Setup Cryptostorm on PfSense

The following guide will help you configure your pfSense router as an OpenVPN client to the Cryptostorm OpenVPN servers. You must first be a member and have a token; if you do not have a token, purchase one and then hash it, because the hashed form of the token (not the raw token) is what you present to the server as the OpenVPN username.


  1. Download the Cryptostorm client config files (the bundle contains the .ovpn files and the ca2.crt CA certificate referred to below)

  2. Add New CA:

  • On pfSense go to: System –> Cert. Manager
  • On the ‘CA’ tab (open by default) select ‘Add’

Fill in the following info:

  • Descriptive Name: Something meaningful. I used ‘CA-CS’
  • Method: leave as ‘Import an existing Certificate Authority’
  • Certificate data: paste in the CA certificate data - you will need everything between (and including) “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”. Only a fragment of the certificate is reproduced here:
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB

Note: Take the full certificate from the ca2.crt file, or from an .ovpn config file, in the bundle you downloaded in step 1, and paste it exactly; a missing line or a stray character will make the import fail.

  • You can leave the rest of the fields empty
  • Click ‘Save’ and ‘Apply Changes’ on the next page
  • The CA Page should now display your new CA
  3. Configure DNS Servers
  • On pfSense go to: System –> General Setup
  • Scroll down to ‘DNS Server Settings’ and replace the existing entries with two Cryptostorm DNS (DeepDNS) servers of your choice. In the Cryptostorm server table you will need to scroll to the right to find the resolver address for each node.

Note: After replacing the DNS servers, ensure ‘DNS Server Override’ (‘Allow DNS server list to be overridden by DHCP/PPP on WAN’) is unchecked; otherwise a WAN DHCP lease can silently put your ISP’s resolvers back and your DNS queries will bypass the VPN.

  • Click ‘Save’ (and ‘Apply Changes’ if prompted)
  4. Add new VPN Client
  • On pfSense go to: VPN –> OpenVPN
  • Click ‘Clients’
  • Click ‘Add’

General Information:

  • Server mode: Peer to Peer (SSL/TLS)
  • Protocol: UDP
  • Device mode: tun
  • Interface: WAN
  • Local port: (leave blank)
  • Server host or address: Open the config file from earlier and copy out a server address of your choice. I selected ‘’
  • Server Port: 443
  • Proxy port: (leave blank)
  • Proxy Auth - extra options: none
  • Server hostname resolution: Check ‘Infinitely resolve server’
  • Description: (I left this blank)

User Authentication Settings

  • Username: Paste your hashed token details here
  • Password: any value of at least one character; it cannot be blank

Cryptographic Settings

  • TLS authentication: (leave unchecked)
  • Peer Certificate Authority: Select the CA you created earlier (‘CA-CS’ in my case)
  • Client Certificate: None (Username and/or Password required)
  • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
  • Auth digest algorithm: SHA512 (512-bit)
  • Hardware Crypto: No Hardware Crypto Acceleration

Tunnel Settings

  • Leave all fields blank except:
  • ‘Compression: Enabled with Adaptive Compression’
  • ‘Disable IPv6: check ‘Don’t forward IPv6 traffic’’.

Note: The ‘comp-lzo no’ line in the custom options below is written after the compression directive pfSense generates from this field and therefore takes precedence, so no data is actually compressed; only the LZO framing stays enabled for compatibility with the server. Leaving compression off is also the safer choice, since compressing data before it is encrypted can leak information about its contents.

Custom options

pfSense writes each ‘;’-separated entry on its own line at the end of the generated client config, after the directives produced by the fields above, so an option repeated here overrides the GUI value. The four ‘remote’ lines are the exception: every ‘remote’ is kept, so they add fallback servers to the one entered above (the hostnames are not reproduced here; take them from the .ovpn files):

resolv-retry 16;
remote 443 udp;
remote 443 udp;
remote 443 udp;
remote 443 udp;
comp-lzo no;
explicit-exit-notify 3;
hand-window 37;
mssfix 1400;
auth-user-pass /etc/crypto-token.txt;
ca /etc/crypto-cert.txt;
ns-cert-type server;
replay-window 128 30;
key-method 2;

Note: ‘auth-user-pass /etc/crypto-token.txt’ and ‘ca /etc/crypto-cert.txt’ replace the files pfSense would otherwise generate from the Username/Password fields and the CA selected above, so both files must exist on the router: the token file holds two lines, the hashed token and then the password, and the cert file holds the CA certificate in PEM form. ‘ns-cert-type server’ and ‘key-method 2’ were removed in OpenVPN 2.5, which pfSense 2.5 and later ship; on those versions drop ‘key-method 2’ (method 2 is the only one left) and use ‘remote-cert-tls server’, the recommended replacement for checking that the peer presents a server certificate.

Click ‘Save’
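The guide assumes that /etc/crypto-token.txt and /etc/crypto-cert.txt already exist on the router and that the token has been hashed, but never shows how. The following POSIX shell script is an added example, not part of the original guide and not Cryptostorm’s or pfSense’s own tooling: it hashes the token, writes the two-line auth file with no trailing whitespace (the failure mode the troubleshooting step below warns about), splits a custom-options string the way pfSense does, flags directives that OpenVPN 2.5 no longer accepts, and shows which value wins when a directive appears twice. It assumes that Cryptostorm’s token hash is the SHA-512 digest of the raw token as lowercase hex and that any non-empty password is accepted; the function names, the sample custom-options string and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide or from Cryptostorm/pfSense).
# Assumption: Cryptostorm wants sha512(token) as lowercase hex for the OpenVPN
# username, and any non-empty password. Runs on the pfSense shell (sha512(1))
# or on Linux (sha512sum(1)).

# sha512_hex STRING -> lowercase hex digest on stdout, using whichever of
# sha512sum(1) (Linux) or sha512(1) (FreeBSD/pfSense) is installed.
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha512sum | cut -d' ' -f1
    else
        printf '%s' "$1" | sha512 -q
    fi
}

# hash_token TOKEN -> the hashed username. Whitespace is stripped first so a
# token copied with a trailing space still hashes to the right value.
hash_token() {
    tok=$(printf '%s' "$1" | tr -d '[:space:]')
    sha512_hex "$tok"
}

# write_token_file TOKEN PASSWORD FILE -> the two-line file that the custom
# option "auth-user-pass FILE" reads: line 1 username, line 2 password.
# Refuses an empty password and creates the file readable by its owner only.
write_token_file() {
    [ -n "$2" ] || { echo "password must not be empty" >&2; return 1; }
    ( umask 077; printf '%s\n%s\n' "$(hash_token "$1")" "$2" > "$3" )
}

# check_token_file FILE -> 0 if the file has exactly two lines and no trailing
# whitespace on either line, 1 otherwise (the troubleshooting check above).
check_token_file() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 2 ] || return 1
    ! grep -q '[[:space:]]$' "$1"
}

# normalize_custom_options STRING -> one directive per line, which is how
# pfSense splits the "Custom options" box on ';' when writing the config.
normalize_custom_options() {
    printf '%s' "$1" | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# deprecated_options STRING -> prints the directives that OpenVPN 2.5 (shipped
# with pfSense 2.5 and later) rejects; returns 1 if any were found, else 0.
deprecated_options() {
    found=$(normalize_custom_options "$1" \
        | grep -E '^(ns-cert-type|key-method|tls-remote)( |$)' || true)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# effective_option NAME FILE -> the value OpenVPN uses for a single-valued
# directive: the last occurrence wins, so a custom "comp-lzo no" beats the
# "comp-lzo adaptive" that the GUI compression field generates. (Not true for
# "remote", where every occurrence is kept as a fallback server.)
effective_option() {
    awk -v n="$1" '$1 == n { v = substr($0, length(n) + 2) } END { print v }' "$2"
}

# Demo with constructed input (not a real token): sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_token_file 'example-token-not-real' 'x' "$f"
    check_token_file "$f" && echo "token file OK: $f"
    deprecated_options 'comp-lzo no;ns-cert-type server;key-method 2;' \
        || echo "the directives above need replacing on OpenVPN 2.5+"
    rm -f "$f"
fi
```

On the router, copy the resulting file to /etc/crypto-token.txt as root; the hashed first line is also what goes into the Username field above, so the two stay consistent.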

  5. Confirm OpenVPN connectivity:

On pfSense go to: Status –> OpenVPN. The Status at this point should be ‘up’ - i.e. by now you should be authenticating with the VPN server.

  6. Assign and Configure Interface
  • On pfSense go to: Interfaces –> (assign)

Under ‘Interface Assignments’ you will see a row called ‘Available network ports:’. On the dropdown for that row select the network port corresponding to the OpenVPN client you created earlier. Mine is called ‘ovpnc1 ()’.

  • Click ‘Add’. This will create a new interface called ‘OPT1’

  • From the menu select: Interface –> OPT1 General Configuration:

    • Enable: Check ‘Enable interface’
    • Description: Give the interface a meaningful name. I chose “CSVPN”
    • IPV4 Configuration Type: DHCP
    • IPV6 Configuration Type: None
    • MAC Address: (leave blank)
    • MTU: (leave blank)
    • MSS: (leave blank)

Note: Leave all other fields blank

  • Click ‘Save’
  • Click ‘Apply Changes’ on the next page.
  7. Configure Outbound NAT rules:
  • From the menu select: Firewall –> NAT
  • Select the Outbound tab, choose ‘Manual Outbound NAT rule generation’ and click ‘Save’. pfSense creates a few (4 in my case) mappings from the automatic rules: typically two for localhost and two for the LAN subnet, one of each pair being the static-port rule for ISAKMP (UDP port 500).
  • Edit the second-from-bottom rule (a LAN subnet mapping) by clicking the pencil ‘Edit mapping’ icon.
  • The only setting you will change is the ‘Interface’ drop down. Change it from ‘WAN’ to your new OpenVPN interface. Mine was ‘CSVPN’. Ignore the ‘OpenVPN’ option.
  • Click ‘Save’
  • Click ‘Apply Changes’

Note: Don’t forget to change the bottom rule the same way. After this the LAN subnet has no outbound mapping on WAN at all, which is intended: LAN traffic can only be translated to the tunnel’s address.

  8. Create Firewall Rule:
  • From the menu select: Firewall –> Rules
  • Select the ‘LAN’ tab
  • Edit the rule with description ‘Default allow LAN to any rule’ by clicking the pencil ‘Edit’ icon.
  • Click ‘Display Advanced’ under the ‘Extra Options’ section. In the ‘Advanced Options’ section, go down to ‘Gateway’ and select the gateway pfSense created for the OpenVPN interface you assigned earlier (it is named after that interface, e.g. CSVPN_VPNV4 for an interface called CSVPN).
  • Click ‘Save’
  • Click ‘Apply Changes’ on the next page.

Note: By default pfSense creates a rule without its gateway while that gateway is down, which would send LAN traffic towards the WAN if the tunnel drops. To make the tunnel a hard requirement, enable ‘Skip rules when gateway is down’ under System –> Advanced –> Miscellaneous (Gateway Monitoring), so that the rule is omitted entirely, and LAN traffic blocked, until the VPN is back up.
  9. Restart the OpenVPN Service:
  • From the menu select: Status –> OpenVPN
  • Restart the OpenVPN service by clicking the circular arrow ‘Restart OpenVPN Service’ icon

After a few moments the OpenVPN service should restart successfully, and display Status ‘up’. You may need to refresh your browser (F5) to update the status. If it does not have an ‘up’ status, try the following:

  • Go to Status > System logs > OpenVPN and look through the log file to see what might be wrong. If your Verbosity level is on ‘3’ and you are not finding the information you need try ‘4’. You can edit this in the OpenVPN client configuration we have been editing.
  • Verify that /etc/crypto-token.txt exists and that your hashed token is on its first line (with the password on the second). Make sure there is no space at the end of the line where your token is pasted in.
  10. Update system DNS entries:
  • Go to System –> General Setup.
  • Add a DNS entry (or edit the existing one) so that it points to the DeepDNS instance for the exit node you connected to above. If you’ve connected to, then any DeepDNS instance will do. DeepDNS instances can be found here.
  • In the gateway column for that entry select VPN1_VPNV4, or whichever name reflects the VPN gateway you have, so that DNS queries from pfSense itself leave through the tunnel rather than the WAN.

Note: Do not use non-Cryptostorm DNS servers at the same time as Cryptostorm’s servers. Queries sent to the other resolvers leave outside the tunnel, which is a DNS leak.

  11. You should be good to go now. To be sure everything is running as intended:

  • Check your public IP using a service like:
  • Go to and ensure ‘You are connected to cryptostorm’ is displayed in a green box at the top of the page.
  • Go to and run a DNS leak test; every resolver it reports should be a Cryptostorm DeepDNS address, not one belonging to your ISP.