Reaching your natted office from the net

The question is simple: how can I access my office LAN from anywhere, while I don't have a public IP address on my office router? This is a common scenario when you're connected through a fiber cable MAN and your router gets a 10.x.y.z address that is natted several times before going to the internet.

What you need

First of all, jump to www.pfsense.org and download it. In this scenario I'm using 1.2 release.

Next you need the possibility to publish a machine running pfSense on the internet with a public IP address. You really need only 2 ports to be published, so you can reuse a published server address on a firewall or similar.

This is the big picture of the solution. The basic concept is to setup 2 VPN tunnels, one between the 2 pfSense hosts (I'll call this the Shared Key tunnel, SKT), and one (or several) between the roadwarrior (RW) and the pfSense Public (I'll call this the Public Key Infrastructure Tunnel, PKT).

Let's start setting up pfSense Public

Configure it as it can be seen from the internet on 2 ports: in my solution I choose 4443 for the PKI OpenVPN and 4444 for the Shared Key OpenVPN. This can really be any unused ports, see ahead for considerations. The internal LAN can have any addressing you need, it will be not used in this setup.

Next setup the PKI OpenVPN: this will be used from your clients around the world to connect. Just follow the guides on www.pfsense.org and use these parameters:

Local port: 4443 in my example, using TCP as protocol

The only additional thing is to to add this in the Custom options:
push route 192.168.0.0/24
This will let your clients know how to reach your network office. You can also avoid pushing routes and use a route-up script on the client and add something like:
route add -net 192.168.0.0/24 192.168.133.9
You can also see later for the way to put routes in client config file.

This way you should be able to setup the VPN between the client and pfSense Public, that can be pinged via the tunnel. You can use another Shared Key VPN in place of the PKI one of course: it is simpler to setup but you can read about managing/security consideration on the forums.

Next we setup the LAN to LAN SKT.

On your public pfSense create a new OpenVPN server session. The important parameters here are:

Of course you need a preshared key. Generate it with openvpn --genkey --secret myshared.key

Finally add an access rule to your WAN interface allowing packets from any (or from your office provider public subnet) to the port you used.

Now let's configure pfSense Office

Setup a basic internet firewall, with pfsense it's just a couple of minutes! I assume you are able to surf the internet from SERVER at 192.168.0.10. Your gateway is the 192.168.0.2 pfsense machine. You can have a different gateway as long SERVER has a route for 192.168.133.0/24 through pfSense Office.

Create a new OpenVPN client session, using these key parameters:

Finally paste the shared key into the box.

After applying the tunnel should go up. Go to Status->System logs->OpenVPN and check to find something like:
Apr 11 11:11:11 openvpn[408]: Initialization Sequence Completed
Apr 11 11:11:11 openvpn[408]: Peer Connection Initiated with 190.x.y.z:4444

Now that you have the tunnel up, you are one step away from having it running: go to pfSense Public and teach it the way to go to your office.
Click System->Static routes, add e new one having:
Destination network: 192.168.0.0/24
Gateway: 192.168.134.2 (this is the address your pfSense Office gets from the SKT)

Create the config file for roadwarrior

The config file for your romaing computer is no more than a PKI client standard configuration. The only thing you can think about is the way to setup your routes. If you want a clear and simpler (!) configuration on the pfSense side, you can have a client config just like this:

The last line lets you bring up the route to your PKI VPN tunnel to reach your office network. In this case no routes need to be pushed by pfSense Public.

That's all!

Now you can jump to the internet with your laptop and connect the PKT. Once authenticated you should get an address in the class 192.168.133.0/24, and can ping 192.168.0.10 (SERVER) as you were in the office!

Considerations

OpenVPN is a very cool VPN system. If you choose TCP port 443 for your PKT, you'll be able to connect to it using OpenVPN client from any location that lets you reach HTTPS sites. Also OpenVPN client can work through HTTP proxyes letting you escape from network jails :)
You can also use UDP or other well known ports, so that you have more chances that you can reach pfSense Public passing through firewalls, but remember that nowadays several device perform deep inspection on protocols, so aim to use ciphered ones.

Also note that you go in and out from the same interface on pfSense Public, so consider that to generate a 1 Mbit traffic to the client (RW) you need 1 Mbit incoming and 1 Mbit outgoing, other than 1 Mbit office upload. You can surely use LZO Compression on PKT and SKT: this will add a little latency with the benefit of compression.

Thanks to...

Thanks goes to all the pfSense team, for creating such a valid product. Specifically I must thank GruensFroeschli who helped me setting it all up.
Also lots of thanks to the guys in the openvpn project for their flexible and affordable program.

You can discuss this setup here in the forum (this is my forum, that is not associated or endorsed by pfSense)

You can also jump to http://www.gorlani.com/portal/ home and find other tools/articles