cryptostorm's community forum

guides, HOWTOs & tutorials • Re: pfSense 2.3.4 Setup Guide

2017-06-10T17:37:25+05:00

@Boens

No worries, chances are you happened across this post which did cover some pfSense setup. I've edited the original post to link to the original guide and reflect correct attribution.

I'll PM you with a couple of suggested edits.

Statistics: Posted by parityboy — Sat Jun 10, 2017 5:37 pm

guides, HOWTOs & tutorials • Re: pfSense 2.3.4 Setup Guide

2017-06-10T17:28:56+05:00

parityboy wrote:
@OP

Many thanks for sharing this. Just out of interest, can you link the original guide, I can't seem to find it...

By the way, I'm going to move this to the HOWTO section...moved.

No probs at all. Thanks again for the help

I could swear you did (or were involved in) this pfSense guide: viewtopic.php?f=37&t=615 ... but it appears the original author was grystch.

Must be going senile, my bad

I'll update original post as well.

Edit: I don't seem to have the option to edit the original post. Oh well.

Statistics: Posted by Boens — Sat Jun 10, 2017 5:28 pm

general chat, suggestions, industry news • [Request] Send Encrypted Token Emails

2017-06-10T17:18:33+05:00

The idea here is that when paying for a token, the TokenBot is able to use a PGP public key (supplied from either a keyserver or by the payment form) to encrypt token-bearing emails.

Statistics: Posted by parityboy — Sat Jun 10, 2017 5:18 pm

general chat, suggestions, industry news • [Request] Add QR Code To Token Delivery

2017-06-10T17:10:39+05:00

As the title says, it would be useful to have the token expressed as a QR Code when delivered via browser or email. It would make life much easier when adding a new token to OpenVPN on a mobile device.

Statistics: Posted by parityboy — Sat Jun 10, 2017 5:10 pm

member support & tech assistance • Re: Exclude programs or websites from VPN connection?

2017-06-10T17:06:49+05:00

@rwilcher

Go to a console and print the routing table and post it here.

Statistics: Posted by parityboy — Sat Jun 10, 2017 5:06 pm

guides, HOWTOs & tutorials • Re: pfSense 2.3.4 Setup Guide

2017-06-10T14:20:01+05:00

@OP

Many thanks for sharing this. Just out of interest, can you link the original guide, I can't seem to find it...

By the way, I'm going to move this to the HOWTO section...moved.

Statistics: Posted by parityboy — Sat Jun 10, 2017 2:20 pm

member support & tech assistance • Re: Token Not Authorized

2017-06-10T14:12:32+05:00

@noauth

You can also do "echo -n | sha512sum".

Statistics: Posted by parityboy — Sat Jun 10, 2017 2:12 pm

member support & tech assistance • Re: token not working; previous slow connection speeds

2017-06-10T14:09:05+05:00

@OP

Apologies for the late response. If by now you've waited two minutes for the sessions to reset and they haven't, send the token to support@cryptostorm.is and they will reset it for you.

As for connections speeds, what's the hardware of your Mac and which node are you using?

Statistics: Posted by parityboy — Sat Jun 10, 2017 2:09 pm

member support & tech assistance • Re: Exclude programs or websites from VPN connection?

2017-06-09T00:41:35+05:00

LAN includes wired and wireless.
Someone with more knowledge than me in that area, should point rwilcher how to check for a correct routing table.

Statistics: Posted by DudeOfLondon — Fri Jun 09, 2017 12:41 am

member support & tech assistance • Re: Exclude programs or websites from VPN connection?

2017-06-08T23:28:39+05:00

I have no wired interfaces on this box. All are WPA2 n.

Statistics: Posted by rwilcher — Thu Jun 08, 2017 11:28 pm

member support & tech assistance • Re: Exclude programs or websites from VPN connection?

2017-06-08T23:20:08+05:00

I have no wired interfaces on this box. All are WPA2 n.

