OpenVPN unable to disable encryption
up vote
11
down vote
favorite
Both in server and client config I have set:
cipher none
auth none
Following this advice I am also using UDP port 1195.
When I launch server and client I get following warnings:
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
...which is good, but still openvpn is using encryption. I know this, because:
1) I get following message on server side when client connects:
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2) I get huuuge CPU load on both sides
3) I see in Wireshark that data is encrypted
What else is required to disable encryption?
openvpn
add a comment |
up vote
11
down vote
favorite
Both in server and client config I have set:
cipher none
auth none
Following this advice I am also using UDP port 1195.
When I launch server and client I get following warnings:
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
...which is good, but still openvpn is using encryption. I know this, because:
1) I get following message on server side when client connects:
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2) I get huuuge CPU load on both sides
3) I see in Wireshark that data is encrypted
What else is required to disable encryption?
openvpn
1
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
6
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46
add a comment |
up vote
11
down vote
favorite
up vote
11
down vote
favorite
Both in server and client config I have set:
cipher none
auth none
Following this advice I am also using UDP port 1195.
When I launch server and client I get following warnings:
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
...which is good, but still openvpn is using encryption. I know this, because:
1) I get following message on server side when client connects:
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2) I get huuuge CPU load on both sides
3) I see in Wireshark that data is encrypted
What else is required to disable encryption?
openvpn
Both in server and client config I have set:
cipher none
auth none
Following this advice I am also using UDP port 1195.
When I launch server and client I get following warnings:
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Dec 4 12:58:25 2018 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
...which is good, but still openvpn is using encryption. I know this, because:
1) I get following message on server side when client connects:
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2) I get huuuge CPU load on both sides
3) I see in Wireshark that data is encrypted
What else is required to disable encryption?
openvpn
openvpn
edited Dec 4 at 12:52
asked Dec 4 at 12:05
user2449761
1586
1586
1
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
6
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46
add a comment |
1
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
6
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46
1
1
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
6
6
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46
add a comment |
2 Answers
2
active
oldest
votes
up vote
27
down vote
accepted
It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify
ncp-disable
Disable “negotiable crypto parameters”. This completely disables cipher negotiation.
When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.
add a comment |
up vote
12
down vote
Assuming you are running openvpn 2.4 I belive you also need to set
ncp-disable
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f942810%2fopenvpn-unable-to-disable-encryption%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
27
down vote
accepted
It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify
ncp-disable
Disable “negotiable crypto parameters”. This completely disables cipher negotiation.
When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.
add a comment |
up vote
27
down vote
accepted
It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify
ncp-disable
Disable “negotiable crypto parameters”. This completely disables cipher negotiation.
When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.
add a comment |
up vote
27
down vote
accepted
up vote
27
down vote
accepted
It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify
ncp-disable
Disable “negotiable crypto parameters”. This completely disables cipher negotiation.
When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.
It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify
ncp-disable
Disable “negotiable crypto parameters”. This completely disables cipher negotiation.
When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.
edited Dec 4 at 12:43
answered Dec 4 at 12:27
Iain
104k13164257
104k13164257
add a comment |
add a comment |
up vote
12
down vote
Assuming you are running openvpn 2.4 I belive you also need to set
ncp-disable
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
add a comment |
up vote
12
down vote
Assuming you are running openvpn 2.4 I belive you also need to set
ncp-disable
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
add a comment |
up vote
12
down vote
up vote
12
down vote
Assuming you are running openvpn 2.4 I belive you also need to set
ncp-disable
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Assuming you are running openvpn 2.4 I belive you also need to set
ncp-disable
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
answered Dec 4 at 12:26
Peter Green
2,860622
2,860622
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f942810%2fopenvpn-unable-to-disable-encryption%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Could you please share a context of usage? As you are trying to disable any auth and encryption the usage of openvpn may be questionable... There may be even better approach to just encapsulate the traffic (e.g. ipip, gre,...)
– Kamil J
Dec 4 at 12:25
6
I am just experimenting, trying to find out what is the encryption impact on CPU load
– user2449761
Dec 4 at 12:46