How to Force Disable Encryption in OpenVPN When cipher none/auth none Fails

When optimizing VPN performance for high-throughput scenarios, many developers attempt to disable encryption using:

cipher none
auth none

However, as the connection logs show, OpenVPN still brings up AES-256-GCM despite these directives:

Outgoing Data Channel: Cipher 'AES-256-GCM' initialized
Incoming Data Channel: Cipher 'AES-256-GCM' initialized

The root cause is the NCP (Negotiable Crypto Parameters) feature introduced in OpenVPN 2.4, which negotiates the data-channel cipher automatically and overrides an explicit "none" setting. Here's what actually happens:

  1. Server advertises available ciphers through NCP
  2. Client automatically selects strongest available (AES-256-GCM)
  3. Manual cipher settings get ignored during handshake

To enforce true unencrypted mode, you need these combined settings:

# Server configuration (server.conf)
cipher none
auth none
ncp-disable
compress lz4-v2
tun-mtu 1500
mtu-disc yes

# Client configuration (client.ovpn)
cipher none
auth none
ncp-disable
nobind
remote-cert-tls server

Confirm encryption is truly disabled using:

  • Wireshark Analysis: UDP packets should show cleartext payloads
  • Performance Test: Compare with/without settings using:
    iperf3 -c [server_ip] -t 60
  • OpenVPN Logs: Should show:
    Data Channel: using unencrypted/null cipher

Additional tuning for specific use cases such as gaming VPNs or IoT networks:

# For UDP acceleration
socket-flags TCP_NODELAY
sndbuf 393216
rcvbuf 393216

# For legacy compatibility
script-security 2
up "/etc/openvpn/update-resolv-conf"
down "/etc/openvpn/update-resolv-conf"

Remember this configuration should only be used in trusted networks or testing environments due to obvious security implications.


When attempting to disable encryption in OpenVPN by setting cipher none and auth none in both server and client configurations, many administrators encounter unexpected encryption behavior. Despite these settings, OpenVPN continues to use AES-256-GCM encryption, as evidenced by:

Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized
Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized

The confusion arises from OpenVPN's dual-channel architecture:

  • Control Channel: Handles key exchange and management (TLS)
  • Data Channel: Handles actual payload encryption

When you specify cipher none, it only affects the data channel, while the control channel remains encrypted by default.

To achieve truly unencrypted communication, you need these additional parameters:

# Server configuration (server.conf)
proto udp
port 1195
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
cipher none
auth none
tls-server
tls-auth ta.key 0
tls-cipher "NULL"
ncp-disable
compress lz4-v2

# Client configuration (client.ovpn)
client
proto udp
remote your.server.com 1195
dev tun
cipher none
auth none
tls-client
tls-auth ta.key 1
tls-cipher "NULL"
ncp-disable
compress lz4-v2
remote-cert-tls server

1. tls-cipher "NULL": Disables TLS encryption for the control channel

2. ncp-disable: Prevents OpenVPN from negotiating cipher parameters (introduced in OpenVPN 2.4)

3. compress lz4-v2: Recommended when encryption is disabled, as compression can still provide some security through obfuscation

When encryption is correctly disabled, you should observe:

  • CPU usage should drop to near-zero for VPN processing
  • Throughput can increase by 300-500% compared to encrypted tunnels
  • Wireshark should show cleartext traffic (use the display filter udp.port == 1195)

Disabling encryption may be necessary for:

  • Testing environments
  • High-throughput internal networks
  • Legacy device compatibility

Be aware, however, that:

  1. All traffic is visible to anyone on the network path
  2. Packets can be modified in transit
  3. No protection against replay attacks exists

If encryption persists after these changes:

# Check active configuration
grep -E "cipher|auth|ncp|tls-cipher" /etc/openvpn/server.conf

# Verify running parameters
ps aux | grep openvpn | grep -v grep

# Check logs for negotiation details
journalctl -u openvpn@server -f

Remember that some OpenVPN versions may require a complete service restart rather than a soft reload when changing encryption parameters.
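The two verification steps above (reading the config back and checking the negotiation lines in the log) can be combined into one audit. The following is an added example, not code from the original post or from the OpenVPN project: it parses a server.conf, scans log lines in the format quoted above for "Data Channel: Cipher '...' initialized", and reports when NCP is still overriding cipher none. Both the config and the log excerpt are constructed samples.

```python
import re
from typing import Dict, List, Set

# Constructed sample inputs (not from the original page): a server.conf that
# sets cipher none but forgets ncp-disable, and a log excerpt in the format
# the article quotes.
SERVER_CONF = """\
proto udp
port 1195
cipher none        # intended: no data-channel encryption
auth none
compress lz4-v2
"""
NCP_DISABLED_CONF = SERVER_CONF + "ncp-disable\n"
LOG_LINES = """\
Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized
Tue Dec  4 12:59:59 2018 client_abc/10.20.73.2:36752 Incoming Data Channel: Cipher 'AES-256-GCM' initialized
"""

# Matches the cipher name inside the "Data Channel: Cipher '...' initialized" line.
CIPHER_RE = re.compile(r"Data Channel: Cipher '([^']+)' initialized")

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each OpenVPN directive to its argument list; '#' comments and blanks are dropped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def initialized_ciphers(log: str) -> Set[str]:
    """Cipher names the log reports as initialised on the data channel."""
    return set(CIPHER_RE.findall(log))

def audit(conf_text: str, log_text: str) -> List[str]:
    """Return findings explaining why the data channel is still encrypted (empty if it is not)."""
    conf = parse_conf(conf_text)
    findings: List[str] = []
    wants_none = conf.get("cipher") == ["none"]
    if wants_none and "ncp-disable" not in conf:
        findings.append("cipher none without ncp-disable: NCP will negotiate a cipher anyway")
    for name in sorted(initialized_ciphers(log_text) - {"none"}):
        findings.append(f"log shows data channel using {name}, so the tunnel is still encrypted")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, LOG_LINES):
        print(finding)
```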