OpenVPN unable to disable encryption

Both in server and client config I have set:

cipher none
auth none

Following this advice I am also using UDP port 1195.

When I launch server and client I get following warnings:

Tue Dec  4 12:58:25 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Dec  4 12:58:25 2018 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!

...which is good, but still OpenVPN is using encryption. I know this, because:

1) I get following message on server side when client connects:

Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2) I get huuuge CPU load on both sides

3) I see in Wireshark that data is encrypted

What else is required to disable encryption?


It looks like you have Negotiable Crypto Parameters (NCP) enabled. You should specify

ncp-disable

Disable “negotiable crypto parameters”. This completely disables cipher negotiation.

When two OpenVPN instances have NCP enabled (default for recent versions) they will negotiate which cipher to use from a set of ciphers defined by ncp-ciphers. The default for that is 'AES-256-GCM:AES-128-GCM' which explains why you see AES-256-GCM on your connection.


Assuming you are running OpenVPN 2.4, I believe you also need to set

ncp-disable

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Some background:

OpenVPN used to require you to manually configure the encryption algorithm to the same value on both ends. This, however, posed a problem: it made it very difficult to upgrade the encryption on an existing multi-user VPN. In 2016 an attack called "sweet32" was devised, allowing plaintext to be recovered in some circumstances. It wasn't exactly an easy attack to pull off in practice, and there was a way of mitigating it without changing cipher, but it was still a concerning development.

OpenVPN 2.4 introduced a new feature, enabled by default, for negotiating crypto parameters. I'm not sure if this was a reaction to sweet32 or a result of general concerns about the implications of being effectively locked into a single cipher-suite.

So when negotiation of crypto parameters is enabled the "cipher" setting effectively acts as a fall-back to be used if the other side of the connection does not support negotiation.
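The NCP rule both answers describe, as an added example that is not from the question or either answer: a small audit that works out which data-channel cipher two OpenVPN 2.4 peers actually end up with from their config files, and a log check that reads the cipher the daemon reports initialising. It assumes the selection order is "first entry of the server's ncp-ciphers list that the client also lists" (a simplification of the real handshake) and uses the default list quoted in the first answer.

```python
import re

# Default ncp-ciphers list for OpenVPN 2.4, as quoted in the answer above.
DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"

def parse_config(text):
    """Parse OpenVPN config text into {option: value}; bare options map to ''.
    Comment lines (# or ;) and blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            key, _, value = line.partition(' ')
            opts[key] = value.strip()
    return opts

def effective_data_cipher(server_cfg, client_cfg):
    """Return the data-channel cipher two 2.4 peers end up with, following the
    NCP rules in the answers: if either side sets ncp-disable, no negotiation
    happens and the static 'cipher' value is used (None if unset; a mismatch
    raises); otherwise the first entry of the server's ncp-ciphers that the
    client also lists wins (assumed selection order, a simplification)."""
    s, c = parse_config(server_cfg), parse_config(client_cfg)
    if 'ncp-disable' in s or 'ncp-disable' in c:
        if s.get('cipher') != c.get('cipher'):
            raise ValueError("static cipher mismatch: %r vs %r"
                             % (s.get('cipher'), c.get('cipher')))
        return s.get('cipher')
    server_list = s.get('ncp-ciphers', DEFAULT_NCP_CIPHERS).split(':')
    client_list = c.get('ncp-ciphers', DEFAULT_NCP_CIPHERS).split(':')
    for cipher in server_list:
        if cipher in client_list:
            return cipher
    return s.get('cipher')  # nothing in common: the static 'cipher' is the fallback

LOG_RE = re.compile(r"(Incoming|Outgoing) Data Channel: Cipher '([^']+)'")

def negotiated_ciphers(log_text):
    """Pull the cipher names OpenVPN reports initialising out of its log, so the
    running state is checked rather than inferred from the config file."""
    return [m.group(2) for m in LOG_RE.finditer(log_text)]

# Constructed samples: the asker's options, with and without ncp-disable,
# plus the two server log lines quoted in the question.
ASKER_CFG = "cipher none\nauth none\nproto udp\nport 1195\n"
FIXED_CFG = ASKER_CFG + "ncp-disable\n"
SAMPLE_LOG = ("... Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
              "... Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n")

if __name__ == "__main__":
    print(effective_data_cipher(ASKER_CFG, ASKER_CFG))  # AES-256-GCM: NCP still negotiates
    print(effective_data_cipher(FIXED_CFG, FIXED_CFG))  # none
    print(negotiated_ciphers(SAMPLE_LOG))               # ['AES-256-GCM', 'AES-256-GCM']
```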