By way of "paying it forward" and hopefully helping others, I want to outline the steps I took to get setup. This is definitely not the final solution, as there are other things I need to do at this time, such as incorporating additional settings and preventing DNS leaks. I believe these are covered in grystch's original guide and I aim to incorporate and document them incrementally... as I've already had to reset to factory settings a couple of times following some careless config changes that I lost track of...
This is by no means, an attempt to make a better guide than others you will find. I expect that there may be mistakes and better ways of doing things. Would greatly appreciate feedback if anyone picks up any error/omissions, or can suggest improvements
This guide assumes you've successfully got pfSense installed and running, and can access the box using your web browser.
To begin, I used the basic steps in a youtube video for another VPN provider as a guide (not sure if I should post this here):
1) Download client config files: https://github.com/cryptostorm/cryptost ... tion_files
2) Add New CA:
- On pfSense go to: System --> Cert. Manager
- On the 'CA' tab (open by default) select 'Add'
- Fill in the following info:
- Descriptive Name: Something meaningful. I used 'CA-CS'
- Method: leave as 'Import an existing Certificate Authority'
- Certificate data: paste in the certificate data from below - you will need everything between (and including) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".Alternatively, you can open an .ovpn config file or the ca2.crt file and copy out the certificate data. .
Code: Select all
-----BEGIN CERTIFICATE----- MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3 MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm +vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5 cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/ inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn X03mQP3ssBs2YRNR5hR5cMdC -----END CERTIFICATE-----
- You can leave the rest of the fields empty
- Click 'Save' and 'Apply Changes' on the next page
- The CA Page should now display your new CA
- On PfSense go to: System --> General Setup
- Scroll down to 'DNS Server Settings' and update DNS Servers with 2 Cryptostorm DNS servers of your choice. You can find some candidates here: https://github.com/cryptostorm/cstorm_d ... olvers.csv. You will need to scroll to the right on the table to find the resolver address.
- After replacing and adding the DNS Servers, ensure 'DNS Server Override' is unchecked.
- Click 'Save' (and 'Apply Changes' if prompted)
- On pfSense go to: VPN --> OpenVpn
- Click 'Clients'
- Click 'Add'
- General Information:
- Server mode: Peer to Peer (SSL/TLS)
- Protocol: UDP
- Device mode: tun
- Interface: WAN
- Local port: (leave blank)
- Server host or address: Open the config file from earlier and copy out a server address of your choice. I selected 'linux-balancer.cryptostorm.net'
- Server Port: 443
- Proxy port: (leave blank)
- Proxy Auth - extra options: none
- Server hostname resolution: Check 'Infinitely resolve server'
- Description: (I left this blank)
- User Authentication Settings
- Username: Paste your hashed token details here
- Password: at least one character, but cannot be blank
- Cryptographic Settings
- TLS authentication: (leave unchecked)
- Peer Certificate Authority: Select the CA you created earlier (I selected CS-CA)
- Client Certificate: None (Username and/or Password required)
- Encryption Algorithm: AES-256-CBC(256 bit key, 128 bit lock)
- Auth digest algorithm: SHA12 (512-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Tunnel Settings
- Leave all fields blank except:
- 'Compression: Enabled with Adaptive Compression'
- 'Disable IPV6: Check 'Don't forward IPV6 traffic''.
- At this time I have not added any custom options. I hope to update this section at a later time with some feedback from the community. Ideally, I'd like to go through the list from grystch's guide and pick out the best options.
- Click 'Save'
- On pfSense go to: Status --> OpenVPN. The Status at this point should be 'up' - i.e. by now you should be authenticating with the VPN server.
- On pfSense go to: Interfaces --> (assign)
- Under the 'Interface Assignments' you will see a row called 'Available netwok ports:'. On the dropdown for that row you need to select the Network Port corresponding to the OpenVPN Client you created earlier. Mine is called 'ovpnc1 ()'.
- Click 'Add'. This will create a new interface called 'OPT1'
- From the menu select: Interface --> OPT1
- General Configuration:
- Enable: Check 'Enable interface'
- Description: Give the interface a meaningful name. I chose "CSVPN"
- IPV4 Configuration Type: DHCP
- IPV6 Configuration Type: None
- MAC Address: (leave blank)
- MTU: (leave blank)
- MSS: (leave blank)
- Leave all other fields blank
- Click 'Save'
- Click 'Apply Changes' on the next page.
- From the menu select: Firewall --> NAT
- Select Outbound NAT tab, and then the "Manual Outbound NAT rule generation" button.
- Click 'Save'. This create some (4) new mappings.
- Edit the second from bottom rule by clicking the pencil 'Edit mapping' icon.
- The only setting you will chage is the 'Interface' dropdown. Change this from 'WAN' to your new OpenVPN interface. Mine was 'CSVPN'. Ignore the 'OpenVPN' option.
- Click 'Save'
- Don't forget to change the bottom rule by following the above steps (steps 7d-7f).
- Click 'Apply Changes'
- From the menu select: Firewall --> Rules
- Select 'LAN' tab
- Edit the rule with Desciption 'Default allow LAN to any rule' by clicking the pencil 'Edit mapping' icon.
- Click 'Display advanced' under the 'Extra Options' section.
- In the 'Advanced Options' section, go down to 'Gateway' and select the OpenVPN interface you created earlier.
- Click 'Save'
- Click 'Apply Changes' on the next page.
- From the menu select: Status --> OpenVPN
- Restart the OpenVPN service by clicking circular arrow 'Restart openVPN Service' icon
- After a few moments the OpenVPN service should restart successfully, and display Status 'up'. You may need to refresh your browser (F5) to update the status.
- Go to System --> General Setup.
- Add a (or edit the existing) DNS entry so that it points to the DeepDNS instance for the exit node you've connected to above. If you've connected to linux-balancer.cryptostorm.net, then any DeepDNS instance will do. DeepDNS instances can be found here.
- Set the gateway to VPN1_VPNV4
- Check your IP, using a service like: http://ifconfig.me/
- Go to https://cryptostorm.is/. Ensure 'You are connected to cryptostorm' is displayed in a green box at the top of the page
- Go to https://dnsleaktest.com/ and run a leak test.
That's all I have for now. As mentioned above, I hope to update this guide incrementally by adding the most important/useful custom options.
Please feel free to comment on errors, omissions and improvements and I will update accordingly