Tutorial: Turn Off Encryption
You can turn off encryption on the OpenVPN tunnel while retaining the encapsulation and routing capabilities.
Overview
This tutorial describes the steps for a narrow use case of turning off encryption between Access Server and VPN clients.
Warning
We don't officially recommend or support turning off encryption. Following these steps effectively turns off all encryption and data protection on the tunnel. Only proceed when the consequences are known and acceptable, such as on a trusted network where you want OpenVPN tunneling capabilities without the encryption overhead, or where the data is already encrypted by another means while in transit.
This tutorial assumes the following:
You have a running Access Server that you can manage from the command-line interface (CLI).
Your Access Server and clients are running on a trusted, private network.
Your clients are OpenVPN 2 clients.
Important
Turning off encryption isn't supported at this time with OpenVPN Connect v3.
Connect to your console and get root privileges.
Change to the scripts directory so you can run the necessary commands with the sacli tool:
cd /usr/local/openvpn_as/scripts/
Set the ciphers to none:
./sacli --key "vpn.server.data_ciphers" --value "none" ConfigPut
./sacli --key "vpn.server.cipher" --value "none" ConfigPut
./sacli --key "vpn.client.cipher" --value "none" ConfigPut
Run these commands:
./sacli --key "vpn.server.config_text" --value "auth none" ConfigPut
./sacli --key "vpn.client.config_text" --value "auth none\ndata-ciphers none" ConfigPut
Restart the service:
service openvpnas restart
With these changes applied, any new connection profile generated by Access Server and loaded into an OpenVPN client should result in an unencrypted connection. You can verify this by checking Access Server's log file.
Here is a sample that shows a client connection that uses no encryption:
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 176.120.105.232:54014 PUSH: Received control message: 'PUSH_REQUEST'"
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:31 user/176.120.105.232:54014 MULTI: Learn: 172.27.232.7 -> user/176.120.105.232:54014'
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:31 user/176.120.105.232:54014 MULTI: primary virtual IP for user/176.120.105.232:54014: 172.27.232.7'
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!"
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!"
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:31 user/176.120.105.232:54014 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.'
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 SENT CONTROL [user]: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dns server 10 address 67.207.67.2,dns server 11 address 67.207.67.3,dns server 12 address 67.207.67.2,dns server 13 address 67.207.67.3,dns server 14 address 67.207.67.2,dns server 15 address 67.207.67.3,dhcp-option NBT 1,register-dns,block-ipv6,ifconfig 172.27.232.7 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher none,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)"
2024-03-18T13:04:32+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:32 user/176.120.105.232:54014 Data Channel: cipher '[null-cipher]', auth '[null-digest]', peer-id: 0"
2024-03-18T13:04:32+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:32 user/176.120.105.232:54014 Timers: ping 12, ping-restart 100'
2024-03-18T13:04:32+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:32 user/176.120.105.232:54014 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt'
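Reading the log by hand works for one client, but on a server where only some profiles are meant to run unencrypted you want a check that tells you, per session, what the data channel actually negotiated. The script below is an added example written for this tutorial; it is not part of Access Server. It assumes only the log layout shown above (ISO timestamp, "[stdout#info]", "[OVPN n] OUT:", then the quoted OpenVPN daemon line) and parses three things per client: the cipher pushed in PUSH_REPLY, the "Data Channel:" line that states what was really negotiated, and any daemon WARNING lines. The sample input reuses lines from the tutorial's excerpt plus one constructed line for a second client on AES-256-GCM, which also shows why "[null-digest]" on its own does not mean the tunnel is unauthenticated: AEAD ciphers carry their own integrity check, so only the combination of "[null-cipher]" or a non-AEAD cipher with "[null-digest]" is a finding.

```python
"""Flag OpenVPN Access Server sessions whose data channel has no encryption or integrity.

Added example for this tutorial, not Access Server's own code. Assumes the log
layout shown in the tutorial's excerpt.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# One Access Server log entry wrapping an OpenVPN daemon line in single or double quotes.
_ENTRY = re.compile(r"^\S+ \[stdout#info\] \[OVPN \d+\] OUT: (?P<q>['\"])(?P<msg>.*)(?P=q)$")
# The daemon line itself: "YYYY-MM-DD HH:MM:SS [user/]addr:port <text>"
_INNER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<client>\S+) (?P<text>.*)$")
# What was actually negotiated, and what the server pushed in PUSH_REPLY.
_DATA_CHANNEL = re.compile(r"Data Channel: cipher '(?P<cipher>[^']*)', auth '(?P<auth>[^']*)'")
_PUSHED_CIPHER = re.compile(r"PUSH_REPLY,(?:[^']*,)?cipher (?P<cipher>[^,']+)")

# AEAD ciphers authenticate packets themselves, so '[null-digest]' beside them is normal.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


@dataclass
class Session:
    address: str                           # client addr:port, present on every daemon line
    user: Optional[str] = None             # username prefix once the client is authenticated
    pushed_cipher: Optional[str] = None    # 'cipher ...' option sent in PUSH_REPLY
    data_cipher: Optional[str] = None      # negotiated data-channel cipher
    data_auth: Optional[str] = None        # negotiated data-channel HMAC
    warnings: list[str] = field(default_factory=list)

    @property
    def unencrypted(self) -> bool:
        return self.data_cipher == "[null-cipher]"

    @property
    def unauthenticated(self) -> bool:
        # No HMAC and no AEAD cipher: received packets could be altered in transit undetected.
        return self.data_auth == "[null-digest]" and self.data_cipher not in AEAD_CIPHERS


def parse_sessions(lines: Iterable[str]) -> dict[str, Session]:
    """Group the relevant daemon lines by client addr:port."""
    sessions: dict[str, Session] = {}
    for line in lines:
        entry = _ENTRY.match(line.strip())
        if not entry:
            continue
        inner = _INNER.match(entry.group("msg"))
        if not inner:
            continue
        client, text = inner.group("client"), inner.group("text")
        user, _, address = client.rpartition("/")   # "user/1.2.3.4:5" or just "1.2.3.4:5"
        session = sessions.setdefault(address, Session(address=address))
        if user:
            session.user = user
        if (m := _DATA_CHANNEL.search(text)):
            session.data_cipher, session.data_auth = m.group("cipher"), m.group("auth")
        if (m := _PUSHED_CIPHER.search(text)):
            session.pushed_cipher = m.group("cipher")
        if "WARNING" in text:
            session.warnings.append(text)
    return sessions


def audit(lines: Iterable[str]) -> list[str]:
    """One finding per session whose negotiated data channel lacks encryption or integrity."""
    findings = []
    for s in parse_sessions(lines).values():
        if s.data_cipher is None:
            continue  # no 'Data Channel:' line seen yet, nothing negotiated to judge
        if s.unencrypted or s.unauthenticated:
            who = f"{s.user}/{s.address}" if s.user else s.address
            findings.append(f"{who}: cipher {s.data_cipher}, auth {s.data_auth}, "
                            f"pushed cipher {s.pushed_cipher}, {len(s.warnings)} daemon warning(s)")
    return findings


# Sample input: the first five lines are from the tutorial's log excerpt; the last line is
# constructed to show a second client (documentation address 192.0.2.10) on AES-256-GCM.
SAMPLE_LOG = """\
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!"
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!"
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: '2024-03-18 13:04:31 user/176.120.105.232:54014 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.'
2024-03-18T13:04:31+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:31 user/176.120.105.232:54014 SENT CONTROL [user]: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dns server 10 address 67.207.67.2,dns server 11 address 67.207.67.3,dns server 12 address 67.207.67.2,dns server 13 address 67.207.67.3,dns server 14 address 67.207.67.2,dns server 15 address 67.207.67.3,dhcp-option NBT 1,register-dns,block-ipv6,ifconfig 172.27.232.7 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher none,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)"
2024-03-18T13:04:32+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:04:32 user/176.120.105.232:54014 Data Channel: cipher '[null-cipher]', auth '[null-digest]', peer-id: 0"
2024-03-18T13:05:02+0000 [stdout#info] [OVPN 1] OUT: "2024-03-18 13:05:02 other/192.0.2.10:41000 Data Channel: cipher 'AES-256-GCM', auth '[null-digest]', peer-id: 1"
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it against the real file with something like `audit(open("/var/log/openvpnas.log"))` and compare the output to the list of profiles you intended to leave unencrypted; any session that appears but isn't on that list means the settings above reached a client you didn't expect. The "Data Channel:" line is the one to trust, since it records what the two sides negotiated rather than what the server asked for.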
You may need to make adjustments based on your client.
OpenVPN Connect v3
Turning off encryption is not supported at this time.
OpenVPN 2.3 and older
You shouldn't need to make any adjustments here. OpenVPN 2.3 uses the auth none and cipher none settings set above and ignores the data-ciphers setting.
OpenVPN 2.4
You shouldn't need to make any adjustments here. OpenVPN 2.4 recognizes ncp-ciphers, so it works with the auth none and cipher none settings set above and ignores the data-ciphers setting.
OpenVPN 2.5 and newer
You shouldn't need to make any adjustments here. OpenVPN 2.5 and newer recognize the auth none and data-ciphers none settings and ignore the cipher setting.