Statistics: Posted by rwilcher — Thu Jun 08, 2017 11:20 pm

member support & tech assistance • Re: Token Not Authorized

2017-06-08T17:48:56+05:00

Here's what fixed it - instead of using the online hash calculators:

echo -n "{token}" | openssl dgst -sha512

Statistics: Posted by Guest — Thu Jun 08, 2017 5:48 pm

member support & tech assistance • Re: Token Not Authorized

2017-06-08T17:02:39+05:00

I've got the same thing with a new token, and the token checker says:

That token is VALID and has not yet been used.
It will expire 365 days after first use.

Statistics: Posted by Guest — Thu Jun 08, 2017 5:02 pm

guides, HOWTOs & tutorials • pfSense 2.3.4 Setup Guide

2017-06-08T15:44:02+05:00

Well, it has been an interesting journey trying to get pfSense set up. After spending my free time over one and a half days trying to get things working, I finally turned to the Cryptostorm IRC channel for some help. Lo and behold parityboy answered my call and helped my fill in the last piece of the puzzle.

By way of "paying it forward" and hopefully helping others, I want to outline the steps I took to get setup. This is definitely not the final solution, as there are other things I need to do at this time, such as incorporating additional settings and preventing DNS leaks. I believe these are covered in grystch's original guide and I aim to incorporate and document them incrementally... as I've already had to reset to factory settings a couple of times following some careless config changes that I lost track of...

This is by no means, an attempt to make a better guide than others you will find. I expect that there may be mistakes and better ways of doing things. Would greatly appreciate feedback if anyone picks up any error/omissions, or can suggest improvements

This guide assumes you've successfully got pfSense installed and running, and can access the box using your web browser.

To begin, I used the basic steps in a youtube video for another VPN provider as a guide (not sure if I should post this here):

STEPS

1) Download client config files: https://github.com/cryptostorm/cryptost ... tion_files

2) Add New CA:
2a) On pfSense go to: System --> Cert. Manager
2b) On the 'CA' tab (open by default) select 'Add'
2c) Fill in the following info:
- Descriptive Name: Something meaningful. I used 'CA-CS'
- Method: leave as 'Import an existing Certificate Authority'
- Certificate data: Open a config file and copy out the certificate data. You will only need everything between (and including) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Paste the certificate here.
- You can leave the rest of the fields empty
2d) Click 'Save' and 'Apply Changes' on the next page
2e) The CA Page should now display your new CA

3) Configure DNS Servers.
3a) On PfSense go to: System --> General Setup
3b) Scroll down to 'DNS Server Settings' and update DNS Servers with 2 Cryptostorm DNS servers of your choice. You can find some candidates here: https://github.com/cryptostorm/cstorm_d ... olvers.csv. You will need to scroll to the right on the table to find the resolver address.
3c) After replacing and adding the DNS Servers, ensure 'DNS Server Override' is unchecked.
3d) Click 'Save' (and 'Apply Changes' if prompted)

4)Add new VPN Client
4a) On pfSense go to: VPN --> OpenVpn
4b) Click 'Clients'
4c) Click 'Add'
4d) General Information:
- Server mode: Peer to Peer (SSL/TLS)
- Protocol: UDP
- Device mode: tun
- Interface: WAN
- Local port: (leave blank)
- Server host or address: Open the config file from earlier and copy out a server address of your choice. I selected 'linux-balancer.cryptostorm.net'
- Server Port: 443
- Proxy port: (leave blankO
- Proxt Auth - extra options: none
- Server hostname resolution: Check 'Infinitely resolve server'
- Description: (I left this blank)
4e) User Authentication Settings
- Username: Paste your hashed token details here
- Password: (Leave blank)
4f) Cryptographic Settings
- TLS authentication: (leave unchecked)
- Peer Certificate Authority: Select the CA you created earlier (I selected CS-CA)
- Client Certificate: None (Username and/or Password required)
- Encryption Algorithm: AES-256-CBC(256 bit key, 128 bit lock)
- Auth digest algorithm: SHA12 (512-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
4g) Tunnel Settings
- Leave all fields blank except:
- 'Compression: Enabled with Adaptive Compression'
- 'Disable IPV6: Check 'Don't forward IPV6 traffic''.
4h) At this time I have not added any custom options. I hope to update this section at a later time with some feedback from the community. Ideally, I'd like to go through the list from grystch's guide and pick out the best options.
4i) Click 'Save'

