" button in the bottom right.
Under "General Information", most of the defaults can stay as they are.
If you want to use TCP, change "Protocol" to "TCP on IPv4 only", but keep in mind TCP should only be used if UDP is blocked.
The settings that must be changed are "Server host or address" and "Server port".
For "Server host or address", you can view a list of our server hosts at https://cryptostorm.nu/nodes.txt
Use something from the list if you want to connect to a specific region, or use the balancer if you don't care where you connect to.
Also, if for any reason you don't want to use the default "cstorm.is" domain, you can also replace the domain for any node in that list with any of the following:
cryptostorm.pw, or cstorm.net
So if for example you wanted to use the London node and the cryptostorm.pw domain, you would put in "england.cryptostorm.pw".

For the "Server port", that can be anything from 1 to 29999.
The default is 443, but some people might get better speeds with port 53, or 5060, or 123. It all depends on whether your ISP is doing port-based QoS
If you've chosen to use our Ed25519 instances, the port MUST be 5061. If you're using Ed448, it MUST be 5062.

For the "User Authentication Settings" section, your cryptostorm token goes into the "Username" field.
You can also use the SHA512 hash of your cryptostorm token.
The password and retry options can both be blank.

In the "Cryptographic Settings" section, first select "Use a TLS key".
Then, deselect "Automatically generate a TLS Key."
In the "TLS Key" section, copy/paste the following:
```
-----BEGIN OpenVPN Static key V1-----
4875d729589689955012a2ee77f180ec
b815c4a336c719c11241a058dafaae00
806bbc21d5f1abad085341a3fca4b4f9
3949151c2979b4ee4390e8d9443acb00
61d537f1e9157e45f542c3648f563305
05f3eaff97ef82ee063b9d88bb9d5aa0
060428455b51a2a4fd929d9af4b94adc
b0a4acaa14ff62a9b0f4f9f0b3f01e71
fc98a6c60e8584f4deb3de793a5a7bc2
7014c9369f9724bc810ef0d191b30204
78eead725b3ae6aaef2e1030a197e417
421f159ed54eb2629afcfb337cf9a002
5bf1d5c0d820fffb219d0b4214043d2d
f27ed367b522945a5dadc748e2ca379e
3971789dbdf609b3d9bfe866361b28e3
c90589baa925157ad833093a5a7bede5
-----END OpenVPN Static key V1-----
```
For "TLS Key Usage Mode", choose "TLS Encryption and Authentication"
If there's a "TLS keydir direction" option, leave that to the default.
The "Peer Certificate Authority" section should already have "cryptostorm CA" in it if you followed the pevious steps correctly.
The "Peer Certificate Revocation list" isn't needed, so that can be left as is.
Same goes for "Client Certificate".

"Encryption Algorithm" should be set to "AES-256-GCM (256 bit key, 128 bit block)", but if you're on a newer pfSense you might see a "CHACHA20-POLY1305 (256 bit key, stream cipher)" listed. Choose that one if it's there.
The "Enable Negotiable Cryptographic Parameters" option should be only be checked if you're on pfSense 2.5.x
Click the algorithms in "Allowed Data Encryption Algorithms" until it only contains CHACHA20-POLY1305.
If you're on an older pfSense, or you just don't want to use CHACHA20-POLY1305, you can skip the "NCP Algorithms" section and just select "AES-256-GCM" for the algorithm.

"Auth digest algorithm" can be left as is since it's ignored anyways, because we're using an AEAD algorithm.
"Hardware Crypto" can probably be left at "No Hardware Crypto Acceleration", unless your device supports it.

Everything the "Tunnel Settings" section should be left as is.

In the "Advanced Configuration" section, "Custom options" should be set to:
```
remote-cert-tls server
tls-version-min 1.2
```
Otherwise pfSense won't do anything to verify the remote server certificates (which would mean man-in-the-middle attacks could happen)
and it would default to TLSv1, which isn't as secure as v1.2.

explicit-exit-notify 3

Once you've done all of the above, click the blue "Save" button at the bottom of the page.
After that, pfSense should automatically start OpenVPN to connect to cryptostorm, so you're done!
Load up https://cryptostorm.is/test to make sure you're connected.

This last step only applies if your network or gateway router or ISP supports IPv6.
To prevent IPv6 leaks, go to System -> Advanced -> Networking and deselect the first "Allow IPv6" option, then click the blue "Save" button at the bottom.

pfSense

pfSense users can connect to cryptostorm using the web interface

Updated in 2021

web UI