The question is simple: how can I access my office LAN from anywhere, while I don't have a public IP address on my office router? This is a common scenario when you're connected through a fiber cable MAN and your router gets a 10.x.y.z address that is natted several times before going to the internet.
What you need
First of all, jump to www.pfsense.org and download it. In this scenario I'm using 1.2 release.
Next you need the possibility to publish a machine running pfSense on the internet with a public IP address. You really need only 2 ports to be published, so you can reuse a published server address on a firewall or similar.
This is the big picture of the solution. The basic concept is to setup 2 VPN tunnels, one between the 2 pfSense hosts (I'll call this the Shared Key tunnel, SKT), and one (or several) between the roadwarrior (RW) and the pfSense Public (I'll call this the Public Key Infrastructure Tunnel, PKT).
Let's start setting up pfSense Public
Configure it as it can be seen from the internet on 2 ports: in my solution I choose 4443 for the PKI OpenVPN and 4444 for the Shared Key OpenVPN. This can really be any unused ports, see ahead for considerations. The internal LAN can have any addressing you need, it will be not used in this setup.
Next setup the PKI OpenVPN: this will be used from your clients around the world to connect. Just follow the guides on www.pfsense.org and use these parameters:
Local port: 4443 in my example, using TCP as protocol
Address pool: 192.168.133.0/24
This way you should be able to setup the VPN between the client and pfSense Public, that can be pinged via the tunnel. You can use another Shared Key VPN in place of the PKI one of course: it is simpler to setup but you can read about managing/security consideration on the forums.
Next we setup the LAN to LAN SKT.
On your public pfSense create a new OpenVPN server session. The important parameters here are:
Finally add an access rule to your WAN interface allowing packets from any (or from your office provider public subnet) to the port you used.
Now let's configure pfSense Office
Setup a basic internet firewall, with pfsense it's just a couple of minutes! I assume you are able to surf the internet from SERVER at 192.168.0.10. Your gateway is the 192.168.0.2 pfsense machine. You can have a different gateway as long SERVER has a route for 192.168.133.0/24 through pfSense Office.
Create a new OpenVPN client session, using these key parameters:
Server address: pfSense Public IP
After applying the tunnel should go up. Go to Status->System logs->OpenVPN and check to find something like:
Now that you have the tunnel up, you are one step away from having it running: go to pfSense Public and teach it the way to go to your office.
Create the config file for roadwarrior
The config file for your romaing computer is no more than a PKI client standard configuration. The only thing you can think about is the way to setup your routes. If you want a clear and simpler (!) configuration on the pfSense side, you can have a client config just like this:
Now you can jump to the internet with your laptop and connect the PKT. Once authenticated you should get an address in the class 192.168.133.0/24, and can ping 192.168.0.10 (SERVER) as you were in the office!
OpenVPN is a very cool VPN system. If you choose TCP port 443 for your PKT, you'll be able to connect to it using OpenVPN client from any location that lets you reach HTTPS sites. Also OpenVPN client can work through HTTP proxyes letting you escape from network jails :)
Also note that you go in and out from the same interface on pfSense Public, so consider that to generate a 1 Mbit traffic to the client (RW) you need 1 Mbit incoming and 1 Mbit outgoing, other than 1 Mbit office upload. You can surely use LZO Compression on PKT and SKT: this will add a little latency with the benefit of compression.
Thanks goes to all the pfSense team, for creating such a valid product. Specifically I must thank GruensFroeschli who helped me setting it all up.