OpenVPN cannot Disable -ncp-disable Cipher Encryption

openvpn

Would be really thankful if anyone could help. My OpenVPN version is 2.2.1-8 according to

apt-cache show openvpn

According to numerous sources you have to use -ncp-disable in order to turn off encryption on your server side. Now I have tried all of the following (separately and one by one of course):

ncp-disable
-ncp-disable
--ncp-disable
ncp-disable-
-ncp-disable-
--ncp-disable--
--ncp-disable-
ncp disable
disable ncp
cipher none

but none of them works after I restart my openvpn. It always says, "starting VPN failed". Now what are the correct lines and where do I have to put them in my vpn.conf in order for them to work? Perhaps it should be something totally different in my openvpn version? I would be really grateful for any suggestions as I am totally clueless now.

P.S. It's working perfectly fine without any of these lines at all.

P.S.S. Here are my config files as asked by Nikita:

Server:
daemon
port 1194
proto udp
dev tun0

ca /etc/openvpn/easy-rsa-first/keys/ca.crt
cert /etc/openvpn/easy-rsa-first/keys/name.com.crt
key /etc/openvpn/easy-rsa-first/keys/name.com.key
dh /etc/openvpn/easy-rsa-first/keys/dh2048.pem 

server 1.2.3.4 255.255.255.0
ifconfig-pool-persist openvpn.dhcp
push "redirect-gateway"
push "dhcp-option DNS 1.2.3.4"
push "dhcp-option DNS 208.67.222.222"

push "route 1.2.3.4 255.255.255.0"

keepalive 10 120
comp-lzo

user myvpn
group myvpn

persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 7
mute 20

#;push "route 192.168.0.0 255.255.255.0"
#;push "route 192.168.173.0 255.255.255.0"

#;client-config-dir ccd
#;route 192.168.40.128 255.255.255.248
#;client-to-client
#;max-clients 3
============================

Client:
float
client
dev tun0
proto udp

remote 1.2.3.4 1194
;redirect-gateway

resolv-retry infinite
nobind
persist-key
persist-tun
ca "ca.crt"
cert "Certificate.crt"
key "Key.key"
auth-nocache

ns-cert-type server
comp-lzo
verb 7
mute 20

Solution 1:

Your OpenVPN is quite old. And ncp-disable does not disable encryption. Official OpenVPN manual says:

--ncp-disable
    Disable "negotiable crypto parameters".
    This completely disables cipher negotiation.

OpenVPN introduced a cipher negotiation in version 2.4, and this directive is meant as a debug aid to disable negotiation and to work like previous versions, which just used whatever is configured with cipher option in them, defaulting to BF-CBC if that option is missing. Versions 2.3 and below don't support NCP and therefore don't have this directive and its use should result in an error. Also, this directive is deprecated in OpenVPN 2.5 and 2.6 and will be removed in, I think, in 2.7.

There is also a part in manual just near that, which directly says how to disable encryption:

--cipher alg
    Encrypt data channel packets with cipher algorithm alg.

    The default is BF-CBC, an abbreviation for Blowfish in Cipher Block 
    Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4
    and newer on both client and server side will automatically upgrade to 
    AES-256-GCM. See --ncp-ciphers and --ncp-disable for more details on NCP.

    Using BF-CBC is no longer recommended, because of its 64-bit block size. 
    This small block size allows attacks based on collisions, as demonstrated
    by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for 
    details. Due to this, support for BF-CBC, DES, CAST5, IDEA and RC2 ciphers 
    will be removed in OpenVPN 2.6.

    To see other ciphers that are available with OpenVPN, use the 
    --show-ciphers option.

    Set alg=none to disable encryption.

You write in the config file:

cipher none

to disable encryption. You still might need to use this ncp-disable option on systems where OpenVPN 2.4 to 2.6 is installed and intended to connect to this server. I believe it isn't possbile to set ncp-ciphers none, but I didn't checked it.

Also note. Trying random strings as options never helps, and can even cause harm if you accidentally hit something meaningful. Manual lists all available directives, and also there is specified that you write them with with two dashes (like --ncp-disable) on the command line, but without leading dashes (like ncp-disable) in the config file.

I strongly suggest to always consult with official manuals first, and only if it isn't clear enough to look for additional third-party information. And always check that information agianst official manual which is available on Unix-like systems as man openvpn and corresponds to the used version.

Related

Converting an integer to a boxed enum type only known at runtime
Automatic start of a WebSphere Windows service
Can't find 301 redirect source
How to open dovecot backup on windows and save as *.eml
WDC WD40PURZ-85AKKY0 is missing smartclt attributes?
Calculate correlation with cor(), only for numerical columns
VLAN passthrough security
How to group mysql rows with same column value into one row?
Calling base class method in Python
Custom subdomain support with Cloudflare DNS and Netlify Pages
How can I copy a file from one Windows server to another in a script?
Wireguard client communication without peer key via 1 router server