DrKK
In this case, that would be like teaching a bowling ball how to fly.
Me, I'm a "teach a man to fish" kinda guy
That's a coconut. Not a bowling ball. Everyone knows coconuts can fly duh.
That's easy!
You might consider http://www.snbforums.com/threads/asuswrt-merlin-custom-firmware-for-asus-routers.7846/
I got openvpn on my router to work, but I had to use an older version of the client that didn't require a high level of encryption (because Asus is filled with a bunch of jackasses who decided to put a years old version of openvpn on their routers). I was honestly fine with it until recently when it suddenly stopped working for some reason and I've been unable to get it working again.
I don't frequently need to access the GUI, although my Plex plugin needs to be rebooted every so often. And normally I could wait until I'm home and just deal with it then, however when I'm at school I'll be away from the server for months at a time -- and should a problem arise I would like some way to access it.
I hear this frequently. A (usually new) user of FreeNAS wants to access the GUI of FreeNAS remotely.
May I ask, why? What is it that you would like to do on the GUI remotely? Once your FreeNAS is set up, there is nothing you need on the GUI that can't wait until the next time you are on the LAN. At least as far as I know. Hell, @cyberjock himself once went something like 5 months without accessing the GUI....AT ALL....much less from the WAN.
So I am intellectually curious what people are after, on a day-to-day basis, that they would go through some hassle to expose it to the internet. If it's properly configured, nothing should require your tweaking in the GUI, nothing should need to be "fixed" in the GUI. At least nothing that can't wait until you get back to the local network.
I have an Asus AC68u. Are there any advantages/disadvantages to Tomato/DDWRT/openwrt/Merlin/other? Also, would there be any advantage to running the VPN on my FreeNAS server vs. the router? I had a lot of trouble the last time I tried setting up openVPN, but the more I think about it, the more I think that I may have just been doing something very stupid as that was when I first started with FreeNAS, -- I'll probably try to setup openVPN on another system I have lying around and hopefully I'll be able to get it working this time.
If OpenWrt is available for the router, it should be flashed in lieu of DD-Wrt due to the lack of functionality of DD-Wrt and its limited customization options. Due to internal politics at OpenWrt, similar to what's occurred at ownCloud, you may also want to check out LEDE... but I would avoid DD-Wrt unless it's the absolute last alternative.
If you do decide to flash and configure OpenVPN, this is a wiki I wrote for configuring OpenVPN servers and clients on OpenWrt. I also strongly encourage utilizing OpenSSL directly via the openssl.cnf in my signature in lieu of creating certs with Easy-RSA (all commands required are at the bottom of the cnf, starting at line 321)
You can do all that through SSH
I don't frequently need to access the GUI, although my Plex plugin needs to be rebooted every so often. And normally I could wait until I'm home and just deal with it then, however when I'm at school I'll be away from the server for months at a time -- and should a problem arise I would like some way to access it.
You can utilize either, however for the above two uses, there's little point to doing that through a VPN, as SSH is just as secure and requires less system resources. There is no right or wrong option to choose, both are tools to get the same thing done.
I really would like to setup a VPN, so I probably will give it another shot as I much prefer a VPN to SSH.
OpenWrt offers more to the end user than Tomato or DD-WRT (not familiar with Merlin), offering a package repository similar to one on a desktop distro. DD-WRT is quite lacking in many areas, as is Tomato.
I have an Asus AC68u. Are there any advantages/disadvantages to Tomato/DDWRT/openwrt/Merlin/other? Also, would there be any advantage to running the VPN on my FreeNAS server vs. the router? I had a lot of trouble the last time I tried setting up openVPN, but the more I think about it, the more I think that I may have just been doing something very stupid as that was when I first started with FreeNAS, -- I'll probably try to setup openVPN on another system I have lying around and hopefully I'll be able to get it working this time.
I know I can do it through SSH, but I would really prefer to have a VPN set up anyway, the only reason I was going to do SSH this time was because I couldn't get openVPN working the last time I tried it (I also have ownCloud and I've heard that I'm better off using a VPN than trying to secure and expose that). I don't really care about system resources, I have a 1230v2 and 32gb of RAM that just has to handle plex for 1-2 users and ownCloud, so I have a ridiculous amount of headroom.
You can do all that through SSH
You can utilize either, however for the above two uses, there's little point to doing that through a VPN, as SSH is just as secure and requires less system resources. There is no right or wrong option to choose, both are tools to get the same thing done.
OpenWrt offers more to the end user than Tomato or DD-WRT (not familiar with Merlin), offering a package repository similar to one on a desktop distro. DD-WRT is quite lacking in many areas, as is Tomato.
- -snip-
##::[[--- OpenVPN Server Config ---]]::##

# For OpenWRT users:
# Use as is
# You can utilize the same file for multiple servers.
# Copy & paste first config below itself with a blank line separating each.

# For *nix/BSD users:
# Certain words and characters will need to be altered:
# Lines 28 - 31 need to be removed.
# "Option" is not utilized.
# Change underscores to hyphens.

# Diffie-Hellmann PEM (dh4096.pem)
# DH cert must be generated with a value ABOVE that with which you will be utilizing.
# If you generate 2048bit certs, your dh.pem must exceed that value.

# PFS [Perfect Forward Secrecy] is maintained by two methods:
# SSL:
# Via the TLS Auth key [ta.key]
# Generate via: openvpn --genkey --secret ta.key
# TLS:
# Via specifying a TLS Cipher, such as TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Generate supported ciphers via: openvpn --show-tls

config openvpn 'VPNserver'

    option enabled 1

    # --- Protocol ---#
    option dev tun
    option dev tun1
    option topology subnet
    option proto udp
    option port 1194

    #--- Routes ---#
    option server '10.0.0.0 255.255.255.240'
    option ifconfig '10.0.0.1 255.255.255.240'

    #--- Client Config ---#
    # option ccd_exclusive 1
    # option ifconfig_pool_persist /etc/openvpn/clients/ipp.txt
    # option client_config_dir /etc/openvpn/clients/

    #--- Pushed Routes ---#
    list push 'route 192.168.0.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.0.1'
    list push 'dhcp-option WINS 192.168.0.1'
    list push 'dhcp-option DNS 8.8.8.8'
    list push 'dhcp-option DNS 8.8.4.4'
    list push 'dhcp-option NTP 129.6.15.30'

    #--- Encryption ---#
    # Diffie-Hellmann:
    option dh /etc/ssl/certs/openvpn/dh4096.pem
    # PKCS12:
    option pkcs12 /etc/ssl/certs/openvpn/vpn-server.p12
    # SSL:
    option cipher AES-256-CBC
    option auth SHA512
    option tls_auth '/etc/ssl/certs/openvpn/ta.key 0'
    # TLS:
    option tls_version_min 1.2
    option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256'

    #--- Logging ---#
    option log_append /tmp/openvpn.log
    option status /tmp/openvpn-status.log
    option verb 7

    #--- Connection Options ---#
    option keepalive '10 120'
    option comp_lzo yes

    #--- Connection Reliability ---#
    option client_to_client 1
    option persist_key 1
    option persist_tun 1

    #--- Connection Speed ---#
    option sndbuf 393216
    option rcvbuf 393216
    option fragment 0
    option mssfix 0
    option tun_mtu 24000

    #--- Pushed Buffers ---#
    list push 'sndbuf 393216'
    list push 'rcvbuf 393216'

    #--- Permissions ---#
    option user nobody
    option group nogroup
    # option chroot /var/chroot-openvpn/

#####################################################
##----- If chroot is utilized -----##
#####################################################
# chroot SHOULD be utilized in case VPN is ever exploited
# chroot requires customization of the chroot directory; please google how to setup a chroot

    #--- Client Config ---#
    # option ccd_exclusive 1
    # option ifconfig_pool_persist /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
    # option client_config_dir /var/chroot-openvpn/etc/openvpn/clients

    #--- Encryption ---#
    # option cipher AES-256-CBC
    # option dh /var/chroot-openvpn/etc/ssl/certs/openvpn/dh4096.pem
    # option pkcs12 /var/chroot-openvpn/etc/ssl/certs/openvpn/vpn-server.p12
    # option tls_auth '/var/chroot-openvpn/etc/ssl/certs/openvpn/ta.key 0'
##::[[--- OpenVPN Client Config ---]]::##

# For Windows users:
# Use as is
# If PKCS12 isn't within the same directory as the ovpn, path must be referenced.

# For Android:
# PKCS12 [line 32] is unnecessary, as cert will be imported into the Android Keychain.

# Certificates:
# "remote-cert-tls server" should only be utilized if generating certs using Easy-RSA.
# "remote-cert-ku XX" should be utilized if generating certs using an openssl.cnf.
# For an explanation: https://www.v13.gr/blog/?p=386

# --- Config Type --- #
client

# --- Protocol ---#
dev tun
proto udp

# --- DDNS --- #
remote your.ddns.com 1194

# --- Encryption --- #
# SSL:
cipher AES-256-CBC
auth SHA512
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#---PASTE KEY HERE---#
-----END OpenVPN Static key V1-----
</tls-auth>
# TLS:
tls-version-min 1.2
# Directive is spelled with a hyphen in a client .ovpn (underscores are only for the OpenWrt UCI file)
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256

#--- Server Security ---#
pkcs12 vpn-client1.p12
remote-cert-ku f8
auth-nocache

# --- Logging --- #
verb 5

# --- Connection --- #
comp-lzo
float
nobind
resolv-retry infinite

# --- Connection Reliability --- #
persist-key
persist-tun

# --- Connection Speed ---#
fragment 0
mssfix 0
tun-mtu 24000
More likely than not, the server hardware will be able to vastly outperform the router with encryption/decryption (I wouldn't recommend anything less than 2048bit/SHA256). You can test cipher speeds with the command openssl speed
DDNS needs to be run on the WAN facing router, as the DDNS address resolves to your public IP, which the server should not be receiving.
OpenVPN is extremely easy to configure and if you haven't already, I really would recommend reading the OpenVPN HowTo [~15min] and OpenVPN man page [~45min]. Both help to fully understand not only what possibilities you have, but options you may benefit from setting, and what each option you set means.
- If you're going to run OpenVPN within a jail, there may be certain security measures that may need to be implemented (other senior members should be able to provide feedback on that). I'd also recommend searching the forum for threads related to running OpenVPN in a jail and exposing that jail directly to WAN.
Since your post made everything seem quite a bit more complicated than I originally thought I decided to give the openVPN server on my router another shot...and by some magic it worked. I don't know how or why because I literally changed nothing, but it seems to work and it even works with a modern version of Tunnelblick (previously I had to use an antiquated version of Tunnelblick). So for the time being I won't setup openVPN on my server and hopefully I won't regret this decision after I'm back at school (for a few months).
Simply utilize the configs above in place of those in the guide; however, it's extremely important you understand what the options in the configs, both server and client, mean. I cannot stress that enough, as too many people simply copy and paste without bothering to learn what they're copying and pasting, and in turn, majority of new users to OpenVPN end up with an insecure VPN.
-snip-
I've read through the openVPN pages and the configs, but they really don't mean much to me. I don't know what custom config settings are necessary to add, which aren't, and potentially which are going to cause problems with the VPN server since I've already had issues with it in the past.
You're still missing the glaring fact I've been repeatedly trying to get one setting up a VPN server to understand... unless you understand some core things, your VPN will be no more secure than communicating over the internet directly.
It doesn't matter on which device OpenVPN is set up on, all OpenVPN servers require the same things, but most likely, your router's VPN config is not secure... I've yet to come across a store bought router's OEM firmware that enforces a secure SSL VPN configuration, nor one that properly generates VPN certs.
Bottom line is this: If one is not willing to take an hour or two to secure, and properly configure, their VPN, then one shouldn't be setting up their own VPN
This is what's really frustrating... I've already done 90% of your work for you in getting OpenVPN up and running, yet you don't want to take an hour or two to get everything set up. Why exactly did you ask for help?
- It only takes ~30 min to setup OpenVPN from scratch with what I've provided in this thread, with the remaining 30 - 90 minutes required to educate one's self with what the configuration values utilized mean
I think it's just for adding fields which aren't specified.
I could be misinterpreting your settings page, however it appears you can paste in your own config under Custom Configuration. If this is the case, I would recommend using the config I posted earlier, as it's not only secure, it's been tweaked for the fastest upload/download speeds possible. If that isn't what the box is for, then it's probably to add additional values that aren't specified in the drop down menus, and if this is the case, please provide the information requested below and I can reply back with what extra values should be input.
I'm only mentioning values below that should be different than shown or for which additional information is required.
Protocol: UDP
- Please expand Interface Type
- TUN should be what's selected, but I'm curious what other options it's offering
Username/Password: OFF
- Please expand firewall drop down
- Please expand Authorization Mode, both for TLS as well as Content modification
- VPN should be secured by SSL certs only, with a password on the SSL key if you wish to have one
Does it offer any help information or hint as to what the Respond to DNS option is for (as it could mean a few different things in the context of the VPN server)
- Please expand Extra HMAC authorization
Manage Client-Specific Options: Yes
- Please expand Encryption Cipher
- Please expand Compression
- Please reply back with what options it provides once you select Yes
From the Advanced Settings, it appears to be a Net30 implementation of OpenVPN (I could very well be wrong, but the lack of a topology specification indicates it's likely a Net30).
In my config above, I specify the topology as subnet, which is what everyone is used to dealing with, since it's the topology used by PCs and routers. Subnet topology also makes it far easier on you to create firewall rules for the VPN (this is far more important when more than one user is utilizing the VPN). Net30 prevents the user from designating static IPs to the devices they'll be connecting from, which in turn affects security of the VPN.
- Net30 is obsolete and quite dated, referring to the subnet mask of /30. This means it's a literal point to point VPN:
- 1st client connection
- Server is given an IP of 10.8.0.1 and the 1st Client an IP of 10.8.0.2
- 2nd client connection
- Server is given an IP of 10.8.0.3 and the 2nd Client an IP of 10.8.0.4
- 3rd client connection
- Server is given an IP of 10.8.0.5 and the 3rd Client an IP of 10.8.0.6 (and so forth)
- In other words, Net30 is enormously inefficient to say the least. Each Server and Client pair must have chronological, sequential IPs (i.e. Server can't be 10.8.0.1 and client be 10.8.0.10)
Without overwhelming you with more information than is necessary, once we get the config ironed out, you will have to use openssl to generate a CA, then server and client certs. If you provide me with some information via PM, I will edit the openssl.conf, with the information you provide and list in chronological order what commands you will need to give (simply copy and paste).
- For example, I connect to my VPN through two devices only. I have created firewall rules to only allow VPN traffic when the proper device is utilized by specifying MAC addresses in the firewall rules. This means even if someone garnished access to my PKCS12 cert, and discovered my password, unless they were connecting from one of the two devices, the traffic would be immediately dropped by the router prior to performing NAT and handing the connection off to OpenVPN.
Setting 'Respond to DNS' to yes displays another field -- 'advertise dns to clients'.
Interface: TUN
Protocol: UDP
Firewall: Choose Custom (if custom means you create your own rules)
- TCP should only be used for troubleshooting purposes (unless packet loss is high). The reason why is TCP cannot efficiently encapsulate TCP packets. OpenVPN encapsulates TCP over UDP, however when the same is done over TCP, a substantial hit on speed occurs due to the inefficient way in which TCP must encapsulate itself, so unless one sees high packet loss on UDP, they should not utilize TCP.
- There was a really great write up explaining this that I thought I bookmarked, however I must not have. If you do some searching on google, you should be able to find at least one write up that explains exactly what occurs when TCP tries to encapsulate a TCP packet.
- However, if you experience a problem, TCP should be utilized for troubleshooting purposes. This is why OpenVPN firewall rules should be both TCP & UDP rules, as it prevents one from having to do more work than is necessary when one needs to troubleshoot the connection.
Authorization Mode: TLS
- Use the rules from the OpenWrt Wiki I wrote
Content Modification: This is where you will need to paste in the certificates you generate with OpenSSL using the openssl.cnf above.
- I need to research exactly what Asus will be using, as it should offer the option of what TLS ciphers to use. You can see what TLS ciphers should look like in my configs above.
- When you go to create them, PM me and I can walk you through what you'll need to customize in the openssl.cnf
Extra HMAC Authorization: Bi-directional
Respond to DNS: I need to research this as well. Most likely, Yes (my hunch is it applies to LAN and not to WAN)
- This should refer to TLS-Auth and the use of a ta.key in both the server and client configs. I need to research this on google however to see what Asus is referring to exactly (as Asus does not appear to be using the correct OpenVPN terminology)
Encryption Cipher: Choose one of the AES ciphers under Custom (Do not use any of the others)
- AES-128-CBC, AES-192-CBC, AES-256-CBC SSL ciphers
- I utilize AES-256-CBC for my SSL cipher, however this is personal preference as to what one of the three you choose. I would recommend using google to search the three ciphers and choose which one you find best for your uses. Technically, AES-128 hasn't been broken in the public forum (IIRC it was broken in a research setting, though I could be mis-remembering).
- Obviously, the higher you go up in encryption, the speed with which encryption/decryption occurs increases. I would run the openssl speed test I mentioned above on your PC to determine how fast the PC is able to encrypt/decrypt
- Speed test may be able to be done on the router, however you will need to use google to see if Asus offers a way to access its telnet server (the cli of the router). Some routers offer this hidden ability in their OEM firmware, some do not. Tech Support may know, however they also may very well not know.
- I have no clue what it's referring to for TLS, as TLS should refer to TLS ciphers, of which it does not list. You can see what the TLS ciphers look like in my configs above.
- Please select TLS, then see if that changes any of the options under Extra HMAC Authorization
Compression: Adaptive or Enable
Client Specific Options:
- I need to do some research as to what Asus is utilizing for compression
I'll reply back today or tomorrow with what additional options should be included in the Custom Configuration section
- Allow Client to Client: This allows clients to see other clients (i.e. enabling you to communicate with other devices, such as the FreeNAS server, while connected to the VPN)
- Allow Specified Clients: Yes (Refers to CCD Exclusive)
- Allowed Client List
- UserName: not sure what Asus is referring to (unless it's the username/pass option further up in the config, which should not be utilized)
- IP: Static IP of device you will be connecting from
- Repeat for each device, you will need to assign your devices static IPs for the VPN subnet
- Subnet Mask: VPN subnet mask
- Push: Yes (this should refer to pushing information to the client)
CCD doesn't require clients to have a static IP set, however I'd recommend it, as it's an additional layer of security as you can then configure specific firewall rules only for those IPs you assign. The static IPs are not set via the way in which you're probably thinking (via the router's WebGUI) however.
Setting 'Respond to DNS' to yes displays another field -- 'advertise dns to clients'.
For 'manage client specific options' what if the client/s don't have static IPs? Or is that referring to the local IP of the device (so 10.8.0.x)? Would the subnet mask be 255.255.255.0?
I still have to do the openssl.cnf file for the content modification.
Selecting TLS doesn't change anything under 'Extra HMAC authorization'.
For custom firewall, I don't see anything in the firewall section (which is outside of the VPN section). So maybe there is a firewall specifically for the VPN that has its rules set in the custom configuration box?
root@WRT1900:/# cat /tmp/openvpn.log
Tue Jul 7 19:57:02 2015 us=55343 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 2 2015
Tue Jul 7 19:57:02 2015 us=55674 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Tue Jul 7 19:57:02 2015 us=454270 Diffie-Hellman initialized with 2048 bit key
Tue Jul 7 19:57:02 2015 us=546774 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Jul 7 19:57:02 2015 us=547010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 7 19:57:02 2015 us=547197 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 7 19:57:02 2015 us=547412 TLS-Auth MTU parms [ L:48058 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jul 7 19:57:02 2015 us=547644 Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Jul 7 19:57:02 2015 us=567559 TUN/TAP device tun0 opened
Tue Jul 7 19:57:02 2015 us=567788 TUN/TAP TX queue length set to 100
Tue Jul 7 19:57:02 2015 us=567990 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 7 19:57:02 2015 us=568318 /sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.240 mtu 24000 broadcast 10.0.0.15
Tue Jul 7 19:57:02 2015 us=608940 Data Channel MTU parms [ L:48058 D:48058 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul 7 19:57:02 2015 us=609448 GID set to nogroup
Tue Jul 7 19:57:02 2015 us=609690 UID set to nobody
Tue Jul 7 19:57:02 2015 us=609897 UDPv4 link local (bound): [undef]
Tue Jul 7 19:57:02 2015 us=610077 UDPv4 link remote: [undef]
Tue Jul 7 19:57:02 2015 us=610251 MULTI: multi_init called, r=256 v=256
Tue Jul 7 19:57:02 2015 us=610560 IFCONFIG POOL: base=10.0.0.2 size=13, ipv6=0
Tue Jul 7 19:57:02 2015 us=610897 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Client1,10.0.0.2', TODO: IPv6
Tue Jul 7 19:57:02 2015 us=612378 succeeded -> ifconfig_pool_set()
Tue Jul 7 19:57:02 2015 us=612581 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Nexus6,10.0.0.3', TODO: IPv6
Tue Jul 7 19:57:02 2015 us=612747 succeeded -> ifconfig_pool_set()
Tue Jul 7 19:57:02 2015 us=612912 IFCONFIG POOL LIST
Tue Jul 7 19:57:02 2015 us=613077 WRT1900ac-VPNclient-Client1,10.0.0.2
Tue Jul 7 19:57:02 2015 us=613349 WRT1900ac-VPNclient-Nexus6,10.0.0.3
Tue Jul 7 19:57:02 2015 us=614653 Initialization Sequence Completed
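An added example, not written by anyone in the thread: a small Python check that reads the OpenVPN startup lines from the log above and compares what the server actually negotiated against the minimum recommended earlier in the thread (2048bit/SHA256). The threshold constants and the function names `parse_startup` and `audit` are assumptions of this example.

```python
import re

# Startup lines copied from the log posted at the end of the thread.
SAMPLE_LOG = """\
Tue Jul 7 19:57:02 2015 us=55343 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 2 2015
Tue Jul 7 19:57:02 2015 us=454270 Diffie-Hellman initialized with 2048 bit key
Tue Jul 7 19:57:02 2015 us=547010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 7 19:57:02 2015 us=547197 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 7 19:57:02 2015 us=609448 GID set to nogroup
Tue Jul 7 19:57:02 2015 us=609690 UID set to nobody
Tue Jul 7 19:57:02 2015 us=614653 Initialization Sequence Completed
"""

# Assumed thresholds for this example, taken from the thread's advice
# ("anything less than 2048bit/SHA256" is not recommended).
MIN_DH_BITS = 2048
MIN_HMAC_BITS = 256

# One regex per single-valued fact we want out of the startup banner.
SINGLE_VALUE = {
    "version": re.compile(r"OpenVPN (\d+\.\d+\.\d+)"),
    "dh_bits": re.compile(r"Diffie-Hellman initialized with (\d+) bit key"),
    "uid": re.compile(r"UID set to (\S+)"),
    "gid": re.compile(r"GID set to (\S+)"),
}
HMAC_RE = re.compile(
    r"(Outgoing|Incoming) Control Channel Authentication: "
    r"Using (\d+) bit message hash '([^']+)'"
)


def parse_startup(log_text):
    """Extract the security-relevant startup facts from an OpenVPN log."""
    facts = {"hmac": {}}
    for line in log_text.splitlines():
        m = HMAC_RE.search(line)
        if m:
            facts["hmac"][m.group(1).lower()] = (m.group(3), int(m.group(2)))
            continue
        for key, rx in SINGLE_VALUE.items():
            m = rx.search(line)
            if m and key not in facts:
                facts[key] = m.group(1)
    facts["completed"] = "Initialization Sequence Completed" in log_text
    return facts


def audit(facts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    dh = facts.get("dh_bits")
    if dh is None:
        findings.append("dh: no Diffie-Hellman line found, key size unverified")
    elif int(dh) < MIN_DH_BITS:
        findings.append(f"dh: {dh} bit key is below {MIN_DH_BITS} bit")
    for direction in ("outgoing", "incoming"):
        hmac = facts["hmac"].get(direction)
        if hmac is None:
            findings.append(f"tls-auth: no {direction} HMAC line in the log")
        elif hmac[1] < MIN_HMAC_BITS:
            findings.append(
                f"tls-auth: {direction} HMAC uses {hmac[0]} ({hmac[1]} bit), "
                f"below {MIN_HMAC_BITS} bit"
            )
    for key in ("uid", "gid"):
        if facts.get(key) in (None, "root"):
            findings.append(f"privileges: {key.upper()} was not dropped")
    if not facts["completed"]:
        findings.append("startup: initialization sequence did not complete")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_startup(SAMPLE_LOG)):
        print(finding)
```

On the posted log both findings are the SHA1 control-channel HMAC; the server config earlier in the thread sets `auth SHA512`, which OpenVPN also applies to the tls-auth HMAC, so this log reflects a server running without that line.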