pfSense+Cryptohippie

Cryptohippie is by far the best VPN provider out there (anonymity network is the more accurate term in this case). Its anonymous authentication, multi-jurisdictional organizational setup and traffic routing, and its expert technical implementation put it far above the competition and justify its high price point.

Sadly, its documentation for setting up the RoadWarrior product on routers is non-existent, so I decided to plug that gap for the router firmware pfSense.

My guide on how to set up a multi-VPN, VLAN segmented pfSense network can be found here.

Download configuration files

  1. Go to secure.cryptohippie.com > Login (Account) > Installation

  2. Download the installation files zip for “other operating systems”

  3. Unpack Cryptohippie-OtherOS on your workstation

  4. Open Cryptohippie4.ovpn and be ready to copy text from it to your pfSense router’s web console
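Before pasting, it helps to pull the four inline blocks out of Cryptohippie4.ovpn programmatically and confirm that each carries the header pfSense expects in the corresponding field (CA, Certificate, Private key, TLS Key), and to read off the key-direction the file sets. This is an added Python example, not part of the original guide or of Cryptohippie's files; the .ovpn sample is constructed with placeholder bodies, and for real use you would read your own Cryptohippie4.ovpn into the text passed to these functions.

```python
import re

# Constructed sample shaped like Cryptohippie4.ovpn's inline sections;
# the PEM bodies are placeholders, not real certificates or keys.
SAMPLE_OVPN = """key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Header each block must start with, so pasting the wrong block into a
# pfSense field (e.g. <key> into "Certificate data") is caught before saving.
EXPECTED = {"ca": "-----BEGIN CERTIFICATE-----",
            "cert": "-----BEGIN CERTIFICATE-----",
            "key": "-----BEGIN ",  # RSA, EC and PKCS#8 key headers all begin this way
            "tls-auth": "-----BEGIN OpenVPN Static key V1-----"}

def extract_inline_blocks(text):
    """Return {tag: body} for every <tag>...</tag> inline block in the .ovpn."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"<([a-z-]+)>\n(.*?)\n</\1>", text, re.S)}

def check_blocks(blocks):
    """Name each block pfSense needs that is missing or has an unexpected header."""
    return [f"<{tag}> missing" if tag not in blocks else f"<{tag}> has wrong header"
            for tag, header in EXPECTED.items()
            if tag not in blocks or not blocks[tag].startswith(header)]

def key_direction(text):
    """key-direction value, i.e. pfSense's 'TLS keydir direction' (None if absent)."""
    m = re.search(r"^key-direction\s+([01])\s*$", text, re.M)
    return int(m.group(1)) if m else None
```

An empty list from `check_blocks` means all four blocks are present with the right headers; the returned bodies are exactly the text to paste into the pfSense fields in the steps that follow.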

Add the Certificate Authority to the Certificate Manager

  1. Enter your pfSense router’s local IP address into your browser’s address bar and log in to the web console

  2. Go to System > Certificate Manager > CAs

  3. Click Add

    Descriptive Name: Cryptohippie CA
    Method: Import an existing Certificate Authority
    Certificate data: Copy and paste text between <ca> and </ca> from Cryptohippie4.ovpn into the field 
    Certificate Private Key (optional): Blank
    Serial for next certificate: Blank
    


Add the Certificate to the Certificate Manager

  1. Go to System > Certificate Manager > Certificates

  2. Click Add/Sign

    Method: Import an existing Certificate
    Descriptive name: Cryptohippie Cert
    Certificate data: Copy and paste text between <cert> and </cert> from Cryptohippie4.ovpn into the field
    Private key data: Copy and paste text between <key> and </key> from Cryptohippie4.ovpn into the field
    


Add OpenVPN client config

  1. Go to VPN > OpenVPN > Clients

  2. Click Add

    Server host or address: random.vpngatev4.cryptohippie.net
    Server Port: 1194
    Description: Cryptohippie4
    TLS Configuration: Use a TLS key
    TLS Key: Copy and paste text between <tls-auth> and </tls-auth> from Cryptohippie4.ovpn into the field
    TLS Key Usage Mode: TLS Authentication
    TLS keydir direction: Direction 1
    Peer Certificate Authority: Cryptohippie CA
    Client Certificate: Cryptohippie Cert
    Encryption Algorithm: AES-256-CBC
    Enable NCP: Unchecked
    Auth digest algorithm: SHA512
    Hardware Crypto: BSD cryptodev engine (if you set up with my pfSense guide)
    Compression: Adaptive LZO Compression
    Bars the server from adding routes to the client's routing table: Checked
    Custom options: remote-random-hostname;persist-tun;persist-key;keepalive 5 50;mssfix 1400;fragment 1400;tls-client;tls-version-min 1.2;key-method 2;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256;remote-cert-eku "TLS Web Server Authentication";verify-x509-name server- name-prefix;reneg-sec 1800;hand-window 20;tran-window 1800;replay-window 128 30;bcast-buffers 1024;tcp-queue-limit 256;mute-replay-warnings;route-delay 2;redirect-gateway def1;up-restart;script-security 2
    UDP Fast I/O: Unchecked
    Send/Receive Buffer: Default
    Gateway creation: IPv4 only
    


These next steps are taken from my pfSense guide. Look there for more information, or incorporate the above client configuration into your existing setup.

VPN Interfaces

  1. Go to Interfaces > Interface Assignments

  2. Available network ports: Cryptohippie4

  3. Click Add

  4. Click on the newly created interface, for example OPT2

    Enable interface
    Description: Cryptohippie4
    
  5. Click Save

  6. Click Apply Changes

Floating

This is a failsafe rule that prevents traffic destined for the VPN from leaving via WAN.

  1. Go to Firewall > Rules > Floating

  2. Click Add

    Action: Block
    Interface: WAN
    Address Family: IPv4+IPv6
    Protocol: Any
    Description: Disable Cryptohippie WAN Egress
    Display Advanced > Tagged: CRYPTOHIPPIE_NO_WAN_EGRESS
    
  3. Click Save

  4. Click Apply Changes

DHCP Server

  1. Go to Services > DHCP Server > <interface you want to route>

    DNS Servers: 91.239.100.100 & 89.233.43.71
    

    This ensures that DNS requests don’t go to the local Unbound DNS resolver, so that they can be intercepted by Cryptohippie. If Cryptohippie fails to do this (which never happens), in the worst case your DNS requests will be forwarded to the excellent UncensoredDNS service.

  2. Click Save

Firewall Rules

  1. Go to Firewall > Rules > <interface you want to route>

  2. Delete all rules except Anti-Lockout Rule

  3. Click Apply Changes

  4. Click Add

    Action: Block
    Interface: <interface you want to route>
    Address Family: IPv4+IPv6
    Protocol: TCP/UDP
    Source: Any
    Destination: This firewall (self)
    Destination Port Range: From DNS(53) to DNS(53)
    Description: Block <interface you want to route> local DNS leak
    
  5. Click Save

  6. Click Add

    Action: Block
    Interface: <interface you want to route>
    Address Family: IPv6
    Protocol: Any
    Source: Any
    Destination: Any
    Description: Drop <interface you want to route> ipv6 traffic
    
  7. Click Save

  8. Click Add

    Action: Pass
    Interface: <interface you want to route>
    Address Family: IPv4
    Protocol: Any
    Source: Any
    Destination: Any
    Description: Send <interface you want to route> over Cryptohippie4
    Display Advanced > Tag: CRYPTOHIPPIE_NO_WAN_EGRESS
    Display Advanced > Gateway: CRYPTOHIPPIE...
    
  9. Click Save

  10. Click Apply Changes

Outbound NAT

  1. Go to Firewall > NAT > Outbound

  2. Change Mode to Manual Outbound NAT rule generation

  3. Click Save

  4. Click on Auto created rule - <interface you want to route> to WAN

    Interface: CRYPTOHIPPIE4
    Description: <interface you want to route> to CRYPTOHIPPIE4
    
  5. Delete Auto created rule for ISAKMP - <interface you want to route> to WAN

  6. Click Apply Changes

VPN test

  1. Restart Cryptohippie4 under Status > OpenVPN

  2. Head to any website and log in with your Cryptohippie credentials

  3. Head to ipinfo.io and make sure you have a Cryptohippie IP address

  4. Head to dnsleaktest.com, run an extended test, and make sure you have a Cryptohippie DNS hostname

  5. Disable Cryptohippie4 (Status > VPN) and ensure you have no internet connectivity from devices in <interface you want to route>

  6. Restart Cryptohippie4

Congratulations, you’re done.