The following guide will help you with configuring your pfSense router to be a OpenVPN client to the Cryptostorm OpenVPN servers. You must first be a member and have a token, if you do not have a token then you must first purchase one and then hash it.
Add New CA:
- On pfSense go to: System –> Cert. Manager
- On the ‘CA’ tab (open by default) select ‘Add’
Fill in the following info:
- Descriptive Name: Something meaningful. I used ‘CA-CS’
- Method: leave as ‘Import an existing Certificate Authority’
- Certificate data: paste in the certificate data from below - you will need everything between (and including) “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–".
-----BEGIN CERTIFICATE----- MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3 MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm +vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5 cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/ inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn X03mQP3ssBs2YRNR5hR5cMdC -----END CERTIFICATE-----
Note: Alternatively, you can open an .ovpn config file or the ca2.crt file and copy out the certificate data.
- You can leave the rest of the fields empty
- Click ‘Save’ and ‘Apply Changes’ on the next page
- The CA Page should now display your new CA
- Configure DNS Servers
- On PfSense go to: System –> General Setup
- Scroll down to ‘DNS Server Settings’ and update DNS Servers with two Cryptostorm DNS servers of your choice. You will need to scroll to the right on the table to find the resolver address.
Note: After replacing and adding the DNS Servers, ensure ‘DNS Server Override’ is unchecked.
- Click ‘Save’ (and ‘Apply Changes’ if prompted)
- Add new VPN Client
- On pfSense go to: VPN –> OpenVpn
- Click ‘Clients’
- Click ‘Add’
- Server mode: Peer to Peer (SSL/TLS)
- Protocol: UDP
- Device mode: tun
- Interface: WAN
- Local port: (leave blank)
- Server host or address: Open the config file from earlier and copy out a server address of your choice. I selected ‘linux-balancer.cryptostorm.net’
- Server Port: 443
- Proxy port: (leave blank)
- Proxy Auth - extra options: none
- Server hostname resolution: Check ‘Infinitely resolve server’
- Description: (I left this blank)
User Authentication Settings
- Username: Paste your hashed token details here
- Password: at least one character, but cannot be blank
- TLS authentication: (leave unchecked)
- Peer Certificate Authority: Select the CA you created earlier (I selected CS-CA)
- Client Certificate: None (Username and/or Password required)
- Encryption Algorithm: AES-256-CBC(256 bit key, 128 bit lock)
- Auth digest algorithm: SHA12 (512-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Leave all fields blank except:
- ‘Compression: Enabled with Adaptive Compression’
- ‘Disable IPV6: Check ‘Don’t forward IPV6 traffic’'.
client; resolv-retry 16; float; remote-random; remote linux-usnorth.cryptostorm.net 443 udp; remote linux-usnorth.cryptostorm.nu 443 udp; remote linux-usnorth.cryptostorm.org 443 udp; remote linux-usnorth.cstorm.pw 443 udp; comp-lzo no; explicit-exit-notify 3; hand-window 37; mssfix 1400; auth-user-pass /etc/crypto-token.txt; ca /etc/crypto-cert.txt;ns-cert-type server;replay-window 128 30; tls-client; key-method 2;
- Confirm OpenVPN connectivity:
On pfSense go to: Status –> OpenVPN. The Status at this point should be ‘up’ - i.e. by now you should be authenticating with the VPN server.
- Assign and Configure Interface
- On pfSense go to: Interfaces –> (assign)
Under the ‘Interface Assignments’ you will see a row called ‘Available netwok ports:'. On the dropdown for that row you need to select the Network Port corresponding to the OpenVPN Client you created earlier. Mine is called ‘ovpnc1 ()'.
Click ‘Add’. This will create a new interface called ‘OPT1’
From the menu select: Interface –> OPT1 General Configuration:
- Enable: Check ‘Enable interface’
- Description: Give the interface a meaningful name. I chose “CSVPN”
- IPV4 Configuration Type: DHCP
- IPV6 Configuration Type: None
- MAC Address: (leave blank)
- MTU: (leave blank)
- MSS: (leave blank)
Note: Leave all other fields blank
- Click ‘Save’
- Click ‘Apply Changes’ on the next page.
- Configure Outbound NAT rules:
- From the menu select: Firewall –> NAT
- Select Outbound NAT tab, and then the “Manual Outbound NAT rule generation” button.
- Click ‘Save’. This create some (4) new mappings.
- Edit the second from bottom rule by clicking the pencil ‘Edit mapping’ icon.
- The only setting you will change is the ‘Interface’ drop down. Change this from ‘WAN’ to your new OpenVPN interface. Mine was ‘CSVPN’. Ignore the ‘OpenVPN’ option.
- Click ‘Save’
- Click ‘Apply Changes’
Note: Don’t forget to change the bottom rule by following the above steps.
- Create Firewall Rule:
- From the menu select: Firewall –> Rules
- Select the ‘LAN’ tab
- Edit the rule with Desciption ‘Default allow LAN to any rule’ by clicking the pencil ‘Edit mapping’ icon.
- Click ‘Display advanced’ under the ‘Extra Options’ section. In the ‘Advanced Options’ section, go down to ‘Gateway’ and select the OpenVPN interface you created earlier.
- Click ‘Save’
- Click ‘Apply Changes’ on the next page.
- Restart the OpenVPN Service:
- From the menu select: Status –> OpenVPN
- Restart the OpenVPN service by clicking circular arrow ‘Restart openVPN Service’ icon
After a few moments the OpenVPN service should restart successfully, and display Status ‘up’. You may need to refresh your browser (F5) to update the status. If it does not have an ‘up’ status, try the following:
- Go to Status > System logs > OpenVPN and look through the log file to see what might be wrong. If your Verbosity level is on ‘3’ and you are not finding the information you need try ‘4’. You can edit this in the OpenVPN client configuration we have been editing.
- Verify the /etc/crypto-token.txt file and that your token is in there. Assure that there is no space at the end of the line where your token is pasted in.
- Update system DNS entries:
- Go to System –> General Setup.
- Add a (or edit the existing) DNS entry so that it points to the DeepDNS instance for the exit node you’ve connected to above. If you’ve connected to linux-balancer.cryptostorm.net, then any DeepDNS instance will do. DeepDNS instances can be found here.
- Set the gateway to VPN1_VPNV4, or whichever name reflects the the VPN gateway you have
Note: Do not use non-cryptostorm DNS servers at the same time as using cryptostorm servers. It can contribute to DNS leaks.
- You should be good to go now. To be sure everything is running as intended:
Check your IP, using a service like: http://ifconfig.me/ Go to https://cryptostorm.is/. Ensure ‘You are connected to cryptostorm’ is displayed in a green box at the top of the page Go to https://dnsleaktest.com/ and run a leak test.