5) Confirm OpenVPN connectivity:
5a) On pfSense go to: Status --> OpenVPN. The Status at this point should be 'up' - i.e. by now you should be authenticating with the VPN server.

6) Assign and Configure Interface
6a) On pfSense go to: Interfaces --> (assign)
6b) Under the 'Interface Assignments' you will see a row called 'Available netwok ports:'. On the dropdown for that row you need to select the Network Port corresponding to the OpenVPN Client you created earlier. Mine is called 'ovpnc1 ()'.
6c) Click 'Add'. This will create a new interface called 'OPT1'
6d) From the menu select: Interface --> OPT1
6e) General Configuration:
- Enable: Check 'Enable interface'
- Description: Give the interface a meaningful name. I chose "CSVPN"
- IPV4 Configuration Type: DHCP
- IPV6 Configuration Type: None
- MAC Address: (leave blank)
- MTU: (leave blank)
- MSS: MSS
6f) Leave all other fields blank
6g) Click 'Save'
6h) Click 'Apply Changes' on the next page.

7) Configure Outbound NAT rules:
7a) From the menu select: Firewall --> NAT
7b) Select Outbound NAT tab.
7c) Click 'Save'. This create some (4) new mappings.
7d) Edit the bottom second last rule by clicking the pencil 'Edit mapping' icon.
7e) The only setting you will chage is the 'Interface' dropdown. Change this from 'WAN' to your new OpenVPN interface. Mine was 'CSVPN'. Ignore the 'OpenVPN' option.
7f) Click 'Save'
7g) Don't forget to change the bottom rule by following the above steps (steps 7d-7f).
7h) Click 'Apply Changes'

8) Create Firewall Rule:
8a) From the menu select: Firewall --> Rules
8b) Select 'LAN' tab
8c) Edit the rule with Desciption 'Default allow LAN to any rule' by clicking the pencil 'Edit mapping' icon.
8d) Click 'Display advanced' under the 'Extra Options' section.
8e) In the 'Advanced Options' section, go down to 'Gateway' and select the OpenVPN interface you created earlier.
8f) Click 'Save'https://dnsleaktest.com/
8g) Click 'Apply Changes' on the next page.

9) Restart the OpenVPN Service:
8a) From the menu select: Status --> OpenVPN
8b) Restart the OpenVPN service by clicking circular arrow 'Restart openVPN Service' icon
8c) After a few moments the OpenVPN service should restart successfully, and display Status 'up'. You may need to refresh your browser (F5) to update the status.

10) You should be good to go now. To be sure everything is running as intended:
10a) Check your IP, using a service like: http://ifconfig.me/
10b) Go to https://cryptostorm.is/. Ensure 'You are connected to cryptostorm' is displayed in a green box at the top of the page
10c) Go to https://dnsleaktest.com/ and run a leak test.

That's all I have for now. As mentioned above, I hope to update this guide incrementally by adding the most important/useful custom options.

Please feel free to comment on errors, omissions and improvements and I will update accordingly

Statistics: Posted by Boens — Thu Jun 08, 2017 3:44 pm

member support & tech assistance • Re: token not working; previous slow connection speeds

2017-06-07T17:32:00+05:00

@parityboy

Thanks for the response

Password wise; i've never entered one before and it's worked previously, but i will input one

I checked the token, it is valid but has exceeded max number of sessions - any advice?

Any advice on connection speeds too?

Statistics: Posted by Guest — Wed Jun 07, 2017 5:32 pm