Note: any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub.

pfSense 2.3.4 Setup Guide

Guides, HOWTOs etc on how to setup Cryptostorm on PCs, smartphones, tablets and routers.

Topic Author
Boens
Posts: 9
Joined: Tue Jun 06, 2017 4:38 pm

pfSense 2.3.4 Setup Guide

Postby Boens » Thu Jun 08, 2017 3:44 pm

Well, it has been an interesting journey trying to get pfSense set up. After spending my free time over one and a half days trying to get things working, I finally turned to the Cryptostorm IRC channel for some help. Lo and behold parityboy answered my call and helped me fill in the last piece of the puzzle.

By way of "paying it forward" and hopefully helping others, I want to outline the steps I took to get setup. This is definitely not the final solution, as there are other things I need to do at this time, such as incorporating additional settings and preventing DNS leaks. I believe these are covered in grystch's original guide and I aim to incorporate and document them incrementally... as I've already had to reset to factory settings a couple of times following some careless config changes that I lost track of...

This is by no means an attempt to make a better guide than others you will find. I expect that there may be mistakes and better ways of doing things. Would greatly appreciate feedback if anyone picks up any errors/omissions, or can suggest improvements :)

This guide assumes you've successfully got pfSense installed and running, and can access the box using your web browser.

To begin, I used the basic steps in a youtube video for another VPN provider as a guide (not sure if I should post this here):

STEPS

1) Download client config files: https://github.com/cryptostorm/cryptost ... tion_files

2) Add New CA:
  1. On pfSense go to: System --> Cert. Manager
  2. On the 'CA' tab (open by default) select 'Add'
  3. Fill in the following info:
    - Descriptive Name: Something meaningful. I used 'CA-CS'
    - Method: leave as 'Import an existing Certificate Authority'
    - Certificate data: paste in the certificate data from below - you will need everything between (and including) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".


    -----BEGIN CERTIFICATE-----
    MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
    VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
    FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
    ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
    CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
    MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
    QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
    aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
    FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
    aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
    AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
    mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
    vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
    Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
    +vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
    cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
    L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
    USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
    TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
    cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
    eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
    cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
    AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
    IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
    inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
    o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
    gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
    X03mQP3ssBs2YRNR5hR5cMdC
    -----END CERTIFICATE-----

    Alternatively, you can open an .ovpn config file or the ca2.crt file and copy out the certificate data.
    - You can leave the rest of the fields empty
  4. Click 'Save' and 'Apply Changes' on the next page
  5. The CA Page should now display your new CA
3) Configure DNS Servers.
  1. On PfSense go to: System --> General Setup
  2. Scroll down to 'DNS Server Settings' and update DNS Servers with 2 Cryptostorm DNS servers of your choice. You can find some candidates here: https://github.com/cryptostorm/cstorm_d ... olvers.csv. You will need to scroll to the right on the table to find the resolver address.
  3. After replacing and adding the DNS Servers, ensure 'DNS Server Override' is unchecked.
  4. Click 'Save' (and 'Apply Changes' if prompted)
4) Add new VPN Client
  1. On pfSense go to: VPN --> OpenVPN
  2. Click 'Clients'
  3. Click 'Add'
  4. General Information:
    - Server mode: Peer to Peer (SSL/TLS)
    - Protocol: UDP
    - Device mode: tun
    - Interface: WAN
    - Local port: (leave blank)
    - Server host or address: Open the config file from earlier and copy out a server address of your choice. I selected 'linux-balancer.cryptostorm.net'
    - Server Port: 443
    - Proxy port: (leave blank)
    - Proxy Auth - extra options: none
    - Server hostname resolution: Check 'Infinitely resolve server'
    - Description: (I left this blank)
  5. User Authentication Settings
    - Username: Paste your hashed token details here
    - Password: at least one character, but cannot be blank
  6. Cryptographic Settings
    - TLS authentication: (leave unchecked)
    - Peer Certificate Authority: Select the CA you created earlier (I selected CA-CS)
    - Client Certificate: None (Username and/or Password required)
    - Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    - Auth digest algorithm: SHA512 (512-bit)
    - Hardware Crypto: No Hardware Crypto Acceleration
  7. Tunnel Settings
    - Leave all fields blank except:
    - Compression: 'Enabled with Adaptive Compression'
    - Disable IPv6: check 'Don't forward IPv6 traffic'
  8. At this time I have not added any custom options. I hope to update this section at a later time with some feedback from the community. Ideally, I'd like to go through the list from grystch's guide and pick out the best options.
  9. Click 'Save'
5) Confirm OpenVPN connectivity:
  1. On pfSense go to: Status --> OpenVPN. The Status at this point should be 'up' - i.e. by now you should be authenticating with the VPN server.
6) Assign and Configure Interface
  1. On pfSense go to: Interfaces --> (assign)
  2. Under the 'Interface Assignments' you will see a row called 'Available network ports:'. On the dropdown for that row you need to select the Network Port corresponding to the OpenVPN Client you created earlier. Mine is called 'ovpnc1 ()'.
  3. Click 'Add'. This will create a new interface called 'OPT1'
  4. From the menu select: Interface --> OPT1
  5. General Configuration:
    - Enable: Check 'Enable interface'
    - Description: Give the interface a meaningful name. I chose "CSVPN"
    - IPV4 Configuration Type: DHCP
    - IPV6 Configuration Type: None
    - MAC Address: (leave blank)
    - MTU: (leave blank)
    - MSS: (leave blank)
  6. Leave all other fields blank
  7. Click 'Save'
  8. Click 'Apply Changes' on the next page.
7) Configure Outbound NAT rules:
  1. From the menu select: Firewall --> NAT
  2. Select Outbound NAT tab, and then the "Manual Outbound NAT rule generation" button.
  3. Click 'Save'. This creates four new mappings.
  4. Edit the second from bottom rule by clicking the pencil 'Edit mapping' icon.
  5. The only setting you will change is the 'Interface' dropdown. Change this from 'WAN' to your new OpenVPN interface. Mine was 'CSVPN'. Ignore the 'OpenVPN' option.
  6. Click 'Save'
  7. Don't forget to change the bottom rule by following the above steps (steps 7d-7f).
  8. Click 'Apply Changes'
8) Create Firewall Rule:
  1. From the menu select: Firewall --> Rules
  2. Select 'LAN' tab
  3. Edit the rule with Description 'Default allow LAN to any rule' by clicking the pencil 'Edit mapping' icon.
  4. Click 'Display advanced' under the 'Extra Options' section.
  5. In the 'Advanced Options' section, go down to 'Gateway' and select the OpenVPN interface you created earlier.
  6. Click 'Save'
  7. Click 'Apply Changes' on the next page.
9) Restart the OpenVPN Service:
  1. From the menu select: Status --> OpenVPN
  2. Restart the OpenVPN service by clicking circular arrow 'Restart openVPN Service' icon
  3. After a few moments the OpenVPN service should restart successfully, and display Status 'up'. You may need to refresh your browser (F5) to update the status.
10) Update system DNS entries:
  1. Go to System --> General Setup.
  2. Add a (or edit the existing) DNS entry so that it points to the DeepDNS instance for the exit node you've connected to above. If you've connected to linux-balancer.cryptostorm.net, then any DeepDNS instance will do. DeepDNS instances can be found here.
  3. Set the gateway to VPN1_VPNV4

11) You should be good to go now. To be sure everything is running as intended:
  1. Check your IP, using a service like: http://ifconfig.me/
  2. Go to https://cryptostorm.is/. Ensure 'You are connected to cryptostorm' is displayed in a green box at the top of the page
  3. Go to https://dnsleaktest.com/ and run a leak test.


That's all I have for now. As mentioned above, I hope to update this guide incrementally by adding the most important/useful custom options.

Please feel free to comment on errors, omissions and improvements and I will update accordingly :)
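
Added example (editor's addition, not part of Boens's post and not cryptostorm's own tooling): the banner at the top of this page warns that configs found on the forum go stale, and nothing in step 2 checks the dates on the CA you paste into Cert. Manager. OpenSSL's chain validation rejects a CA that is outside its validity window, so a stale CA shows up later as a TLS verification error in step 5 rather than as a clear message at import time. The script below takes the PEM block from step 2 (copied verbatim from the post above) and walks the DER by hand, with only the standard library, to pull out notBefore and notAfter; the function and variable names are this example's own.

```python
import base64
from datetime import datetime, timezone

# CA certificate copied verbatim from step 2 of the post above. The script only
# reads its validity dates; it does not verify the signature.
CRYPTOSTORM_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMB4XDTE0MDQyNTE3
MTAxNVoXDTE3MTIyMjE3MTAxNVowgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJR
QzERMA8GA1UEBxMITW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBM
aW1pdGUgLyAgY3J5cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMx
FzAVBgNVBAMUDmNyeXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRt
aW5AY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJaOSYIX/sm+4/OkCgyAPYB/VPjDo9YBc+zznKGxd1F8fAkeqcuPpGNCxMBLOu
mLsBdxLdR2sppK8cu9kYx6g+fBUQtShoOj84Q6+n6F4DqbjsHlLwUy0ulkeQWk1v
vKKkpBViGVFsZ5ODdZ6caJ2UY2C41OACTQdblCqaebsLQvp/VGKTWdh9UsGQ3LaS
Tcxt0PskqpGiWEUeOGG3mKE0KWyvxt6Ox9is9QbDXJOYdklQaPX9yUuII03Gj3xm
+vi6q2vzD5VymOeTMyky7Geatbd2U459Lwzu/g+8V6EQl8qvWrXESX/ZXZvNG8QA
cOXU4ktNBOoZtws6TzknpQF3AgMBAAGjggEjMIIBHzAdBgNVHQ4EFgQUOFjh918z
L4vR8x1q3vkp6npwUSUwge8GA1UdIwSB5zCB5IAUOFjh918zL4vR8x1q3vkp6npw
USWhgcCkgb0wgboxCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJRQzERMA8GA1UEBxMI
TW9udHJlYWwxNjA0BgNVBAoULUthdGFuYSBIb2xkaW5ncyBMaW1pdGUgLyAgY3J5
cHRvc3Rvcm1fZGFya25ldDERMA8GA1UECxMIVGVjaCBPcHMxFzAVBgNVBAMUDmNy
eXB0b3N0b3JtX2lzMScwJQYJKoZIhvcNAQkBFhhjZXJ0YWRtaW5AY3J5cHRvc3Rv
cm0uaXOCCQCnpKRl8V74WzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAK6B7AOEqbaYjXoyhXeWK1NjpcCLCuRcwhMSvf+gVfrcMsJ5ySTHg5iR1/LFay
IEGFsOFEpoNkY4H5UqLnBByzFp55nYwqJUmLqa/nfIc0vfiXL5rFZLao0npLrTr/
inF/hecIghLGVDeVcC24uIdgfMr3Z/EXSpUxvFLGE7ELlsnmpYBxm0rf7s9S9wtH
o6PjBpb9iurF7KxDjoXsIgHmYAEnI4+rrArQqn7ny4vgvXE1xfAkFPWR8Ty1ZlxZ
gEyypTkIWhphdHLSdifoOqo83snmCObHgyHG2zo4njXGExQhxS1ywPvZJRt7fhjn
X03mQP3ssBs2YRNR5hR5cMdC
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the PEM armour (tolerating indentation) and base64-decode the body."""
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_x509_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = str(2000 + yy if yy < 50 else 1900 + yy) + text[2:]   # RFC 5280 pivot year
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (notBefore, notAfter) of a PEM certificate by walking tbsCertificate."""
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version, serialNumber,
    #   signature, issuer, validity SEQUENCE { notBefore, notAfter }, ... }, ... }
    der = pem_to_der(pem)
    _, cert, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)          # [0] EXPLICIT version (absent on v1 certs)
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # serialNumber
    _, _, pos = read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)          # issuer Name
    tag, validity, _ = read_tlv(tbs, pos)   # validity
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, not_before, pos = read_tlv(validity, 0)
    t2, not_after, _ = read_tlv(validity, pos)
    return parse_x509_time(t1, not_before), parse_x509_time(t2, not_after)


def ca_is_usable(pem, now=None):
    """True only if 'now' (default: current UTC time) lies inside the CA's validity window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(pem)
    return not_before <= now <= not_after


if __name__ == "__main__":
    nb, na = certificate_validity(CRYPTOSTORM_CA_PEM)
    print("notBefore:", nb.isoformat())
    print("notAfter: ", na.isoformat())
    print("usable today:", ca_is_usable(CRYPTOSTORM_CA_PEM))
```

Run it before pasting a CA into Cert. Manager; if `usable today` is False, fetch a current ca2.crt from the GitHub link in step 1 instead. The hand-rolled DER walk is only there so the check needs no third-party module on the box you happen to be on; where OpenSSL is available, `openssl x509 -noout -dates -in ca2.crt` answers the same question.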

parityboy
Site Admin
Posts: 1244
Joined: Wed Feb 05, 2014 3:47 am

Re: pfSense 2.3.4 Setup Guide

Postby parityboy » Sat Jun 10, 2017 2:20 pm

@OP

Many thanks for sharing this. :D Just out of interest, can you link the original guide, I can't seem to find it... :)

By the way, I'm going to move this to the HOWTO section...moved.


Topic Author
Boens
Posts: 9
Joined: Tue Jun 06, 2017 4:38 pm

Re: pfSense 2.3.4 Setup Guide

Postby Boens » Sat Jun 10, 2017 5:28 pm

parityboy wrote:@OP

Many thanks for sharing this. :D Just out of interest, can you link the original guide, I can't seem to find it... :)

By the way, I'm going to move this to the HOWTO section...moved.


No probs at all. Thanks again for the help :thumbup:

I could swear you did (or were involved in) this pfSense guide: viewtopic.php?f=37&t=615 ... but it appears the original author was grystch.

Must be going senile, my bad :crazy:

I'll update original post as well.

Edit: I don't seem to have the option to edit the original post. Oh well.

parityboy
Site Admin
Posts: 1244
Joined: Wed Feb 05, 2014 3:47 am

Re: pfSense 2.3.4 Setup Guide

Postby parityboy » Sat Jun 10, 2017 5:37 pm

@Boens

No worries, chances are you happened across this post which did cover some pfSense setup. :) I've edited the original post to link to the original guide and reflect correct attribution.

I'll PM you with a couple of suggested edits. :)


Topic Author
Boens
Posts: 9
Joined: Tue Jun 06, 2017 4:38 pm

Re: pfSense 2.3.4 Setup Guide

Postby Boens » Tue Jun 13, 2017 2:50 pm

Ah, I may have confused myself there.

Thanks for edits - it's looking much cleaner now :D


timedwardjones
Posts: 2
Joined: Wed Aug 02, 2017 6:02 am

Re: pfSense 2.3.4 Setup Guide

Postby timedwardjones » Sun Dec 24, 2017 3:39 am

Thanks for the excellent guide!
Is there a way to get Voodoo going with PfSense?
I've tried the same method as per the normal setup you mentioned but haven't had any luck.

