pfSense users can connect to cryptostorm using the web interface


web UI


  • The first thing you should do is update to the latest pfSense.
    You can do that from the main page near the "Version" section.
    As of this writing, the latest is 2.4.4-RELEASE-p2.

  • After that, you need to add the cryptostorm CA certificate to the system.
    To do that, go to System -> Cert. Manager
    On the default "CAs" page, click the green "Add" button in the bottom right

  • In the "Descriptive name" section, write in "cryptostorm CA".
    For the "Method" drop down list, select "Import an existing Certificate Authority".
    In "Certificate data", copy/paste the cryptostorm CA certificate (PEM format):
    The "Certificate Private Key (optional)" and "Serial for next certificate" parts can be blank,
    so just click the blue "Save" button at the bottom.

  • Now you can begin with the OpenVPN settings.
    Click the "VPN" menu at the top and select "OpenVPN".
    That puts you in the "Servers" section by default, so click the "Clients" section
    since we're setting up OpenVPN as a client, not a server.
    On the "Clients" page, click the green "Add" button in the bottom right.

  • Under "General Information", most of the defaults can stay as they are.
    If you want to use TCP, change "Protocol" to "TCP on IPv4 only", but keep in mind TCP should only be used if UDP is blocked.
    The settings that must be changed are "Server host or address" and "Server port".
    For "Server host or address", you can view a list of our server hosts at https://cryptostorm.is/nodes.txt
    Use something from the list if you want to connect to a specific region, or use the balancer if you don't care where you connect to.
    Also, if for any reason you don't want to use the default "cstorm.is" domain, you can also replace the domain for any node in that list with any of the following:
    cryptostorm.ch, cryptostorm.pw, or cstorm.net
    So if for example you wanted to use the London node and the cryptostorm.ch domain, you would put in "england.cryptostorm.ch".

    For the "Server port", that can be anything from 1 to 29999.
    The default is 443, but some people might get better speeds with port 53, 5060, or 123; it all depends on whether your ISP does port-based QoS.

  • For the "User Authentication Settings" section, your cryptostorm token goes into the "Username" field.
    You can also use the SHA512 hash of your cryptostorm token.
    The password and retry options can both be blank.

  • In the "Cryptographic Settings" section, first select "Use a TLS key".
    Then, deselect "Automatically generate a TLS Key."
    In the "TLS Key" section, copy/paste the cryptostorm static TLS key (the "OpenVPN Static key V1" block):
    For "TLS Key Usage Mode", choose "TLS Encryption and Authentication".
    The "Peer Certificate Authority" section should already have "cryptostorm CA" in it if you followed the previous steps correctly.
    The "Peer Certificate Revocation list" isn't needed, so that can be left as is.
    Same goes for "Client Certificate".
    "Encryption Algorithm" must be set to "AES-256-GCM (256 bit key, 128 bit block)" since that's the only one that will work.
    The "Enable Negotiable Cryptographic Parameters" option should be unchecked since there's only one cipher.
    Skip the "NCP Algorithms" section since we're not doing NCP.
    "Auth digest algorithm" can be left as is since it's ignored anyways, because we're using an AEAD algorithm (GCM).
    "Hardware Crypto" can probably be left at "No Hardware Crypto Acceleration", unless your device supports it.

  • Everything in the "Tunnel Settings" section can be left as is.

  • In the "Advanced Configuration" section, "Custom options" should be set to:
    remote-cert-tls server
    tls-version-min 1.2
    Without the first line, pfSense won't check that the remote certificate was actually issued as a server certificate (which leaves room for man-in-the-middle attacks),
    and without the second it would default to TLSv1, which isn't as secure as v1.2.

  • Once you've done all of the above, click the blue "Save" button at the bottom of the page.
    After that, pfSense should automatically start OpenVPN to connect to cryptostorm, so you're done!
    Load up https://cryptostorm.is/test to make sure you're connected.

  • This last step only applies if your network or gateway router or ISP supports IPv6.
    To prevent IPv6 leaks, go to System -> Advanced -> Networking and deselect the first "Allow IPv6" option, then click the blue "Save" button at the bottom.
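Added example (not part of this guide, nor pfSense or cryptostorm code): a small Python checker that audits an OpenVPN client config for the settings the steps above require (remote-cert-tls server, tls-version-min 1.2, AES-256-GCM, a CA, and the TLS key in "Encryption and Authentication" mode, i.e. tls-crypt). The two sample configs are constructed; the /var/etc/openvpn/ paths are an assumption about where pfSense writes its generated client config.

```python
# Added example (not part of the guide): audit an OpenVPN client config for the
# directives the steps above require. Sample configs below are constructed.
# Assumption: pfSense keeps the generated client config under /var/etc/openvpn/.
def parse_config(text):
    """Map each directive to its args (last wins); inline <tag> blocks become ["inline"]."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("</"):              # end of an inline <ca>/<tls-crypt> block
            in_block = False
        elif line.startswith("<"):
            directives[line.strip("<>")] = ["inline"]
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    """Return one finding per guide requirement the config fails (empty list = OK)."""
    d, findings = parse_config(text), []
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: peer need not present a server cert (MITM risk)")
    ver = d.get("tls-version-min", ["1.0"])[0]  # OpenVPN's default floor is TLS 1.0
    if float(ver) < 1.2:
        findings.append(f"tls-version-min {ver}: TLS below 1.2 would be accepted")
    if d.get("cipher") != ["AES-256-GCM"]:
        findings.append(f"cipher {d.get('cipher')}: cryptostorm only accepts AES-256-GCM")
    if "tls-crypt" not in d:
        findings.append("tls-crypt missing: TLS key not in Encryption and Authentication mode")
    if "ca" not in d:
        findings.append("ca missing: nothing to validate the server certificate against")
    return findings

# Constructed config matching the guide (London node example; file paths are placeholders).
GOOD_CONFIG = """\
remote england.cryptostorm.ch 443
auth-user-pass /var/etc/openvpn/client1/up
cipher AES-256-GCM
ncp-disable
tls-crypt /var/etc/openvpn/client1/tls-crypt.key
ca /var/etc/openvpn/client1/ca
remote-cert-tls server
tls-version-min 1.2
"""
# Same client with the hardening steps skipped: audit() reports four findings.
WEAK_CONFIG = (GOOD_CONFIG.replace("AES-256-GCM", "AES-256-CBC").replace("tls-crypt", "tls-auth")
               .replace("remote-cert-tls server\n", "").replace("tls-version-min 1.2\n", ""))
```

Run audit() over the client config pfSense generated after saving; an empty result means the page's hardening settings all made it into the running configuration.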