How to disable encryption in OpenVPN?


#1

Hello!
I’m looking for a way to disable encryption in OpenVPN completely.
In the country where I live now, OpenVPN is blocked, so I use it via a proxy which encrypts and hides traffic, and I do not need to add an additional encryption layer.
I tried to add openvpn-option “--cipher none”, but it seems that the vyos openvpn service doesn’t honor this option (or maybe I wrote it wrong), because I see these messages in the log:

Apr 14 11:18:19 vyos openvpn-vtun0[1635]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

Is there another way to disable encryption?


#2

Hello, @Tualua!

Show us, please, the complete interface configuration and logs:

sudo journalctl /usr/sbin/openvpn

Hint: among others, there must be the line:

******* WARNING *******: null cipher specified, no encryption will be used

#3

Hello, sorry for the delay. Here is the log output:

-- Logs begin at Fri 2019-04-19 18:30:37 CST, end at Mon 2019-04-22 11:13:48 CST. --
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: ******* WARNING *******: null cipher specified, no encryption will be used
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1080
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:1080 [nonblock]
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: TCP connection established with [AF_INET]127.0.0.1:1080
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: UDP link local: (not bound)
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: UDP link remote: [AF_INET]10.224.252.2:1194
Apr 19 18:31:00 vyos openvpn-vtun0[1608]: TLS: Initial packet from [AF_INET]10.224.252.2:1194, sid=a836d369 05d5d2af
Apr 19 18:31:00 vyos openvpn-vtun0[1608]: VERIFY OK: depth=1, CN=CET OpenVPN CA
Apr 19 18:31:00 vyos openvpn-vtun0[1608]: VERIFY OK: depth=0, CN=10.224.252.2
Apr 19 18:31:00 vyos openvpn-vtun0[1608]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 19 18:31:00 vyos openvpn-vtun0[1608]: [10.224.252.2] Peer Connection Initiated with [AF_INET]10.224.252.2:1194
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: SENT CONTROL [10.224.252.2]: 'PUSH_REQUEST' (status=1)
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.224.253.1,topology subnet,ping 120,ping-restart 1200,ifconfig 10.224.253.2 255.255.255.0,peer-id
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: route-related options modified
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: peer-id set
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: adjusting link_mtu to 1625
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: data channel crypto options modified
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: TUN/TAP device vtun0 opened
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: TUN/TAP TX queue length set to 100
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: /sbin/ip link set dev vtun0 up mtu 1500
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: /sbin/ip addr add dev vtun0 10.224.253.2/24 broadcast 10.224.253.255
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: Initialization Sequence Completed

I can see the line you have mentioned. Does it mean that the tunnel is running without encryption?
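
A check for the pattern visible in the log above, where the null-cipher warning is followed by `OPTIONS IMPORT: data channel crypto options modified` and AES-256-GCM initialization lines. This is an added example, not part of the thread; the function names, the verdict labels and the pid 2001 lines are made up, and reading a missing initialization line as "no cipher" is an assumption.

```python
import re

# Patterns follow the message formats quoted in the thread's journalctl output.
PROC = re.compile(r"(openvpn[\w.-]*)\[(\d+)\]: (.*)")
NULL_WARNING = "null cipher specified, no encryption will be used"
PUSHED_CRYPTO = "OPTIONS IMPORT: data channel crypto options modified"
DATA_CIPHER = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized")


def summarize(lines):
    """Group lines by (process name, pid) and record what each process logged."""
    sessions = {}
    for line in lines:
        m = PROC.search(line)
        if not m:
            continue  # journal header or unrelated line
        state = sessions.setdefault((m.group(1), int(m.group(2))), {
            "null_warning": False, "pushed_crypto": False, "Encrypt": None, "Decrypt": None})
        msg = m.group(3)
        if NULL_WARNING in msg:
            state["null_warning"] = True
        elif PUSHED_CRYPTO in msg:
            state["pushed_crypto"] = True
        elif (c := DATA_CIPHER.search(msg)):
            state[c.group(1)] = c.group(2)  # last initialization line wins
    return sessions


def verdict(state):
    """Classify one process. NO_CIPHER_SEEN is an assumption based on a missing init line."""
    ciphers = {state["Encrypt"], state["Decrypt"]}
    if None not in ciphers:
        return "NULL_NOT_IN_EFFECT" if state["null_warning"] else "ENCRYPTED"
    if ciphers == {None}:
        return "NO_CIPHER_SEEN" if state["null_warning"] else "UNKNOWN"
    return "ONE_DIRECTION_ONLY"

# Constructed sample: the pid 1608 lines are copied from the thread, pid 2001 is invented.
SAMPLE = """\
Apr 19 18:36:05 vyos openvpn-vtun0[1608]: ******* WARNING *******: null cipher specified, no encryption will be used
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: OPTIONS IMPORT: data channel crypto options modified
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 18:31:01 vyos openvpn-vtun0[1608]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 19 18:40:00 vyos openvpn-vtun1[2001]: ******* WARNING *******: null cipher specified, no encryption will be used
Apr 19 18:40:02 vyos openvpn-vtun1[2001]: Initialization Sequence Completed
""".splitlines()

if __name__ == "__main__":
    for (name, pid), state in summarize(SAMPLE).items():
        print(name, pid, verdict(state), state["Encrypt"], state["Decrypt"])
```

The real output of `sudo journalctl /usr/sbin/openvpn` can be passed to `summarize()` line by line in place of `SAMPLE`.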